You should be more specific with your filter rules. Use HTTP_USER_AGENT
to block user agents instead of the very generic THE_REQUEST.
Linh
Jamie Krasnoo wrote:
>I was going through the audit logs this morning and found that a page
>of a customer of mine was being blocked by mod_sec for no good reason
>other than the fact that the parameters contained lynx (Ottawa-Lynx to
>be exact). I doubt that there would be any other conflicts with linux
>programs when it comes to sports teams. As you can see I modified the
>rule for lynx to make sure it doesn't match a "-" in front of it. Am I
>opening up my server to an attack if someone does something clever? How
>would I make sure something doesn't get rejected if nothing malicious
>was intended?
>
>Thanks,
>
>Jamie
>
>-------------------------------------------------------------------------------------------------------------------------------
>
> # Block various methods of downloading files to a server
> SecFilterSelective THE_REQUEST "wget "
> SecFilterSelective THE_REQUEST "[^-]lynx "
> SecFilterSelective THE_REQUEST "scp "
> SecFilterSelective THE_REQUEST "ftp "
> SecFilterSelective THE_REQUEST "cvs "
> SecFilterSelective THE_REQUEST "rcp "
> SecFilterSelective THE_REQUEST "curl "
> SecFilterSelective THE_REQUEST "telnet "
> SecFilterSelective THE_REQUEST "ssh "
> SecFilterSelective THE_REQUEST "echo "
> SecFilterSelective THE_REQUEST "links -dump "
> SecFilterSelective THE_REQUEST "links -dump-charset "
> SecFilterSelective THE_REQUEST "links -dump-width "
> SecFilterSelective THE_REQUEST "links http:// "
> SecFilterSelective THE_REQUEST "links ftp:// "
> SecFilterSelective THE_REQUEST "links -source "
> SecFilterSelective THE_REQUEST "mkdir "
> SecFilterSelective THE_REQUEST "cd /tmp "
> SecFilterSelective THE_REQUEST "cd /var/tmp "
> SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
>
>
--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093 Email: vu...@ph...
-----------------------------------------------
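
The false positive discussed in this thread can be reproduced offline before a rule change goes live. The following is an added example, not code from either poster or from the ModSecurity project: it evaluates the original `lynx ` rule, the modified `[^-]lynx ` rule, and a rule scoped to HTTP_USER_AGENT against constructed requests. It assumes case-insensitive regex matching, and the `^lynx` User-Agent pattern and all sample requests are hypothetical.

```python
import re

# Constructed sample traffic: name -> (request line, User-Agent header).
SAMPLES = {
    "team_page": ("GET /teams.php?name=Ottawa-Lynx HTTP/1.1", "Mozilla/5.0"),
    "team_short": ("GET /teams.php?name=Lynx HTTP/1.1", "Mozilla/5.0"),
    "lynx_browser": ("GET /index.html HTTP/1.1",
                     "Lynx/2.8.5rel.1 libwww-FM/2.14"),
}

# Rules as (variable, pattern) pairs, mirroring SecFilterSelective arguments.
RULES = {
    "original": ("THE_REQUEST", "lynx "),        # rule before the change
    "modified": ("THE_REQUEST", "[^-]lynx "),    # rule as posted in the thread
    "ua_scoped": ("HTTP_USER_AGENT", "^lynx"),   # hypothetical pattern
}


def variable_value(variable, request_line, user_agent):
    """Return the part of the request that the named variable exposes."""
    if variable == "THE_REQUEST":
        return request_line
    if variable == "HTTP_USER_AGENT":
        return user_agent
    raise ValueError("unsupported variable: " + variable)


def blocked(rule_name, sample_name):
    """True if the rule's pattern matches the sample (assumed case-insensitive)."""
    variable, pattern = RULES[rule_name]
    value = variable_value(variable, *SAMPLES[sample_name])
    return re.search(pattern, value, re.IGNORECASE) is not None


def report():
    """Map each rule to the sorted list of samples it would block."""
    return {rule: sorted(s for s in SAMPLES if blocked(rule, s))
            for rule in RULES}


if __name__ == "__main__":
    for rule, hits in report().items():
        print(f"{rule:10s} blocks: {hits}")
```

Both THE_REQUEST variants still block at least one ordinary page request, while the rule scoped to the User-Agent header blocks only the sample that identifies itself as the Lynx browser.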