Issue
- Adding or searching for IPs in RBL can lead to HTTP 403 responses.
The IP is present in the bl_uri list:
[root@server]# grep -r "1.2.3.4" /var/imunify360/modsec/
/var/imunify360/modsec/generic/rules/bl_uri:1.2.3.4
Environment
- Imunify360 Stand-Alone
- ModSecurity
Solution
On a stand-alone installation the UI is hosted by a webserver, so ModSecurity handles all requests to the UI the same way it handles requests to a generic site.
When a request contains the IP address "1.2.3.4", it matches the entry in the bl_uri file and the request is blocked with a 403 error.
/var/imunify360/modsec/generic/rules/006_i360_4_custom.conf:
SecRule ARGS|REQUEST_COOKIES "@pmFromFile bl_uri" \
    "id:77142102,block,log,severity:2,t:none,t:urlDecodeUni,t:normalizePath,\
    msg:'IM360 WAF: Block URI containing malicious URLs||T:APACHE||MVN:%{MATCHED_VAR_NAME}||MV:%{MATCHED_VAR}||SC:%{SCRIPT_FILENAME}||',\
    tag:'service_i360custom'"
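The match described above can be reproduced offline. The following Python is an added example, not Imunify360 or ModSecurity code: it mimics the phrase match of the rule over ARGS and REQUEST_COOKIES. The bl_uri sample contents, the host `panel.example`, the parameter name `search` and the cookie name `last_ip` are constructed assumptions; t:urlDecodeUni is approximated with `urllib.parse.unquote` and t:normalizePath is omitted.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample of a bl_uri-style phrase file (not the real file contents).
BL_URI_SAMPLE = """\
# constructed sample entries
malicious.example/dropper.php
1.2.3.4
"""

def load_phrases(text):
    """One phrase per line; blank lines and '#' comment lines are ignored."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln.lower() for ln in lines if ln and not ln.startswith("#")]

def matching_vars(url, cookies, phrases):
    """Return (variable, value, phrase) for every ARGS/REQUEST_COOKIES hit."""
    args = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    variables = [("ARGS:" + k, v) for k, v in args]
    variables += [("REQUEST_COOKIES:" + k, v) for k, v in cookies.items()]
    hits = []
    for name, value in variables:
        # Approximates t:urlDecodeUni; t:normalizePath is omitted because it
        # does not change a dotted IPv4 string.
        candidate = unquote(value).lower()
        # The phrase match is a case-insensitive substring match.
        hits += [(name, value, p) for p in phrases if p in candidate]
    return hits

if __name__ == "__main__":
    phrases = load_phrases(BL_URI_SAMPLE)
    # Hypothetical UI requests; host, parameter and cookie names are assumptions.
    samples = [
        ("https://panel.example/ui/list?search=1.2.3.4", {}),
        ("https://panel.example/ui/list?search=21.2.3.40", {}),
        ("https://panel.example/ui/list?search=5.6.7.8", {}),
        ("https://panel.example/ui/list", {"last_ip": "1%2E2%2E3%2E4"}),
    ]
    for url, cookies in samples:
        hits = matching_vars(url, cookies, phrases)
        print("403" if hits else "200", url, cookies, hits)
```

The second sample shows that the phrase match is a substring match, so a different address that merely contains the listed one is flagged as well.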
The following CLI command can be used as a workaround to add the IP to the blacklist:
imunify360-agent ip-list local add --purpose drop 1.2.3.4
The behavior will be investigated within task IFR-681 for future Imunify360 releases.