Re: [mod-security-users] Fedora3 mod_security not working
From: Lonnie <lo...@ou...> - 2005-08-01 01:32:41
Never mind... I solved the problem and all is working well at this point... If you see any additional SecFilter statements that should be added then please let me know, ok.

Thanks,
Lonnie

Lonnie wrote:
> Sir,
>
> I have subscribed to your mod_security list but after replying to the
> confirmation, I get no notice that I can go ahead and post or welcome
> message.
>
> My problem is that even after installing the mod_security on my Linux
> Fedora3 Apache2 system and adding your quick example to the httpd.conf
> and restarting my server, I can still do a traversal attack on my system.
>
> http://www.paysafenet.com/?x=../../../../../../../etc/passwd
>
> with
>
> <IfModule mod_security.c>
>
> # Turn the filtering engine On or Off
> SecFilterEngine On
>
> # Make sure that URL encoding is valid
> SecFilterCheckURLEncoding On
>
> # Only allow bytes from this range
> SecFilterForceByteRange 32 126
>
> # The audit engine works independently and
> # can be turned On or Off on the per-server or
> # on the per-directory basis
> SecAuditEngine RelevantOnly
>
> # The name of the audit log file
> SecAuditLog logs/audit_log
>
> SecFilterDebugLog logs/modsec_debug_log
> SecFilterDebugLevel 0
>
> # Should mod_security inspect POST payloads
> SecFilterScanPOST On
>
> # Action to take by default
> SecFilterDefaultAction "deny,log,status:406"
>
> # Redirect user on filter match
> SecFilter xxx redirect:http://www.webkreator.com
>
> # Execute the external script on filter match
> SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl
>
> # Simple filter
> SecFilter 111
> # Only check the QUERY_STRING variable
> SecFilterSelective QUERY_STRING 222
>
> # Only check the body of the POST request
> SecFilterSelective POST_PAYLOAD 333
>
> # Only check arguments (will work for GET and POST)
> SecFilterSelective ARGS 444
>
> # Test filter
> SecFilter "/cgi-bin/keyword"
>
> # Another test filter, will be denied with 404 but not logged
> # action supplied as a parameter overrides the default action
> SecFilter 999 "deny,nolog,status:404"
>
> # Prevent OS specific keywords
> SecFilter /etc/password
>
> # Prevent path traversal (..) attacks
> SecFilter "\.\./"
>
> # Weaker XSS protection but allows common HTML tags
> SecFilter "<( |\n)*script"
>
> # Prevent XSS attacks (HTML/Javascript injection)
> SecFilter "<(.|\n)+>"
>
> # Very crude filters to prevent SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"
>
> # Require HTTP_USER_AGENT and HTTP_HOST headers
> SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
>
> # Forbid file upload
> SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
>
> # Only watch argument p1
> SecFilterSelective "ARG_p1" 555
>
> # Watch all arguments except p1
> SecFilterSelective "ARGS|!ARG_p2" 666
>
> # Only allow our own test utility to send requests (or Mozilla)
> SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"
>
> # Do not allow variables with this name
> SecFilterSelective ARGS_NAMES 777
>
> # Do not allow this variable value (names are ok)
> SecFilterSelective ARGS_VALUES 888
>
> </IfModule>
>
> can you please help me to figure out why this is not working?
>
> Thanks,
> Lonnie Cumberland
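An added example, not from the thread or from ModSecurity itself: a small Python emulation of the non-selective SecFilter patterns in the quoted httpd.conf, run against the test URL from the message and a few constructed requests, to show which filter should fire on each and why the request must be decoded before matching (as SecFilterCheckURLEncoding implies). It assumes a case-insensitive Python-regex approximation of SecFilter matching with `[[:space:]]` translated to `\s` and a single URL-decode pass; ModSecurity's own engine may differ in detail.

```python
import re
from urllib.parse import unquote_plus

# Non-selective SecFilter patterns copied from the quoted httpd.conf and
# translated to Python re syntax ([[:space:]] -> \s). A bare keyword such
# as 111 is matched as a substring, which is how a plain SecFilter behaves.
SECFILTERS = [
    ("simple 111",      r"111"),
    ("test 999",        r"999"),
    ("cgi-bin keyword", r"/cgi-bin/keyword"),
    ("OS keyword",      r"/etc/password"),   # config says password, not passwd
    ("path traversal",  r"\.\./"),
    ("weak XSS",        r"<( |\n)*script"),
    ("any HTML tag",    r"<(.|\n)+>"),
    ("SQLi delete",     r"delete\s+from"),
    ("SQLi insert",     r"insert\s+into"),
    ("SQLi select",     r"select.+from"),
]


def matching_filters(request_uri, decode=True):
    """Return the names of the SecFilter patterns that match the URI.

    decode=True emulates mod_security normalising the request before the
    patterns are applied (assumption: one URL-decode pass, '+' as space).
    Case-insensitive matching is also an assumption of this emulation.
    """
    target = unquote_plus(request_uri) if decode else request_uri
    return [name for name, pat in SECFILTERS
            if re.search(pat, target, re.IGNORECASE)]


if __name__ == "__main__":
    # Constructed test URIs; the first is the one quoted in the thread.
    probes = [
        "/?x=../../../../../../../etc/passwd",
        "/?x=%2e%2e%2f%2e%2e%2fetc%2fpasswd",   # same request, URL-encoded
        "/?q=SELECT+1+FROM+users",
        "/?name=<b>hi</b>",                     # tag, but not a script tag
    ]
    for uri in probes:
        print(uri)
        print("  raw    :", matching_filters(uri, decode=False))
        print("  decoded:", matching_filters(uri))
```

On the thread's URL only the `\.\./` filter fires (the `/etc/password` keyword never matches `/etc/passwd`), and the encoded variant matches nothing unless it is decoded first.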