RE: [mod-security-users] Getting first SecSelectiveFilter to work
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
RE: [mod-security-users] Getting first SecSelectiveFilter to work
|
From: <Ral...@it...> - 2006-02-23 11:34:32
|
>=20 > BTW, let's go back to the users' list when we're discussing > ModSecurity. >=20 >=20 Sorry for the detour, so back to the list. > > Oops, I have revisited the list of *all* LOCATIONS, > > as it claims in the doc > > ( > > http://www.modsecurity.org/documentation/modsecurity-apache-manua > > l-1.9.2.html#N103CE ) > > but I didn't discover HTTP_User-Agent therein. > > Could you please refer me to a complete list > > since guessing what are valid Location tokens is a bit involved. >=20 > It is there, look at the end of the locations list. The "User-Agent" > part it the name of the header. You can put any header name there. Sorry Ivan, but I still couldn't find it in the Location list. Actually, the string agent only appears three times in the whole of the single html version of the doc. And the first time it appears is in an audit log excerpt where the actual HTTP Request Header is cited. http://www.modsecurity.org/documentation/modsecurity-apache-manua l-1.9.2.html#N109C4 So I guess any valid request header field as named in section 5.3 of RFC2616 http://www.faqs.org/rfcs/rfc2616.html will be accepted by mod_security if prepended with "HTTP_", right ? Actually, I was fooled by lwp-request (i.e. the LWP demo script that comes with Perl's LWP module). Though it according to its POD recognizes an -H switch that you can supply any HTTP request header field I made a little quoting mistake whereby it kept its default User-Agent setting, which naturally was lwp-request and would never match my filter. I realized this when I reached line 383 in lwp-request in the debugger where the -H supplied HTTP header is dissected and if user-agent match supplied to the user_agent() mutator method. This of course could more easily be seen after I changed the log format to Combined in httpd.conf as it included referer and agent fields. I also removed the Perlish clutter from my filter (e.g. match delimeters) so that it now read # tail -4 ../../conf.d/security.conf=20 SecFilterSelective HTTP_User-Agent "^(tintin|snowy)-statuscheck$" log,deny,status:404 </IfModule> (n.b. the trailing action is redundant as it is the default filter action defined further above) When I now run lwp-request again I can see my filter catchning this # tail -18 modsec_audit.log=20 =3D=3D51661f45=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Request: 123.123.123.123 123.123.123.123 - - [23/Feb/2006:11:58:15 +0100] "GET /server-status?auto HTTP/1.1" 40 4 211 "-" "tintin-StatusCheck" - "-" Handler: server-status ---------------------------------------- GET /server-status?auto HTTP/1.1 Connection: close Host: 123.123.123.123 User-Agent: tintin-StatusCheck mod_security-action: 404 mod_security-message: Access denied with code 404. Pattern match "^(tintin|snowy)-statuscheck$" at HEADER("User-Agent") HTTP/1.1 404 Not Found Content-Length: 211 Connection: close Content-Type: text/html; charset=3Diso-8859-1 --51661f45-- Many thanks for the immediate help Ivan! >=20 > How many web servers are there? Make sure to check out the > recently-announced ModSecurity Console > (http://www.thinkingstone.com/products/console/) - I'm sure > it would make your life much easier. > > I also would have liked to chroot the webserver. > > But again I'm plagued with third party closed source CGI > > programmes that I must provide > > on customer demand. >=20 > Yes, that's always a problem. So you need to support various > CGIs in addition to Tomcat? I guess the best thing you can > do is use suEXEC to run the CGIs. >=20 > > If that alone wasn't bad enough they soon will coerce me into > > placing some JSP or Java servlets > > on the server, and I have no Java experience whatsoever. >=20 > You could be able to secure Java easily, because it comes > with MAC facilities built in. Try reading about the Security > Manager. >=20 > > But I have no idea how to secure a Tomcat, let alone mod_jk. >=20 > At least you can run Tomcat on a high port as a non-root user. I for sure would never let a server run as root proc (Apache is an exception as it initializes as root but forks/threads all its client accept() children under User and Group) And afaik the Tomcat default Port is 8080, isn't it? (but can be set in server.xml anyway) |
