Recommendation for allowing my own scripts to get in

jerrykrinock
New Forum User
Post by jerrykrinock

I have Perl scripts on my site that sometimes talk to one another using the Perl module LWP::UserAgent, like this…

Code: Select all

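use LWP::UserAgent;
use HTTP::Request;

# $main::gScriptsPathUrl and $encodedQueryString are defined elsewhere (not shown in the post).
my $ua = LWP::UserAgent->new;
$ua->timeout(20);    # 20 second timeout

# POST the URL-encoded form data to the order-processing script.
my $orderProcessor = "$main::gScriptsPathUrl/ProcessOrder.pl";
my $request = HTTP::Request->new('POST', $orderProcessor);
$request->content_type('application/x-www-form-urlencoded');
$request->content($encodedQueryString);
my $response = $ua->request($request);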
Recently, possibly due to a server change, the above request began failing with HTTP Status 403 Forbidden. By guessing, I was able to fix the problem by telling my requests to spoof Firefox, like this…

Code: Select all

	$ua->agent("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0") ;
I think, but I am not sure because my web host only gives me second-hand access to the logs on this shared host, that these rejected requests are coincident with log entries like this:

Code: Select all

ModSecurity: Access denied with code 403 (phase 2). Match of "rx (^w3c-|systran\\\\))" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec_rules/20_asl_useragents.conf"] [line "147"] [id "330039"] [rev "4"] [msg "Atomicorp.com WAF Rules: Suspicious Unusual User Agent (libwww-perl).  Disable this rule if you use libwww-perl. "] [severity "CRITICAL"] [hostname "sheepsystems.com"] [uri "/cgi-bin/test/ProcessOrder.pl"] [unique_id "U87-V0VJqJ8AAGWTKqkAAAAH"]
My question is: What is the best way to work around this? My web host has offered to disable mod_security, but I don't think that would be a good idea. I also don't like the suggestion given, to disable libwww-perl, because this site is on a shared web host, and what if they do a security audit and decide to re-enable it again without telling me, or move me to a different server, or if I move to a different web host? It will take me two days to track down all of these little tweaks that made my site work. Does that make sense?

I think that modifying my "calling" script to use a different user agent, as I have, is a good workaround, but spoofing Firefox 30.0 is a kludge. Is there a good, future-proof User Agent string? What if I just made up my own User Agent string, "Jerry 1.0"? Is that a good idea?

Thanks,

Jerry Krinock
scott
Atomicorp Staff - Site Admin

Re: Recommendation for allowing my own scripts to get in

Post by scott

Sure, changing your user-agent is one way to do it; another is to disable the specific rule by the domain and/or URL:

https://www.atomicorp.com/wiki/index.ph ... ling_Rules

This has examples on how to do it globally, by the domain, by the URL, or a combination (domain & URL).
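
Added example (not part of the thread and not taken from the Atomicorp wiki): what disabling rule 330039 by domain and URL can look like in ModSecurity 2.x, next to the global form, and going one step further by also tying the exception to the caller's address. The rule id, hostname and URI come from the log line in the first post; the virtual host layout, the local rule id 1000001 and the address 192.0.2.10 are constructed placeholders, and the last rule assumes the calling script runs on the same server.

```apache
# Added example, not Atomicorp's configuration. Load this after the
# Atomicorp rule files: SecRuleRemoveById only affects rules that are
# already defined when it is read.

# Global form: turns the libwww-perl user-agent check off for every
# site and URL on the server. Shown commented out, for contrast only.
#SecRuleRemoveById 330039

<VirtualHost *:80>
    ServerName sheepsystems.com

    # Domain + URL form: rule 330039 stays active everywhere except the
    # one script that the site's own Perl code POSTs to.
    <LocationMatch "^/cgi-bin/test/ProcessOrder\.pl$">
        SecRuleRemoveById 330039
    </LocationMatch>
</VirtualHost>

# Tighter alternative to the LocationMatch block: drop 330039 at request
# time only when the request for that script also comes from the web
# server's own address (192.0.2.10 is a placeholder). The ctl action sits
# on the last rule of the chain, so it fires only if both conditions
# match; it runs in phase 1, before rule 330039 is evaluated in phase 2.
SecRule REQUEST_FILENAME "@streq /cgi-bin/test/ProcessOrder.pl" \
    "id:1000001,phase:1,t:none,pass,nolog,chain"
    SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" \
        "t:none,ctl:ruleRemoveById=330039"
```

With either scoped form, a request carrying the default libwww-perl user agent is still rejected on every other URL of the site.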
jerrykrinock
New Forum User

Re: Recommendation for allowing my own scripts to get in

Post by jerrykrinock

Thank you, Scott.

I decided to change the User Agent string in my "calling" script to "<MyCompanyName>/1.0". It seems to sail through ModSecurity with no problem. (This is instead of the Firefox 30 User Agent string in my original post, which also works.)

I hope this is the most future-proof, non-fragile solution.