peceka | 2 Jun 13:42

Re: Using SecChrootDir Directive

Hi Ivan,

> 
>   Everything else can remain outside jail but there are consequences
>   (e.g. you won't be able to restart Apache, just stop-start it).
> 

Why am I not able to restart Apache?
When using /usr/local/sbin/apachectl graceful

All httpd processes die and in the logs I've got:
httpd: bad user name nobody

But in httpd.conf:
User www
Group www

TIA

p.

-------------------------------------------------------
This SF.Net email is sponsored by Yahoo.
Introducing Yahoo! Search Developer Network - Create apps using Yahoo!
Search APIs Find out how you can build Yahoo! directly into your own
Applications - visit http://developer.yahoo.net/?fr=offad-ysdn-ostg-q22005
Ivan Ristic | 2 Jun 14:01

Re: Re: Using SecChrootDir Directive

peceka wrote:
> Hi Ivan,
> 
>>
>>   Everything else can remain outside jail but there are consequences
>>   (e.g. you won't be able to restart Apache, just stop-start it).
>>
> 
> Why am I not able to restart Apache?

   For a restart to take place the main Apache process must be able
   to re-read the configuration. If the httpd.conf is outside the jail
   it won't be able to access it.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Ryan Barnett | 2 Jun 14:03

Re: Re: Using SecChrootDir Directive

The error message in the logs most likely indicates that the apache
process is reading the chrooted httpd.conf file (which has the 'User
nobody' directive set) and is checking this against the chrooted
/etc/passwd file (which most likely does not have an entry for the
'nobody' account).

Try and trace/strace your apachectl command to verify which files it
is accessing -

# strace -f -e trace=open /usr/local/sbin/apachectl graceful

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 6/2/05, peceka <peceka <at> gmail.com> wrote:
> Hi Ivan,
> 
> >
> >   Everything else can remain outside jail but there are consequences
> >   (e.g. you won't be able to restart Apache, just stop-start it).
> >
> 
> Why am I not able to restart Apache?
> When using /usr/local/sbin/apachectl graceful
> 
> All httpd processes die and in the logs I've got:
> httpd: bad user name nobody

Yair | 3 Jun 14:03

Mod Security issue

Hi!

I'm using FC2 (Apache 1.3) with mod_security, and I wanted to ask if there is a way to "block" words via mod_security.

For example:

If somebody makes a post on a board that is hosted on my server with the word "wget" or "su root", then it will redirect the page to abuse.*my domain*.com (but for every site, HTML / PHP).

Thanks, Yair

peceka | 3 Jun 18:05

SecChrootDir and uploading files

Hi,

Does anybody know about problems with uploading files when using
SecChrootDir?

<IfModule mod_security.c>

    SecChrootLock modsec_chroot.lock
    SecChrootDir /usr/chroot/apache

SecFilterEngine DynamicOnly
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat Off
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

SecUploadDir /tmp
SecUploadKeepFiles On

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 9
SecFilterDebugLog /var/log/httpd/modsec_debug_log

# Accept only valid protocol versions, helps
# fight HTTP fingerprinting.
SecFilterSelective SERVER_PROTOCOL !^HTTP/(0\.9|1\.0|1\.1)$

# Require the Host header field to be present.
SecFilterSelective HTTP_Host ^$

# Allow supported request methods only.
SecFilterSelective REQUEST_METHOD !^(GET|HEAD|POST)$

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type \
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

</IfModule>

web3d# pwd
/usr/chroot/apache
web3d# ls -al
total 10
drwxr-xr-x  5 root  wheel  512 Jun  2 10:18 .
drwxr-xr-x  3 root  wheel  512 Jun  1 11:29 ..
drwxrwxrwt  2 root  wheel  512 Jun  3 17:26 tmp
drwxr-xr-x  3 root  wheel  512 Jun  2 10:18 usr
drwxr-xr-x  5 root  wheel  512 Jun  3 17:21 var
web3d# ls -lR var
total 6
drwxr-xr-x  3 root  wheel  512 Jun  3 15:46 log
drwxr-xr-x  2 root  wheel  512 Jun  3 17:55 run
drwxrwxrwt  2 root  wheel  512 Jun  3 17:21 tmp

var/log:
total 2
drwxrwxrwt  2 root  wheel  512 Jun  3 15:46 httpd

var/log/httpd:
total 0

var/run:
total 0
-rw-------  1 root  wheel  0 Jun  3 17:55 httpd.lock.1236

var/tmp:
total 0
web3d#

Script which uploads files to the server:
web3d# cat temp.php

<form action='temp.php' method="post">
<input type=file name=f >
<br>
<?
print_r($HTTP_POST_FILES );
?>
<br>
<input type=hidden value='hid'>
<input type=submit>
web3d#

And all the time $HTTP_POST_FILES shows me:
Array ( )

TIA,
p.

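The form in the post above has no enctype attribute, so the browser submits it as application/x-www-form-urlencoded and transmits only the file name, never the file contents; PHP then reports an empty upload array whether or not SecChrootDir is in use (the posted mod_security rules do allow multipart/form-data). The following is an added example, not the script from the post: the same upload form with the required enctype and a handler that reports why an upload failed. It assumes PHP 4.3 or later and a hypothetical destination directory $dest that exists inside the jail.

```php
<?php
// Added example (not the script from the post). Assumes PHP >= 4.3, where the
// upload array is $_FILES ($HTTP_POST_FILES is the older name for the same data)
// and the UPLOAD_ERR_* constants exist. $dest is a hypothetical directory: it
// must be writable by the httpd user and, with SecChrootDir, lie inside the jail.
$dest = '/var/www/uploads';

function upload_status($file) {
    // One line of diagnosis for a single $_FILES entry.
    if (!is_array($file)) return 'field absent from request';
    switch ($file['error']) {
        case UPLOAD_ERR_OK:        return 'ok';
        case UPLOAD_ERR_INI_SIZE:  return 'larger than upload_max_filesize';
        case UPLOAD_ERR_FORM_SIZE: return 'larger than MAX_FILE_SIZE form field';
        case UPLOAD_ERR_PARTIAL:   return 'only partially received';
        case UPLOAD_ERR_NO_FILE:   return 'no file selected';
        default:                   return 'error code ' . $file['error'];
    }
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $ctype = isset($_SERVER['CONTENT_TYPE']) ? $_SERVER['CONTENT_TYPE'] : '';
    // Without enctype="multipart/form-data" the browser sends
    // application/x-www-form-urlencoded and no file body at all,
    // so $_FILES stays empty no matter what mod_security does.
    if (strpos($ctype, 'multipart/form-data') !== 0) {
        echo 'Body is "' . htmlspecialchars($ctype) . '", not multipart; nothing uploaded.';
    } else {
        $status = upload_status(isset($_FILES['f']) ? $_FILES['f'] : null);
        echo 'Upload status: ' . htmlspecialchars($status);
        if ($status == 'ok' && is_uploaded_file($_FILES['f']['tmp_name'])) {
            // Ignore the client-supplied name; store under a server-chosen one
            // so a crafted filename cannot escape $dest.
            $target = $dest . '/' . md5(uniqid('upl', true));
            if (move_uploaded_file($_FILES['f']['tmp_name'], $target)) {
                echo ' - stored ' . (int) $_FILES['f']['size'] . ' bytes';
            } else {
                echo ' - move failed: check upload_tmp_dir and '
                   . htmlspecialchars($dest) . ' exist inside the chroot';
            }
        }
    }
}
?>
<form action="temp.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="1048576">
<input type="file" name="f">
<input type="submit" value="Upload">
</form>
```

If the status stays at "field absent from request" even with a multipart body, the request is being stopped before PHP sees it and the mod_security debug log is the next place to look.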
FrzzMan | 4 Jun 18:35

How to block request that don't have a specific cookie

Hello,

My site has been DDoSed for a month now :(

I tried to set up a filter that blocks every request that doesn't have a
specific cookie, but I can't find any way to
set it up: it can check an existing cookie to match the value,
but if that cookie doesn't exist, it allows the
request.

Please help... thank you in advance.

-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
a projector? How fast can you ride your desk chair down the office luge track?
If you want to score the big prize, get to know the little guy.  
Play to win an NEC 61" plasma display: http://www.necitguy.com/?r=20
Ryan Barnett | 6 Jun 15:34

Re: How to block request that don't have a specific cookie

You should be able to achieve this by creating the following filter -

SecFilterSelective HTTP_COOKIE "!cookietest"

If I then make the following request (without supplying a cookie
header at all) it will be denied -

# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 403 Forbidden

Here was the error message logged -

May 26 11:10:27 metacortex httpd[12206]: [error] [client 127.0.0.1]
mod_security: Access denied with code 403. Pattern match "!cookietest"
at HEADER(COOKIE) [uri "/"] [unique_id 0lNfrcCoAWYAAC <at> uB5MAAAAA]

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

On 6/4/05, FrzzMan <frzzman <at> gmail.com> wrote:
> Hello,
> 
> My site has been DDoSed for a month now :(
> 
> I tried to set up a filter that blocks every request that doesn't have a
> specific cookie, but I can't find any way to
> set it up: it can check an existing cookie to match the value,
> but if that cookie doesn't exist, it allows the
> request.
> 
> Please help... thank you in advance.
> 


Logs Console

Hi all, I saw Modseclogwatch and I thought it was OK, but I wanted something more like
ACID or BASE, so I used the code of Evert Daman as a base for a console like those.
I did some work this weekend; here is a demo:

http://laramies.no-ip.org/mod_sec_test/

 My todo list has:

 - A search form
 - A delete field in the table
 - Some graphic bars/pies with GD
 - Configuration screen for the install/setup
 - Multiple language version
 - Use CSS for everything
 - Beautify some outputs
 - Session control

I will work on the frontend and Evert will keep working on the parser.

The code will be available as soon as I finish the first version and Evert
corrects a problem with the parsing of some headers.

Tell me what you think..

-- 
_________________________________
Christian Martorella
e-Security Engineer
cmartorella <at> isecauditors.com

Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
____________________________________
This message and any documents attached to it may contain confidential
information. Therefore, anyone who receives it in error is informed that
the information contained in it is reserved and its unauthorised use is
legally prohibited, so in that case we ask you to notify us by the same
means or by telephone (93 305 13 18), refrain from making copies of the
message or forwarding or delivering it to another person, and delete it
immediately.

In compliance with Organic Law 15/1999 of 13 December on the protection
of personal data, Internet Security Auditors S.L. informs you that your
personal data have been included in computerised files owned by Internet
Security Auditors S.L., which will be the sole recipient of those data
and whose exclusive purpose is customer management and commercial
communication actions, and that you may exercise the rights of access,
rectification, cancellation and objection provided for by law by letter
addressed to Internet Security Auditors, c. Santander, 101. Edif. A. 2º 1ª,
08030 Barcelona, or by e-mail to the following address:
legal <at> isecauditors.com

Adrian Wilford | 6 Jun 16:20

Tomcat

Hi,
Anyone know if there is any effort to get mod_security to work with Tomcat?
If not, does anyone know where I can get the source code of mod_security for
Java?

thanks,
Adrian

----------------------------------------------------------------
Adrian Wilford
Email (Home): awilford <at> gmail.com
Email (Work): adrianw <at> peregrine.co.za

Work: +27 11 722 7498
Cell: +27 83 260 4034
----------------------------------------------------------------
