Thread: Re: [mod-security-users] mod security 2.2.7 problem on openSUSE 13.1
From: Administrator Beckspaced.c. <ad...@be...> - 2014-03-24 17:24:21
Message: 2
Date: Sat, 22 Mar 2014 16:20:32 +0100
From: Reindl Harald <h.r...@th...>
Subject: Re: [mod-security-users] mod security 2.2.7 problem on openSUSE 13.1
To: mod...@li...
Message-ID: <532...@th...>
Content-Type: text/plain; charset="iso-8859-1"

On 22.03.2014 15:49, Administrator Beckspaced.com wrote:
> hello there
>
> using the newest mod security 2.2.7 with newest rule set 2.2.9 on an
> opensuse 13.1 with apache 2.4.6
>
> mod security is actually running fine but i'm trying to run the slow dos
> rule set from experimental rules ->
> modsecurity_crs_11_slow_dos_protection.conf
>
> whenever i enable this rule set i get blocked by mod security
>
> [Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity:
> Access denied with code 400. Too many threads [150] of 100 allowed in
> READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]

just don't do that on the application level
it's insane even respond from the webserver in such a case
http://comments.gmane.org/gmane.comp.apache.mod-security.user/10722

ok ... thanks a lot for your reply ;-)
will look into iptables to protect against slow dos attacks.

but still i don't understand why mod security is blocking my IP address?
the server is not publicly accessible, though it tells me that i got 150 threads connected?
why is that?

also ... why isn't apache creating the collection data files

ip.dir
ip.pag
global.dir
global.pag

SecDataDir is set to /var/log/apache2 which is owned and writable by the apache user wwwrun:www

but on apache restart those files (ip.dir global.dir) don't get generated!
so how can mod security collect data if those files are not there?

but apache is able to create the modsec_debug.log and modsec_audtit.log in the directory /var/log/apache2
but it will not create ip.dir and global.dir ... strange!

using opensuse 13.1 which uses systemd now. could this have something to do with it?
running another suse box with opensuse 12.2 which also uses systemd and there i don't have any problems at all

files for mod security get generated after an apache restart

really a bit out of knowledge here ;-(
perhaps someone can guide me towards fixing this?

thanks a million for your help & all the best
becki

p.s. if it is insane to respond to slow dos attack from the webserver with mod security ... why is it even there then?
From: Reindl H. <h.r...@th...> - 2014-03-24 18:17:17
*argh* that's why "Reply all" on lists is bad
my first reply got offlist

On 24.03.2014 18:23, Administrator Beckspaced.com wrote:
> p.s. if it is insane to respond to slow dos attack from the webserver
> with mod security ... why is it even there then?

because often the webserver admins are different persons than the firewall admins which may not be as responsible as they should and so it's better than nothing

but if you ever were target of a *real* DDOS where attack vectors are combined you know that the resources you burn down on the application layer trying to protect itself are hardly needed to handle the overall load

block a connection on the iptables layer / network stack needs magnitudes less resources
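
Added example, not part of the thread and not ModSecurity's own code: a small parser for the "Too many threads ... in READ state" rejection line quoted above, grouping hits per source address so an admin can see which client trips the limit before deciding whether to handle it at the network layer. The sample log lines are constructed from the format of the quoted line with documentation-range addresses, and the function names and the `min_hits` threshold are assumptions.

```python
import re
from datetime import datetime

# Pattern for the rejection line quoted in the thread (Apache 2.4 error log format).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*?ModSecurity: Access denied with code \d+\. "
    r"Too many threads \[(?P<threads>\d+)\] of (?P<limit>\d+) allowed in "
    r"READ state from (?P<ip>\S+) - "
)
# Constructed sample lines (documentation-range addresses), not taken from the thread.
PREFIX = "[:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads"
SUFFIX = "- Possible DoS Consumption Attack [Rejected]"
SAMPLE_LOG = [
    f"[Fri Mar 21 17:23:04.018323 2014] {PREFIX} [150] of 100 allowed in READ state from 203.0.113.7 {SUFFIX}",
    f"[Fri Mar 21 17:23:05.120000 2014] {PREFIX} [151] of 100 allowed in READ state from 203.0.113.7 {SUFFIX}",
    "[Fri Mar 21 17:23:06.500000 2014] [:error] [pid 29460] [client 198.51.100.9] constructed unrelated entry",
    f"[Fri Mar 21 17:23:09.000001 2014] {PREFIX} [101] of 100 allowed in READ state from 198.51.100.20 {SUFFIX}",
    f"[Fri Mar 21 17:24:10.250000 2014] {PREFIX} [149] of 100 allowed in READ state from 203.0.113.7 {SUFFIX}",
]

def summarize(lines):
    """Group READ-state rejections by source IP: hits, peak thread count, limit, first/last seen."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated error-log entry
        # Apache 2.4 error-log timestamp, e.g. "Fri Mar 21 17:23:04.018323 2014"
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        s = stats.setdefault(m["ip"], {"hits": 0, "peak": 0, "first": ts, "last": ts})
        s["hits"] += 1
        s["peak"] = max(s["peak"], int(m["threads"]))
        s["limit"] = int(m["limit"])  # configured limit as reported in the log line
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats

def repeat_offenders(stats, min_hits=3):
    """Addresses rejected at least min_hits times (threshold is an assumption)."""
    return sorted(ip for ip, s in stats.items() if s["hits"] >= min_hits)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['hits']} rejections, peak {s['peak']} of {s['limit']} threads, "
              f"{s['first']:%H:%M:%S} to {s['last']:%H:%M:%S}")
    print("repeat offenders:", repeat_offenders(stats))
```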