Re: [mod-security-users] Modsecurity and Console Issue
From: Russ L. <rl...@nc...> - 2007-04-20 14:00:00
Yes I do. I configured the load balancer to pass the public IP via the NS_FORWARD header. Then I recompiled mod_extracted2 to watch for the NS_FORWARD header. This works, and Apache sees the public IP address, as per the ModSecurity log below as well as the Apache access logs.

-----Original Message-----
From: Ivan Ristic [mailto:iva...@gm...]
Sent: Friday, April 20, 2007 8:56 AM
To: Russ Lavoie
Cc: Ryan Barnett; mod...@li...
Subject: Re: [mod-security-users] Modsecurity and Console Issue

Judging from your initial email, you have a non-transparent load balancer in front of your web server. The IP address seen by the web server is that of the load balancer. Do you have any reason to expect the web server to see the real IP address? For example, do you have some sort of an Apache module installed to fake the real IP address on the web server level?

On 4/20/07, Russ Lavoie <rl...@nc...> wrote:
> Oops, I forgot to give you a part of the error showing that ModSecurity sees the external IP. But the console says it is the load balancer's IP. Where is it getting this crazy information?
>
> [Fri Apr 20 04:12:58 2007] [error] [client 194.138.39.56] ModSecurity: Access denied with code 404 (phase 2). Pattern match "(?:\\\\b(?:m(?:ozilla\\\\/4\\\\.0 \\\\(compatible\\\\)|etis)|webtrends security analyzer|pmafind)\\\\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\\\\.nasl)" at REQUEST_HEADERS:User-Agent. [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [hostname "www.guildwars.com"] [uri "/home/dir/something.xml?random=1177056778203"] [unique_id "4yeKBKwegU0AAD5djM0AAAAK"]
>
> Thanks!
>
> ________________________________
> From: Ryan Barnett [mailto:Ryan.Barnett@Breach.com]
> Sent: Thursday, April 19, 2007 6:28 PM
> To: Russ Lavoie; mod...@li...; Ivan Ristic
> Subject: RE: [mod-security-users] Modsecurity and Console Issue
>
> Russ,
>
> Your load balancing devices seem to not be transparently passing traffic, but rather are proxying it. This means that it is re-writing the requests, so the web server that is receiving the request (with ModSecurity installed) is seeing the load balancer's IP.
>
> If you cannot get the LB reconfigured to keep the real source IP, then I would recommend that you update your Apache logging directive to use the value from the NS_FORWARD request header in place of the "%h" token value that is normally the remote hostname or IP. Try this -
>
> LogFormat "\"%{NS_FORWARD}i\" %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
>
> This should fix the IP address issues within the ModSecurity audit log files that are being sent to the Console. I did not get a chance to test this out, so let me know if it works.
>
> --
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Application Security Training
> Web Application Security Consortium (WASC) Member
> Author: Preventing Web Attacks with Apache
>
> ________________________________
> From: mod...@li... [mailto:mod...@li...] On Behalf Of Russ Lavoie
> Sent: Thursday, April 19, 2007 12:44 PM
> To: mod...@li...; Ivan Ristic
> Subject: [mod-security-users] Modsecurity and Console Issue
>
> Hello All,
>
> Running Apache 2.2.4 and ModSecurity 2.1.1 with the core ruleset.
>
> ModSecurity Console is reporting my load balancing devices as the remote IP (private IP range). BUT, inside the alert the hit has the actual public IP of the person hitting the site. Is there something I can do here?
>
> Below is an example:
>
> This is the console hit list.
>
> 2007-04-19 15:33:11 172.30.35.26 (THIS IS MY LOAD BALANCING DEVICE) PORT: 22532 HOSTNAME: domain.com METHOD: GET URI: /_vti_bin/owssvr.dll
> URL file extension is restricted by policy
>
> This is inside the hit.
>
> GET /_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=4518&STRMVER=4&CAPREQ=0 HTTP/1.1
> Accept: */*
> X-Vermeer-Content-Type: application/octet-stream
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
> Host: domain.com
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie: __utmc=45631794; __utma=45631794.777472214.1172694132.1177005191.1177010152.100; __utmz=45631794.1172694132.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=45631794
> NS_FORWARD: 82.9.67.163 (ACTUAL IP)
>
> Why is it reporting the wrong IP on the initial page in the console? This is making it pretty rough for me.
>
> Thanks!

--
Ivan Ristic
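Both fixes discussed in the thread (the recompiled module and the LogFormat using %{NS_FORWARD}i) amount to trusting a header that the load balancer inserts. The following is an added example, not code from the thread or from ModSecurity, showing how a log-processing script should resolve the reporting address: honour NS_FORWARD only when the TCP peer is one of your own load balancers, and keep the peer address otherwise, since any client can send a header by that name on a direct connection. The header name and 172.30.35.26 come from the thread; the trusted-proxy network, the parse_headers/client_ip helpers and the sample request are constructed assumptions.

```python
import ipaddress
from typing import Iterable

# Header inserted by the load balancer in the thread; other proxies use
# X-Forwarded-For, so keep the name configurable.
FORWARD_HEADER = "NS_FORWARD"

# Load balancers that sit in front of the web server. 172.30.35.26 is the device
# named in the thread; the surrounding /24 is a constructed assumption.
TRUSTED_PROXIES = [ipaddress.ip_network("172.30.35.0/24")]


def parse_headers(raw_request: str) -> dict:
    """Split the request section of an audit-log entry into a header dict.
    The first line is the request line; header names are case-insensitive."""
    headers = {}
    for line in raw_request.strip().splitlines()[1:]:
        if ":" not in line:
            continue  # not a header line (e.g. wrapped junk)
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def client_ip(peer_ip: str, headers: dict,
              trusted: Iterable = TRUSTED_PROXIES) -> str:
    """Return the address to report for this hit.

    The forwarded header is used only when the TCP peer is one of our own load
    balancers; a request arriving directly or via an unknown proxy could carry
    any value in that header, so its peer address is kept.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return peer_ip
    forwarded = headers.get(FORWARD_HEADER.lower())
    if not forwarded:
        return peer_ip
    # A proxy chain may yield "client, proxy1"; the first entry is the client.
    candidate = forwarded.split(",")[0].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip  # malformed header value: do not trust it
    return candidate


# Constructed sample modelled on the request quoted in the thread.
SAMPLE_REQUEST = """GET /_vti_bin/owssvr.dll?UL=1&ACT=4 HTTP/1.1
Accept: */*
Host: domain.com
NS_FORWARD: 82.9.67.163
"""
```

Calling `client_ip("172.30.35.26", parse_headers(SAMPLE_REQUEST))` yields the real client, while the same headers seen from a peer outside the trusted range yield that peer's own address.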