Posted to user@guacamole.apache.org by Vieri <re...@yahoo.com.INVALID> on 2020/02/03 15:01:29 UTC

Guacamole and Apache reverse proxy with modsecurity

Hi,

I'm seeing this in my logs:

[Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "gw.mydomain.org"] [uri "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"] [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/

[Mon Feb 03 15:41:38.280044 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "gw.mydomain.org"] [uri "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"] [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/

[Mon Feb 03 15:41:38.280179 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "gw.mydomain.org"] [uri "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"] [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/

# grep -n --after-context=12 --before-context=1 949110 /usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf
79-SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
80:    "id:949110,\
81-    phase:2,\
82-    deny,\
83-    t:none,\
84-    log,\
85-    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
86-    tag:'application-multi',\
87-    tag:'language-multi',\
88-    tag:'platform-multi',\
89-    tag:'attack-generic',\
90-    severity:'CRITICAL',\
91-    setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
92-

Overall, Guacamole behind this reverse proxy seems to work fine (for end-users), but I'm worried about the HTTP/403 reply...
Do you think it's worth looking into?
Do I need to tweak my modsecurity anomaly_score?

Vieri

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Guacamole and Apache reverse proxy with modsecurity

Posted by Vieri <re...@yahoo.com.INVALID>.
On Tuesday, February 4, 2020, 9:31:29 AM GMT+1, Vieri <re...@yahoo.com.invalid> wrote: 
>
> I guess I'll need to tune this down a bit.

In case someone else bumps into this: the defaults block methods required by RESTful APIs and WebDAV.
One needs to add the allowed methods.
The rule ID for that is 900200.

Thanks,

Vieri

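As an added example that is not part of this thread, Guacamole, ModSecurity or the OWASP CRS, the Python script below covers both Vieri's first mail and his follow-up about rule 900200: it reconstructs the inbound anomaly score from the three error-log lines he posted (rule 911100 is CRITICAL, which under the CRS 3.x defaults is worth 5 points, so on its own it reaches the default threshold of 5 and rule 949110 denies the request with a 403), and it renders the crs-setup.conf override of tx.allowed_methods (rule 900200), keeping the CRS defaults and appending only the methods the application is declared to need. The severity-to-points mapping, the threshold of 5, the default allowed methods GET HEAD POST OPTIONS, the function names and the PUT/PATCH/DELETE list used in the demo are my assumptions, not something the thread states.

```python
"""Triage ModSecurity/CRS anomaly-score blocks and render the CRS allowed-methods override.

Added example for this thread; not part of Guacamole, ModSecurity or the OWASP CRS.
Assumed (not stated in the thread): CRS 3.x points per severity, the CRS 3.x
default tx.allowed_methods, and the default inbound threshold of 5.
"""
import re
from collections import defaultdict

SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}  # assumption: CRS 3.x
DEFAULT_THRESHOLD = 5                                  # assumption: CRS 3.x inbound threshold
CRS_DEFAULT_METHODS = ("GET", "HEAD", "POST", "OPTIONS")  # assumption: CRS 3.x default
NON_SCORING_RULES = {"949110", "980130"}               # report on the score, do not add to it

# Matches the [key "value"] fields ModSecurity writes into the Apache error log.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# The three error-log lines from Vieri's first mail, copied verbatim.
SAMPLE_LOG = [
    '[Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "gw.mydomain.org"] [uri "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"] [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/',
    '[Mon Feb 03 15:41:38.280044 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "gw.mydomain.org"] [uri "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"] [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/',
    '[Mon Feb 03 15:41:38.280179 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "gw.mydomain.org"] [uri "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"] [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/',
]


def parse_fields(line):
    """Return the [key "value"] fields of one error-log line as a dict.

    Repeated keys (the [tag "..."] fields) keep only the last value; the triage
    only needs id, msg, data, severity, uri and unique_id.
    """
    return dict(FIELD_RE.findall(line))


def triage(lines, threshold=DEFAULT_THRESHOLD):
    """Reconstruct the inbound anomaly score per transaction (unique_id).

    "blocked" records what ModSecurity actually did (rule 949110 fired);
    "score" is recomputed from the scoring rules so the two can be cross-checked.
    """
    txs = defaultdict(lambda: {"uri": None, "score": 0, "hits": [],
                               "blocked": False, "denied_methods": set()})
    for line in lines:
        f = parse_fields(line)
        uid = f.get("unique_id")
        if uid is None:
            continue  # not a ModSecurity rule event
        tx = txs[uid]
        tx["uri"] = f.get("uri", tx["uri"])
        rule_id = f.get("id")
        if rule_id == "949110":
            tx["blocked"] = True
        elif rule_id not in NON_SCORING_RULES and "severity" in f:
            points = SEVERITY_POINTS.get(f["severity"], 0)
            tx["score"] += points
            tx["hits"].append((rule_id, points, f.get("msg", "")))
            if rule_id == "911100":  # method enforcement: [data "..."] is the rejected method
                tx["denied_methods"].add(f["data"])
    for tx in txs.values():
        tx["over_threshold"] = tx["score"] >= threshold
    return dict(txs)


def allowed_methods_rule(required_methods, rule_id="900200"):
    """Render the crs-setup.conf override of tx.allowed_methods (CRS rule 900200).

    CRS defaults are kept and the application's required methods appended, so
    the WAF still rejects methods the application does not actually use.
    """
    methods = list(CRS_DEFAULT_METHODS)
    for m in required_methods:
        token = m.strip().upper()
        if not re.fullmatch(r"[A-Z]+", token):  # keep the directive well-formed
            raise ValueError(f"not an HTTP method token: {m!r}")
        if token not in methods:
            methods.append(token)
    body = " ".join(methods)
    return (
        "SecAction \\\n"
        f'  "id:{rule_id},\\\n'
        "  phase:1,\\\n"
        "  nolog,\\\n"
        "  pass,\\\n"
        "  t:none,\\\n"
        f"  setvar:'tx.allowed_methods={body}'\"\n"
    )


if __name__ == "__main__":
    for uid, tx in triage(SAMPLE_LOG).items():
        print(f"{uid} {tx['uri']}: score={tx['score']} blocked={tx['blocked']}")
        for rule_id, points, msg in tx["hits"]:
            print(f"  +{points} rule {rule_id}: {msg}")
        if tx["denied_methods"]:
            print(f"  methods rejected by 911100: {sorted(tx['denied_methods'])}")
    # Assumed list for the demo, not a Guacamole specification: declare the
    # methods the application needs explicitly rather than allowing whatever was blocked.
    print(allowed_methods_rule(["PUT", "PATCH", "DELETE"]))
```

Run it as-is to see the per-transaction breakdown and the rendered rule; the rendered SecAction goes into crs-setup.conf in place of the commented-out 900200 block, followed by a config test and reload of Apache. Paste the real error-log lines into SAMPLE_LOG (or read them from a file) to see which rule, rather than the 949110 summary, actually supplied the points.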


Re: Guacamole and Apache reverse proxy with modsecurity

Posted by Vieri <re...@yahoo.com.INVALID>.
On Monday, February 3, 2020, 7:29:47 PM GMT+1, Mike Jumper <mj...@apache.org> wrote: 
>> I'm seeing this in my logs:
>> 
>> [Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493] [client 1.2.3.4] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "gw.mydomain.org"] [uri "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"] [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer: https://gw.mydomain.org/

> You can't block DELETE. Guacamole needs this method, as well as several others, for its REST API. The request that is being blocked 
> above is an attempt to log out.

Yes, I can see this in the log right when I log out.
 

> If you are blocking requests based on method alone, things are likely breaking.

These are the "default" modsecurity rules. I need to tweak them I guess. They may be too paranoid.

> A 403 response in itself is not worrisome and doesn't mean you are being attacked. 

I believe it's ModSecurity itself which is giving out the 403 response triggered by its rule.
In any case, I know I'm not under attack because the client IP address in the log is mine.
I guess I'll need to tune this down a bit.

Vieri



Re: Guacamole and Apache reverse proxy with modsecurity

Posted by Mike Jumper <mj...@apache.org>.
On Mon, Feb 3, 2020, 07:01 Vieri <re...@yahoo.com.invalid> wrote:

> Hi,
>
> I'm seeing this in my logs:
>
> [Mon Feb 03 15:41:38.279594 2020] [:error] [pid 9250] [client 1.2.3.4:2493]
> [client 1.2.3.4] ModSecurity: Warning. Match of "within
> %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file
> "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"]
> [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data
> "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag
> "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag
> "attack-generic"] [tag "OWASP_CRS"] [tag
> "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag
> "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "
> gw.mydomain.org"] [uri
> "/api/tokens/29306699FAB939B9531CD2E5C8525D4CC10C500E0CDBD965CFAF500880667237"]
> [unique_id "XjgxIiOWjFvp4Ckh-eibZgAAAAk"], referer:
> https://gw.mydomain.org/


You can't block DELETE. Guacamole needs this method, as well as several
others, for its REST API. The request that is being blocked above is an
attempt to log out.

...
>
> Overall, Guacamole behind this reverse proxy seems to work fine (for
> end-users), ...


If you are blocking requests based on method alone, things are likely
breaking.

> ... but I'm worried about the HTTP/403 reply...
> Do you think it's worth looking into?
> Do I need to tweak my modsecurity anomaly_score?


A 403 response in itself is not worrisome and doesn't mean you are being
attacked. If you see a ton of permission denied responses for the same IP,
then perhaps, but you can expect this and other error codes under normal
circumstances. The REST response which causes Guacamole to render a login
screen and prompt the user to log in is a 403, as is the response which
requests additional credentials (MFA, password reset, etc.). You'll also
see this if a user closes the tab without logging out, their session
expires, and then they come back later (their token will be invalid).

- Mike