Hi,
I work on a website and after 5-6 refreshes of my page my IP is blocked for 20 minutes... It's very annoying... because I can't work...
This is my error log:
Failures: 15 (mod_security)
Interval: 300 seconds
Blocked: Temporary Block
Log entries:
[Mon Jul 15 21:18:09 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRK8SU7IAMACi5MH5gAAAGG"]
[Mon Jul 15 21:18:30 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLBiU7IAMACi5MH64AAAGR"]
[Mon Jul 15 21:18:32 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLCCU7IAMACi5MH7EAAAGG"]
[Mon Jul 15 21:18:35 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLCyU7IAMACi5mINsAAAFJ"]
[Mon Jul 15 21:18:41 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLESU7IAMACi4vHrkAAABT"]
[Mon Jul 15 21:18:42 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLEiU7IAMACi5MH70AAAGJ"]
[Mon Jul 15 21:18:44 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLFCU7IAMACi4vHrwAAABY"]
[Mon Jul 15 21:18:45 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLFSU7IAMACi4vHr4AAABK"]
[Mon Jul 15 21:18:47 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLFyU7IAMACi5MH8UAAAGK"]
[Mon Jul 15 21:18:49 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLGSU7IAMACi5MH8YAAAGH"]
[Mon Jul 15 21:18:50 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLGiU7IAMACi5MH8kAAAGB"]
[Mon Jul 15 21:18:56 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLICU7IAMACi4vHs8AAABR"]
[Mon Jul 15 21:18:58 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLIiU7IAMACi4vHtMAAABV"]
[Mon Jul 15 21:19:05 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLKSU7IAMACi5MH@UAAAGY"]
[Mon Jul 15 21:19:08 2013] [error] [client 62.35.251.239] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:type\\\\b\\\\W*?\\\\b(?:text\\\\b\\\\W*?\\\\b(?:j(?:ava)?|ecma|vb)|application\\\\b\\\\W*?\\\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\\\b.{0,100}?\\\\bsrc)\\\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)| ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "1234123404"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "fleuriste-schiltigheim.com"] [uri "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"] [unique_id "UeRLLCU7IAMACi5mIRoAAAFP"]
Any ideas?
Thanks a lot
Nimix
IP Temporary Block
- mikeshinn
- Atomicorp Staff - Site Admin
Re: IP Temporary Block
Thanks for the question. So first off, those aren't our modsecurity rules: you're experiencing a problem with someone else's rules and they look poorly written. So my first piece of advice would be to get rid of them and use some that have been better designed so you don't run into this problem. You can download our rules from this URL:
https://www.atomicorp.com/wiki/index.ph ... rity_Rules
Or simply install ASL:
https://www.atomicorp.com/products/asl.html
If you want to keep using the rules you have, then you'll need to modify those rules for your environment. Like I said, they look poorly written so you may run into issues with other rules too and you'll just end up playing whack-a-mole with the next rule that gets in your way.
Second, if your IP is being blocked that sounds like you're using some kind of script that's blocking IPs so you'd want to look into how to undo that with whatever script you are using. You could whitelist your IP for example, or change the threshold so it doesn't shun on a single event or a lower consequence event.
I hope this is helpful.
Michael Shinn
Atomicorp - Security For Everyone
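Added example, not part of the original thread or of either poster's tooling: a small triage script that reads ModSecurity denial lines in the Apache error-log shape quoted in the question and reports which rule id and URI pushed a client past the blocking threshold. The threshold of 15 denials in 300 seconds is an assumption taken from the block notice in the question; the sample log is constructed, with documentation IP addresses and a placeholder second rule id.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: '
                     r'.*?\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]')
TS_FMT = "%a %b %d %H:%M:%S %Y"

def parse(log_text):
    """Return (timestamp, client, rule_id, uri) for each ModSecurity denial line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], TS_FMT), m["client"], m["id"], m["uri"]))
    return events

def block_causes(events, threshold=15, interval=300):
    """For each client with >= threshold denials inside interval seconds,
    count the (rule_id, uri) pairs in the window that crossed the threshold."""
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)
    report = {}
    for client, evs in by_client.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `interval` seconds.
            while evs[end][0] - evs[start][0] > timedelta(seconds=interval):
                start += 1
            if end - start + 1 >= threshold:
                report[client] = Counter((e[2], e[3]) for e in evs[start:end + 1])
                break
    return report

# Constructed sample: 15 denials of one static file by one rule, plus two unrelated denials.
def _line(offset, ip, rule_id, uri):
    ts = (datetime(2013, 7, 15, 21, 18, 9) + timedelta(seconds=offset)).strftime(TS_FMT)
    return (f'[{ts}] [error] [client {ip}] ModSecurity: Access denied with code 406 (phase 2). '
            f'Pattern match "..." at REQUEST_FILENAME. [line "117"] [id "{rule_id}"] '
            f'[msg "Cross-site Scripting (XSS) Attack"] [uri "{uri}"]')

COOKIE_JS = "/boutique/catalog/view/javascript/jquery/ui/external/jquery.cookie.js"
SAMPLE_LOG = "\n".join(
    [_line(4 * i, "203.0.113.7", "1234123404", COOKIE_JS) for i in range(15)]
    + [_line(10 * i, "198.51.100.9", "9999999999", "/index.php") for i in range(2)])  # placeholder id

if __name__ == "__main__":
    for client, causes in block_causes(parse(SAMPLE_LOG)).items():
        for (rule_id, uri), n in causes.most_common():
            print(f"{client}: rule {rule_id} denied {uri} {n} times")
```

When one rule id and one static file account for the whole window, as here, that pair is the candidate for rule tuning or a scoped exclusion, rather than the client being a real attacker.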