Are Empty User Agents Being Blocked?

I’m running rules version 1.67 of the Comodo WAF Plugin on Litespeed, and I’ve been trying to figure out whether or not empty user agents are blocked. I couldn’t find it listed in the protection wizard. There’s an old post that mentions it would be added, but no follow-up.

If it’s not in there now, what rule is safe to use in User Data → Custom rules to block an empty user agent?

Here are two simple custom rules for your purposes:

id:1 - Block the request if no User-Agent header was specified in the request:

# '&' counts the User-Agent headers present; @eq 0 means the header is missing entirely
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:1,phase:2,log,deny,status:403,msg:'User-Agent expected'"

id:2 - Block the request if an empty User-Agent header was specified in the request:

# t:removeWhitespace then t:length turns the value into its length; @eq 0 means blank or whitespace-only
SecRule REQUEST_HEADERS:User-Agent "@eq 0" "id:2,phase:2,log,deny,status:403,msg:'Empty User-Agent is not allowed',t:none,t:removeWhitespace,t:length"

Thanks, TDmitry.
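The two rules above look alike but match different conditions: the first counts User-Agent headers and fires when there are none, the second transforms the header value and fires when it is present but blank. The following is an added example, not code from TDmitry's post or from the Comodo rule set; it models just the pieces of ModSecurity's rule language those two rules use (the `&` count prefix, `t:removeWhitespace`, `t:length` and `@eq`) and runs them against a few constructed requests.

```python
"""Model of the two custom ModSecurity rules from the post above.

Added example for this thread, not code from the original post or from the
Comodo rule set. It emulates only the pieces of the ModSecurity rule language
that the two rules use: the '&' count prefix on a collection, the
t:removeWhitespace and t:length transformations, and the @eq operator.
A request is modelled as a list of (header-name, value) pairs so that a
missing header and an empty header can both be expressed.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def header_values(headers: Headers, name: str) -> List[str]:
    """REQUEST_HEADERS:<name> -- every value of that header (names are case-insensitive)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def rule_1(headers: Headers) -> Optional[int]:
    """SecRule &REQUEST_HEADERS:User-Agent "@eq 0"

    The '&' prefix yields the number of User-Agent headers in the request, so
    this matches only when the header is absent altogether.  Returns the rule
    id (1) on a match, None otherwise.
    """
    return 1 if len(header_values(headers, "User-Agent")) == 0 else None


def rule_2(headers: Headers) -> Optional[int]:
    """SecRule REQUEST_HEADERS:User-Agent "@eq 0" with t:none,t:removeWhitespace,t:length

    t:none clears the default transformations, t:removeWhitespace strips all
    whitespace from the header value and t:length replaces the value with its
    length, so @eq 0 matches a header that is present but blank or
    whitespace-only.  A request with no User-Agent at all has no value to
    transform, so this rule never fires for it; that case is rule 1's job.
    """
    for value in header_values(headers, "User-Agent"):
        length_after_transform = len("".join(value.split()))
        if length_after_transform == 0:
            return 2
    return None


def evaluate(headers: Headers) -> Optional[int]:
    """Run the rules in order and return the id of the first one that matches (None = allowed)."""
    for rule in (rule_1, rule_2):
        hit = rule(headers)
        if hit is not None:
            return hit
    return None


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "browser": [("Host", "example.test"), ("User-Agent", "Mozilla/5.0 (constructed)")],
    "no_header": [("Host", "example.test")],            # bare request, like a local probe
    "empty_header": [("Host", "example.test"), ("User-Agent", "")],
    "whitespace_header": [("Host", "example.test"), ("User-Agent", " \t ")],
}


def run_samples() -> dict:
    """Map each sample name to the id of the rule that would deny it (None = allowed)."""
    return {name: evaluate(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} -> {'allowed' if verdict is None else f'denied by id:{verdict}'}")
```

Running it shows "no_header" denied by id:1 and the two blank variants denied by id:2, which is why both rules are needed if the intent is "no usable User-Agent at all". Note that rule id:1 is the one a header-less local request trips, so it is also the one most likely to catch monitoring or health-check traffic.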

I tried the rules and I immediately saw in Mod Security Tools that they blocked 127.0.0.1. Whoops!

Do I need to whitelist 127.0.0.1, or any other IPs on the server, or is it just not wise to block empty user-agents?

Too many different applications omit the User-Agent header, so that’s why we don’t deliver such rules to customers: they would produce too many false positives.

Most browsers in their default configuration send a User-Agent string to the server. So if you know what your web server is made for and what kind of requests it serves, then you can easily answer your own question. But if you don’t know, better not to use such a rule.

Also, this could be a good reason to investigate what is happening on your server and why localhost sends such requests…

Thanks for the information. I will leave the rules out so that I don’t cause problems. I don’t know where to start tracking down the localhost requests. Maybe the cPanel forum?

Hi

You can start by analyzing your host traffic.

For example to see all packets directed to localhost you can use:

tcpdump -A -s0 -i any dst 127.0.0.1

To see all packets directed FROM localhost:

tcpdump -A -s0 -i any src 127.0.0.1

Regards, Oleg

You can also capture only local HTTP traffic by combining tcpdump filter arguments like this:

src 127.0.0.1 and port 80

Thanks to Oleg.

I’m way over my head on this, and you’re going way beyond CWAF support for this, but I ran the command:


tcpdump -A -s0 -i any src 127.0.0.1 and port 80

and got this kind of output:


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
11:10:52.093356 IP localhost.59051 > localhost.http: Flags [S], seq 1080627074, win 65495, options [mss 65495,sackOK,TS val 633240570 ecr 0,nop,wscale 7], length 0
E..<tx@.@..A...........P@i..........wb.........
%.{.........
11:10:52.093420 IP localhost.http > localhost.59051: Flags [S.], seq 4179689366, ack 1080627075, win 65483, options [mss 65495,sackOK,TS val 633240570 ecr 633240570,nop,wscale 7], length 0
E..<..@.@.<..........P... ..@i.................
%.{.%.{.....
11:10:52.093460 IP localhost.59051 > localhost.http: Flags [.], ack 1, win 512, options [nop,nop,TS val 633240570 ecr 633240570], length 0
E..4ty@.@..H...........P@i... .............
%.{.%.{.
11:10:52.093559 IP localhost.59051 > localhost.http: Flags [P.], seq 1:18, ack 1, win 512, options [nop,nop,TS val 633240571 ecr 633240570], length 17
E..Etz@.@..6...........P@i... .......9.....
%.{.%.{.GET / HTTP/1.0



11:10:52.093604 IP localhost.http > localhost.59051: Flags [.], ack 18, win 512, options [nop,nop,TS val 633240571 ecr 633240571], length 0
E..4.l@.@..U.........P... ..@i.............
%.{.%.{.
11:10:52.095201 IP localhost.http > localhost.59051: Flags [P.], seq 1:320, ack 18, win 512, options [nop,nop,TS val 633240572 ecr 633240571], length 319
E..s.m@.@............P... ..@i.......g.....
%.{.%.{.HTTP/1.0 200 OK
Last-Modified: Sun, 14 Feb 2016 22:02:22 GMT
Content-Type: text/html
Content-Length: 111
Date: Thu, 25 Feb 2016 17:10:52 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: close

<html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>

11:10:52.095260 IP localhost.59051 > localhost.http: Flags [.], ack 320, win 521, options [nop,nop,TS val 633240572 ecr 633240572], length 0
E..4t{@.@..F...........P@i...!.....	.L.....
%.{.%.{.
11:10:52.095380 IP localhost.59051 > localhost.http: Flags [R.], seq 18, ack 320, win 521, options [nop,nop,TS val 633240572 ecr 633240572], length 0
E..4t|@.@..E...........P@i...!.....	.H.....
%.{.%.{.
11:10:52.095409 IP localhost.http > localhost.59051: Flags [F.], seq 320, ack 18, win 512, options [nop,nop,TS val 633240572 ecr 633240572], length 0
E..4.n@.@..S.........P...!..@i.......T.....
%.{.%.{.
11:10:52.095446 IP localhost.59051 > localhost.http: Flags [R], seq 1080627092, win 0, length 0
E..(..@.@.<............P@i......P...z...
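What the capture above shows is a single `GET / HTTP/1.0` from localhost with no headers at all, which is exactly the request shape that the `&REQUEST_HEADERS:User-Agent "@eq 0"` rule denies. Reading that out of `tcpdump -A` text by eye gets tedious fast, so here is an added example (not from the thread) of a small parser for that text format: it splits the output into packets, pulls out HTTP request lines and headers, and lists the sources whose requests carry no User-Agent. The embedded sample is constructed to resemble the capture above, with a second made-up request from 192.0.2.10 added for contrast; the hex junk before each request line stands in for the IP/TCP header bytes that `-A` renders as ASCII.

```python
"""Pull HTTP requests out of `tcpdump -A` text and report which ones carry no
User-Agent header.

Added example for this thread, not code from the original post.  It parses the
text format shown in the capture above: a packet header line of the form
"HH:MM:SS.ffffff IP src > dst: Flags [..], ..., length N" followed by the
ASCII rendering of the packet bytes.  The IP/TCP header bytes appear as junk
characters at the start of the first payload line, so the request line is
searched for inside the line rather than anchored to its start.  Works with or
without tcpdump's -n flag (numeric addresses instead of "localhost.http").
Requests split across several TCP segments are out of scope here.
"""
import re
import sys
from typing import Dict, List, Optional

PACKET_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP6? (\S+) > (\S+): Flags \[([^\]]*)\].*length (\d+)$"
)
REQUEST_LINE_RE = re.compile(r"(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/1\.[01]")

# Constructed sample modelled on the capture above (ports, sequence numbers and
# the junk bytes are made up; the second request is added for contrast).
SAMPLE_CAPTURE = """\
11:10:52.093356 IP localhost.59051 > localhost.http: Flags [S], seq 1080627074, win 65495, options [mss 65495,sackOK,TS val 633240570 ecr 0,nop,wscale 7], length 0
E..<tx@.@..A...........P@i..........wb.........
11:10:52.093559 IP localhost.59051 > localhost.http: Flags [P.], seq 1:18, ack 1, win 512, options [nop,nop,TS val 633240571 ecr 633240570], length 17
E..Etz@.@..6...........P@i... .......9.....
%.{.%.{.GET / HTTP/1.0


11:10:52.095201 IP localhost.http > localhost.59051: Flags [P.], seq 1:320, ack 18, win 512, options [nop,nop,TS val 633240572 ecr 633240571], length 319
E..s.m@.@............P... ..@i.......g.....
%.{.%.{.HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 111
Server: LiteSpeed
Connection: close

<html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
11:10:53.000000 IP 192.0.2.10.40000 > localhost.http: Flags [P.], seq 1:120, ack 1, win 512, options [nop,nop,TS val 633241000 ecr 633240900], length 119
E..Ezz@.@..6...........P@i... .......9.....
%.{.%.{.GET /index.html HTTP/1.1
Host: example.test
User-Agent: Mozilla/5.0 (constructed)
Accept: */*

"""


def parse_packets(text: str) -> List[Dict]:
    """Split tcpdump -A output into packets: header fields plus the ASCII payload lines."""
    packets: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2), "flags": m.group(3),
                       "length": int(m.group(4)), "lines": []}
            packets.append(current)
        elif current is not None:
            current["lines"].append(line)
    return packets


def extract_requests(text: str) -> List[Dict]:
    """Return one record per HTTP request found: source, destination, request line and headers."""
    requests: List[Dict] = []
    for pkt in parse_packets(text):
        if pkt["length"] == 0:          # pure SYN/ACK/FIN segments carry no HTTP
            continue
        for idx, line in enumerate(pkt["lines"]):
            m = REQUEST_LINE_RE.search(line)
            if not m:
                continue
            headers: Dict[str, str] = {}
            for hdr in pkt["lines"][idx + 1:]:
                if not hdr.strip():     # the empty line ends the header block
                    break
                name, _, value = hdr.partition(":")
                headers[name.strip().lower()] = value.strip()
            requests.append({"src": pkt["src"], "dst": pkt["dst"],
                             "method": m.group(1), "path": m.group(2),
                             "headers": headers,
                             "user_agent": headers.get("user-agent")})
            break                       # one request per segment is enough here
    return requests


def requests_without_user_agent(text: str) -> List[str]:
    """Sources (host.port) of requests that the '&REQUEST_HEADERS:User-Agent @eq 0' rule would deny."""
    return [r["src"] for r in extract_requests(text) if r["user_agent"] is None]


if __name__ == "__main__":
    # Read a real capture from stdin, or fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for r in extract_requests(data):
        ua = r["user_agent"] if r["user_agent"] is not None else "<no User-Agent header>"
        print(f"{r['src']} -> {r['dst']}  {r['method']} {r['path']}  UA: {ua}")
```

To use it on the server, feed it the same capture the thread used, with `-n` so that addresses stay numeric: `tcpdump -A -s0 -n -i any 'src 127.0.0.1 and port 80' > local.txt` and then `python3 parse_capture.py < local.txt` (the script name is an assumption). The source port printed for each header-less request is what you would chase next, for instance with `ss -tnp` while the capture is running, to find the local process that opens it.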

As I understand it, you are asking us to study your tcpdump log files. But this isn’t related to the Comodo Web Application Firewall product, so you should ask for help with this in the proper place.

Will do. Thanks for your help.