
I am using:

  • Ubuntu 24.04
  • Plesk Obsidian 18.0.62
  • Apache/2.4.59
  • Tomcat/10.1.16
  • tomcat-connectors-1.2.49
  • libapache2-mod-jk
  • ModSecurity
  • Fail2ban
  • Free ModSecurity Rules from Comodo

And I have a servlet on worker1.

In Plesk, ModSecurity is set to "On" and uses Free ModSecurity Rules from Comodo.

IP Address Banning (Fail2Ban) intrusion detection is "On".

When I make 5 (successful) posts from the client to the servlet, the client IP is banned for the time interval set in Fail2Ban.

Here is the modsec_audit.log report:

--ffd6be58-A--
[30/Jun/2024:09:37:02.722882 +0000] ZoEnPjdhHHdmdP54dSpN12AAFQ ***banned client IP*** 49290 127.0.0.1 7081
--ffd6be58-B--
POST /tomcat_app/Debate/url_a_servlet_general HTTP/1.0
Host: www.mywebsite.com
X-Real-IP: ***banned client IP***
X-Accel-Internal: /internal-nginx-static-location
Connection: close
Content-Length: 181
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
x-gwt-module-base: https://www.mywebsite.com/tomcat_app/Debate/
x-gwt-permutation: A7F24557812452238ACA3ACDA68F4D27
content-type: text/x-gwt-rpc; charset=UTF-8
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://www.mywebsite.com
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://www.mywebsite.com/index-booking.html
accept-encoding: gzip, deflate, br, zstd
accept-language: es-ES,es;q=0.9,ar-ES;q=0.8,ar;q=0.7,en-ES;q=0.6,en;q=0.5
priority: u=1, i
cookie: c=cookie-text

--ffd6be58-F--
HTTP/1.1 200 200
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Disposition: attachment
Content-Length: 45
Cache-Control: max-age=1209600
Expires: Sun, 14 Jul 2024 09:37:02 GMT
Connection: close
Content-Type: application/json;charset=utf-8

--ffd6be58-H--
Message: Warning. Match of "pmFromFile userdata_wl_content_type" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "17"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mywebsite.com|F|2"] [data "TX:0=text/x-gwt-rpc"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"]
Message: Warning. Operator GE matched 5 at TX:incoming_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "35"] [id "214930"] [rev "1"] [msg "COMODO WAF: Inbound Points Exceeded|Total Incoming Points: 5|www.mywebsite.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client ***banned client IP***] ModSecurity: Warning. Match of "pmFromFile userdata_wl_content_type" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "17"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mywebsite.com|F|2"] [data "TX:0=text/x-gwt-rpc"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "www.mywebsite.com"] [uri "/tomcat_app/Debate/url_a_servlet_general"] [unique_id "ZoEnPjdhHHdmdP54dSpN12AAFQ"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client ***banned client IP***] ModSecurity: Warning. Operator GE matched 5 at TX:incoming_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "35"] [id "214930"] [rev "1"] [msg "COMODO WAF: Inbound Points Exceeded|Total Incoming Points: 5|www.mywebsite.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "www.mywebsite.com"] [uri "/tomcat_app/Debate/url_a_servlet_general"] [unique_id "ZoEnPjdhHHdmdP54dSpN12AAFQ"]
Apache-Handler: jakarta-servlet
Stopwatch: 1719740222713534 9429 (- - -)
Stopwatch2: 1719740222713534 9429; combined=2313, p1=292, p2=1896, p3=29, p4=23, p5=73, sr=63, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--ffd6be58-Z--

I want to go on using my servlet (from any IP) without significantly reducing the level of security of the server.

I think that I should add a custom directive in Plesk->tools&settings->Web Application Firewall->configuration, to accept application/json. Am I right?

I can read under the text box: "Input a ModSecurity directive here. It will override the previously specified directives (rule sets, specific rules, the predefined set of values, and so on)."

How to write this rule?

2 Answers


  1. Chosen as BEST ANSWER

    It is probably not a json problem but text/x-gwt-rpc. I think that the solution is:

    1- Edit the file userdata_wl_content_type
    2- Add the line "text/x-gwt-rpc" at the end 
    3- Restart apache (e.g. systemctl restart apache2.service)
    

    It works. I am not an expert so I am not 100% sure that this does not open a vulnerability. But I think that it is fine and this answer can help others with a similar issue.

    Edit: this does not work as the file is periodically updated.
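The edit at the end of that answer is the important part: the Comodo updater overwrites userdata_wl_content_type, so the exception has to live somewhere the updater does not touch. The Plesk custom-directives box (Tools & Settings -> Web Application Firewall -> Configuration) is such a place, and the same exception can be written there as a scoped rule exclusion instead of a global one. The following is an added example, not code from the thread, from Plesk or from the Comodo rule set. It assumes that the box is included in an Apache context that accepts <LocationMatch>, that rule id 10001 is unused on the server, and that /tomcat_app/Debate/ is the only path that legitimately receives text/x-gwt-rpc bodies.

```apache
# Added example: scope the Comodo content-type exception (rule 210710) to the servlet.
# Assumed: this block is pasted into the Plesk custom-directives box, rule id 10001
# is free, and /tomcat_app/Debate/ is the only endpoint that speaks GWT-RPC.

# Weak form, shown only for contrast: disables the content-type policy for every
# URL on the host, so any unexpected body type would pass unchallenged.
# SecRuleRemoveById 210710

# Scoped form 1: switch rule 210710 off only under the servlet prefix.
# SecRuleRemoveById is a configuration-time directive, so it does not depend on
# rule ordering or phases, and this file is not rewritten by the rule updater.
<LocationMatch "^/tomcat_app/Debate/">
    SecRuleRemoveById 210710
</LocationMatch>

# Scoped form 2: the same exception expressed as a runtime exclusion that also
# requires the request to really carry the GWT-RPC media type (the header in the
# audit log is "text/x-gwt-rpc; charset=UTF-8", hence @beginsWith after lowercasing).
# ctl:ruleRemoveById only affects rules that have not yet run in the transaction,
# so this form must be evaluated before 210710; if 210710 keeps showing up in
# section H of modsec_audit.log, keep the <LocationMatch> form above instead.
SecRule REQUEST_URI "@beginsWith /tomcat_app/Debate/" \
    "id:10001,phase:1,pass,t:none,nolog,chain"
    SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/x-gwt-rpc" \
        "t:none,t:lowercase,ctl:ruleRemoveById=210710"
```

Use one of the two scoped forms, not both. After restarting Apache (systemctl restart apache2.service, as in the answer), send a single POST from the client and check the next modsec_audit.log entry: section H should no longer list id 210710, and because that rule is what was feeding TX:incoming_points, id 214930 (Inbound Points Exceeded) should stop appearing as well, which is what Fail2ban was banning on.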


  2. CRS dev-on-duty here. I don’t know the Comodo WAF rule set. But I know the OWASP CRS rule set.
    In CRS you can configure your allowed content-types in the crs-setup.conf: https://github.com/coreruleset/coreruleset/blob/main/crs-setup.conf.example#L506 (uncomment and add your content-type).
    Maybe this helps.

    If you want to know more about WAF tuning and the OWASP CRS, see here:
    https://coreruleset.org/docs/concepts/false_positives_tuning/

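For readers who run the OWASP CRS rather than the Comodo rules, the allowlist this answer points to is the tx.allowed_request_content_type variable set by SecAction 900220 in crs-setup.conf; rule 920420 is the one that enforces it and would otherwise report the same "Request content type is not allowed by policy" finding. The snippet below is an added example, not from the thread or from the CRS repository: the default entries are abbreviated here and should be copied from the installed crs-setup.conf.example, with only the new |text/x-gwt-rpc| entry appended.

```apache
# Added example for crs-setup.conf (CRS 4.x syntax): permit GWT-RPC request bodies.
# Uncomment rule 900220, keep every entry from the shipped default list
# (abbreviated here; copy the full list from crs-setup.conf.example) and append
# |text/x-gwt-rpc|. Rule 920420 reads this variable and rejects any other media type.
SecAction \
    "id:900220,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/json| |text/plain| |text/x-gwt-rpc|'"
```

Each entry is wrapped in pipes and separated by a space, and CRS compares the media type without its charset parameter, so "text/x-gwt-rpc; charset=UTF-8" matches the |text/x-gwt-rpc| entry. Editing crs-setup.conf is the supported place for this change; the rule files under rules/ get replaced on upgrade, just as the Comodo userdata file does.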