[Mod-security-developers] [JIRA] Resolved: (MODSEC-364) Modsecurity displaying wrong IP Address in
From: Breno S. P. (JIRA) <no...@mo...> - 2012-12-19 11:50:24
[ https://www.modsecurity.org/tracker/browse/MODSEC-364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Breno Silva Pinto resolved MODSEC-364.
--------------------------------------

    Resolution: Fixed

> Modsecurity displaying wrong IP Address in Apache 2.4 (as backend) error log
> ----------------------------------------------------------------------------
>
>                 Key: MODSEC-364
>                 URL: https://www.modsecurity.org/tracker/browse/MODSEC-364
>             Project: ModSecurity
>          Issue Type: Bug
>      Security Level: Normal
>          Components: Logging
>    Affects Versions: 2.7.0, 2.7.1
>         Environment: CentOS 5.8 x86, HTTPD 2.4.3
>            Reporter: Aditya W
>            Assignee: Breno Silva Pinto
>              Labels: 2.4.x, httpd
>             Fix For: 2.7.2
>
>
> Tested on Apache 2.4.3 with ModSecurity 2.7.0 (first) and then 2.7.1. Both of them are displaying the wrong IP address; it should display 192.168.11.1, not 127.0.0.1 or 192.168.11.2.
>
> Apache configuration:
> 1. mod_remoteip enabled
> 2. LogFormat parameter has been changed to %a instead of the default %h so Apache can put the correct IP address in the logfile
>
> First test using this configuration:
> ====================================
> RemoteIPHeader X-Remote-Addr
> RemoteIPInternalProxy 127.0.0.1
> RemoteIPInternalProxy 192.168.11.2
>
> Access Log
> ----------
> 192.168.11.1 - - [06/Dec/2012:14:49:48 +0700] "GET /test.html?i=%3Cscript%3Etest HTTP/1.1" 403 211 "http://www.domain-1.lan" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
> * Correct IP Address
>
> Modsecurity Audit Log
> ---------------------
> --aae1f609-A--
> [06/Dec/2012:15:08:59 +0700] UMBSm8CoCwIAABTYwcQAAABA 192.168.11.2 48573 192.168.11.2 82
> --aae1f609-B--
> GET /test.html?i=%3Cscript%3Etest HTTP/1.1
> Host: www.domain-1.lan
> Connection: close
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.domain-1.lan/
> * Wrong IP Address
>
> Apache Error Log by Modsecurity
> -------------------------
> [Thu Dec 06 14:59:43.263020 2012] [:error] [pid 5160:tid 3025914768] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at ARGS:i. [file "/usr/local/custom-apps/httpd/apache-2.4/conf/custom/modsec-rules/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: script>test found within ARGS:i: <script>test"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.domain-1.lan"] [uri "/test.html"] [unique_id "UMBQb8CoCwIAABQoXmwAAADA"]
> [Thu Dec 06 15:04:01.802295 2012] [:error] [pid 5264:tid 3025914768] [client 192.168.11.2] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)([\\\\d\\\\w]++)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)(?:(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*?)\\\\2|(?:!=|<=|>=|<>|<|>|\\\\^|is\\\\s+not|not\\\\ ..." at ARGS:i. [file "/usr/local/custom-apps/httpd/apache-2.4/conf/custom/modsec-rules/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: script>test found within ARGS:i: <script>test"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "www.domain-1.lan"] [uri "/test.html"] [unique_id "UMBRccCoCwIAABSQ1YsAAADA"]
> Both of them are displaying the wrong IP address; it should be 192.168.11.1
>
> Forcing Apache to generate error log
> ----------------------------
> [Thu Dec 06 14:54:56.483077 2012] [core:alert] [pid 4439:tid 3025914768] [client 192.168.11.1:39711] /home/user-1/public_html/.htaccess: Invalid command 'aaa', perhaps misspelled or defined by a module not included in the server configuration, referer: http://www.domain-1.lan
> * Correct IP Address
>
> Second test using this configuration
> ====================================
> RemoteIPHeader X-Remote-Addr
> RemoteIPTrustedProxy 127.0.0.1
> RemoteIPTrustedProxy 192.168.11.2
>
> Note: I think the correct way in this case / if it's on the same machine is using RemoteIPInternalProxy, because according to https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
> "Unlike the RemoteIPInternalProxy directive, any intranet or private IP address reported by such proxies, including the 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public 2000::/3 block) are not trusted as the useragent IP, and are left in the RemoteIPHeader header's value"
>
> Access log
> ----------
> 192.168.11.2 - - [06/Dec/2012:15:54:38 +0700] "GET /test.html?i=%3Cscript%3Etest HTTP/1.1" 403 211 "http://www.domain-1.lan/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0"
> * Wrong IP Address, I believe because of the reason I stated above, but I could be wrong though
>
> Modsecurity Audit Log
> ---------------------
> --17d7e23e-A--
> [06/Dec/2012:15:54:38 +0700] UMBdTsCoCwIAABq@pdYAAADC 192.168.11.2 48598 192.168.11.2 82
> --17d7e23e-B--
> GET /test.html?i=%3Cscript%3Etest HTTP/1.1
> Host: www.domain-1.lan
> X-Remote-Addr: 192.168.11.1
> Connection: close
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.domain-1.lan/
> * Wrong IP Address, but displaying the X-Remote-Addr specified in the Apache config
>
> Forcing Apache to generate error log
> ----------------------------
> [Thu Dec 06 16:03:28.518751 2012] [core:alert] [pid 7077:tid 3025914768] [client 192.168.11.2:48604] /home/user-1/public_html/.htaccess: Invalid command 'aaa', perhaps misspelled or defined by a module not included in the server configuration, referer: http://www.domain-1.lan/
> * Wrong IP Address
>
> And I believe that's all. I'm sorry for the long post, but I try to give as much info as I can.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
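The report contrasts RemoteIPInternalProxy with RemoteIPTrustedProxy and shows ModSecurity's audit log recording the proxy address 192.168.11.2 where the client 192.168.11.1 was expected. The following Python is added here as an example; it is not code from the thread, from ModSecurity or from Apache. It parses the A and B sections of an audit log entry, derives the client address that a simplified model of mod_remoteip's documented trust rules would produce from the RemoteIPHeader, and flags entries where the WAF recorded a different address, which is the symptom of MODSEC-364 a log reviewer would want to detect. The sample entry is constructed after the second test in the report; the header name, the proxy list and all function names are assumptions.

```python
"""Added example, not part of the JIRA thread: check whether the client IP that
ModSecurity wrote to an audit log entry agrees with what mod_remoteip would
have resolved from the RemoteIPHeader. The trust walk is a simplified model of
the behaviour described in the mod_remoteip manual, not Apache's own code."""
import ipaddress
import re

# Constructed sample entry, modelled on the second test in the report: the TCP
# peer is the proxy 192.168.11.2 and the real client is carried in X-Remote-Addr.
SAMPLE_AUDIT = """--17d7e23e-A--
[06/Dec/2012:15:54:38 +0700] UMBdTsCoCwIAABq@pdYAAADC 192.168.11.2 48598 192.168.11.2 82
--17d7e23e-B--
GET /test.html?i=%3Cscript%3Etest HTTP/1.1
Host: www.domain-1.lan
X-Remote-Addr: 192.168.11.1
Connection: close
"""

# Assumed proxy list, taken from the report's RemoteIP*Proxy directives.
PROXIES = ["127.0.0.1", "192.168.11.2"]

# Section A layout: "[timestamp] unique_id client_ip client_port server_ip server_port"
SECTION_A = re.compile(r"^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")

# Blocks the manual (quoted in the report) says RemoteIPTrustedProxy never
# accepts as the user-agent address; IPv6 is public only inside 2000::/3.
NON_PUBLIC_V4 = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_non_public(addr):
    """True for the address ranges listed in the mod_remoteip manual."""
    if addr.version == 4:
        return any(addr in n for n in NON_PUBLIC_V4)
    return addr not in PUBLIC_V6


def parse_audit_entry(text):
    """Return unique_id, client_ip (section A), request line and headers
    (section B) from one serial-format audit log entry."""
    entry = {"unique_id": None, "client_ip": None, "request": None, "headers": {}}
    section = None
    for line in text.splitlines():
        boundary = BOUNDARY.match(line)
        if boundary:
            section = boundary.group(2)
            continue
        if section == "A":
            m = SECTION_A.match(line)
            if m:
                entry["unique_id"], entry["client_ip"] = m.group(1), m.group(2)
        elif section == "B":
            if entry["request"] is None:
                entry["request"] = line          # first B line is the request line
            elif ":" in line:
                name, _, value = line.partition(":")
                entry["headers"][name.strip().lower()] = value.strip()
    return entry


def resolve_client_ip(remote_addr, header_value, proxies, internal):
    """Simplified mod_remoteip walk: while the current peer is a configured
    proxy, take the right-most header entry as the new peer. With
    RemoteIPTrustedProxy (internal=False) a non-public header entry is not
    accepted as the client and the walk stops, as the manual describes."""
    nets = [ipaddress.ip_network(p) for p in proxies]
    chain = [h.strip() for h in (header_value or "").split(",") if h.strip()]
    current = ipaddress.ip_address(remote_addr)
    while chain and any(current in n for n in nets):
        candidate = ipaddress.ip_address(chain[-1])
        if not internal and is_non_public(candidate):
            break
        current = candidate
        chain.pop()
    return str(current)


def audit_ip_mismatch(entry, proxies, internal=True, header="x-remote-addr"):
    """Return (recorded, expected, mismatch). A mismatch means the WAF logged
    a proxy address where mod_remoteip had resolved the real client."""
    expected = resolve_client_ip(entry["client_ip"], entry["headers"].get(header),
                                 proxies, internal)
    return entry["client_ip"], expected, entry["client_ip"] != expected


if __name__ == "__main__":
    e = parse_audit_entry(SAMPLE_AUDIT)
    for internal in (True, False):
        rec, exp, bad = audit_ip_mismatch(e, PROXIES, internal)
        mode = "RemoteIPInternalProxy" if internal else "RemoteIPTrustedProxy"
        print(f"{e['unique_id']} {mode}: logged {rec}, expected {exp}, mismatch={bad}")
```

Run against the sample, the InternalProxy configuration expects 192.168.11.1 and flags the entry, while the TrustedProxy configuration leaves 192.168.11.2 in place because 192.168.11.1 falls in 192.168/16; that is the same split the reporter saw between the two tests. To apply it to real logs, split a serial audit log on the `--id-Z--` terminator and feed each entry to `parse_audit_entry`.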