Re: [mod-security-users] Filter Rules by IP Address
From: Christopher M. <mu...@to...> - 2005-10-25 17:14:16
Move your IP rule down under:

SecFilterDebugLog logs/modsec_debug_log

At the very bottom of the module you have:

SecFilter "/tmp"

That looks to be getting you. Try moving your code down first.

--
Regards,

-Chris

_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576

Naveen Amradi said:
> Forgot to attach file in the previous reply.
> Thanks,
> naveen
>
> On 10/25/05, Naveen Amradi <na...@gm...> wrote:
>>
>> Chris,
>> I have attached my conf file. Would you please look at it. I have placed
>> the rule right below the SecFilterEngine. In that case won't that rule be
>> higher than other ones. Maybe I am sounding dumb. I am trying to read the
>> book and understand slowly.
>> I would appreciate if you can look at the conf file.
>> Everyone on this list is so active and helpful.
>> Thanks a lot,
>> naveen
>>
>> On 10/25/05, Christopher Murley <mu...@to...> wrote:
>> >
>> > Hi Naveen, your problem isn't with the IP rule you created. Your error
>> > was:
>> >
>> > mod_security-message: Access denied with code 403. Pattern match "/tmp" at THE_REQUEST
>> >
>> > The request you sent:
>> >
>> > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
>> >
>> > has /TMP (lowercased) /tmp in it. You must have another rule higher in
>> > your chain that's disallowing URLs referencing /tmp.
>> >
>> > --
>> > Regards,
>> >
>> > -Chris
>> >
>> > _______________________________________________
>> > Christopher Murley
>> > Network Administrator
>> > TownNews.Com
>> > 800.293.9576
>> >
>> > Naveen Amradi said:
>> > > Hi Ryan,
>> > > I appreciate your quick response and help.
>> > > I am still not able to configure it properly.
>> > > Just like you said I added
>> > >
>> > > SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass
>> > >
>> > > I tried putting it right below the SecFilterEngine and other places too.
>> > > And I am getting this error in the log file. Maybe I am missing something.
>> > >
>> > > UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
>> > > Request: 196.168.0.94 - - [25/Oct/2005:11:39:02 --0500] "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
>> > > Handler: server-parsed
>> > > ----------------------------------------
>> > > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
>> > > User-Agent: Contribute
>> > > Host: www.outreach.olemiss.edu
>> > > Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D; PHPSESSID=59ded4be35990378545d942f2a11c0f9
>> > > mod_security-message: Access denied with code 403. Pattern match "/tmp" at THE_REQUEST
>> > > mod_security-action: 403
>> > >
>> > > HTTP/1.1 403 Forbidden
>> > > Content-Length: 232
>> > >
>> > > Could you help me? And just for info I am trying to configure Macromedia
>> > > Contribute.
>> > >
>> > > Thanks a lot,
>> > >
>> > > naveen
>> > >
>> > > On 10/25/05, Ryan Barnett <rcb...@gm...> wrote:
>> > >>
>> > >> Naveen,
>> > >> Think of the mod_security directives (SecFilter|SecFilterSelective) as you
>> > >> would firewall rules in that the order in which they are specified in the
>> > >> httpd.conf file does matter. Again, like firewall rules, once a filter
>> > >> matches the incoming HTTP request it will trigger the actions specified.
>> > >> With this being said, if you want to "whitelist" an IP address to allow this
>> > >> client access, then add in a rule like this near the top of your
>> > >> Mod_Security directives -
>> > >>
>> > >> SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass
>> > >>
>> > >> Add this just below the mod_security general directives (such as
>> > >> SecFilterEngine, etc....).
>> > >> That should do it.
>> > >>
>> > >> --
>> > >> Ryan C. Barnett
>> > >> Web Application Security Consortium (WASC) Member
>> > >> CIS Apache Benchmark Project Lead
>> > >> SANS Instructor: Securing Apache
>> > >> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
>> > >> Author: Preventing Web Attacks with Apache
>> > >>
>> > >> On 10/25/05, Naveen Amradi <na...@gm...> wrote:
>> > >> >
>> > >> > Hi All,
>> > >> >
>> > >> > Newbie of ModSecurity. I was wondering is there a way to
>> > >> > open up rules for certain IP addresses.
>> > >> >
>> > >> > Thanks a gazillion!
>> > >> > Naveen
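
The ordered, first-match behaviour discussed in this thread, as an added example that is not part of the original messages and is not ModSecurity's own code. It is a simplified model: the names evaluate, demo, ALLOW_IP and DENY_TMP are hypothetical, REMOTE_HOST is assumed to hold the client address string, and a filter without an action list is assumed to deny with 403 as in the quoted log entry.

```python
import re

# Simplified model of ModSecurity 1.x filter processing (an assumption of this
# example, not the module's code): rules run in configuration order, patterns
# match case-insensitively, "allow" stops processing and lets the request
# through, and a filter with no action list falls back to a default deny.


def evaluate(rules, remote_host, request_line):
    """Return (decision, matched_pattern) for the first rule that fires."""
    variables = {"REMOTE_HOST": remote_host, "THE_REQUEST": request_line}
    for variable, pattern, actions in rules:
        if re.search(pattern, variables[variable], re.IGNORECASE):
            if "allow" in actions:
                return ("allow", pattern)
            return ("deny 403", pattern)
    return ("allow", None)  # no rule matched


# Rules from the thread, written as (variable, pattern, actions).
ALLOW_IP = ("REMOTE_HOST", r"^192\.168\.0\.94$", ("allow", "pass"))
DENY_TMP = ("THE_REQUEST", r"/tmp", ())  # SecFilter "/tmp"

# Request line from the audit log entry quoted in the thread.
REQUEST = "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1"


def demo():
    return {
        # Allow rule first and the client address matches: later filters are skipped.
        "allow_first": evaluate([ALLOW_IP, DENY_TMP], "192.168.0.94", REQUEST),
        # Allow rule after the "/tmp" filter: the deny fires before it is reached.
        "allow_last": evaluate([DENY_TMP, ALLOW_IP], "192.168.0.94", REQUEST),
        # Allow rule first, but the address differs (the quoted audit log entry
        # records 196.168.0.94): the anchored pattern does not match it.
        "other_address": evaluate([ALLOW_IP, DENY_TMP], "196.168.0.94", REQUEST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```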