All, I’m wondering if you can help me please,

I am having frustrating problems in that I can’t get even the most basic configuration to work with mod_security. I was trying to set it up so that initially I can stop our Apache 1.3 (+Tomcat 3) web server servicing requests which feature “..”, and, if this worked, removing multiple forward slashes in requests, as we get odd results from accessing apps if you enter multiple slashes such as http://domain.com//app1//

I have the following defined at the start of my httpd.conf:

<IfModule mod_security.c>
  # The name of the audit log file
  SecAuditLog /www/apache/common/logs/audit_log
  SecAuditEngine RelevantOnly
  SecFilterDebugLog /www/apache/common/logs/modsec_debug_log
  SecFilterDebugLevel 0

  # Turn the filtering engine On or Off
  SecFilterEngine On

  # Action to take by default
  SecFilterDefaultAction "deny,log,status:403"

  # Prevent path traversal (..) attacks
  SecFilter "\.\./"
</IfModule>

However, if I go to http://domain.com/somepath/../ I can still get the front page on the web server and nothing appears in the audit log.

I know mod_security is doing something, as if I turn the debug log on, or change SecAuditEngine to On, I see inbound connections being logged; the problem is I still can use ../ in URLs and nothing is logged.

The platform is Sun Solaris 9, using Apache 1.3.33, mod_ssl-2.8.22 and mod_security-1.8.6 compiled in statically, with mod_jk loaded as a DSO; “httpd -l” shows the following:

Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_info.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_auth_dbm.c
  mod_proxy.c
  mod_so.c
  mod_setenvif.c
  mod_ssl.c
  mod_security.c

It was built using nothing fancy:

./configure --prefix=/www/apache/apache_1.3.33+mod_ssl-2.8.22 \
--enable-module=ssl \
--disable-rule=SSL_COMPAT \
--enable-rule=SSL_SDBM \
--enable-module=rewrite \
--enable-shared=rewrite \
--enable-module=proxy \
--enable-module=auth_dbm \
--enable-module=info \
--add-module=../mod_security-1.8.6/apache1/mod_security.c

Tomcat’s configured to run through Apache only for servlets and .jsp files, so that Apache’s security features are still applicable up front.

I hope someone can help as I’m very disappointed with myself especially that I can’t even get this working!

Also, does mod_security work with piped logs like Apache? Just wondering as some extra modules such as mod_jk (or at least the version of mod_jk I have) won’t work with them and I’d like to rotate them with cronolog if possible.

Many thanks in advance.

JB
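
A check for the symptom described above, as an added example that is not part of the original message: browsers and most HTTP clients collapse ".." segments (RFC 3986 section 5.2.4) before sending a request, so the SecFilter pattern may never see them. It assumes the test was made from such a client; the function names are hypothetical.

```python
import re

# Pattern copied from the SecFilter directive in the message above.
RULE = re.compile(r"\.\./")

def remove_dot_segments(path):
    """RFC 3986 section 5.2.4 dot-segment removal; browsers and most HTTP
    clients do the equivalent to a URL path before the request is sent."""
    out = []
    while path:
        if path.startswith("../"):
            path = path[3:]
        elif path.startswith("./") or path.startswith("/./"):
            path = path[2:]
        elif path == "/.":
            path = "/"
        elif path.startswith("/../") or path == "/..":
            path = "/" + path[4:]
            if out:
                out.pop()
        elif path in (".", ".."):
            path = ""
        else:
            # Move the first segment (with its leading slash) to the output.
            seg = re.match(r"/?[^/]*", path).group(0)
            out.append(seg)
            path = path[len(seg):]
    return "".join(out)

def rule_fires(path):
    """True if the rule's regex matches the path the server receives."""
    return RULE.search(path) is not None

def raw_request(path, host):
    """Request bytes with the path left exactly as typed, for sending over a
    plain socket to a server you run, so nothing rewrites it on the way."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("ascii")

def compare(typed_path):
    sent = remove_dot_segments(typed_path)
    return {"typed": typed_path, "sent_by_client": sent,
            "fires_on_typed": rule_fires(typed_path),
            "fires_on_sent": rule_fires(sent)}

if __name__ == "__main__":
    # Constructed sample paths based on the two URLs in the message.
    for p in ("/somepath/../", "//app1//"):
        print(compare(p))
    print(raw_request("/somepath/../", "domain.com"))
```

If the rule still does not fire when the raw request is sent unmodified, the client is ruled out and the debug log at a higher SecFilterDebugLevel is the next place to look.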


