On 2/25/20 8:27 PM, Chris Bacott via FreeIPA-users wrote:
Oh wow. Well, thank you very much for showing me how to enable the debug 
logging for the whole app stack, that proved to reveal exactly what the issue 
was.

Turns out, apache mod_security was blocking the access from "ipa host-del".

[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Pattern match 
"(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$))" at ARGS:size. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "208"] [id 
"942220"] [rev "2"] [msg "Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \\"magic number\\" crash"] [data "Matched Data: 2147483647 found within ARGS:size: 2147483647"] [severity 
"CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag 
"WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 
at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score 
Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] 
[hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559524 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Operator GE matched 5 
at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg 
"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Looking for intiger overflow attacks, these are 
taken from skipfish, except 3.0.00738585072007e-308 is the \\"magic number\\" crash"] [tag "event-correlation"] [hostname "SNIP"] [uri 
"/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.560660 2020] [wsgi:error] [pid 26430:tid 139810400032512] 
[remote 10.39.42.117:53934] ipa: DEBUG: response status 403

I didn't specifically install or set up mod_security, I believe it's a default package, 
but I normally just disable it as it causes all sorts of random headaches like this. Once 
I disabled it, I was able to delete the host via "ipa host-del".

That at least solves that problem. Thank you for the suggestions!

Hi,

thanks for the update, glad you could solve the issue.

Mod_security is not installed by default with httpd, and is not required by IPA either. Unless httpd is used by other apps on the master (which is not recommended), you are safe to remove mod_security package.

flo

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
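The ModSecurity entries quoted in the thread already contain everything needed to explain the 403: rule 942220 matched `ARGS:size` with the value 2147483647 on `/ca/rest/certs/search`, that single CRITICAL hit pushed the anomaly score to 5, and rule 949110 then denied the request in phase 2. When a WAF sits in front of FreeIPA (or any application) this correlation is what a defender has to do by hand every time something breaks, so here is an added example, written for this page and not code from the thread, from FreeIPA or from the CRS project, of a small parser for Apache-style ModSecurity v2 error-log lines that groups entries by `unique_id`, reports whether each request was blocked and why, and lists the (rule id, variable, URI) triples behind each block, which is the narrowest scope for a rule exclusion if mod_security has to stay in place for other applications. The sample log is constructed: the first three entries reproduce the rule ids, targets, URI and `unique_id` from the thread with the long regex and tag lists shortened, and the fourth is an invented warning-only hit on a second request (rule id 999999, URI `/constructed/path`) so the grouping has something not blocked to show.

```python
"""Parse ModSecurity v2 (Apache error-log) entries and explain why a request was blocked.

Added example, not part of the thread or of FreeIPA. Works on a constructed
sample log modelled on the entries quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample. Entries 1-3 reproduce the thread's rule ids, targets and
# URI (regex and tag lists shortened); entry 4 is invented (placeholder rule id
# 999999, placeholder URI) to give the summary a request that was not blocked.
SAMPLE_LOG = r'''
[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Pattern match "(?i:(?:^(-0000023456|2147483647)$))" at ARGS:size. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "208"] [id "942220"] [rev "2"] [msg "Looking for intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is the \"magic number\" crash"] [data "Matched Data: 2147483647 found within ARGS:size: 2147483647"] [severity "CRITICAL"] [tag "application-multi"] [tag "attack-sqli"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "attack-generic"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559524 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0)"] [tag "event-correlation"] [hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:05:10.100000 2020] [:error] [pid 26434:tid 139810169677568] [client 10.39.42.117:53940] [client 10.39.42.117] ModSecurity: Warning. Pattern match "placeholder" at ARGS:q. [file "/etc/httpd/modsecurity.d/constructed.conf"] [line "1"] [id "999999"] [msg "Constructed warning-only hit"] [data "Matched Data: placeholder found within ARGS:q: placeholder"] [severity "WARNING"] [tag "constructed"] [hostname "SNIP"] [uri "/constructed/path"] [unique_id "CONSTRUCTED-0002"]
'''

# Fixed prefix of every entry up to the first quoted "[key "value"]" field.
HEADER_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[[^\]]*error\] \[pid (?P<pid>[^\]]+)\] '
    r'\[client (?P<client>[^\]]+)\] (?:\[client [^\]]+\] )?'
    r'ModSecurity: (?P<action>Warning|Access denied with code (?P<status>\d+))'
    r'(?: \(phase (?P<phase>\d)\))?\. (?P<detail>.*?) \[file '
)
# Quoted fields; the value may contain escaped quotes (\") as in the msg above.
KV_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
# The variable the operator matched, e.g. "at ARGS:size." or "at TX:anomaly_score."
TARGET_RE = re.compile(r' at (?P<target>[A-Za-z_]+:[^\s.]+)\.$')
SCORE_RE = re.compile(r'Total (?:Inbound )?Score: (\d+)')


def parse_entry(line):
    """Turn one log line into a dict, or None if it is not a ModSecurity entry."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = {'ts': m['ts'], 'client': m['client'], 'phase': m['phase'],
          'action': 'deny' if m['status'] else 'warn',
          'status': int(m['status']) if m['status'] else None,
          'target': None, 'tags': []}
    t = TARGET_RE.search(m['detail'])
    if t:
        ev['target'] = t['target']
    # Scan the [key "value"] fields that follow the header; [tag ...] repeats.
    for kv in KV_RE.finditer(line, m.end('detail')):
        key, val = kv['key'], re.sub(r'\\(.)', r'\1', kv['val'])
        if key == 'tag':
            ev['tags'].append(val)
        else:
            ev[key] = val
    return ev


def parse_log(text):
    return [ev for ev in (parse_entry(l) for l in text.splitlines()) if ev]


def summarise(events):
    """Group entries by unique_id and explain each request's outcome."""
    by_req = defaultdict(list)
    for ev in events:
        by_req[ev['unique_id']].append(ev)
    summary = {}
    for uid, evs in by_req.items():
        deny = next((e for e in evs if e['action'] == 'deny'), None)
        score = None
        for e in evs:
            s = SCORE_RE.search(e.get('msg', ''))
            if s:
                score = int(s.group(1))
                break
        # Hits on request data are the real cause; TX:* hits are only the
        # anomaly-score bookkeeping of the blocking/correlation rules.
        causes = [(e['id'], e['target'], e.get('data', ''))
                  for e in evs
                  if e['action'] == 'warn' and e['target']
                  and not e['target'].startswith('TX:')]
        summary[uid] = {'uri': evs[0]['uri'], 'client': evs[0]['client'],
                        'blocked': deny is not None,
                        'status': deny['status'] if deny else None,
                        'anomaly_score': score, 'causes': causes}
    return summary


def exclusion_candidates(summary):
    """(rule id, variable, URI) triples behind each blocked request: the
    narrowest scope at which a rule exclusion would need to apply."""
    return {(rid, target, s['uri'])
            for s in summary.values() if s['blocked']
            for rid, target, _ in s['causes']}


if __name__ == '__main__':
    report = summarise(parse_log(SAMPLE_LOG))
    for uid, r in report.items():
        state = f"blocked ({r['status']})" if r['blocked'] else 'allowed'
        print(f"{uid}: {r['uri']} from {r['client']} {state}, score={r['anomaly_score']}")
        for rid, target, data in r['causes']:
            print(f"  rule {rid} on {target}: {data}")
    print('exclusion scope:', sorted(exclusion_candidates(report)))
```

Run as a script it prints one line per request plus the rules that caused each block; fed the real error_log, `exclusion_candidates` tells you exactly which rule, on which variable, for which URI produced a false positive, so any exclusion you write can be limited to that triple rather than disabling the rule or the module globally. Matched data is carried through on purpose: seeing `2147483647` in `ARGS:size` makes it obvious that the application is passing a "no limit" page size, not that anyone is probing for integer overflows.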