Lonnie | 1 Aug 02:17

Fedora3 mod_security not working

Sir,

I have subscribed to your mod_security list but after replying to the 
confirmation, I get no notice that I can go ahead and post, or a welcome 
message.

My problem is that even after installing the mod_security on my Linux 
Fedora3 Apache2 system and adding your quick example to the httpd.conf 
and restarting my server, I can still do a traversal attack on my system.

http://www.paysafenet.com/?x=../../../../../../../etc/passwd

with
<IfModule mod_security.c>

   # Turn the filtering engine On or Off
   SecFilterEngine On

   # Make sure that URL encoding is valid
   SecFilterCheckURLEncoding On

   # Only allow bytes from this range
   SecFilterForceByteRange 32 126

   # The audit engine works independently and
   # can be turned On or Off on the per-server or
   # on the per-directory basis
   SecAuditEngine RelevantOnly

   # The name of the audit log file

Lonnie | 1 Aug 03:31

Re: Fedora3 mod_security not working

Never mind......

I solved the problem and all is working well at this point.....

If you see any additional SecFilter statements that should be added then 
please let me know, ok.

Thanks,
Lonnie

Lonnie wrote:

> Sir,
>
> I have subscribed to your mod_security list but after replying to the 
> confirmation, I get no notice that I can go ahead and post, or a welcome 
> message.
>
> My problem is that even after installing the mod_security on my Linux 
> Fedora3 Apache2 system and adding your quick example to the httpd.conf 
> and restarting my server, I can still do a traversal attack on my system.
>
> http://www.paysafenet.com/?x=../../../../../../../etc/passwd
>
> with
> <IfModule mod_security.c>
>
>   # Turn the filtering engine On or Off
>   SecFilterEngine On
>

Ivan Ristic | 1 Aug 12:47

Re: Fedora3 mod_security not working

Lonnie wrote:
> Never mind......
> 
> I solved the problem and all is working well at this point.....
> 
> If you see any additional SecFilter statements that should be added then 
> please let me know, ok.

   We can't tell you which rules to add, as that depends entirely
   on your application and your defence strategy.

   We can, however, tell you to remove all of the SecFilter
   statements from the configuration sent in your previous email
   (they are just examples). Then you can put back some you think
   you need.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
Terry Dooher | 2 Aug 12:01

Re: mod_security specific to each virtual host

Lonnie wrote:
> Greeting All,
> 
> I am working to get mod_security installed and running well for our 
> systems and am wondering if you can please tell me how i can customize 
> it for each virtual server that we have?

This is simply a matter of adding your ruleset to the configuration inside 
your chosen VirtualHost directive. The rules should then only be enabled for 
that host and not the others.

> What I mean is that I think that there is supposed to be some way to 
> redirect the user if any of the SecFilters are triggered to a particular 
> web address, right?

Depending on the rule you're matching, it might simply be possible to skip 
mod_security and just add a Redirect directive to your VirtualHost, issuing a 
301 for the specific file:

Redirect 301 /files/hiddenfile.txt http://main.example.com

This doesn't do any pattern matching however. The mod_security way would be to 
issue a "redirect:http://main.example.com" for the specific rule. (I think 
this is a 301, but I haven't used this.)

> I want to set this up so that if a SecFilter is triggered by a 
> particular virtual server in my httpd.conf for ssl.conf then I will 
> redirect them to that main server instead of an error message page.

You could issue a "deny,log,status:403" as is recommended and specify a custom 

Terry Dooher | 2 Aug 12:10

Re: mod_security specific to each virtual host

Terry Dooher wrote:
[snip]
> Depending on the rule you're matching, it might simply be possible to 
> skip mod_security and just add a Redirect directive to your VirtualHost, 
> issuing a 301 for the specific file:
> 
> Redirect 301 /files/hiddenfile.txt http://main.example.com
> 
> This doesn't do any pattern matching however. The mod_security way would 
> be to issue a "redirect:http://main.example.com" for the specific rule. 
> (I think this is a 301, but I haven't used this.)

My mistake. You _can_ do pattern matching with redirect. RedirectMatch does 
regexp pattern matching.

'tis all in here:

http://httpd.apache.org/docs/2.0/mod/mod_alias.html

Terry.

Alex | 2 Aug 16:04

Error 500, need help under Plesk Server

Hello,

We installed the fine mod_security on our Plesk 7.5.3 Unix Server, based on
Fedora Core2.
We installed the Rule regression-v2.

Now some customers/users told us that visitors get an Internal Error
500, so mod_security got a pattern match.
But when we looked at the site, all seemed to be fine!

So I don't know what the problem is!

Does someone have a standard working ruleset for us that works with our Plesk
server?

Many thanks for help

Alex

Ivan Ristic | 2 Aug 17:19

Re: Error 500, need help under Plesk Server

Alex wrote:
> Hello,
> 
> We installed the fine mod_security on our Plesk 7.5.3 Unix Server, based on
> Fedora Core2.
> We installed the Rule regression-v2.
> 
> Now some customers/users told us that visitors get an Internal Error
> 500, so mod_security got a pattern match.
> But when we looked at the site, all seemed to be fine!
> 
> So I don't know what the problem is!
> 
> Does someone have a standard working ruleset for us that works with our Plesk
> server?

   "Rule regression-v2" is *not* a working ruleset. You need to remove
   it from your configuration. For sets of rules have a look at
   http://www.gotroot.com

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org


Wally | 3 Aug 10:53

Custom directive needed

Hey guys, I need to know how to block this one call in mod_security.
Here is the error_log with the errors that I want to stop happening.
The problem is that these errors take up the bandwidth, so I need to
know how to stop apache handling them.

/usr/local/apache/logs]# tail -f access_log
211.229.230.115 - - [02/Aug/2005:01:21:21 -0400]
"6bNLilgBIbuJkWI3pww0QhnhnM" 501 -
65.10.248.190 - - [02/Aug/2005:01:21:24 -0400] "Kgd365YCZadmlioSqs8" 501 -
211.195.177.209 - - [02/Aug/2005:01:21:25 -0400] "CSwG8ImRNvWzpEsjntEnASp" 501 -
219.104.191.68 - - [02/Aug/2005:01:21:25 -0400]
"9kX7QLZbtIhLKCaq2qm9bpEKgoHNkYOkLJ0CW9igCN8ttTqYGRMH3zNCOfxOIJnlYlnMG31fA1gKpHmJG1oYzS7oDYYIuzgv"
501 -
206.149.212.240 - - [02/Aug/2005:01:21:27 -0400] "UXrSXYDCKyq6RJmJQzhw" 501 -
200.106.17.162 - - [02/Aug/2005:01:21:28 -0400]
"LuoWg58vto0JSfk0l6veD1luOAKBK1DaO54rfEP9TKTk3l58paSL10JjCFqCcMUyPCuWD4"
501 -
219.66.107.70 - - [02/Aug/2005:01:21:28 -0400]
"s8fEcwNOx0SqYlOGIwqnnp5oxx3TG8qR1mlyN2H4bWgJAvz19RKtuZdQYqsAJdsaay6NydjrKW30RcyUA44womsD"
501 -
61.235.157.180 - - [02/Aug/2005:01:21:29 -0400]
"vTiFxczhCX2tQ1XNehWfxyruQLDtH6uaCJuFmxlJggLoEUuC6fhHIB4rpj27" 501 -
221.185.120.244 - - [02/Aug/2005:01:21:29 -0400] "ptmrUX5v" 501 -
70.177.54.195 - - [02/Aug/2005:01:21:29 -0400] "mLRoUP6DdIj52v5voMxmsksz" 501 -
210.213.147.250 - - [02/Aug/2005:01:21:31 -0400] "xfxeKjsQjg5A6SWDkG" 501 -
60.214.223.1 - - [02/Aug/2005:01:21:34 -0400] "-" 408 -
24.45.203.10 - - [02/Aug/2005:01:21:34 -0400] "1sLtDPrGScL0uIoz" 501 -
67.168.31.96 - - [02/Aug/2005:01:21:35 -0400] "-" 408 -
68.219.29.135 - - [02/Aug/2005:01:21:35 -0400]
"S9vtUMgKOoMHgi5QARCLQlMWCNGP2Pv6TugQXLSNH01e5e7bTl0OszkQJ1zlVeDQsWUjjt3yKRA8ZbLxJZ"

Ivan Ristic | 3 Aug 11:04

Re: Custom directive needed

Wally wrote:
> Hey guys, I need to know how to block this one call in mod_security.
> Here is the error_log with the errors that I want to stop happening.
> The problem is that these errors take up the bandwidth, so I need to
> know how to stop apache handling them.
> 
> /usr/local/apache/logs]# tail -f access_log
> 211.229.230.115 - - [02/Aug/2005:01:21:21 -0400]
> "6bNLilgBIbuJkWI3pww0QhnhnM" 501 -

   You don't need/want mod_security for that. Tail the access log from
   a script, extract the IP addresses that are attacking you, and
   use blacklist (http://www.apachesecurity.net/tools/) to deny access
   to them on the firewall.

> 60.214.223.1 - - [02/Aug/2005:01:21:34 -0400] "-" 408 -

   BTW, these are not necessarily attacks. They could be, but only
   if they are coming in large numbers.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

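Ivan's suggestion above, worked through as an added example (this is not code from the thread or from the blacklist tool): a POSIX shell function that counts 501 responses per client in an Apache access_log and reports only clients over a threshold, since, as he notes, isolated 501 or 408 entries are not evidence of anything. The sample log lines, the documentation-range addresses and the iptables command are constructed assumptions.

```shell
#!/bin/sh
# Apache answers 501 when the request line is not a recognised method,
# which is what the random-string request lines in the posted log are.

# Print "hits ip" for each client with at least $1 (default 10) responses
# with status 501. Reads common/combined log format on stdin: the client
# IP is field 1 and the status code is the first token after the quoted
# request line (which may itself contain spaces, so do not use $NF-1).
suspect_ips() {
    awk -v min="${1:-10}" '
        {
            n = split($0, part, "\"")      # pieces between double quotes
            split(part[n], tail, " ")      # text after the request line
            if (tail[1] == "501") hits[$1]++
        }
        END {
            for (ip in hits) if (hits[ip] >= min) print hits[ip], ip
        }' | sort -rn
}

# Turn the report into firewall commands for review (printed, not run);
# the iptables form is an assumption, substitute your own tooling.
deny_rules() {
    suspect_ips "$1" | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Constructed sample log (RFC 5737 documentation addresses); on the server
# above the real file would be /usr/local/apache/logs/access_log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [02/Aug/2005:01:21:21 -0400] "6bNLilgBIbuJkWI3pww0QhnhnM" 501 -
192.0.2.10 - - [02/Aug/2005:01:21:22 -0400] "Kgd365YCZadmlioSqs8" 501 -
192.0.2.10 - - [02/Aug/2005:01:21:25 -0400] "ptmrUX5v" 501 -
198.51.100.7 - - [02/Aug/2005:01:21:24 -0400] "xfxeKjsQjg5A6SWDkG" 501 -
203.0.113.9 - - [02/Aug/2005:01:21:34 -0400] "-" 408 -
203.0.113.9 - - [02/Aug/2005:01:21:40 -0400] "GET /index.html HTTP/1.1" 200 1234
EOF

# With a threshold of 2 only 192.0.2.10 is reported; the single 501 from
# 198.51.100.7 and the 408 timeout are ignored.
suspect_ips 2 < "$SAMPLE_LOG"
deny_rules 2 < "$SAMPLE_LOG"
```

Run it against a rotating copy of the log from cron rather than from `tail -f`, so a burst does not block the script on a quiet log.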

Alex | 3 Aug 11:00

Which Rules to use?

Hello,

We're using Plesk 7.5 for Unix on a Fedora Core2 server, and my question is:

Which rules are preferred for us:

 Application protection rules
 UserAgent rules
 Comment spam rules
 RootKit/Owned boxes blacklist
 Proxy scan rules
 Additional Apache 2.x rules

Must we take all of them into the httpd.conf?

Thanks for help


Gmane