On Mon, Feb 3, 2020, 07:01 Vieri <[email protected]> wrote:
> Hi,
>
> I'm seeing this in my logs:
>
> [Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493]
> [client 1.2.3.4] ModSecurity: Warning. Match of "within
> %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file
> "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"]
> [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data
> "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag
> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> "attack-generic"] [tag "OWASP_CRS"] [tag
> "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag
> "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "gw.mydomain.org"] [uri
> "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"]
> [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer:
> https://gw.mydomain.org/
You can't block DELETE. Guacamole needs this method, as well as several
others, for its REST API. The request that is being blocked above is an
attempt to log out.
...
>
> Overall, Guacamole behind this reverse proxy seems to work fine (for
> end-users), ...
If you are blocking requests based on method alone, things are likely
breaking.
> ... but I'm worried about the HTTP/403 reply...
> Do you think it's worth looking into?
> Do I need to tweak my modsecurity anomaly_score?
A 403 response in itself is not worrisome and doesn't mean you are being
attacked. If you see a ton of permission denied responses for the same IP,
then perhaps, but you can expect this and other error codes under normal
circumstances. The REST response which causes Guacamole to render a login
screen and prompt the user to log in is a 403, as is the response which
requests additional credentials (MFA, password reset, etc.). You'll also
see this if a user closes the tab without logging out, their session
expires, and then they come back later (their token will be invalid).
- Mike
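Added example, not code from either poster: a Python triage script for the situation Mike describes. It parses ModSecurity error-log lines in the format quoted above, then separates rule 911100 hits that are Guacamole REST calls under /api/ (the logout DELETE in the log is one) from every other hit, counted per client address, so that "a ton of permission denied responses for the same IP" can be told apart from normal application traffic. Assumptions: that Guacamole's API also uses PUT and PATCH (the thread only confirms DELETE), IPv4 client addresses, and constructed sample lines whose addresses, paths, tokens and unique_ids are made up.

```python
"""Triage ModSecurity (CRS 3.x) error-log entries from a Guacamole reverse proxy."""
import re
from collections import defaultdict

# Matches the [key "value"] fields of a ModSecurity error-log entry.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Client address as Apache logs it: [client 1.2.3.4:2493] (IPv4 only, by assumption).
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')

# Methods Guacamole's REST API needs beyond the CRS default allow-list.
# The thread confirms DELETE (logout); PUT and PATCH are an assumption here.
GUACAMOLE_API_METHODS = {"DELETE", "PUT", "PATCH"}
METHOD_RULE_ID = "911100"  # REQUEST-911-METHOD-ENFORCEMENT, as in the quoted log

# Constructed sample entries modelled on the quoted line (tags trimmed for brevity;
# addresses, paths, tokens and unique_ids are made up).
SAMPLE_LOG = """\
[Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [hostname "gw.mydomain.org"] [uri "/api/tokens/CONSTRUCTED0000000000000000000000000001"] [unique_id "CONSTRUCTED-UID-0001"], referer: https://gw.mydomain.org/
[Mon Feb 03 15:42:10.100000 2020] [:error] [pid 9251] [client 1.2.3.4:2510] [client 1.2.3.4] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [hostname "gw.mydomain.org"] [uri "/api/session/data/postgresql/users/alice"] [unique_id "CONSTRUCTED-UID-0002"], referer: https://gw.mydomain.org/
[Mon Feb 03 15:50:01.000000 2020] [:error] [pid 9252] [client 5.6.7.8:40001] [client 5.6.7.8] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "TRACE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [hostname "gw.mydomain.org"] [uri "/"] [unique_id "CONSTRUCTED-UID-0003"]
[Mon Feb 03 15:50:02.000000 2020] [:error] [pid 9252] [client 5.6.7.8:40002] [client 5.6.7.8] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "TRACE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [hostname "gw.mydomain.org"] [uri "/"] [unique_id "CONSTRUCTED-UID-0004"]
[Mon Feb 03 15:50:03.000000 2020] [:error] [pid 9252] [client 5.6.7.8:40003] [client 5.6.7.8] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [hostname "gw.mydomain.org"] [uri "/wp-login.php"] [unique_id "CONSTRUCTED-UID-0005"]
"""


def parse_entry(line):
    """Return the fields of one ModSecurity error-log line as a dict, or None."""
    if "ModSecurity:" not in line:
        return None
    m = CLIENT_RE.search(line)
    fields = {"client": m.group(1) if m else None, "tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)  # tag repeats, so keep them all
        else:
            fields[key] = value
    return fields


def is_expected_guacamole_call(entry):
    """True when rule 911100 fired on a Guacamole REST method under /api/."""
    return (entry.get("id") == METHOD_RULE_ID
            and entry.get("uri", "").startswith("/api/")
            and entry.get("data") in GUACAMOLE_API_METHODS)


def triage(log_text, noisy_threshold=3):
    """Per client: count expected API hits vs. everything else and flag noisy clients."""
    report = defaultdict(lambda: {"expected_api": 0, "other": 0, "rules": set()})
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry or not entry["client"]:
            continue
        bucket = report[entry["client"]]
        bucket["rules"].add(entry.get("id"))
        if is_expected_guacamole_call(entry):
            bucket["expected_api"] += 1
        else:
            bucket["other"] += 1
    for bucket in report.values():
        bucket["noisy"] = bucket["other"] >= noisy_threshold
        bucket["rules"] = sorted(bucket["rules"])
    return dict(report)


if __name__ == "__main__":
    for client, stats in triage(SAMPLE_LOG).items():
        print(client, stats)
```

On the constructed sample, 1.2.3.4 shows only expected Guacamole API calls (the logout DELETE and a PUT on a user object) and is not flagged, while 5.6.7.8 collects three hits on non-API paths and is. Once the hits are confirmed to be Guacamole traffic, the CRS-side fix is to extend tx.allowed_methods (set by rule 900200 in crs-setup.conf in CRS 3.x) for the Guacamole virtual host rather than to raise the anomaly threshold, since a higher threshold would weaken every other rule as well.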