mod-security-users Mailing List for ModSecurity (Page 21)
From: Madden, J. <Joe...@mo...> - 2020-06-11 13:44:54
|
Hi all,

I've had to disable the following rules in order to get a payload to process in a reasonable amount of time.
It's an XML payload of up to 20 MB in size. These are the rules which cause the processing time to go from around 30 seconds to 772 seconds:

# Disables checking for Windows command injection
SecRuleRemoveById 932110
#Removes unix command injection filtering
SecRuleRemoveById 932100
#Removes unix command injection filtering 2
#SecRuleRemoveById 932105
#removes unix remote code execution
#SecRuleRemoveById 932150
#Disables Oracle WebLogic Remote Command Execution exploit
#SecRuleRemoveById 932115
#Disables PHPIDS - Converted SQLI Filters - Not required
#SecRuleRemoveById 942230
#Disables PHPIDS - Converted SQLI Filters - Not required
#SecRuleRemoveById 942190
#Disables HTTP Response Splitting - Not Required
#SecRuleRemoveById 921120
# Disables Sources for SQL ALTER statements
#SecRuleRemoveById 942360
#Disables XSS Filters - Category 3 - Not required
#SecRuleRemoveById 941130
#Disables XSS [NoScript InjectionChecker] Attributes injection - Not required
#SecRuleRemoveById 941170
#Disables XSS vectors making use of event handlers like onerror, onload
#SecRuleRemoveById 941120

I'll have timings by the end of the day for which rules take the longest, but for example, does anyone have any recommendations about this? We'd like to leave the Unix RCE and command filters on, as this is what our platform is.

Thanks
Joe.
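A narrower way to get the same speed-up, as an added example that is not from the post, from CRS or from the ModSecurity project: instead of removing 932100 and 932110 for every request, stop them walking the parsed XML tree (the XML:/* target, which is where the cost on a 20 MB document comes from) while they keep inspecting ARGS, cookies and headers, or do the same thing for only the endpoint that receives the large documents. The path /api/xml, the rule id 10001 and the file placement are assumptions; the CRS rule ids and their XML:/* target are the real ones from CRS 3.x.

```apache
# Added example, not from the post. Two scoped alternatives to a global
# SecRuleRemoveById for CRS 932100 (Unix RCE) and 932110 (Windows RCE).
# Assumptions: the large XML documents arrive only at /api/xml (hypothetical
# path); rule id 10001 is unused; CRS 3.x, where both rules list XML:/* as a
# target.

# Option 1: keep both rules everywhere, but remove the parsed XML body from
# their target list. Query string, POST parameters, cookies and headers are
# still inspected on every request. Must be placed AFTER the CRS rules are
# included (e.g. in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf), because a
# rule has to exist before its target list can be edited.
SecRuleUpdateTargetById 932100 "!XML:/*"
SecRuleUpdateTargetById 932110 "!XML:/*"

# Option 2: same effect, but only for transactions hitting the XML endpoint.
# ctl: acts on the current transaction only, runs in phase 1 and therefore
# goes BEFORE the CRS include (REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
SecRule REQUEST_URI "@beginsWith /api/xml" \
    "id:10001,phase:1,pass,nolog,t:none,\
    ctl:ruleRemoveTargetById=932100;XML:/*,\
    ctl:ruleRemoveTargetById=932110;XML:/*"
```

Use one option, not both. After `apachectl configtest` and a reload, confirm the exclusion is really narrower than the original `SecRuleRemoveById`: a request to the same path with a command-injection probe in the query string should still raise 932100 in the audit log, while the large XML body no longer does.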
|
|
From: Madden, J. <Joe...@mo...> - 2020-06-11 13:40:15
|
Thanks all, we'll stick with 2.9.x for now.

Joe Madden
Systems Engineer
D 01412224666
joe...@mo...

-----Original Message-----
From: Ervin Hegedüs <ai...@gm...>
Sent: 10 June 2020 20:50
To: Madden, Joe via mod-security-users <mod...@li...>
Cc: mod...@ow...; Madden, Joe <Joe...@mo...>
Subject: Re: [mod-security-users] CentOS 8 Build moving modules to new server

hi Joe,

On Wed, Jun 10, 2020 at 03:15:46PM +0000, Madden, Joe via mod-security-users wrote:
> Hi All,
>
> I've managed to build modsecurity 3 and get it running on apache on a CentOS 8 system in our lab.

It's off topic, but just a very good piece of advice: *do not use* Apache with libmodsecurity3. It's in a very beta phase...

Regards,
a.
|
From: Christian F. <chr...@ne...> - 2020-06-10 20:26:20
|
Hey Tom,
Thanks for using my extended format.
I've long ago abandoned awstats, but the format is based on the idea that you
should be able to use it with tools like awstats out of the box. I do not know
if this still works, but if it does not, it's relatively simple to just cut
after the user-agent and end up with the original combined format (with the
so-called "logname" being replaced with the GEOIP country code - if you have
that configured; it's unfortunately not explained in the tutorials).
So I think you should get it to run one way or the other. If you do, please
report back.
Cheers,
Christian
On Wed, Jun 10, 2020 at 07:46:44PM +0000, Tom Misilo wrote:
> I was wondering if anyone has setup AWStats with the access log with a logformat similar to
> LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
> \"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
> %{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
> %I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
> %{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
> %{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended
>
> I had been following the tutorial located here https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/ that had this recommended LogFormat.
>
>
> Thanks,
> Tom
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
|
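The "cut after the user-agent" approach from the reply can also be done at log-writing time, as an added example that is not from the thread or from the netnea tutorial: keep the extended format for ModSecurity work and, in parallel, write a second file in the layout that tools expecting Apache's combined format already understand. The format name combined_geo and the file names are assumptions; the %{GEOIP_COUNTRY_CODE}e variable in the %l (logname) slot is the one the thread's format uses.

```apache
# Added example, not from the thread. Assumes the "extended" LogFormat from
# the thread is already defined and that mod_geoip (or equivalent) sets the
# GEOIP_COUNTRY_CODE environment variable; "combined_geo" and the file names
# are placeholders.

# Stock "combined" layout with only the %l field swapped for the GeoIP
# country code, exactly as the extended format does. Unlike the extended
# format it keeps Apache's default %t timestamp, so a parser configured for
# plain combined logs reads it without a custom definition.
LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined_geo

# Write both: the extended file carries the ModSecurity timings and anomaly
# scores for analysis, the combined one feeds awstats-style reporting.
CustomLog logs/access.log          extended
CustomLog logs/access.combined.log combined_geo
```

If mod_geoip is not loaded, %{GEOIP_COUNTRY_CODE}e is written as "-", which is also what a plain combined log carries in that position, so the second file stays parseable either way.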
|
From: Tom M. <tm...@ks...> - 2020-06-10 20:20:08
|
Hello,
I was wondering if anyone has setup AWStats with the access log with a logformat similar to
LogFormat "%h %{GEOIP_COUNTRY_CODE}e %u [%{%Y-%m-%d %H:%M:%S}t.%{usec_frac}t] \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" \"%{Content-Type}i\" %{remote}p %v %A %p %R \
%{BALANCER_WORKER_ROUTE}e %X \"%{cookie}n\" %{UNIQUE_ID}e %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%I %O %{ratio}n%% %D %{ModSecTimeIn}e %{ApplicationTime}e %{ModSecTimeOut}e \
%{ModSecAnomalyScoreInPLs}e %{ModSecAnomalyScoreOutPLs}e \
%{ModSecAnomalyScoreIn}e %{ModSecAnomalyScoreOut}e" extended
I had been following the tutorial located here https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/ that had this recommended LogFormat.
Thanks,
Tom
|
|
From: Ervin H. <ai...@gm...> - 2020-06-10 19:50:14
|
hi Joe,

On Wed, Jun 10, 2020 at 03:15:46PM +0000, Madden, Joe via mod-security-users wrote:
> Hi All,
>
> I've managed to build modsecurity 3 and get it running on apache on a CentOS 8 system in our lab.

It's off topic, but just a very good piece of advice: *do not use* Apache with libmodsecurity3. It's in a very beta phase...

Regards,
a.
|
From: Madden, J. <Joe...@mo...> - 2020-06-10 15:50:37
|
Hi All,

I've managed to build ModSecurity 3 and get it running on Apache on a CentOS 8 system in our lab.

Does anyone know if it's possible to move the modules from the server they were built on to the production system without having to rebuild them? We would fail a pen test for having the compilers on the system; this is the reason.

Is there a recommended way to do this?

Cheers
Joe.
|
From: Walter H. <mo...@sp...> - 2020-05-27 16:29:55
|
The OWASP ModSecurity Core Rule Set team is proud to announce release candidate 1 for the upcoming CRS v3.3.0 release.

The release candidate is available at:
• https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.tar.gz
• https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.zip

This release packages many changes, such as:
• New rule to detect LDAP injection
• New HTTP Splitting rule
• Block backup files ending with ~ in filename
• Detect ffuf, Semrush and WFuzz scanners
• Updated exclusion profiles for Nextcloud, WordPress and XenForo
• Improvements to many patterns to improve detection and lower false alarms

Important note: The format of the configuration setting allowed_request_content_type has been changed to be more in line with other variables. If you had manually changed this setting, then you need to update it. Please see the example rule 900220 in crs-setup.conf.example. If you didn't change this setting, you don't need to do anything.

Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements:
https://github.com/coreruleset/coreruleset/blob/v3.3.0-rc1/CHANGES

Our desire is to see the Core Rule Set project used as a baseline security feature, effectively protecting from OWASP Top 10 risks with few side effects. As such we attempt to cut down on false positives as much as possible in the default install. This RC therefore offers an opportunity for individuals to provide feedback and to report any issue they face with this release. We will then try and fix them for the upcoming full release.

Please use the CRS GitHub (https://github.com/coreruleset/coreruleset), our Slack channel (#coreruleset on owasp.slack.com), or the Core Rule Set mailing list to tell us about your experiences, including false positives or other issues with this release candidate. Our current timeline is to seek public feedback for the next two weeks, followed by an RC2 (if needed) and subsequently a release on June 16th.

We look forward to hearing your feedback!

Sincerely,
Walter Hop, release manager, on behalf of the Core Rule Set development team
|
From: Christian F. <chr...@ne...> - 2020-05-13 20:25:04
|
Dear all,

The OWASP ModSecurity Core Rule Set project has moved house. The project repository is no longer residing under the Trustwave SpiderLabs GitHub, but at https://github.com/coreruleset/coreruleset. Please update your bookmarks and local copies accordingly.

A blog post with some background and a link to our fabulous migration bot is at https://coreruleset.org/20200513/crs-repository-at-new-location/ (If you ever need to migrate a github, this is the script you want to use!)

Many thanks to Felipe Zipitría for the wonderful piece of work.

Best regards,
Christian Folini, on behalf of the CRS development team
--
https://coreruleset.org - Follow us on twitter via @CoreRuleSet
|
From: baptx <bap...@gm...> - 2020-04-29 14:12:13
|
If modsecurity-crs config files are commented out and not used, I can see this message in the file troubleshooting.log: "Could not set variable "IP.bf_counter" as the collection does not exist."

I also noticed that I have to remove the LocationMatch tag to log the 401 Unauthorized page in the file troubleshooting.log.

On Wed, 29 Apr 2020 at 12:21, baptx <bap...@gm...> wrote:
> Actually, the IP address was not blocked by the configuration I shared but by modsecurity-crs.
> If I disable modsecurity-crs config files in /etc/apache2/mods-enabled/security2.conf and keep only modsecurity config files, I can see that my configuration shared previously does not even block IP addresses at all, do you know why?
>
> On Tue, 28 Apr 2020 at 19:05, baptx <bap...@gm...> wrote:
>> Hello,
>>
>> I would like to block a user IP address after several failed login attempts on an Apache web server using HTTP authentication (Basic or Digest).
>> The configuration I am using should block an IP address after 3 errors (HTTP 401 Unauthorized response) but I can still try as many passwords as I want. If I try the correct password, I can see the HTTP 403 Forbidden error page. And if I press Ctrl+Shift+Del in Firefox to clear "Active Logins", I can continue the bruteforce again.
>> It looks like ModSecurity is only blocking the page behind the login but not an actual bruteforce. Is it a ModSecurity bug or a problem with my configuration?
>>
>> I have added the following configuration in /etc/modsecurity/modsecurity_custom_rules.conf, based on the "IP-Based Blocking" example of https://snippets.aktagon.com/snippets/563-brute-force-authentication-protection-with-modsecurity (replace /testpage with a path using HTTP authentication):
>>
>> <LocationMatch /testpage>
>>     # Uncomment to troubleshoot
>>     #SecDebugLogLevel 9
>>     #SecDebugLog /tmp/troubleshooting.log
>>
>>     # Enforce an existing IP address block
>>     SecRule IP:bf_block "@eq 1" \
>>         "id:1,phase:2,deny,\
>>         msg:'IP address blocked because of suspected brute-force attack'"
>>
>>     # Check that this is a GET
>>     SecRule REQUEST_METHOD "@streq GET" "id:2,phase:5,chain,t:none,nolog,pass"
>>         # AND Check for authentication failure and increment counters
>>         SecRule RESPONSE_STATUS "^401" \
>>             "setvar:IP.bf_counter=+1"
>>
>>     # Check for too many failures from a single IP address. Block for 10 minutes.
>>     SecRule IP:bf_counter "@ge 3" \
>>         "id:3,phase:5,pass,t:none, \
>>         setvar:IP.bf_block,\
>>         setvar:!IP.bf_counter,\
>>         expirevar:IP.bf_block=600"
>> </LocationMatch>
>>
>> Thanks.
>
|
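A version of this lockout that works without CRS loaded, as an added example that is not the poster's configuration nor the aktagon snippet: the "Could not set variable IP.bf_counter as the collection does not exist" line in troubleshooting.log means the persistent IP collection was never opened for the transaction. CRS does that in its 901 initialisation rules (which is why the address was blocked while CRS was on), and a stand-alone rule set has to do it itself with initcol. The enforcing rule is also moved to phase 1: ModSecurity 2.x runs phase 2 in Apache's fixups stage, after the authentication hooks, so a phase 2 deny can only fire once credentials have been accepted, which matches the "403 only with the correct password" symptom. The rule ids 10010-10013, the SecDataDir path and the /testpage location are assumptions.

```apache
# Added example, not the poster's config. Assumptions: /testpage is behind
# Basic or Digest auth, rule ids 10010-10013 are free, and the SecDataDir
# directory exists and is writable by the httpd user (persistent
# collections are stored there).
SecDataDir /var/cache/modsecurity

<LocationMatch /testpage>
    # 0. Open the persistent IP collection for this client. Without this,
    #    every setvar:ip.* below fails with "collection does not exist".
    SecAction "id:10010,phase:1,nolog,pass,t:none,initcol:ip=%{REMOTE_ADDR}"

    # 1. Enforce an existing block in phase 1, i.e. before Apache's auth
    #    hooks run, so a blocked client never gets to try another password.
    SecRule IP:bf_block "@eq 1" \
        "id:10011,phase:1,deny,status:403,log,t:none,\
        msg:'IP blocked after repeated 401s on /testpage'"

    # 2. Count every 401 from this client, whatever the method. Phase 5
    #    (logging) runs for error responses too. The counter itself expires,
    #    so three failures spread over a day do not add up.
    SecRule RESPONSE_STATUS "@streq 401" \
        "id:10012,phase:5,pass,nolog,t:none,\
        setvar:ip.bf_counter=+1,\
        expirevar:ip.bf_counter=300"

    # 3. Three failures inside the 5-minute window: block for 10 minutes and
    #    reset the counter. Runs after 10012 within the same phase.
    SecRule IP:bf_counter "@ge 3" \
        "id:10013,phase:5,pass,log,t:none,\
        msg:'Brute-force threshold reached, blocking client',\
        setvar:ip.bf_block=1,\
        setvar:!ip.bf_counter,\
        expirevar:ip.bf_block=600"
</LocationMatch>
```

To verify: three requests with a wrong password (for example with curl -u) should each return 401, and the fourth should return 403 even with the correct password until 600 seconds have passed. Two caveats: behind a load balancer or reverse proxy REMOTE_ADDR is the proxy's address, so key the collection on the real client address (e.g. the one mod_remoteip restores) or a single attacker locks everyone out; and a counter keyed on one address does nothing against a distributed attempt, so this complements rather than replaces rate limiting at the authentication backend.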
From: baptx <bap...@gm...> - 2020-04-29 10:22:09
|
Actually, the IP address was not blocked by the configuration I shared but by modsecurity-crs. If I disable modsecurity-crs config files in /etc/apache2/mods-enabled/security2.conf and keep only modsecurity config files, I can see that my configuration shared previously does not even block IP addresses at all, do you know why?

On Tue, 28 Apr 2020 at 19:05, baptx <bap...@gm...> wrote:
> Hello,
>
> I would like to block a user IP address after several failed login attempts on an Apache web server using HTTP authentication (Basic or Digest).
> The configuration I am using should block an IP address after 3 errors (HTTP 401 Unauthorized response) but I can still try as many passwords as I want. If I try the correct password, I can see the HTTP 403 Forbidden error page. And if I press Ctrl+Shift+Del in Firefox to clear "Active Logins", I can continue the bruteforce again.
> It looks like ModSecurity is only blocking the page behind the login but not an actual bruteforce. Is it a ModSecurity bug or a problem with my configuration?
>
> I have added the following configuration in /etc/modsecurity/modsecurity_custom_rules.conf, based on the "IP-Based Blocking" example of https://snippets.aktagon.com/snippets/563-brute-force-authentication-protection-with-modsecurity (replace /testpage with a path using HTTP authentication):
>
> <LocationMatch /testpage>
>     # Uncomment to troubleshoot
>     #SecDebugLogLevel 9
>     #SecDebugLog /tmp/troubleshooting.log
>
>     # Enforce an existing IP address block
>     SecRule IP:bf_block "@eq 1" \
>         "id:1,phase:2,deny,\
>         msg:'IP address blocked because of suspected brute-force attack'"
>
>     # Check that this is a GET
>     SecRule REQUEST_METHOD "@streq GET" "id:2,phase:5,chain,t:none,nolog,pass"
>         # AND Check for authentication failure and increment counters
>         SecRule RESPONSE_STATUS "^401" \
>             "setvar:IP.bf_counter=+1"
>
>     # Check for too many failures from a single IP address. Block for 10 minutes.
>     SecRule IP:bf_counter "@ge 3" \
>         "id:3,phase:5,pass,t:none, \
>         setvar:IP.bf_block,\
>         setvar:!IP.bf_counter,\
>         expirevar:IP.bf_block=600"
> </LocationMatch>
>
> Thanks.
|
From: baptx <bap...@gm...> - 2020-04-28 17:06:04
|
Hello,

I would like to block a user IP address after several failed login attempts on an Apache web server using HTTP authentication (Basic or Digest).
The configuration I am using should block an IP address after 3 errors (HTTP 401 Unauthorized response) but I can still try as many passwords as I want. If I try the correct password, I can see the HTTP 403 Forbidden error page. And if I press Ctrl+Shift+Del in Firefox to clear "Active Logins", I can continue the bruteforce again.
It looks like ModSecurity is only blocking the page behind the login but not an actual bruteforce. Is it a ModSecurity bug or a problem with my configuration?

I have added the following configuration in /etc/modsecurity/modsecurity_custom_rules.conf, based on the "IP-Based Blocking" example of https://snippets.aktagon.com/snippets/563-brute-force-authentication-protection-with-modsecurity (replace /testpage with a path using HTTP authentication):

<LocationMatch /testpage>
    # Uncomment to troubleshoot
    #SecDebugLogLevel 9
    #SecDebugLog /tmp/troubleshooting.log

    # Enforce an existing IP address block
    SecRule IP:bf_block "@eq 1" \
        "id:1,phase:2,deny,\
        msg:'IP address blocked because of suspected brute-force attack'"

    # Check that this is a GET
    SecRule REQUEST_METHOD "@streq GET" "id:2,phase:5,chain,t:none,nolog,pass"
        # AND Check for authentication failure and increment counters
        SecRule RESPONSE_STATUS "^401" \
            "setvar:IP.bf_counter=+1"

    # Check for too many failures from a single IP address. Block for 10 minutes.
    SecRule IP:bf_counter "@ge 3" \
        "id:3,phase:5,pass,t:none, \
        setvar:IP.bf_block,\
        setvar:!IP.bf_counter,\
        expirevar:IP.bf_block=600"
</LocationMatch>

Thanks.
|
From: Unsub S. <uns...@in...> - 2020-04-28 09:18:10
|
Hi,

I recently installed ModSecurity on Ubuntu 18.04.4 LTS following the usual instructions available at the following links; however this time around I have noticed that the ModSecurity audit logs are printing out some kind of hex code instead of the source and destination IP addresses in Section A of the log file. What could be the cause of this? The hex does not seem to be valid IPv4 addresses either.

https://github.com/SpiderLabs/ModSecurity/tree/v3/master
https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x#ubuntu-1504

Sample:
[28/Apr/2020:02:04:59 +0500] 1588021499 0x55a9de249950 49272 0x55a9c93bb0d0 443
[28/Apr/2020:02:05:00 +0500] 1588021500 0x55a9ec102e50 49272 0x55a9ec20a4b0 443
[28/Apr/2020:02:05:01 +0500] 1588021501 0x55a9d36b63e0 49272 0x55a9ed0e6ee0 443
[28/Apr/2020:02:05:01 +0500] 1588021501 0x55a9bcb8cb00 49272 0x55a9bd55f780 443

--
*Unsub Shafiq*
|
From: Monah B. <mon...@gm...> - 2020-04-18 13:20:28
|
Hi all,

Running modsecurity 2.9.3 and got the rules from "git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git". I noticed upgrade.py is missing, so what's the best way to get new rules? Should I run "git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git" in /tmp and then copy the new rules to my current rules folder?

Thanks
Monah
|
From: Blason R <bla...@gm...> - 2020-04-15 12:03:50
|
Thanks for the help dude!!

On Wed, Apr 15, 2020 at 4:59 PM Ervin Hegedüs <ai...@gm...> wrote:
> Hi Blason,
>
> first, please note that this is the mod-security-users mailing list. I think you're interested in CRS, which has its own list:
> https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project
>
> Anyway, to get any help for CRS, these are good places:
> https://coreruleset.org/installation/
> https://coreruleset.org/support/
>
> On Wed, Apr 15, 2020 at 04:11:32PM +0530, Blason R wrote:
>> Hi Folks,
>>
>> I would really appreciate it if someone can explain to me in a simpler manner about enabling PL levels in CRS 3.0? I mean
>>
>> I understood default installation is PL1?
>
> Yes. If you don't touch the crs-setup.conf, this line sets the default value:
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/rules/REQUEST-901-INITIALIZATION.conf
>
>> What are the rules activated with this then? I mean rules with a specific prefix?
>
> there isn't any specific prefix. You can check the rules in the rule files. There are some specific rules with id ...011/...012/.../.../..017/...018, which control which rules should be left out.
>
>> How do I switch to PL2?
>
> see the crs-setup.conf above.
>
>> Confused where are those settings to modify the paranoia levels?
>
> there is more good documentation about this topic, for example:
> https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/
>
> Hope this helps,
>
> a.
>
> nb: please don't continue this topic here.
|
From: Ervin H. <ai...@gm...> - 2020-04-15 11:25:55
|
Hi Blason,

first, please note that this is the mod-security-users mailing list. I think you're interested in CRS, which has its own list:
https://groups.google.com/a/owasp.org/forum/#!forum/modsecurity-core-rule-set-project

Anyway, to get any help for CRS, these are good places:
https://coreruleset.org/installation/
https://coreruleset.org/support/

On Wed, Apr 15, 2020 at 04:11:32PM +0530, Blason R wrote:
> Hi Folks,
>
> I would really appreciate it if someone can explain to me in a simpler manner about enabling PL levels in CRS 3.0? I mean
>
> I understood default installation is PL1?

Yes. If you don't touch the crs-setup.conf, this line sets the default value:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/rules/REQUEST-901-INITIALIZATION.conf

> What are the rules activated with this then? I mean rules with a specific prefix?

there isn't any specific prefix. You can check the rules in the rule files. There are some specific rules with id ...011/...012/.../.../..017/...018, which control which rules should be left out.

> How do I switch to PL2?

see the crs-setup.conf above.

> Confused where are those settings to modify the paranoia levels?

there is more good documentation about this topic, for example:
https://www.netnea.com/cms/apache-tutorial-7_including-modsecurity-core-rules/

Hope this helps,

a.

nb: please don't continue this topic here.
|
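How the paranoia level is actually switched in CRS 3.x, as an added example that is not part of the reply: the level is a transaction variable set by two SecActions in crs-setup.conf (both shipped commented out in crs-setup.conf.example, which is why an untouched install ends up at PL1 through the 901 initialisation rule Ervin links). The rule ids 900000/900001 and the tx.paranoia_level / tx.executing_paranoia_level names are CRS's own; the staged rollout is the part added here for illustration.

```apache
# Added example, not from the reply. These go in crs-setup.conf, which is
# included before REQUEST-901-INITIALIZATION.conf; the 901 rules only fill
# in the PL1 default when these variables are still unset.

# Blocking level: only rules tagged paranoia-level/1 add to the anomaly
# score that can lead to a block.
SecAction "id:900000,phase:1,nolog,pass,t:none,\
    setvar:tx.paranoia_level=1"

# Staged rollout (CRS 3.1 and later): also *execute* the PL2 rules, so their
# matches are written to the audit log (look for tag paranoia-level/2)
# without raising the blocking score. Run like this for a while, add
# exclusions for the false positives you see, then raise tx.paranoia_level
# to 2 and remove this override. The executing level must never be lower
# than the blocking level.
SecAction "id:900001,phase:1,nolog,pass,t:none,\
    setvar:tx.executing_paranoia_level=2"
```

The ...011 to ...018 rules Ervin mentions are the skip markers in each rule file that compare the current level against these two variables and jump over the rules for higher levels, which is why there is no per-rule switch to flip; the level variables are the switch.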
From: Blason R <bla...@gm...> - 2020-04-15 10:41:58
|
Hi Folks,

I would really appreciate it if someone can explain to me in a simpler manner about enabling PL levels in CRS 3.0? I mean

I understood default installation is PL1?
What are the rules activated with this then? I mean rules with a specific prefix?
How do I switch to PL2?
Confused where are those settings to modify the paranoia levels?

TIA
Blason R
|
From: Blason R <bla...@gm...> - 2020-04-14 04:14:05
|
Well with v2.9.0-RC1 it seems it supports loading content served by an HTTPS server.

On Mon, Apr 13, 2020 at 6:46 PM homesh joshi <ho...@gm...> wrote:
> Hi Blason,
>
> If you can keep an IP list in a txt file e.g. bad-ip.txt:
> cat bad-ip.txt
> 1.1.1.1
> 2.2.2.2
> .
> .
> n.n.n.n
>
> Then you can call this list in a modsec rule like the example below.
>
> SecRule REMOTE_ADDR "@ipMatchFromFile /file-path-for bad-ip.txt/bad-ip.txt" "id:6005,\
>     phase:request,log,\
>     msg:'Threat Intel',\
>     tag:'Local-bad-reputation',\
>     severity:'CRITICAL',\
>     maturity:'9',\
>     accuracy:'9',\
>     rev:'1',\
>     capture,\
>     drop"
>
> I have set the action as "drop", which will do a "tcp reset" and hence save my Apache sessions from getting filled up by these bad IPs.
>
> After every time you update the file you will need to reload / restart the Apache service.
>
> I am running this with Apache 2.4 and modsecurity 2.9.3 for the past 1 year without any issue.
>
> Hope this helps.
>
> Thanks,
> Homesh
>
> On Mon, Apr 13, 2020 at 4:38 PM Blason R <bla...@gm...> wrote:
>> Hi Folks,
>>
>> Wondering if we can consume any third party IP reputation list through modsec?
>> Just like we internally generate our own IP reputation list through honeypot and wanted to know if I can use that?
>>
>> TIA
>> Blason R
|
From: Reindl H. <h.r...@th...> - 2020-04-13 14:40:53
|
On 13.04.20 at 16:36, Blason R wrote:
> Thanks man and really appreciate your detailed response. However I am very much fine with Nginx but just starting with Modsec and need to build solid understanding.
>
> Any tips would be much appreciated :))

just don't insist on having modsec running on the proxy

modsec on the final destinations works like a charm for over 10 years here and you have config options you can't do on a reverse proxy anyways, like wrapping modsec options in <Directory>

> On Mon, Apr 13, 2020 at 7:54 PM homesh joshi <ho...@gm...> wrote:
>> Hi Blason,
>>
>> I have not used Nginx because as per the Modsec official site modsec 3.0 is not yet fully stable for Nginx. (https://modsecurity.org/download.html)
>> The Modsec 3.2.0 you are referring to is the Modsec CRS rule version. Your modsec version will be 3.0.X
>> I will suggest to use Apache 2.4 in reverse proxy with modsecurity 2.9.3, which is very stable.
>> You can configure modsecurity 2.9.3 to log in JSON format and send the logs to elasticsearch using filebeat and view it on Kibana. (Warning! managing ELK requires some good training and experience :) ) Consider adding kafka or redis to manage the spike in log volume (e.g. when someone runs a vulnerability scan on your web app, modsec will generate lots of logs)
>>
>> Below lines will be required in your config to log in JSON format.
>>
>> SecAuditLogParts ABEFHIJZ
>> SecAuditLogFormat JSON
>>
>> Hope this helps.
>>
>> Thanks,
>> Homesh
>>
>> On Mon, Apr 13, 2020 at 7:14 PM Blason R <bla...@gm...> wrote:
>>> That is a good idea Homesh and many thanks for the input. However I am using nginx as reverse proxy and just starting with modsecurity in reverse proxy.
>>>
>>> Just curious to know how are you analyzing the log files? ELK or any other?
>>>
>>> On Mon, Apr 13, 2020 at 6:56 PM homesh joshi <ho...@gm...> wrote:
>>>> Dear Blason,
>>>>
>>>> This is how I am using it with Apache 2.4 and modsec 2.9.3:
>>>>
>>>> SecGeoLookupDb /File-path-for-maxmind4.dat/maxmind4.dat
>>>> SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:28,drop,msg:'Geolocation Blocked'"
>>>>     SecRule GEO:COUNTRY_CODE "@pm PK CN PE"
>>>>
>>>> Yes with modsec 2.9 you need the db file in legacy dat format. On searching on google I found this third party URL where the maxmind db file in DAT format is available.
>>>>
>>>> https://dl.miyuru.lk/geoip/maxmind/city/maxmind4.dat.gz
>>>>
>>>> Hope this helps
>>>>
>>>> Thanks,
>>>> Homesh
>>>>
>>>> On Mon, Apr 13, 2020 at 6:15 PM Blason R <bla...@gm...> wrote:
>>>>> Hi Folks,
>>>>>
>>>>> Can someone please divert me to the documentation for configuring Geo blocking with CRS modsec rules? I tried downloading the maxmind db but
>>>>>
>>>>> 1. After the change of maxmind DB what is the way to download the maxmind GeoIP2 database? How can we enable scheduling as well?
>>>>> 2. Since default GeoIPv2 downloads in .mmdb format I guess nginx refuses to start
>>>>>
>>>>> Nginx 1.17.9
>>>>> Modsec 3.2.0
>>>>>
>>>>> TIA
>>>>> blason R
|
From: Blason R <bla...@gm...> - 2020-04-13 14:36:39
|
Thanks man and really appreciate your detailed response. However I am very much fine with Nginx but just starting with Modsec and need to build a solid understanding. Any tips would be much appreciated :))

On Mon, Apr 13, 2020 at 7:54 PM homesh joshi <ho...@gm...> wrote:

> Hi Blason,
>
> I have not used Nginx because as per Modsec official site modsec 3.0 is
> not yet fully stable for Nginx. ( https://modsecurity.org/download.html )
> The Modsec 3.2.0 you are referring to is the Modsec CRS rule version.
> Your modsec version will be 3.0.X
> I will suggest to use Apache 2.4 in reverse proxy with modsecurity 2.9.3
> which is very stable.
> You can configure modsecurity 2.9.3 to log in JSON format and send the
> logs to elasticsearch using filebeat and view it on Kibana. ( Warning !
> managing ELK requires some good training and experience :) ) Consider
> adding kafka or redis to manage the spike in log volume ( e.g. when someone
> runs a vulnerability scan on your web app, modsec will generate lots of logs)
>
> Below lines will be required in your config to log in JSON format.
>
> SecAuditLogParts ABEFHIJZ
> SecAuditLogFormat JSON
>
> Hope this helps.
>
> Thanks,
> Homesh
|
From: homesh j. <ho...@gm...> - 2020-04-13 14:21:38
|
Hi Blason,

I have not used Nginx because as per Modsec official site modsec 3.0 is not yet fully stable for Nginx. ( https://modsecurity.org/download.html )
The Modsec 3.2.0 you are referring to is the Modsec CRS rule version.
Your modsec version will be 3.0.X

I will suggest to use Apache 2.4 in reverse proxy with modsecurity 2.9.3 which is very stable.

You can configure modsecurity 2.9.3 to log in JSON format and send the logs to elasticsearch using filebeat and view it on Kibana. ( Warning ! managing ELK requires some good training and experience :) ) Consider adding kafka or redis to manage the spike in log volume ( e.g. when someone runs a vulnerability scan on your web app, modsec will generate lots of logs)

Below lines will be required in your config to log in JSON format.

SecAuditLogParts ABEFHIJZ
SecAuditLogFormat JSON

Hope this helps.

Thanks,
Homesh

On Mon, Apr 13, 2020 at 7:14 PM Blason R <bla...@gm...> wrote:

> That is a good idea Homesh and many thanks for the input. However I am using
> nginx as reverse proxy and just starting with modsecurity in reverse proxy.
>
> Just curious to know how are you analyzing the log files? ELK or any other?
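The JSON audit log Homesh describes above is what ends up in Elasticsearch, but the interesting fields (rule id, msg, severity, tags) are packed inside the free-text strings of `audit_data.messages` and have to be extracted before Kibana can filter on them. The script below is an added example, not code from this thread or from the ModSecurity project: it flattens one 2.9.x JSON audit record into the fields an analyst searches on. The record layout (`transaction` / `request` / `response` / `audit_data`) and the bracketed `[key "value"]` message syntax follow the 2.9 JSON audit log as I know it; treat the exact field names as an assumption and check them against your own log. `SAMPLE_AUDIT` is a constructed record.

```python
"""Flatten a ModSecurity 2.9 JSON audit-log record into searchable fields.

Added example. Field names follow the 2.9.x JSON audit log as assumed above;
SAMPLE_AUDIT is a constructed record, not a real capture.
"""
import json
import re

# Constructed sample record: one SQLi probe blocked by CRS anomaly scoring.
SAMPLE_AUDIT = r'''{"transaction":{"time":"13/Apr/2020:14:21:38 +0000",
"transaction_id":"XpRk3kAbCdEfGhIjKlMnOp","remote_address":"203.0.113.7",
"remote_port":51234,"local_address":"198.51.100.10","local_port":443},
"request":{"request_line":"GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1",
"headers":{"Host":"www.example.com","User-Agent":"sqlmap/1.4"}},
"response":{"protocol":"HTTP/1.1","status":403,"headers":{"Content-Type":"text/html"}},
"audit_data":{"messages":[
"Warning. detected SQLi using libinjection with fingerprint 's&1' [file \"/etc/modsecurity/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf\"] [line \"45\"] [id \"942100\"] [msg \"SQL Injection Attack Detected via libinjection\"] [data \"Matched Data: s&1 found within ARGS:id: 1' OR 1=1--\"] [severity \"CRITICAL\"] [ver \"OWASP_CRS/3.2.0\"] [tag \"application-multi\"] [tag \"attack-sqli\"]",
"Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file \"/etc/modsecurity/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"91\"] [id \"949110\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [severity \"CRITICAL\"] [tag \"application-multi\"] [tag \"anomaly-evaluation\"]"
],"handler":"proxy-server","engine_mode":"ENABLED"}}'''

# [key "value"] pairs; the value may contain backslash-escaped quotes.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# ModSecurity severities in syslog order, most severe first.
SEVERITY_ORDER = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
                  "WARNING", "NOTICE", "INFO", "DEBUG"]


def parse_message(text):
    """Split one audit message into its free-text summary, its [key "value"]
    fields and the list of tags (a message may carry several [tag ...])."""
    first = KV_RE.search(text)
    out = {"summary": text[:first.start()].rstrip() if first else text,
           "tags": []}
    for key, val in KV_RE.findall(text):
        val = val.replace('\\"', '"')
        if key == "tag":
            out["tags"].append(val)
        else:
            out[key] = val
    return out


def summarize(record_text):
    """Return the flattened view of one JSON audit record (one transaction).
    Missing sections are tolerated so one malformed record does not stop
    the whole shipper."""
    rec = json.loads(record_text)
    tx = rec.get("transaction", {})
    msgs = [parse_message(m)
            for m in rec.get("audit_data", {}).get("messages", [])]
    severities = [m["severity"] for m in msgs
                  if m.get("severity") in SEVERITY_ORDER]
    worst = min(severities, key=SEVERITY_ORDER.index) if severities else None
    return {
        "transaction_id": tx.get("transaction_id"),
        "client": tx.get("remote_address"),
        "request_line": rec.get("request", {}).get("request_line"),
        "status": rec.get("response", {}).get("status"),
        "rule_ids": [m["id"] for m in msgs if "id" in m],
        "worst_severity": worst,
        # the blocking rule's message starts with "Access denied"
        "blocked": any(m["summary"].startswith("Access denied") for m in msgs),
        "messages": msgs,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_AUDIT), indent=2))
```

Run it on one record per line from a serial audit log (or on each file of a concurrent log) and ship the flattened dict instead of the raw record. Before sending audit logs to a shared ELK cluster, decide which `SecAuditLogParts` you really want there: parts C (request body) and E (response body) carry user data, including credentials submitted in forms, and the log becomes a second copy of it that needs the same access controls as the application.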
|
From: Blason R <bla...@gm...> - 2020-04-13 13:41:28
|
That is a good idea Homesh and many thanks for the input. However I am using nginx as reverse proxy and just starting with modsecurity in reverse proxy.

Just curious to know how are you analyzing the log files? ELK or any other?

On Mon, Apr 13, 2020 at 6:56 PM homesh joshi <ho...@gm...> wrote:

> Dear Blason,
>
> This is how I am using it with Apache 2.4 and modsec 2.9.3
>
> SecGeoLookupDb /File-path-for-maxmind4.dat/maxmind4.dat
> SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:28,drop,msg:'Geolocation Blocked'"
> SecRule GEO:COUNTRY_CODE "@pm PK CN PE"
>
> Yes with modsec 2.9 you need the db file in legacy dat format.
> On searching it on google I found this third party URL where maxmind db
> file in DAT format is available.
>
> https://dl.miyuru.lk/geoip/maxmind/city/maxmind4.dat.gz
>
> Hope this helps
>
> Thanks,
> Homesh
|
From: homesh j. <ho...@gm...> - 2020-04-13 13:23:30
|
Dear Blason,

This is how I am using it with Apache 2.4 and modsec 2.9.3

SecGeoLookupDb /File-path-for-maxmind4.dat/maxmind4.dat
SecRule REMOTE_ADDR "@geoLookup" "phase:1,chain,id:28,drop,msg:'Geolocation Blocked'"
SecRule GEO:COUNTRY_CODE "@pm PK CN PE"

Yes with modsec 2.9 you need the db file in legacy dat format.
On searching it on google I found this third party URL where maxmind db file in DAT format is available.

https://dl.miyuru.lk/geoip/maxmind/city/maxmind4.dat.gz

Hope this helps

Thanks,
Homesh

On Mon, Apr 13, 2020 at 6:15 PM Blason R <bla...@gm...> wrote:

> Hi Folks,
>
> Can someone please divert me to the documentation for configuring Geo
> blocking with CRS modsec rules? I tried downloading the maxmind db but
>
> 1. After change of maxmind DB what is the way to download the maxmind
> GeoIP2 database? How can we enable scheduling as well?
> 2. Since default GeoIpv2 downloads in .mmdb format I guess nginx refuses to
> start
>
> Nginx 1.17.9
> Modsec 3.2.0
>
> TIA
> blason R
|
From: homesh j. <ho...@gm...> - 2020-04-13 13:14:24
|
Hi Blason,

If you can keep an IP list in a txt file e.g. bad-ip.txt

e.g.
cat bad-ip.txt
1.1.1.1
2.2.2.2
.
.
n.n.n.n

Then you can call this list in a modsec rule like the example mentioned below.

SecRule REMOTE_ADDR "@ipMatchFromFile /file-path-for bad-ip.txt/bad-ip.txt" "id:6005,\
    phase:request,log,\
    msg:'Threat Intel',\
    tag:'Local-bad-reputation',\
    severity:'CRITICAL',\
    maturity:'9',\
    accuracy:'9',\
    rev:'1',\
    capture,\
    drop"

I have set action as "drop" which will do "tcp reset" and hence save my Apache sessions from getting full by these bad IPs

After every time you update the file you will need to reload / restart the Apache service.

I am running this with Apache 2.4 and modsecurity 2.9.3 for the past 1 year without any issue.

Hope this helps.

Thanks,
Homesh

On Mon, Apr 13, 2020 at 4:38 PM Blason R <bla...@gm...> wrote:

> Hi Folks,
>
> Wondering if we can consume any third party IP reputation list through
> modsec?
> Just like we internally generate our own IP reputation list through
> honeypot and wanted to know if I can use that?
>
> TIA
> Blason R
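The `@ipMatchFromFile` setup above works as long as the file ModSecurity reads is clean: one address or CIDR per line, no duplicates, and nothing in it that would block the proxy's own backends. A honeypot export rarely arrives in that shape. The script below is an added example, not code from this thread or from ModSecurity, showing the sanitising step I would put between a raw feed and `bad-ip.txt`. It assumes the feed is plain text with one IP or CIDR per line (comments after `#`, junk lines possible) and that `@ipMatchFromFile` accepts one address or CIDR per line and ignores lines starting with `#`. `SAMPLE_FEED` is a constructed input using documentation ranges as stand-ins for attacker addresses; the output path is whatever your `SecRule` points at.

```python
"""Turn a raw honeypot feed into a safe list for ModSecurity's
@ipMatchFromFile operator.

Added example. SAMPLE_FEED is constructed; the list-file format
(one address/CIDR per line, '#' comments) is assumed as described above.
"""
import ipaddress
import os
import tempfile

# Ranges that must never end up in an edge blocklist, whatever the feed says:
# one poisoned line like 0.0.0.0/0 or 10.0.0.0/8 would cut off everyone or
# the proxy's own backends and health checks.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample export from a honeypot.
SAMPLE_FEED = """\
# honeypot export 2020-04-13
203.0.113.7
203.0.113.7          # duplicate
198.51.100.0/24
198.51.100.77        # already covered by the /24 above
10.0.0.5             # RFC1918, must be dropped
127.0.0.1            # loopback, must be dropped
0.0.0.0/0            # feed bug, would block everyone
not-an-ip
192.0.2.300          # invalid octet
2001:db8::1
"""


def _touches_protected(net):
    return any(net.version == p.version and net.overlaps(p) for p in NEVER_BLOCK)


def parse_feed(text):
    """Return de-duplicated, collapsed entries safe to hand to ModSecurity.
    Bad lines are skipped rather than aborting, so one typo in the feed
    cannot leave the proxy with an empty list."""
    keep = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        if _touches_protected(net):
            continue
        keep.add(net)
    v4 = ipaddress.collapse_addresses([n for n in keep if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in keep if n.version == 6])
    # single hosts as plain addresses, everything else in CIDR form
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in list(v4) + list(v6)]


def render(entries, source="honeypot"):
    header = f"# generated from {source}; {len(entries)} entries; do not edit by hand\n"
    return header + "".join(e + "\n" for e in entries)


def write_list(path, entries):
    """Write atomically so ModSecurity only ever sees the old or the new file,
    never a half-written one. Returns the number of entries written."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".bad-ip.")
    with os.fdopen(fd, "w") as f:
        f.write(render(entries))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return len(entries)


if __name__ == "__main__":
    import sys
    feed = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FEED
    out = sys.argv[1] if len(sys.argv) > 1 else "bad-ip.txt"
    print(f"wrote {write_list(out, parse_feed(feed))} entries to {out}")
```

Run it from the same cron job that fetches the feed, then reload Apache (a graceful restart is enough) as Homesh notes, since the file is read at configuration time. One more check before trusting `REMOTE_ADDR` at all: if a load balancer or CDN sits in front of the proxy, `REMOTE_ADDR` is that device's address and the rule will either never match or block everyone; the real client address then has to be restored (for Apache, mod_remoteip) before this rule runs.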
|
From: Reindl H. <h.r...@th...> - 2020-04-13 12:55:04
|
On 13.04.20 at 14:19, Blason R wrote:
> Hi there,
>
> Sorry for the confusion. What I mean about third party is; I saw modsec
> can only consume rbl but since we are running our own honeypot we are
> generating our own feeds and wanted to know if those can be consumed
> instead of default one.
>
> Since I am pretty novice my apology for any confusion.

there is nothing like "default one"

https://www.corpit.ru/mjt/rbldnsd.html

systemctl status rbldnsd.service
● rbldnsd.service - DNSBL/DNSWL Daemon
   Loaded: loaded (/etc/systemd/system/rbldnsd.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/rbldnsd.service.d
           └─ordering.conf
   Active: active (running) since Tue 2020-04-07 18:14:31 CEST; 5 days ago
 Main PID: 601 (rbldnsd)
    Tasks: 1 (limit: 512)
   Memory: 21.8M
      CPU: 54.016s
   CGroup: /system.slice/rbldnsd.service
           └─601 /usr/sbin/rbldnsd -f -n -r/var/lib/rbldnsd -c 90s -t 60:60:7200 -e -v -a -q -4 -b 127.0.0.1/153 uribl.example.com:dnset:uribl.example.com dnsbl.example.com:ip4set:dnsbl.example.com dnsbl-modsecurity.example.com:ip4set:dnsbl-modsecurity.example.com dnswl-aggregate.example.com:ip4set:dnswl-aggregate.example.com dnswl.example.com:ip4set:dnswl.example.com dnswl-high.example.com:ip4set:dnswl-high.example.com dnswl-medium.example.com:ip4set:dnswl-medium.example.com dnswl-low.example.com:ip4set:dnswl-low.example.com dnswl-untrusted.example.com:ip4set:dnswl-untrusted.example.com dnsbl-ix.example.com:ip4set:dnsbl-ix.example.com dnsbl-backscatterer.example.com:ip4set:dnsbl-backscatterer.example.com dnswl-whitelisted-org.example.com:ip4set:dnswl-whitelisted-org.example.com dnsbl-uce.example.com:ip4set:dnsbl-uce.example.com dnsbl-uce-2.example.com:ip4set:dnsbl-uce-2.example.com dnsbl-surriel.example.com:ip4set:dnsbl-surriel.example.com

Apr 13 14:46:01 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl-modsecurity.example.com: 20200413 124402: e32/24/16/8=6465/0/0/0
Apr 13 14:46:01 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl-ix.example.com: 20200413 124104: e32/24/16/8=2275/0/0/0
Apr 13 14:46:01 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl-uce.example.com: 20200413 124005: e32/24/16/8=211593/0/17/1
Apr 13 14:46:01 localhost rbldnsd[601]: rbldnsd: zones reloaded, time 0.2e/0.2u sec, mem arena=13600 free=6396 mmap=5976 Kb
Apr 13 14:50:31 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl.example.com: 20200413 124902: e32/24/16/8=30993/0/0/0
Apr 13 14:50:31 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl-modsecurity.example.com: 20200413 124902: e32/24/16/8=6491/0/0/0
Apr 13 14:50:31 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl-ix.example.com: 20200413 124704: e32/24/16/8=2320/0/0/0
Apr 13 14:50:31 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl-uce.example.com: 20200413 124504: e32/24/16/8=211593/0/17/1
Apr 13 14:50:31 localhost rbldnsd[601]: rbldnsd: ip4set:dnsbl-surriel.example.com: 20200413 124706: e32/24/16/8=17146/0/0/0
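Reindl's setup above serves his own feeds as DNS zones through a local rbldnsd, which is the mechanism a ModSecurity `@rbl` rule (for example `SecRule REMOTE_ADDR "@rbl dnsbl-modsecurity.example.com" "id:...,phase:1,drop"`) queries. The code below is an added example, not code from the thread, from rbldnsd or from ModSecurity: it shows what that lookup actually does (reverse the client address, append the zone, treat an answer inside 127.0.0.0/8 as "listed") and how an allow-list zone and a resolver outage should be handled. Zone names reuse the example.com placeholders from the systemctl output; the resolver is a constructed in-memory table so the example runs offline, where a real deployment would query the system resolver.

```python
"""DNSBL/DNSWL lookup as used by ModSecurity's @rbl operator and served
by rbldnsd zones.

Added example. Zone names are placeholders; FAKE_ZONES and the two resolver
functions are constructed so this runs without network access.
"""
import ipaddress

# Any A answer inside 127.0.0.0/8 means "listed"; the last octet is the
# list's own reason code. Anything else (e.g. a wildcard answer from a
# hijacked resolver) must not count as a hit.
LISTED = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name to resolve: reversed octets (v4) or reversed nibbles
    (v6) of the client address, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{rev}.{zone}"


def listed_in(ip, zone, resolve):
    """Return the reason-code answer if ip is listed in zone, else None.
    resolve(name) returns a list of A-record strings and raises OSError on
    resolver failure."""
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.ip_address(answer) in LISTED:
            return answer
    return None


def decide(ip, resolve,
           allow_zones=("dnswl-high.example.com",),
           block_zones=("dnsbl-modsecurity.example.com", "dnsbl.example.com")):
    """'allow' if an allow-list zone knows the address, 'drop' if a block-list
    zone does, else 'pass'. Allow-lists are consulted first so a partner or
    monitoring address listed by mistake is not cut off. Resolver errors fail
    open ('pass'): a DNSBL outage must degrade to no blocking, not to a
    self-inflicted denial of service."""
    try:
        for zone in allow_zones:
            if listed_in(ip, zone, resolve):
                return "allow"
        for zone in block_zones:
            if listed_in(ip, zone, resolve):
                return "drop"
    except OSError:
        return "pass"
    return "pass"


# Constructed zone contents standing in for rbldnsd's ip4set files.
FAKE_ZONES = {
    dnsbl_query_name("203.0.113.7", "dnsbl-modsecurity.example.com"): ["127.0.0.2"],
    dnsbl_query_name("203.0.113.9", "dnsbl.example.com"): ["127.0.0.2"],
    dnsbl_query_name("203.0.113.9", "dnswl-high.example.com"): ["127.0.0.3"],
}


def fake_resolve(name):
    return FAKE_ZONES.get(name, [])


def broken_resolve(name):
    raise OSError("resolver timeout")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.9", "203.0.113.10"):
        print(ip, dnsbl_query_name(ip, "dnsbl.example.com"),
              decide(ip, fake_resolve))
```

Two operational points follow from the code: every `@rbl` rule costs a DNS round trip per request, which is why running rbldnsd on 127.0.0.1 as above (and ideally a caching resolver in front of it) matters for latency under a scan; and the resolver used for these lookups must be one you control, since whoever answers the query decides which clients get dropped.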
|
From: Blason R <bla...@gm...> - 2020-04-13 12:41:26
|
Hi Folks,

Can someone please divert me to the documentation for configuring Geo blocking with CRS modsec rules? I tried downloading the maxmind db but

1. After change of maxmind DB what is the way to download the maxmind GeoIP2 database? How can we enable scheduling as well?
2. Since default GeoIpv2 downloads in .mmdb format I guess nginx refuses to start

Nginx 1.17.9
Modsec 3.2.0

TIA
blason R