
Problem with installation on Windows Server 2012 R2

Allyn B
2017-02-23
  • Allyn B

    Allyn B - 2017-02-23

    This is my first time with ModSecurity, and I'm obviously missing something here... I installed MS Visual C++ Redis x64 and x86, followed by the ModSecurity msi package using "msiexec /i ModSecurityIIS_2.9.1-64b.msi /lv log.txt". No problems were encountered, and the log file looks clean.

    I then installed the module using
    appcmd.exe install module /name:"ModSecurity IIS" /image:"C:\Windows\System32\inetsrv\ModSecurityIIS.dll"

    Next, I added
    <ModSecurity enabled="true" configFile="C:\\Program Files\\ModSecurity IIS\\modsecurity_iis.conf"/>
    under the system.webServer section.

    Then, I did an iisreset. In the logs, there are multiple Event ID 1 entries, and several informational ones end with something along the lines of "ModSecurity for IIS (STABLE)/2.9.1 (http://www.modsecurity.org/) configured." There are two errors for Event ID 1 that end with the following:

    [client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] [uri "/iisstart.htm"] [unique_id "17870283336438513687"]

    [client ] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "ARCH-SRV"] [uri "/iisstart.htm"] [unique_id "17870283336438513687"]

    Neither of these directories even exists. I can't send any URLs that indicate anything is being blocked, and I'm not sure what to try now. Any suggestions? Thanks
  • Allyn B

    Allyn B - 2017-02-25

    This might be partly working. I found an IIS forum where someone stated "SecRule ARGS, "zzz" phase:1,log,deny,status:503,id:1" should actually be "SecRule ARGS "zzz" phase:1,log,deny,status:503,id:1" - there was an extra comma in some other postings. I made the change, and I get a 503 error when I try to access the web page. However, I can't log in to the main page. I had 4 rules that were triggered, including two SQL injection rules, one XSS attack rule, and another in modsecurity_crs_30_http_policy. After commenting these out, I still can't authenticate, and the following is what shows up in the logs. The directories c:\inetpub\temp\global and \ip do not exist, so it's not a simple permissions problem. Can anyone please give me some direction? Thanks

    ====== #1 ======
    The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    [client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/globalajaxengine/aoajax.ashx?ids=*&flts=0&SnName=user_ajax&refreshParam=30.138179430896656&param1=4.382920643111279"] [unique_id "17870283327848579102"]
    ====== /#1 ======
    ====== #2 ======
    The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    [client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/default.aspx"] [unique_id "17870283327848579103"]
    ====== /#2 ======
    ====== #3 ======
    The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    [client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/default.aspx"] [unique_id "17870283327848579103"]
    ====== /#3 ======
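Both posts quote ModSecurity for IIS event bodies in the same shape: a "[client ...]" prefix, the engine message, and trailing "[hostname ...] [uri ...] [unique_id ...]" tags. The script below is an added triage example, not part of this thread or of the ModSecurity project; it parses that format and groups the "Failed to access DBM file" messages by path, so an administrator can see at a glance which persistent-collection files (here "global" and "ip") are failing, under which parent directory, and which requests triggered them. The regular expressions are my own, derived from the lines quoted above; the sample input reuses the four quoted event bodies plus one constructed "configured" line of the kind the first post mentions.

```python
import posixpath
import re

# Constructed sample input: the four event bodies quoted in the thread above,
# plus one informational "configured" line (constructed) that must be ignored.
SAMPLE_EVENTS = [
    '[client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file '
    '"C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] '
    '[uri "/ao2016/globalajaxengine/aoajax.ashx?ids=*&flts=0&SnName=user_ajax'
    '&refreshParam=30.138179430896656&param1=4.382920643111279"] [unique_id "17870283327848579102"]',
    '[client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file '
    '"C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/default.aspx"] '
    '[unique_id "17870283327848579103"]',
    '[client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file '
    '"C:/inetpub/temp/ip": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/default.aspx"] '
    '[unique_id "17870283327848579103"]',
    '[client ] ModSecurity: collections_remove_stale: Failed to access DBM file '
    '"C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] [uri "/iisstart.htm"] '
    '[unique_id "17870283336438513687"]',
    'ModSecurity for IIS (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.',
]

# Assumed line shape (from the quoted events): "[client X] ModSecurity: <message> <tags>"
# where every trailing tag is ' [name "value"]'. The non-greedy message group stops
# exactly where the run of tags reaches end-of-line.
EVENT_RE = re.compile(
    r'^\[client (?P<client>[^\]]*)\] ModSecurity: (?P<message>.*?)'
    r'(?P<tags>(?: \[\w+ "[^"]*"\])*)$'
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
DBM_RE = re.compile(r'Failed to access DBM file "([^"]+)": (.*)$')


def parse_event(text):
    """Return a dict with client, message and any trailing tags, or None if the
    line is not a ModSecurity request event (e.g. the startup 'configured' line)."""
    m = EVENT_RE.match(text.strip())
    if not m:
        return None
    event = {"client": m.group("client").strip(), "message": m.group("message").strip()}
    event.update(TAG_RE.findall(m.group("tags")))
    return event


def summarize_dbm_failures(events):
    """Group 'Failed to access DBM file' events by file path.

    Returns {path: {"collection": name, "directory": parent, "reason": text,
                    "count": n, "uris": set(...)}}.
    """
    failures = {}
    for text in events:
        event = parse_event(text)
        if event is None:
            continue
        m = DBM_RE.search(event["message"])
        if not m:
            continue
        path, reason = m.group(1), m.group(2).strip()
        # ModSecurity names each persistent collection file after the collection
        # (ip, global, session, ...), so the basename identifies the collection.
        entry = failures.setdefault(path, {
            "collection": posixpath.basename(path),
            "directory": posixpath.dirname(path),
            "reason": reason,
            "count": 0,
            "uris": set(),
        })
        entry["count"] += 1
        entry["uris"].add(event.get("uri", ""))
    return failures


def directories_to_check(failures):
    """Distinct parent directories named in the failures: the places whose
    existence and IIS worker-process write access an administrator should verify."""
    return sorted({entry["directory"] for entry in failures.values()})


if __name__ == "__main__":
    report = summarize_dbm_failures(SAMPLE_EVENTS)
    for path, entry in sorted(report.items()):
        print(f'{path}: collection "{entry["collection"]}", {entry["reason"]} '
              f'({entry["count"]} event(s), {len(entry["uris"])} distinct URI(s))')
    print("Directories to verify:", ", ".join(directories_to_check(report)))
```

Run stand-alone, the script reports that both failing files live under the same parent directory, which is the one whose existence and permissions (for the identity the IIS worker process runs as) are worth checking first; the "configured" startup line is correctly skipped because it lacks the "[client ...]" prefix.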
