A very urgent problem with a payment provider blocked

Hello!

We are integrating our payment provider “Mollie in Netherlands” and with the payment procedure, the provider sends back status updates and also a so-called webhook.
The problem happening now is that their system generates errors in the logs on my account from Mollie, probably because CWAF blocks them.
The log is full of the same errors, one of which I attach here:

How can we fix this problem in a way that CWAF lets these status updates from “Mollie” through without blocking them?

Thanks very much in advance for your help!

[attachment deleted by admin]

Hi

Please check the modsecurity audit log for a possible false positive rule and disable it.
Also you can try to turn off CWAF temporarily to check what is causing this problem.

How to disable a rule by ID:
In the plugin open the ‘Catalog’ tab.
Type the rule ID in the ‘Filter by [Item ID]’ field, press the ‘Search by Rule ID’ button.
Turn off the found rule.
Press the ‘Implement’ button to apply changes.

Or with command line utility:

# /var/cpanel/cwaf/scripts/cwaf-cli.pl -xa RULE_ID_TO_DISABLE

for cPanel install

# /usr/local/cwaf/scripts/cwaf-cli.pl -xa RULE_ID_TO_DISABLE

for other web management panel installs

How to temporarily turn off CWAF:
In the plugin open the ‘Security Engine’ tab.
Select the ‘Off’ value in the ‘Security Engine’ dropdown.
Press ‘Update config’ to apply changes.

If you don’t have the CWAF plugin installed please change the ‘SecRuleEngine’ directive in the config file. Set it to ‘SecRuleEngine Off’, save the file and restart the web server.

Regards, Oleg

Hello Oleg!

Thanks for your fast reply!
I have searched the whole server but there is no modsecurity audit log. Do you have an idea where to find it? In the server under logs there is nothing from modsecurity.

I will test with CWAF off, but another way is maybe to allow all traffic coming from Mollie. How can I do that in CWAF?
Oleg, when you see that error, can it come from something else also? I also have CSF installed.

Thanks in advance!

Regards,
Allard

Hi

As I remember from the last session, your web server is Apache with Webmin/Virtualmin.
I have checked a similar setup and found in the file /etc/httpd/conf.d/zzzz_cwaf_security2.conf the following record

SecAuditLog /var/log/httpd/modsec_audit.log

So please try to check this location.

With best regards, Oleg

By the way, you can add Mollie to Whitelisted Domains.

To do so open the ‘userdata’ tab.
Add the Mollie domain to ‘Whitelisted Domains’ and save changes.
Restart Apache.

This is wrong, sorry.

Open ‘userdata’ tab.
Add the Mollie IP address (for example 192.168.50.1) to ‘Custom Rules’ and save changes.

SecRule REMOTE_ADDR "^192\.168\.50\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945

Restart Apache.

Then mod_security will ignore any requests from mollie IP.

With best regards, Oleg

Hi Oleg,

Thanks for your very good tips. Finally, I have found the log :) In Webmin there is a new file manager and you can search there for a specific file. So that was easy.

In the log itself I see for example:

[09/Oct/2015:01:28:38 +0200] Vhb8AqpBMHSIAAHKouXAAAAAB xx.xxx.xx.xxx 60235 1xx.xx.xx.xx 443
--cc1d8f26-B--
POST / HTTP/1.1
Host: www.mydomain.com
Accept: */*
Accept-Encoding: deflate, gzip
User-Agent: Mollie.nl HTTP client/1.0

--cc1d8f26-F--
HTTP/1.1 403 Forbidden
Content-Length: 202
Content-Type: text/html; charset=iso-8859-1

In the second part you see 403 Forbidden and that is exactly what the log shows from Mollie.

How can we make good exception rules for Mollie, Oleg, so that everything can go through?

Thanks so much in advance!!

Regards,
Allard

Hi

If access is blocked by mod_security there should be the ID of the rule which blocks.
For example from my log:

--c3d0b169-H--
Message: Access denied with code 403 (phase 2). Match of "contains /ajax.php/imp/sendmessage" against "REQUEST_FILENAME" required. [file "/var/cpanel/cwaf/rules/01_Global_Generic.conf"] [line "14"] [id "211000"] [msg "COMODO WAF: System Command Injection"] [data "Matched Data: curl found within REQUEST_FILENAME: /"] [severity "CRITICAL"]

So in my case access is blocked by Rule 211000 ( [id "211000"] )
If no rule ID is shown, possibly access is blocked by the Apache server, not by mod_security.

Try to temporarily turn off mod_security. If the problem persists, this is not a mod_security issue.

With best regards, Oleg
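A small parser for the -H- section quoted in this reply, added here as an illustration (it is not part of the forum thread and not a CWAF tool): it pulls the rule id, message, file, line and phase out of each "Access denied" line so the blocking rule can be identified before deciding whether to exclude it. The audit-log text is constructed from the two Message lines quoted in this thread; the section markers and Action lines around them are assumed.

```python
import re
from collections import Counter

# Constructed sample: the two "Message:" lines quoted in this thread, wrapped in
# assumed audit-log section markers (a real log carries more sections per transaction).
SAMPLE_AUDIT_LOG = """\
--c3d0b169-H--
Message: Access denied with code 403 (phase 2). Match of "contains /ajax.php/imp/sendmessage" against "REQUEST_FILENAME" required. [file "/var/cpanel/cwaf/rules/01_Global_Generic.conf"] [line "14"] [id "211000"] [msg "COMODO WAF: System Command Injection"] [data "Matched Data: curl found within REQUEST_FILENAME: /"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--c3d0b169-Z--

--14f35710-H--
Message: Access denied with code 403 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/cwaf/rules/12_HTTP_Protocol.conf"] [line "41"] [id "210280"] [msg "COMODO WAF: POST request missing Content-Length Header."] [data "0"] [severity "WARNING"]
Action: Intercepted (phase 1)
--14f35710-Z--
"""

# Only denial messages are interesting for false-positive hunting; warnings that
# merely logged a match do not explain a 403.
DENIED_RE = re.compile(r"^Message: Access denied with code (?P<code>\d+) \(phase (?P<phase>\d+)\)")
# ModSecurity appends its metadata as [key "value"] pairs; pick the ones worth reporting.
TAG_RE = re.compile(r'\[(?P<key>file|line|id|msg|severity) "(?P<value>[^"]*)"\]')


def parse_denials(text):
    """Return one dict per 'Access denied' message with status code, phase and the rule metadata."""
    hits = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        entry = {"code": int(m.group("code")), "phase": int(m.group("phase"))}
        for tag in TAG_RE.finditer(line):
            entry[tag.group("key")] = tag.group("value")
        hits.append(entry)
    return hits


def blocking_rule_ids(text):
    """Count denials per rule id; the most frequent id is the first false-positive candidate to review.
    A denial without an id (reported as 'no-id') was not produced by a rule and should be traced to Apache itself."""
    return Counter(hit.get("id", "no-id") for hit in parse_denials(text))


if __name__ == "__main__":
    for hit in parse_denials(SAMPLE_AUDIT_LOG):
        print(f'phase {hit["phase"]} rule {hit.get("id")}: {hit.get("msg")} ({hit.get("file")}:{hit.get("line")})')
    print(blocking_rule_ids(SAMPLE_AUDIT_LOG))
```

Run it against the real file with `parse_denials(open("/var/log/httpd/modsec_audit.log").read())`; the counter tells you which rule id to put in the exclude list, and the file/line pair tells you which ruleset it came from.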

Hi Oleg,

We are almost there because it is CWAF which is blocking. When I turned off the module, everything was working. I checked the log:

--14f35710-H--
Message: Access denied with code 403 (phase 1). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/cwaf/rules/12_HTTP_Protocol.conf"] [line "41"] [id "210280"] [msg "COMODO WAF: POST request missing Content-Length Header."] [data "0"] [severity "WARNING"]
Action: Intercepted (phase 1)
Stopwatch: 1444406795428269 598 (- - -)
Stopwatch2: 1444406494428269 598; combined=281, p1=215, p2=0, p3=0, p4=0, p5=66, sr=53, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache

Engine-Mode: "ENABLED"

How can we make an exception for Mollie, Oleg, and leave the rule intact?
This is really difficult stuff but I am happy you know all about it :slight_smile:

Thanks already so much in advance!!

Regards,
Allard

Hi Oleg,

I tried to add 2 rules like this:

SecRule REMOTE_ADDR "^192\.168\.50\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945
SecRule REMOTE_ADDR "^192\.168\.51\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945

When I turn the engine on I get an error. Only after removing the rules can I start it again.

Can you please check what is wrong?

Regards,
Allard

Hi

You have used the same ID for both exception rules (999945 and 999945).
They should be different:

SecRule REMOTE_ADDR "^192\.168\.50\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945
SecRule REMOTE_ADDR "^192\.168\.51\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999946

But I’d recommend not whitelisting Mollie IPs and only excluding the “guilty” rule 210280.

To do so please remove these two SecRule lines from the ‘Userdata’ -> ‘Custom Rules’ textbox and add rule 210280 to the exclude list.

# /usr/local/cwaf/scripts/cwaf-cli.pl -xa 210280

and restart Apache

With best regards, Oleg

Hello Oleg!

Thank you very much for your fantastic help and it is amazing how much you know about these extremely complicated things!
Everything works perfect now. No blocking anymore :slight_smile:

Wish you a super good weekend !!

Best regards,
Allard

You’re welcome :-TU

With best regards, Oleg

Hello Oleg!

I have one problem left because the provider can send from several servers in an IP range.

For the rules like this:

SecRule REMOTE_ADDR "^192\.168\.50\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999945
SecRule REMOTE_ADDR "^192\.168\.51\.1$" phase:1,log,allow,ctl:ruleEngine=Off,id:999946

How can I add an IP range there instead of one single IP address?

Thanks so much in advance!

Kind regards
Allard

Hi

Well, the expression after REMOTE_ADDR is a regular expression (see here: http://blogs.msdn.com/b/oldnewthing/archive/2006/05/22/603788.aspx).
Also there are several tools to generate a regex for this purpose, for example: IP Range Regular Expression Builder - AnalyticsMarket

Best regards, Oleg
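An added helper script for the two rule-writing questions in this thread (the duplicate-id error above and the IP-range question here); it is an illustration written for this page, not code from the thread or from CWAF. It checks a set of custom SecRule lines for repeated ids, expands a CIDR block into the kind of anchored regex the range builders produce, and generates the narrower exception Oleg recommends: instead of switching the engine off for the provider's addresses, it removes only rule 210280 for those ranges using ModSecurity's @ipMatch operator (which accepts CIDR notation directly, so no regex is needed) and ctl:ruleRemoveById. The two sample rules are the ones posted above; the 192.168.50.0/24 and 192.168.51.0/24 ranges are constructed placeholders, not Mollie's real addresses.

```python
import ipaddress
import re

# Constructed sample: the two custom rules posted earlier in the thread, which share id 999945.
DUPLICATE_ID_RULES = [
    'SecRule REMOTE_ADDR "^192\\.168\\.50\\.1$" "phase:1,log,allow,ctl:ruleEngine=Off,id:999945"',
    'SecRule REMOTE_ADDR "^192\\.168\\.51\\.1$" "phase:1,log,allow,ctl:ruleEngine=Off,id:999945"',
]

ID_RE = re.compile(r"\bid:(\d+)")


def duplicate_rule_ids(rule_lines):
    """Return the ids used by more than one rule; ModSecurity refuses to start when any id repeats."""
    seen, dups = set(), set()
    for line in rule_lines:
        for rule_id in ID_RE.findall(line):
            if rule_id in seen:
                dups.add(rule_id)
            seen.add(rule_id)
    return dups


def cidr_to_regex(cidr):
    """Anchored regex matching exactly the addresses in a CIDR block, with dots escaped.
    This is the verbose form of what the range-to-regex builders emit; fine for small blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    alternatives = "|".join(re.escape(str(addr)) for addr in net)
    return f"^(?:{alternatives})$"


def matches(regex, addr):
    """True when addr is matched by the regex; it is anchored, so fullmatch mirrors what @rx decides."""
    return re.fullmatch(regex, addr) is not None


def narrow_exception_rules(cidrs, excluded_rule_id, first_id=999945):
    """One rule per source range that disables only excluded_rule_id for that range.
    The rest of the WAF keeps inspecting the provider's requests, unlike ctl:ruleEngine=Off.
    Ids are allocated sequentially from first_id so they never collide."""
    rules = []
    for offset, cidr in enumerate(cidrs):
        net = ipaddress.ip_network(cidr, strict=False)
        rules.append(
            f'SecRule REMOTE_ADDR "@ipMatch {net}" '
            f'"phase:1,id:{first_id + offset},pass,nolog,ctl:ruleRemoveById={excluded_rule_id}"'
        )
    return rules


if __name__ == "__main__":
    print("duplicate ids in posted rules:", duplicate_rule_ids(DUPLICATE_ID_RULES))
    print("regex for a /30:", cidr_to_regex("192.168.50.0/30"))
    for rule in narrow_exception_rules(["192.168.50.0/24", "192.168.51.0/24"], 210280):
        print(rule)
```

Paste the generated lines into ‘Userdata’ -> ‘Custom Rules’ in place of the ctl:ruleEngine=Off ones and restart Apache; the webhook POSTs from the listed ranges are then no longer caught by 210280 while every other rule still applies to them.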

Hi Oleg,

Thanks so much for the amazing tools which do the trick, it works perfect! :slight_smile: :-TU

Wish you a great day!

My kindest regards,
Allard