Modsecurity inbound_anomaly_score

apache-2.2mod-security

I get this error from web server – is this known issue. There is plenty of questions on google — but not clear solution.

[error] [client ] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): Host header is a numeric IP address"] [hostname ""]

Best Answer

Are you accessing the machine via IP instead of DNS? This is designed behavior if so, as mod_security is outputting this message in response to the machine being accessed via IP. If you don't want the error you could comment out the rule in the file listed in your error.

For some background info, the reason the rule exists in the default configuration is because in most web sites you have a DNS associated name. So your customer base should be using that name. Lots of malicious bots like to "attack" or find vulnerable machines, by simply incrementing through IP ranges. By blocking these requests by IP at the outset you arguably lower risk. Make sure to remember to restart Apache after the change.

Related Solutions

Block php file access (modsecurity)

This sounds like a suitable situation for the <FilesMatch > directive, no need for mod_security at all.

<FilesMatch sm6[0-9]+\.php>
  Order Allow,Deny
  Deny from all
</FilesMatch>

Of course, if you don't want anyone to access the file, why not delete it or move it out of the DocumentRoot ?

If you edit your question to include more about who shouldn't be able to access the file I'll update my answer to match.

ModSecurity not enabled

was able to teak some settings, and correct usage of conf files made it work

Best Answer

Related Solutions

Block php file access (modsecurity)

ModSecurity not enabled

Related Topic