Jacob Lear - 2015-01-10

Hello,

I am working on setting up better security for my Debian 6 server. I am new to ModSecurity and OWASP Core Rules. The problem that I'm having is that it is blocking legitimate traffic and I don't understand why or how to fix it. Can somebody help me? Here is some pretty detailed information about my environment and my problem.

Apache2 is my webserver and it is installed from the Debian package. The version is 2.2.16-6+squeeze14. I'm using the Worker MPM.
I installed ModSecurity from the Debian package. The version is: 2.5.12-1+squeeze4
Per the recommendation of an article I found online, I installed OWASP 2.2.5-0. I had initially tried the most recent version of OWASP but this gave me errors (due to my version of ModSecurity).
I'm using PHP compiled from source, version 5.4.24.
I'm using PHP-FPM FastCGI.
I'm using MySQL 5.1.73-1+deb6u1.
I'm using Memcached 2.1.0.
Zend OPcache 7.0.3 is installed.
Website is built using the Drupal CMS, version 7.28.
All non-SSL traffic is redirected to SSL.

I had some trouble getting Apache2 to pass the configtest, but I was able to find the proper configuration changes needed via Google searching. I enabled all of the rules as per the INSTALL instructions included in OWASP CRS. I also enabled the experimental Brute Force, DOS, and Slow DOS rules (these don't appear to be causing any issues).

I set ModSecurity to "On" mode but quickly got complaints from our staff being blocked by it. So now it is in "DetectionOnly" mode. I looked in the AuditLog but didn't see anything helpful in there (just a bunch of stuff about cookies -- perhaps because things in the 10 setup file are set to nolog?). However, the Apache2 SSL Error log shows a lot of information about the block attempts.

Our staff users are connecting from the IP address 63.227.218.204, so I filtered the SSL Error Log to dump all entries with that IP address to a separate file. All of the warnings/errors in this log are legitimate traffic. So I need help tuning ModSecurity and OWASP to permit this traffic. I've attached the log file to this post. https://www.fosterclub.com/sites/default/files/file/output.log

I have also attached my modsecurity.conf file and my modsecurity_crs_10_setup.conf file. https://www.fosterclub.com/sites/default/files/file/modsecurity.conf
https://www.fosterclub.com/sites/default/files/file/modsecurity_crs_10_setup.conf

I would very much appreciate any help anyone can offer. Please let me know if you need any additional information. Thanks!
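The usual way to turn the filtered error log described above into exclusions is to group the entries by CRS rule id and by the variable each rule matched, then exclude only that variable for that rule rather than the whole rule. The script below is an added example for this thread, not code from the poster or from the CRS project: the log lines in it are constructed in the layout ModSecurity 2.x writes to the Apache error log, and the rule ids, field names and URIs in them are illustrative, not taken from the attached output.log. `SecRuleRemoveById` is long-standing; `SecRuleUpdateTargetById` is assumed to be available on the reader's ModSecurity build (check the 2.5.12 reference manual before relying on it).

```python
"""Group ModSecurity 2.x error-log hits by rule id and draft exclusions.

Added example for the thread above (not the poster's or the CRS project's
code). The sample log below is constructed; its rule ids, cookie names,
Drupal field names and URIs are illustrative only.
"""
import re

# Constructed sample in the layout ModSecurity 2.5 uses in the Apache error log.
SAMPLE_LOG = r"""
[Sat Jan 10 09:12:41 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "(?i:\bselect\b.*\bfrom\b)" at ARGS:body[und][0][value]. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950001"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "select a column from"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/node/12/edit"] [unique_id "VLD9aX8AAQEAAFfqAAAAAA"]
[Sat Jan 10 09:15:02 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "(?i:\bselect\b.*\bfrom\b)" at ARGS:body[und][0][value]. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950001"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "select one from"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/node/add/article"] [unique_id "VLD9aX8AAQEAAFfqAAAAAB"]
[Sat Jan 10 09:15:02 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "<[^>]+>" at ARGS:body[und][0][value]. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "19"] [id "973300"] [rev "2.2.5"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [data "<p>"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.example.com"] [uri "/node/add/article"] [unique_id "VLD9aX8AAQEAAFfqAAAAAB"]
[Sat Jan 10 09:15:02 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Operator GT matched 20 at TX:anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [rev "2.2.5"] [msg "Inbound Anomaly Score Exceeded (Total Score: 25)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/node/add/article"] [unique_id "VLD9aX8AAQEAAFfqAAAAAB"]
[Sat Jan 10 09:20:33 2015] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "([~!@#$%^&*()\-+=|:;<>].*?){4,}" at REQUEST_COOKIES:SESSa1b2c3. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981172"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "-" ] [severity "WARNING"] [hostname "www.example.com"] [uri "/admin/content"] [unique_id "VLD9aX8AAQEAAFfqAAAAAC"]
[Sat Jan 10 09:21:00 2015] [error] [client 63.227.218.204] File does not exist: /var/www/favicon.ico
[Sat Jan 10 09:25:10 2015] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:\bselect\b.*\bfrom\b)" at ARGS:q. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950001"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "select 1 from"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/"] [unique_id "VLD9aX8AAQEAAFfqAAAAAD"]
"""

CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')
# ModSecurity writes its details as [name "value"] pairs; values may contain \" escapes.
PAIR_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# "... at ARGS:body[und][0][value]. [file" -> the variable the operator matched on.
TARGET_RE = re.compile(r' at ([A-Z_]+(?::\S+?)?)\. \[file ')
# Collections whose individual members can be excluded per rule.
EXCLUDABLE = ('ARGS', 'ARGS_NAMES', 'REQUEST_COOKIES',
              'REQUEST_COOKIES_NAMES', 'REQUEST_HEADERS')


def parse_line(line):
    """Return a dict of fields for a ModSecurity event line, else None."""
    if 'ModSecurity: ' not in line:
        return None                      # other Apache errors, e.g. 404s
    client = CLIENT_RE.search(line)
    fields = dict(PAIR_RE.findall(line))
    if client is None or 'id' not in fields:
        return None
    target = TARGET_RE.search(line)
    fields['client'] = client.group(1)
    fields['target'] = target.group(1) if target else None
    return fields


def summarise(log_text, client_ip):
    """Group hits from client_ip by rule id: count, msg, targets, uris."""
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev['client'] != client_ip:
            continue
        entry = summary.setdefault(ev['id'], {
            'count': 0, 'msg': ev.get('msg', ''), 'targets': set(), 'uris': set()})
        entry['count'] += 1
        if ev['target']:
            entry['targets'].add(ev['target'])
        if 'uri' in ev:
            entry['uris'].add(ev['uri'])
    return summary


def exclusion_snippet(summary):
    """Draft directives: per-variable exclusion where the hit names one
    member of an excludable collection, otherwise a comment asking for a
    manual decision (SecRuleRemoveById would silence the rule for every
    request, and a TX: match is a scoring rule, not the real culprit)."""
    out = []
    for rule_id, e in sorted(summary.items()):
        out.append('# %s (%s): %d hit(s) on %s' % (
            rule_id, e['msg'], e['count'], ', '.join(sorted(e['uris']))))
        for target in sorted(e['targets']):
            collection, _, member = target.partition(':')
            if collection in EXCLUDABLE and member:
                out.append('SecRuleUpdateTargetById %s !%s' % (rule_id, target))
            else:
                out.append('#   matched at %s: review by hand before any '
                           'SecRuleRemoveById %s' % (target, rule_id))
    return '\n'.join(out)


if __name__ == '__main__':
    print(exclusion_snippet(summarise(SAMPLE_LOG, '63.227.218.204')))
```

Run it against the real file as `summarise(open('output.log').read(), '63.227.218.204')`. The directives it prints belong in a file Apache includes after the CRS rule files, since an exclusion only applies to rules already loaded. In CRS 2.2.x anomaly-scoring mode the rule that actually blocks is 981176 in modsecurity_crs_49_inbound_blocking.conf; excluding it would disable blocking entirely, which is why the script flags TX: matches for manual review instead of emitting a directive. Excluding `ARGS:body[und][0][value]` from the SQLi and XSS rules is the typical outcome for a Drupal body field, where editors legitimately submit HTML and prose that contains SQL keywords.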