
I'm relatively new to ModSecurity and I'm looking for some advice.

I've a default ModSecurity installation under the ConfigServer ruleset.

Lately, I'm seeing quite a number of blocks under id "2000064" which is a Pattern match "Mozilla/(4|5)\.0$" at REQUEST_HEADERS:User-Agent.

I suspect these are proper visitors but our hosting provider warns us NOT to remove this rule because it will block older versions of browsers and bots.

My question is, what does this pattern match mean: Mozilla/(4|5)\.0

Does it mean any user agent with Mozilla 4 and Mozilla 5 will be blocked?

It will be strange because there are lots of legitimate browsers with Mozilla/5.0 in the user agent. Even my current Firefox browser has a user agent of Mozilla/5.0 (Windows NT 10.0; Win64...

Is my hosting provider correct or is this rule too aggressive?

Here is the log sample:

Pattern match "Mozilla/(4|5)\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "104"] [id "2000064"]

[28/Jun/2024:03:54:21 --0400] Zn5sLRJ-7YQPbpofPVCiQwAAAgk 140.248.34.33 57238 69.16.199.39 443
--74de6d2a-B--
GET /mailmx/campaigns/bf371nqza781f/track-opening/vt017x0r0p698 HTTP/1.1
Host: ****(removed for privacy).com
Accept: image/webp,image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
Accept-Language: cs-CZ,cs;q=0.9
Connection: keep-alive
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0

--74de6d2a-F--
HTTP/1.1 406 Not Acceptable
Content-Length: 373
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--74de6d2a-H--
Message: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "104"] [id "2000064"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 140.248.34.33] ModSecurity: Access denied with code 406 (phase 2). Pattern match "Mozilla/(4|5)\\.0$" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/conf.d/modsec2.liquidweb.conf"] [line "104"] [id "2000064"] [hostname "Host: *****(removed for privacy).com"] [uri "/mailmx/campaigns/bf371nqza781f/track-opening/vt017x0r0p698"] [unique_id "Zn5sLRJ-7YQPbpofPVCiQwAAAgk"]
Action: Intercepted (phase 2)
Stopwatch: 1719561261282883 1915 (- - -)
Stopwatch2: 1719561261282883 1915; combined=241, p1=88, p2=151, p3=0, p4=0, p5=2, sr=55, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

Romeo Ninov

1 Answer


Here's the normal user agent string of a recent Firefox:

Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion

The regexp Mozilla/(4|5)\.0$ wouldn't match this, as $ means end of a string. It will match "Mozilla/5.0" because there is nothing after zero, but not "Mozilla/5.0 blah blah".

That said, any filter that just blocks certain useragents is utter crap, since the useragent is something that is freely set by the remote (by the web client) and that block is not just easy to circumvent, but that's the first thing that a minimally competent attacker would do. The useragent string can be used as a part of a complex detection, to establish a fingerprint of a remote, but alone it only has a limited use for statistics.

It is unknown whether these are attackers or not. You can't just say by seeing a useragent. Yet, I don't get why you would block anyone just because it's an old web client. Old, so what?
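To make the `$` anchor concrete, here is an added example that is not part of the question, the answer, or ModSecurity itself. It runs the regex from rule id 2000064 over a set of User-Agent strings with Python's `re` module, whose unanchored search and `$` semantics mirror the PCRE behaviour of ModSecurity's `@rx` operator for this pattern. Apart from the bare `Mozilla/5.0` seen in the audit log above, the sample User-Agent values are constructed; the `\Z` variant is an assumption about how one could tighten the rule if a trailing newline should not count, not anything the ruleset does.

```python
import re

# The pattern exactly as logged for rule id 2000064. There is no leading ^,
# so it is a search anywhere in the header value, but the trailing $ requires
# "Mozilla/4.0" or "Mozilla/5.0" to be the very end of the string.
RULE_PATTERN = re.compile(r"Mozilla/(4|5)\.0$")

# Assumed stricter variant: \Z matches only at the absolute end of the string,
# whereas $ (in both Python and PCRE) also matches just before a final "\n".
STRICT_PATTERN = re.compile(r"Mozilla/(4|5)\.0\Z")

# Constructed sample User-Agent values. Only the bare "Mozilla/5.0" comes from
# the audit log in the question; everything else is made up for illustration.
SAMPLE_AGENTS = [
    "Mozilla/5.0",                                   # bare value from the log
    "Mozilla/4.0",                                   # the other alternative
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0",
    "Mozilla/5.0 (compatible; ExampleBot/1.0; +https://example.invalid/bot)",
    "Mozilla/5.0\n",                                 # trailing newline
    "Mozilla/5.01",                                  # extra digit after .0
    "Some-Proxy Mozilla/5.0",                        # no ^ anchor, so prefix is fine
    "curl/8.0",                                      # no Mozilla token at all
]


def rule_matches(user_agent: str) -> bool:
    """True when rule 2000064's regex would fire on this User-Agent value."""
    return RULE_PATTERN.search(user_agent) is not None


def strict_rule_matches(user_agent: str) -> bool:
    """Same check with \\Z instead of $ (assumed tightening, see lead-in)."""
    return STRICT_PATTERN.search(user_agent) is not None


def classify(agents):
    """Map each User-Agent to (matches with $, matches with \\Z)."""
    return {ua: (rule_matches(ua), strict_rule_matches(ua)) for ua in agents}


def blocked_agents(agents):
    """Return only the User-Agents the rule as written would block."""
    return [ua for ua in agents if rule_matches(ua)]


if __name__ == "__main__":
    for ua, (loose, strict) in classify(SAMPLE_AGENTS).items():
        print(f"{ua!r:75} $ -> {loose!s:5} \\Z -> {strict}")
```

Running it shows that a full Firefox string is never blocked, because text follows `5.0`, while a bare `Mozilla/5.0` is, which is exactly the case in the audit log. The rule therefore does not block "any Mozilla 4 or 5 browser"; it blocks only clients that send the version token and nothing else, and, as the answer points out, a client can send whatever it likes in that header.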