Re: Update mod-security2 on ubuntu 7.10 - apache2.2

On Fri, Feb 29, 2008 at 01:45:28PM +0000, nameman wrote:
> Failed to fetch
> http://etc.inittab.org/~agi/debian/libapache-mod-security2/./Release  Unable to
> find expected entry  Sources in Meta-index file (malformed Release file?)
> Reading package lists... Done
> E: Some index files failed to download, they have been ignored, or old ones used
> instead."
> 
> What is the problem ?
> What do I do to update mod-security2 ?

The configuration in /etc/apt/sources.list should read:

deb http://etc.inittab.org/~agi/debian/libapache-mod-security2 ./

If you have *exactly* that line, then I have no idea why it is giving
such an error. But you can always download the debs with wget and install
them with dpkg.

Regards,

Alberto

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3


James Nordstrom | 4 Mar 03:42

Still stuck with up to 400% decrease in performance.

Hi All,

I have tried everything I can think of and am still
stuck with up to a 400% decrease in performance.

-Disabled all logging
-Set log level to 0
-Removed the rules one by one
-Replaced 2.5.0 with 2.1.6
-Disabled outbound inspection

I did not find one offending rule, the rules just
appear to run slow.

Running a simple 100 user load test: (3 GETs
and 1 POST)
Mod security disabled  8% - 20% CPU
Mod security enabled  40% - 80% CPU (various rules
added/removed)

Since I am facing the same issues with 2.5.0 as I am
with 2.1.6 I am wondering if PCRE can be the issue. I
use Apache 2.2.8 which uses an external PCRE lib.  I
see PCRE 7.6 is out; should I upgrade from 7.2?

My system is:
-2x 2.4GHz dual core AMD Opterons
-32GB RAM
-OpenSuse 10.3 64Bit
-Apache 2.2.8 (64Bit)

Kevin Ross | 3 Mar 18:49

phpmyadmin

Hi all,

I just did a reinstall for one of our users--I installed Fedora 8--and his 
phpmyadmin is no longer accessible.  I can't seem to find information on the web 
about how to disable this--to allow access to phpmyadmin.  Does anyone here 
happen to be familiar with this?

Thanks,

Kevin

Jerry | 4 Mar 10:41

Re: Run external command piping out IP address

I have now tried this on 2.5 and still get the same problem.

Is this specific to Centos 4?

Could it be due to selinux (either on or off)?

Is there another way to achieve the objective namely: If X rule is triggered 
automatically ban the IP via iptables?

What I'm trying to do is to totally block traffic which triggers a specific 
rule. I know I can set the rule to drop the connection but when the source 
sends 20 hits at a time this is not effective. I'd rather drop the first one 
and permanently ban the IP there and then and review it manually later.

"Ryan Barnett" <Ryan.Barnett <at> Breach.com> wrote in message 
news:50E6558DF2E9624DA8DADDE0C5018486012524BB <at> midas.utopiasystems.net...
> Jerry,
> I just ran some tests and had similar results.  The issue ended up being
> not with the perms on the file but rather the perms on the directory the
> script was in.  Ensure that the Apache user has execute perms on the
> entire directory structure to where your test.sh script is
> (/secondary/logs/).
>
> -- 
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
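A check for the cause Ryan describes, added here as an example that is not part of the thread: the function (a name chosen for this example) walks every directory above a script path and reports those whose "other" execute (search) bit is missing. It assumes the Apache user is neither the owner nor in the group of those directories, so it can only reach the script through the "other" bits.

```shell
#!/bin/sh
# Added example (not from the thread): report which directories above a
# script lack the "other" execute (search) bit, the cause Ryan describes.
# Assumption: the Apache user is neither the owner nor in the group of these
# directories, so it reaches the script only through the "other" bits.
# Usage: check_path_exec /secondary/logs/test.sh
check_path_exec() {
    target=$1
    missing=0
    dirs=""
    p=$(dirname "$target")
    # Collect every ancestor directory, nearest last, stopping at "/".
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        dirs="$p $dirs"
        p=$(dirname "$p")
    done
    # Paths containing spaces are not handled by this word-split loop.
    for d in $dirs; do
        mode=$(ls -ld "$d" | cut -c1-10)     # e.g. drwxr-x---
        ox=$(printf '%s' "$mode" | cut -c10) # "other" execute position
        case $ox in
            x|t) printf 'ok      %s %s\n' "$mode" "$d" ;;
            *)   printf 'MISSING %s %s\n' "$mode" "$d"
                 missing=$((missing + 1)) ;;
        esac
    done
    # Exit status is the number of directories the Apache user cannot enter.
    return "$missing"
}
```

A non-zero exit status means at least one directory on the way to the script is closed to "other" users, which is enough to make an exec'd script fail even when the script file itself is executable.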

Ryan Barnett | 4 Mar 16:20

Re: phpmyadmin

What do the error logs say?  If modsecurity is blocking access, then the
error log data will tell you why.  What rule sets are you using?

-Ryan

 
> -----Original Message-----
> From: mod-security-users-bounces <at> lists.sourceforge.net [mailto:mod-
> security-users-bounces <at> lists.sourceforge.net] On Behalf Of Kevin Ross
> Sent: Monday, March 03, 2008 12:49 PM
> To: mod-security-users <at> lists.sourceforge.net
> Subject: [mod-security-users] phpmyadmin
> 
> Hi all,
> 
> I just did a reinstall for one of our users--I installed Fedora 8--and his
> phpmyadmin is no longer accessible.  I can't seem to find information on
> the web about how to disable this--to allow access to phpmyadmin.  Does anyone
> here happen to be familiar with this?
> 
> Thanks,
> 
> Kevin

Brian Rectanus | 4 Mar 18:04

Re: Still stuck with up to 400% decrease in performance.

Hi James.  Just wanted to let you know I am still looking at this.  I
have not been able to replicate/isolate the issue yet.

From what I gathered from your emails, this happens just doing a simple
GET request of a static page (one that should not alert).  Is this true?

How are you generating the load?  Is it a single threaded (or multiple
unthreaded) processes on the same box doing requests, or is it some load
generation software external to the box?  Anything that you can do to
better describe your process of load testing would help me setup a
similar test here.

As for PCRE, I am not sure.  I have 7.4 that I am using.

-B

James Nordstrom wrote:
> Hi All,
> 
>         I have tried everything I can think of and am still
> stuck with up to a 400% decrease in performance.
> 
> -Disabled all logging
> -Set log level to 0
> -Removed the rules one by one
> -Replaced 2.5.0 with 2.1.6
> -Disabled outbound inspection
> 
>         I did not find one offending rule, the rules just
> appear to run slow.

James Nordstrom | 4 Mar 20:02

Re: Still stuck with up to 400% decrease in performance.

Hi Brian, 

    Thanks for your help.

    I am using webload (http://www.radview.com/) 100
users concurrent with 1 - 2 second sleep times. Each
virtual user requests three pages using GET, no params,
test is running in a loop. No fixed number of
iterations. Load is generated on a dedicated load
generation box.  The target machine is also dedicated,
all tests are run with everything configured the same
way with the exception of SecRuleEngine On and
SecRuleEngine Off,  network is dedicated 100Mb.

    The only odd thing I noticed was the test requests
are not caching correctly, meaning for each request I
may be requesting 20 or more static files (css, js and
images). It was my understanding that mod_security
would not do, or at least do limited, work on these
types of request (sub requests from the parent HTML).

    If mod_security is acting on these requests it
might explain the load. Because now 100 concurrent
requests become 2000 requests.

    I also run the apache server as a reverse proxy
and SSL termination point.

APACHE_MODULES="dir alias expires headers log_config
mime negotiation setenvif ssl unique_id proxy rewrite

Mike Gallant | 4 Mar 21:50

SecAction failure.

I have been upgrading our setup to newer versions and ran into an
issue with modsecurity (2.1.6).  We are looking to shield the
request_header:authorization value from the receiving cgi/php/perl
application.

The operating system is Solaris 10 (0807) 5.10 Generic_120011-14
sun4v sparc SUNW,Sun-Fire-T200
Apache  2.0.61

I have used the standard modsecurity_apache with the core rules, no  
modifications - things work and pages are displayed.

I then create the modsecurity_crs_15_customrules.conf and add one line:
SecAction log,phase:1,sanitiseRequestHeader:Authorization

Which yields a "Forbidden - You don't have permission to access on  
this server."

Having a little trouble sorting out why this might be failing......

Thanks,
Mike

I have included the apache info and the modsecurity log and debug log.

Server version: Apache/2.0.61
Server built:   Dec 17 2007 11:47:04
Server's Module Magic Number: 20020903:12
Server loaded:  APR 0.9.16, APR-UTIL 0.9.15
Compiled using: APR 0.9.16, APR-UTIL 0.9.15

Brian Rectanus | 4 Mar 21:55

Re: SecAction failure.

The default in 2.1.6 is "deny,status:403", so that is what it is doing.
Add the "pass" action:

SecAction "pass,log,phase:1,sanitiseRequestHeader:Authorization"

-B

Mike Gallant wrote:
> I have been upgrading our setup to newer versions and ran into an
> issue with modsecurity (2.1.6).  We are looking to shield the
> request_header:authorization value from the receiving cgi/php/perl
> application.
> 
> The operating system is Solaris 10 (0807) 5.10 Generic_120011-14
> sun4v sparc SUNW,Sun-Fire-T200
> Apache  2.0.61
> 
> I have used the standard modsecurity_apache with the core rules, no  
> modifications - things work and pages are displayed.
> 
> I then create the modsecurity_crs_15_customrules.conf and add one line:
> SecAction log,phase:1,sanitiseRequestHeader:Authorization
> 
> Which yields a "Forbidden - You don't have permission to access on  
> this server."
> 
> Having a little trouble sorting out why this might be failing......
> 
> 
> Thanks,

Ryan Barnett | 4 Mar 21:57

Re: SecAction failure.

Mike,
Two comments -

1) The reason you are getting the 403 is because you did not specify the disruptive action for the SecAction
directive, so it is inheriting it.  If you want to allow the request to proceed after a SecAction, you need to
specify "pass".

2) The other problem is that this action does not work as you are expecting.  That action is used only for
obscuring the data in the Mod audit logs and does not manipulate the raw data.  In order to do what you are
describing, you will probably need to use mod_headers.

Thanks,
Ryan C. Barnett 

----- Original Message -----
From: mod-security-users-bounces <at> lists.sourceforge.net <mod-security-users-bounces <at> lists.sourceforge.net>
To: mod-security-users <at> lists.sourceforge.net <mod-security-users <at> lists.sourceforge.net>
Sent: Tue Mar 04 15:50:02 2008
Subject: [mod-security-users] SecAction failure.

I have been upgrading our setup to newer versions and ran into an
issue with modsecurity (2.1.6).  We are looking to shield the
request_header:authorization value from the receiving cgi/php/perl
application.

The operating system is Solaris 10 (0807) 5.10 Generic_120011-14
sun4v sparc SUNW,Sun-Fire-T200
Apache  2.0.61

I have used the standard modsecurity_apache with the core rules, no  
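A check that surfaces the mistake behind Mike's 403, the point both Brian and Ryan make above, added here as an example that is not part of the thread: the function (a name chosen for this example) lists every SecAction/SecRule line in a configuration file that names no disruptive action and will therefore inherit the default one. It assumes one rule per line with no backslash continuations, and that a SecRule's action list is the last double-quoted string on the line.

```shell
#!/bin/sh
# Added example (not from the thread): list SecAction/SecRule lines that name
# no disruptive action and so inherit the default, which in 2.1.6 is
# deny,status:403 (Brian's point) and is what turned Mike's SecAction into a 403.
# Assumptions: one rule per line, no backslash continuations, and for SecRule
# the action list is the last double-quoted string on the line.
lint_inherited_disruptive() {
    awk '
        /^[ \t]*Sec(Action|Rule)[ \t]/ {
            acts = $0
            # Look only at the trailing quoted action list when there is one,
            # so a word like "pass" inside a SecRule operator is not mistaken
            # for the action.
            if (match(acts, /"[^"]*"[ \t]*$/)) acts = substr(acts, RSTART)
            if (acts !~ /(^|[^a-z])(pass|allow|block|deny|drop|redirect:|proxy:)([^a-z]|$)/) {
                print NR ": " $0
                n++
            }
        }
        END { exit n + 0 }
    ' "$1"
}
# Usage: lint_inherited_disruptive /path/to/modsecurity_crs_15_customrules.conf
# Exit status is the number of rules that will inherit the default disruptive action.
```

Rules it lists are not necessarily wrong, since inheriting SecDefaultAction is normal for most SecRule lines, but a SecAction in that list is almost always one that was meant to carry "pass".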