IBM Support

Getting /cacti denied error on logon due to httpd modsecurity rules

Question & Answer


Question

The RTM web portal http://hostname/cacti gives a "/cacti access denied" error on logon due to httpd modsecurity rules.

Answer

To debug, create a test program phpinfo.php in /var/www/html/ with the following content:

# cat /var/www/html/phpinfo.php
<?php
phpinfo();
?>

We were unable to run this test PHP file as well and got an access denied error in the browser (http://hostname/phpinfo.php).

- Turned on logging in /etc/php.ini but no error was generated in the log:
 - display_errors = On           [Security]  (Prints errors on command line)
 - log_errors = On               [Security]  (Logs in log file)
 - error_log = /tmp/php_error.log


There are 2 ways to fix it. (Note: these are quick fixes to get RTM running by disabling the firewall or its rules.)

1) Check /var/log/httpd/error_log and comment out the httpd firewall rule that is blocking access. For the error below, that means commenting out line 98 in the file /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf

# cat /var/log/httpd/error_log
[Wed Feb 28 10:58:31.539708 2018] [:error] [pid 4990] [client 10.229.24.22] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "10.229.24.22"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "10.229.24.22"] [uri "/index.html"] [unique_id "WpbRp5-oIsn65RAUnuJxDwAAAAE"]


2) Fix the RTM portal access denied issue by commenting out all lines in the file /etc/httpd/conf.modules.d/10-mod_security.conf, i.e. by (effectively) disabling the httpd firewall.

conf.modules.d]# cat 10-mod_security.conf
#LoadModule security2_module modules/mod_security2.so

#<IfModule !mod_unique_id.c>
#    LoadModule unique_id_module modules/mod_unique_id.so
#</IfModule>
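
To find which rule to comment out in option 1 without reading the raw log by eye, the sketch below pulls the rule id, file and line out of each "Access denied" entry. It is an added example, not IBM's or the RTM project's code; the function names and the sample log (modelled on the entry above, with some tags dropped) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the error_log entry shown above (one entry per line).
SAMPLE_LOG = (
    '[Wed Feb 28 10:58:31.539708 2018] [:error] [pid 4990] [client 10.229.24.22] '
    'ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. '
    '[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] '
    '[line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] '
    '[data "10.229.24.22"] [severity "WARNING"] [hostname "10.229.24.22"] [uri "/index.html"]\n'
    '[Wed Feb 28 10:58:32.000000 2018] [core:notice] [pid 4990] unrelated httpd message\n'
)

# ModSecurity 2.x appends rule metadata as [key "value"] pairs; keys such as tag can repeat.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
DENY_RE = re.compile(r'ModSecurity: Access denied with code (\d+) \(phase (\d)\)')

def parse_denials(log_text):
    """Return one dict per 'Access denied' entry, with the location of the rule that fired."""
    denials = []
    for line in log_text.splitlines():
        deny = DENY_RE.search(line)
        if not deny:
            continue  # not a ModSecurity denial, e.g. ordinary httpd notices
        fields = {}
        for key, value in FIELD_RE.findall(line):
            fields.setdefault(key, value)  # keep the first value of a repeated key
        denials.append({
            "status": int(deny.group(1)), "phase": int(deny.group(2)),
            "id": fields.get("id"), "file": fields.get("file"),
            "line": int(fields["line"]) if "line" in fields else None,
            "msg": fields.get("msg"), "uri": fields.get("uri"),
        })
    return denials

def blocking_rules(denials):
    """Count denials per (rule id, file, line), most frequent first."""
    return Counter((d["id"], d["file"], d["line"]) for d in denials).most_common()

if __name__ == "__main__":
    for (rule_id, path, lineno), hits in blocking_rules(parse_denials(SAMPLE_LOG)):
        print(f"rule {rule_id} at {path}:{lineno} denied {hits} request(s)")
```

Knowing the rule id also allows a single-rule exclusion with ModSecurity's `SecRuleRemoveById` directive, which is narrower than editing the rule file or unloading the module.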


Document Information

Modified date:
30 August 2019

UID

isg3T1027258