Thread: [mod-security-users] Help! Can't even get a basic configuration working! :(
From: Boocock, J. (CSS) <Joh...@ca...> - 2005-02-17 14:01:58
All,

I'm wondering if you can help me please, I am having frustrating problems in that I can't get even the most basic configuration to work with mod_security, I was trying to set it up so that initially I can stop our Apache 1.3 (+Tomcat 3) web server servicing requests which feature "..", and if this worked removing multiple forward slashes in requests as we get odd results from accessing apps if you enter multiple slashes such as http://domain.com//app1//

I have the following defined at the start of my httpd.conf:

    <IfModule mod_security.c>
        # The name of the audit log file
        SecAuditLog /www/apache/common/logs/audit_log
        SecAuditEngine RelevantOnly
        SecFilterDebugLog /www/apache/common/logs/modsec_debug_log
        SecFilterDebugLevel 0
        # Turn the filtering engine On or Off
        SecFilterEngine On
        # Action to take by default
        SecFilterDefaultAction "deny,log,status:403"
        # Prevent path traversal (..) attacks
        SecFilter "\.\./"
    </IfModule>

However if I go to http://domain.com/somepath/../ I can still get the front page on the web server and nothing appears in the audit log.

I know mod_security is doing something as if I turn the debug log on, or change SecAuditEngine to On I see inbound connections being logged, the problem is I still can use ../ in URLs and nothing is logged.

The platform is Sun Solaris 9, using apache 1.3.33, mod_ssl-2.8.22 and mod_security-1.8.6 compiled in statically, with mod_jk loaded as a DSO, "httpd -l" shows the following:

    Compiled-in modules:
      http_core.c
      mod_env.c
      mod_log_config.c
      mod_mime.c
      mod_negotiation.c
      mod_status.c
      mod_info.c
      mod_include.c
      mod_autoindex.c
      mod_dir.c
      mod_cgi.c
      mod_asis.c
      mod_imap.c
      mod_actions.c
      mod_userdir.c
      mod_alias.c
      mod_access.c
      mod_auth.c
      mod_auth_dbm.c
      mod_proxy.c
      mod_so.c
      mod_setenvif.c
      mod_ssl.c
      mod_security.c

It was built using nothing fancy:

    ./configure --prefix=/www/apache/apache_1.3.33+mod_ssl-2.8.22 \
        --enable-module=ssl \
        --disable-rule=SSL_COMPAT \
        --enable-rule=SSL_SDBM \
        --enable-module=rewrite \
        --enable-shared=rewrite \
        --enable-module=proxy \
        --enable-module=auth_dbm \
        --enable-module=info \
        --add-module=../mod_security-1.8.6/apache1/mod_security.c

Tomcat's configured to run through Apache only for servlets and .jsp files, so that Apache's security features are still applicable up front.

I hope someone can help as I'm very disappointed with myself especially that I can't even get this working!

Also, does mod_security work with piped logs like apache? Just wondering as some extra modules such as mod_jk (or at least the version of mod_jk I have) won't work with them and I'd like to rotate them with cronolog if possible.

Many thanks in advance.

JB

From: Ivan R. <iv...@we...> - 2005-02-17 14:18:15
Boocock, John (CSS) wrote:

> I am having frustrating problems in that I can't get even the most basic
> configuration to work with mod_security, I was trying to set it up so
> that initially I can stop our Apache 1.3 (+Tomcat 3) web server
> servicing requests which feature "..", and if this worked removing
> multiple forward slashes in requests as we get odd results from
> accessing apps if you enter multiple slashes such as
> http://domain.com//app1//
>
> ...
> SecFilter "\.\./"
>
> However if I go to http://domain.com/somepath/../ I can still get the
> front page on the web server and nothing appears in the audit log.

That's because Apache normalizes the URI before it reaches mod_security. If you send a request like this one:

    http://domain.com/somepath/?x=../tra/la/la

..it would get caught by mod_security.

You may be able to use mod_rewrite though. It may be that it gets to run before Apache performs normalisation.

> I know mod_security is doing something as if I turn the debug log on, or
> change SecAuditEngine to On I see inbound connections being logged, the
> problem is I still can use ../ in URLS and nothing is logged.

If you crank up the debug log level you should see mod_security accessing a normalized URI.

> I hope someone can help as I'm very disappointed with myself especially
> that I can't even get this working!

Don't worry, it's not your fault :) It's Apache and its peculiarities.

> Also, does mod_security work with piped logs like apache? Just wondering
> as some extra modules such as mod_jk (or at least the version of mod_jk
> I have) won't work with them and I'd like to rotate them with cronolog
> if possible.

It doesn't. It's possible to add piped logging for the debug log but since one should always use a debug level of zero in production this is not a very useful feature.

It is not possible to support piped logging for the audit log because it (piped logging) does not support locking and audit log spans multiple lines.

--
Ivan Ristic (http://www.modsecurity.org)
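
A simplified model of the behaviour described in the reply above, added here as an illustration; it is not part of the original thread and is not Apache or mod_security code. It assumes the path has its dot segments resolved before the filter runs while the query string is passed through unchanged, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Pattern taken from the SecFilter directive in the original post.
SEC_FILTER = re.compile(r"\.\./")


def remove_dot_segments(path):
    """Resolve '.' and '..' segments in a URI path (model of normalisation)."""
    segs = path.split("/")[1:]
    out = []
    for seg in segs:
        if seg == "..":
            if out:
                out.pop()          # step up one level, never above the root
        elif seg != ".":
            out.append(seg)
    if segs and segs[-1] in (".", ".."):
        out.append("")             # a directory reference keeps its trailing slash
    return "/" + "/".join(out)


def seen_by_filter(url):
    """URI as the filter sees it in this model: path normalised, query untouched."""
    parts = urlsplit(url)
    uri = remove_dot_segments(parts.path)
    if parts.query:
        uri += "?" + parts.query
    return uri


def is_blocked(url):
    """True when the SecFilter pattern matches what the filter sees."""
    return SEC_FILTER.search(seen_by_filter(url)) is not None


if __name__ == "__main__":
    # Both URLs are the ones quoted in the thread.
    for url in ("http://domain.com/somepath/../",
                "http://domain.com/somepath/?x=../tra/la/la"):
        verdict = "denied (403)" if is_blocked(url) else "served"
        print(f"{url} -> filter sees {seen_by_filter(url)!r} -> {verdict}")
```

Raising SecFilterDebugLevel on a test host, as the reply suggests, shows the URI mod_security actually receives for comparison with this model.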