fwd | 15 Jun 2004 00:26

problem chroot/mod_security apache with mod_ssl

Hello,
 
I need a little help with a problem chrooting Apache via mod_security (SecChrootdir) together with SSL support via mod_ssl.
------------------------------------------------------------------------------------------------------------------------------------------
In httpd.conf:
 
LoadModule security_module    libexec/mod_security.so
LoadModule env_module         libexec/mod_env.so
LoadModule config_log_module  libexec/mod_log_config.so
LoadModule mime_module        libexec/mod_mime.so
LoadModule negotiation_module libexec/mod_negotiation.so
LoadModule status_module      libexec/mod_status.so
LoadModule includes_module    libexec/mod_include.so
LoadModule autoindex_module   libexec/mod_autoindex.so
LoadModule dir_module         libexec/mod_dir.so
LoadModule cgi_module         libexec/mod_cgi.so
LoadModule asis_module        libexec/mod_asis.so
LoadModule imap_module        libexec/mod_imap.so
LoadModule action_module      libexec/mod_actions.so
LoadModule userdir_module     libexec/mod_userdir.so
LoadModule alias_module       libexec/mod_alias.so
LoadModule rewrite_module     libexec/mod_rewrite.so
LoadModule access_module      libexec/mod_access.so
LoadModule auth_module        libexec/mod_auth.so
LoadModule setenvif_module    libexec/mod_setenvif.so
<IfDefine SSL>
LoadModule ssl_module         libexec/libssl.so
</IfDefine>
LoadModule php4_module        libexec/libphp4.so
LoadModule perl_module        libexec/libperl.so
ClearModuleList
AddModule mod_security.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
AddModule mod_php4.c
AddModule mod_perl.c

-----
&
-----
 
<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Microsoft-IIS/4.0"
SecChrootdir /home/chroot/usr/local/apache/
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:401"
</IfModule>
------------------------------------------------------------------------------------------------------------------------------------------
 
# apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
# apachectl startssl
Apache/1.3.31 mod_ssl/2.8.18 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
 
Server www.test.com:443 (RSA)
Enter pass phrase:
 
Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
# ps -auwx | grep httpd
root      2649  1.2  8.5  8344 5224 ?        S    23:42   0:00 /usr/local/apache/bin/httpd -DSSL
apache    2749  0.0  0.0     0    0 ?        Z    23:42   0:00 [httpd <defunct>]
root      2751  0.0  1.2  1976  792 pts/1    R    23:42   0:00 grep httpd
------------------------------------------------------------------------------------------------------------------------------------------
 
but
 
------------------------------------------------------------------------------------------------------------------------------------------
 
# apachectl start
/usr/local/apache/bin/apachectl start: httpd started
# ps -auwx | grep httpd
root     16086  1.1  6.4  6464 3904 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16087  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16088  0.1  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16089  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16090  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16091  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
root     16103  0.0  1.2  1976  792 pts/1    R    00:03   0:00 grep httpd
------------------------------------------------------------------------------------------------------------------------------------------
In /usr/local/apache/error_log:
[Mon Jun 14 23:42:43 2004] [notice] mod_security: performed chroot, path=/home/chroot/usr/local/apache/
[Mon Jun 14 23:42:43 2004] [notice] Apache configured -- resuming normal operations
[Mon Jun 14 23:42:43 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Jun 14 23:42:43 2004] [error] mod_ssl: Child could not open SSLMutex lockfile /usr/local/apache/logs/ssl_mutex.2648 (System error follows)
[Mon Jun 14 23:42:43 2004] [error] System: Aucun fichier ou r\xe9pertoire de ce type (errno: 2)
------------------------------------------------------------------------------------------------------------------------------------------
When I comment out the SecChrootdir /home/chroot/usr/local/apache/ line, everything's fine.
 
# ps -auwx | grep httpd
root     15992  1.5  8.5  8344 5220 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   15998  0.5  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   15999  0.0  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   16000  0.0  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   16001  0.5  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   16002  0.0  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
root     16004  0.0  1.3  1976  800 pts/1    S    23:51   0:00 grep httpd
------------------------------------------------------------------------------------------------------------------------------------------
 
Directory /home/chroot/usr/local/apache/ exists:
 
# ls -l -R /home/chroot/
/home/chroot/:
total 4
drwxr-xr-x    3 root     root         4096 jun 14 01:31 usr/
 
/home/chroot/usr:
total 4
drwxr-xr-x    3 root     root         4096 jun 14 01:31 local/
 
/home/chroot/usr/local:
total 4
drwxr-xr-x    2 root     root         4096 jun 14 01:31 apache/
 
/home/chroot/usr/local/apache:
total 0

------------------------------------------------------------------------------------------------------------------------------------------
 
Is it possible for Apache mod_security chrooting to work fine with mod_ssl?
Do you have any ideas about that?
Am I obliged to go through the usual chroot way?
 
Thanks in advance
 
Fwd.
Ivan Ristic | 15 Jun 2004 10:34

[Fwd: Re: problem chroot/mod_security apache with mod_ssl]


-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: Ivan Ristic <ivanr <at> webkreator.com>
Subject: Re: [mod-security-users] problem chroot/mod_security apache with mod_ssl
Date: 2004-06-15 08:17:15 GMT
fwd wrote:
> Hello, 
>  
> I need a little help on problem with chrooting apache via mod_security with
> SecChrootdir and ssl support via mod_ssl. 
> 
> SecChrootdir /home/chroot/usr/local/apache/

  I'd say you want to use "/home/chroot" here.

> [Mon Jun 14 23:42:43 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Jun 14 23:42:43 2004] [error] mod_ssl: Child could not open SSLMutex
> lockfile /usr/local/apache/logs/ssl_mutex.2648 (Syst
> em error follows)

  Yes, with the chroot path as you defined, the place mod_ssl
  looks for its lock file is:

  /home/chroot/usr/local/apache/usr/local/apache/logs/ssl_mutex.2647

  and that's why it doesn't work.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


Ivan Ristic | 13 Jun 2004 20:45

[ANNOUNCE] mod_security 1.8RC2 released


Mod_security 1.8RC2 has been released. It is available for immediate
download from:

   http://www.modsecurity.org/download/

This is the second release candidate on the road to the final
release next week. It fixes a few small bugs and greatly
enhances the way events are logged into the error log.

About mod_security
------------------
Mod_security is an Apache module whose purpose is to protect
vulnerable applications and reject human or automated attacks.
It is an open source intrusion detection and prevention system
for Apache. In addition to request filtering, it also creates Web
application audit logs. Requests are filtered using regular
expressions. Some of the things possible are:

 * Apply filters against any part of the request (URI,
   headers, either GET or POST)
 * Apply filters against individual parameters
 * Reject SQL injection attacks
 * Reject Cross site scripting attacks

With few general rules mod_security can protect from both
known and unknown vulnerabilities.

Changes (v1.8RC2)
------------------

  * Fixed a problem where validation functions would reject a
    request without performing the default action fully
    (previously only the status was honored).

  * Improved logging a great deal. It is now easy to identify
    what and where went wrong.

  * Child processes now re-initialize mutexes, as they should (Apache
    2.x only)

  * Other cosmetic changes here and there.

  * BUG Temporary files were being created with wrong permissions.

  * BUG Fixed a problem in the UTF-8 validation routine. Some valid
    UTF-8 streams were being rejected as invalid.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

-------------------------------------------------------
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
Ivan Ristic | 15 Jun 2004 10:17

Re: problem chroot/mod_security apache with mod_ssl

fwd wrote:
> Hello, 
>  
> I need a little help on problem with chrooting apache via mod_security with
> SecChrootdir and ssl support via mod_ssl. 
> 
> SecChrootdir /home/chroot/usr/local/apache/

  I'd say you want to use "/home/chroot" here.

> [Mon Jun 14 23:42:43 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Mon Jun 14 23:42:43 2004] [error] mod_ssl: Child could not open SSLMutex
> lockfile /usr/local/apache/logs/ssl_mutex.2648 (Syst
> em error follows)

  Yes, with the chroot path as you defined, the place mod_ssl
  looks for its lock file is:

  /home/chroot/usr/local/apache/usr/local/apache/logs/ssl_mutex.2647

  and that's why it doesn't work.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
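Ivan's point is that once mod_security has called chroot(2), every absolute path Apache opens afterwards (such as mod_ssl's SSLMutex lock file under /usr/local/apache/logs) is looked up beneath SecChrootdir. The chroot directory therefore has to be the root of a tree that mirrors the server's own layout, and that tree must already contain the directories the modules open. The Python script below is an added example, not code from this thread or from mod_security: it reproduces the path resolution and, in a constructed temporary copy of the poster's empty /home/chroot tree, lists which needed directories are missing under the posted SecChrootdir versus the suggested /home/chroot. The list of needed directories is an assumption taken from the error_log line about logs/ssl_mutex.NNNN.

```python
import os
import tempfile


def resolve_in_chroot(chroot_dir: str, apache_path: str) -> str:
    """Host-side path the kernel opens when a process that has chroot(2)'d
    into chroot_dir opens the absolute path apache_path."""
    return os.path.join(chroot_dir, apache_path.lstrip("/"))


def missing_in_chroot(chroot_dir: str, apache_paths) -> list:
    """Return the Apache paths that do not exist beneath chroot_dir."""
    return [p for p in apache_paths
            if not os.path.exists(resolve_in_chroot(chroot_dir, p))]


def demo() -> tuple:
    """Rebuild the poster's empty /home/chroot/usr/local/apache tree in a
    temporary directory (constructed test data) and compare the posted
    SecChrootdir with the one Ivan suggests."""
    # Assumed from the error_log: the SSLMutex lockfile lives in ServerRoot/logs,
    # so that directory must exist inside the chroot before children start.
    needed = ["/usr/local/apache/logs"]
    with tempfile.TemporaryDirectory() as root:
        posted = os.path.join(root, "home/chroot/usr/local/apache")
        os.makedirs(posted)            # empty, as the ls -l -R output shows
        suggested = os.path.join(root, "home/chroot")

        # 1. Posted config: the chroot prefix is applied on top of the full
        #    ServerRoot path, so the lookup doubles /usr/local/apache.
        doubled = resolve_in_chroot(posted, "/usr/local/apache/logs/ssl_mutex.2648")
        missing_posted = missing_in_chroot(posted, needed)

        # 2. SecChrootdir /home/chroot: correct prefix, but the tree still has
        #    to contain logs/ before the children can create the lockfile.
        missing_before = missing_in_chroot(suggested, needed)
        os.makedirs(resolve_in_chroot(suggested, "/usr/local/apache/logs"))
        missing_after = missing_in_chroot(suggested, needed)

    return (doubled.replace(root, ""), missing_posted, missing_before, missing_after)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running the script prints the doubled lockfile path that Ivan quotes, shows that both chroot directories start out without a logs directory, and shows the missing list emptying once /home/chroot/usr/local/apache/logs is created. Before enabling SecChrootdir on a real server, the same missing_in_chroot check can be run against every directory named in httpd.conf (ServerRoot, DocumentRoot, log and lock paths) to catch the "No such file or directory" failure before the children die.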

Ivan Ristic | 15 Jun 2004 17:04

[ANNOUNCE] mod_security 1.8 released


Mod_security 1.8 has been released. It is available for immediate
download from:

   http://www.modsecurity.org/download/

After more than six months of development, resulting in a
40% larger code base, a stable version of the 1.8 branch
is available. The list of changes below contains only the
list of improvement since the last v1.7.x release.

About mod_security
------------------
Mod_security is an Apache module whose purpose is to protect
vulnerable applications and reject human or automated attacks.
It is an open source intrusion detection and prevention system
for Apache. In addition to request filtering, it also creates Web
application audit logs. Requests are filtered using regular
expressions. Some of the things possible are:

 * Apply filters against any part of the request (URI,
   headers, either GET or POST)
 * Apply filters against individual parameters
 * Reject SQL injection attacks
 * Reject Cross site scripting attacks

With few general rules mod_security can protect from both
known and unknown vulnerabilities.

Changes (since v1.7)
--------------------

  * Implementation of a multipart/form-data parser, closing
    a hole attackers could use to go through.

  * File upload interception and validation (via
    external scripts).

  * Improved audit log logs full requests (referencing
    files stored outside the file when necessary).

  * Improved debug logging, data is now properly escaped.

  * Improved logging, log entries now contain all the data
    needed to identify who, what, when, and where.

  * Keep uploaded files (option).

  * Much improved configuration code.

  * POST analysis can be turned off on the per-request
    basis now, dynamically.

  * A new (validating) cookie parser. Cookie data can
    be normalized or not.

  * Support for custom logging (to log only mod_security
    relevant requests).

  * Rewritten chroot support, now always works.

  * External scripts work with suExec.

  * Fixed a long-standing design flaw, where rejects due
    to normalization errors would not execute a default
    action.

  * The automated testing utility now supports a debug
    mode, where it prints the request and the response
    to the output.

  * Many small improvements. Many bugs fixed.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

Telepac | 16 Jun 2004 17:39

Problem with Portuguese characters

I'm Portuguese.
I have a problem with GET or POST whenever I try to send characters such as "á" or "é".

please help me

Best regards

Ivan Ristic | 16 Jun 2004 17:52

Re: Problem with Portuguese characters

Telepac wrote:

> I'm Portuguese
> I have problem with GET or POST whenever I intend to send characters as for
> eg: " á " or " é "

  You are likely restricting requests with:

  SecFilterForceByteRange FROM TO (set FROM to 0 and TO to 255)

  or

  SecFilterCheckUnicodeEncoding (should be off unless you know
  what you're doing)

  But you should really send us your full mod_security configuration
  so we can see for ourselves.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
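Ivan's two suspects both act on the raw bytes of the request, not on characters: SecFilterForceByteRange rejects any decoded byte outside the configured range, and SecFilterCheckUnicodeEncoding rejects byte sequences that are not valid UTF-8. The Python script below is an added example, not code from this thread or from mod_security, that shows why "é" trips both checks depending on the page's charset. It assumes, as a simplification, that the byte-range check runs on the percent-decoded query string and that Python's UTF-8 decoder stands in for mod_security's own validation routine; the sample query strings are constructed.

```python
from urllib.parse import unquote_to_bytes


def out_of_range_bytes(raw: bytes, lo: int, hi: int) -> list:
    """Percent-decode raw (assumed to match what the filter inspects) and
    return (offset, byte) pairs for every decoded byte outside lo..hi."""
    decoded = unquote_to_bytes(raw)
    return [(i, b) for i, b in enumerate(decoded) if not lo <= b <= hi]


def accepted(raw: bytes, lo: int, hi: int) -> bool:
    """True if a SecFilterForceByteRange lo hi setting would let raw through."""
    return not out_of_range_bytes(raw, lo, hi)


def valid_utf8(raw: bytes) -> bool:
    """Stand-in for SecFilterCheckUnicodeEncoding: is the decoded request
    body well-formed UTF-8? (Python's decoder is an assumption here.)"""
    try:
        unquote_to_bytes(raw).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Constructed samples: the same field sent from an ISO-8859-1 page and from
# a UTF-8 page. "é" is the single byte 0xE9 in Latin-1 and C3 A9 in UTF-8.
SAMPLES = {
    "latin1": b"q=caf%E9",
    "utf8":   b"q=caf%C3%A9",
}


def report(lo: int, hi: int) -> dict:
    """Per-sample verdict of a given byte range."""
    return {name: accepted(q, lo, hi) for name, q in SAMPLES.items()}


def unicode_report() -> dict:
    """Per-sample verdict of the UTF-8 validity check."""
    return {name: valid_utf8(q) for name, q in SAMPLES.items()}


if __name__ == "__main__":
    print("byte range 32..126:", report(32, 126))   # both rejected
    print("byte range 0..255: ", report(0, 255))    # both accepted
    print("offending bytes (utf8, 32..126):", out_of_range_bytes(SAMPLES["utf8"], 32, 126))
    print("UTF-8 check:", unicode_report())          # Latin-1 fails, UTF-8 passes
```

The output illustrates Ivan's advice: a printable-ASCII byte range such as 32..126 blocks accented letters whatever the encoding, so the range has to be 0..255 for a site that serves non-English text, and the Unicode check only makes sense when the application genuinely sends UTF-8, because a Latin-1 form submission is never valid UTF-8.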

Luis Miguel Cruz | 16 Jun 2004 17:52

Re: Problem with Portuguese characters

What is the DefaultCharset you are using?
Those are not Portuguese characters; they are also Spanish characters :(

Telepac wrote:

> I'm Portuguese
> I have problem with GET or POST whenever I intend to send characters as for
> eg: " á " or " é "
> 
> please help me
> 
> Best regards
> 

Ivan Ristic | 16 Jun 2004 18:05

Re: Problem with Portuguese characters

Luis Miguel Cruz wrote:

> What is the DefaultCharset you are using?
> Those are not portugeses characters, they are also
> spanish characters :(

  There are no restrictions by default (if there are - that would be a
  bug), it all depends on your configuration. Also, HTTP does not
  care about character encodings.

--

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
