I get this error from the web server. Is this a known issue? There are plenty of questions on Google, but no clear solution.
[error] [client ] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): Host header is a numeric IP address"] [hostname ""]
Are you accessing the machine via IP instead of DNS? This is designed behavior if so, as mod_security is outputting this message in response to the machine being accessed via IP. If you don't want the error you could comment out the rule in the file listed in your error.
For some background info, the reason the rule exists in the default configuration is because in most web sites you have a DNS associated name. So your customer base should be using that name. Lots of malicious bots like to "attack" or find vulnerable machines, by simply incrementing through IP ranges. By blocking these requests by IP at the outset you arguably lower risk. Make sure to remember to restart Apache after the change.
One more scenario is when you have Lynx performing some crontab jobs. Lynx is considered a "website crawler" in the default included rules; just disable it.
Good luck
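For triage, the rule file, line number and triggering message can be pulled out of a log entry like the one in the question programmatically. The following is an added example, not part of the original posts; the function name `parse_modsec_line` and the sample client and hostname values are assumptions.

```python
import re

# Constructed sample modelled on the log line in the question; the client and
# hostname values are documentation-range placeholders (blank on the page).
SAMPLE = (
    '[error] [client 192.0.2.10] ModSecurity: Warning. Operator LT matched 20 '
    'at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/'
    'modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly '
    'Score (Total Inbound Score: 5, SQLi=, XSS=): Host header is a numeric IP '
    'address"] [hostname "203.0.113.5"]'
)

# Metadata is emitted as [key "value"]; values may contain escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]*)\]')
SCORE_RE = re.compile(
    r'Inbound Anomaly Score \(Total Inbound Score: (\d+), '
    r'SQLi=(\d*), XSS=(\d*)\): (.*)'
)

def parse_modsec_line(line):
    """Return a dict of fields from one ModSecurity error-log entry, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        # Keys such as "tag" can repeat, so collect every value in order.
        fields.setdefault(key, []).append(value)
    client = CLIENT_RE.search(line)
    entry = {
        "client": client.group(1).strip() if client else "",
        "file": fields.get("file", [""])[0],
        "line": fields.get("line", [""])[0],
        "msg": fields.get("msg", [""])[0],
        "hostname": fields.get("hostname", [""])[0],
        "tags": fields.get("tag", []),
    }
    score = SCORE_RE.search(entry["msg"])
    if score:
        # In the correlation message, the text after the score describes
        # the match that contributed to it (here the numeric Host header).
        entry["total_score"] = int(score.group(1))
        entry["trigger"] = score.group(4)
    return entry

if __name__ == "__main__":
    for k, v in parse_modsec_line(SAMPLE).items():
        print(f"{k}: {v}")
```

Running it over a whole error log and counting entries by `trigger` and `hostname` shows how often the rule fires on IP-addressed requests before deciding whether to disable it.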
Joshua Enfield gave a good explanation of the issue, and if you want to give access to your server with a direct IP address, you can disable the rule by creating a new .conf file in the folder with the rules of mod_security2:
You can use SecRuleRemoveById to remove the rule or comment it out in the original file:
The first option should be better since you will know what rules are disabled and have more control at the end.
The example I gave above works with the latest OWASP rules 2.2.7.
*Also keep in mind that disabling a rule is probably not the best way to solve the problem, and the rule should be enabled again once you understand and test it. Another way to solve it could be to get a free DNS redirector service for your IP and access your server from the Internet with the new domain name: