mod-security-users Mailing List for ModSecurity (Page 38)
From: Luciano G. F. <luc...@gm...> - 2018-12-07 12:18:08
|
Already tried that, but still the same message in the debug log. Anyway, I'm
behind Cloudflare so I need to access that var (that contains the real IP)
from the header. Moreover, I tried with the global collection and had the same
luck. Am I missing some initialization step in modsec?
Thanks.
On Fri, 7 Dec 2018 00:56, Scheblein, Adam <ada...@ma...>
wrote:
> I had a similar problem. You need to initialize the collection with
> something like this:
>
> SecAction id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}
>
> *From: *Luciano Guillermo Fantuzzi <luc...@gm...>
> *Reply-To: *"mod...@li..." <mod...@li...>
> *Date: *Thursday, December 6, 2018 at 8:51 PM
> *To: *"mod...@li..." <mod...@li...>
> *Subject: *Re: [mod-security-users] How to limit access rate by header?
>
> I'm very frustrated... I can't make it work, even for IP control. What am
> I doing wrong here? It always returns:
>
> Could not set variable "IP.access_count" as the collection does not exist.
>
> <LocationMatch "^/.*">
>     SecRule REQUEST_HEADERS:CF-Connecting-IP "@unconditionalMatch" \
>         "phase:2,initcol:IP=%{MATCHED_VAR},pass,nolog,id:35003"
>     SecRule IP:ACCESS_COUNT "@gt 1" \
>         "phase:2,pause:300,deny,status:503,setenv:RATELIMITED,skip:1,nolog,id:35004"
>     SecAction "phase:2,setvar:IP.access_count=+1,pass,nolog,id:35005"
>     SecAction "phase:5,deprecatevar:IP.access_count=1/10,pass,nolog,id:35006"
>     Header always set Retry-After "10" env=RATELIMITED
> </LocationMatch>
>
> ErrorDocument 503 "Service Unavailable"
>
> On Thu, 6 Dec 2018 at 20:38, Luciano Guillermo Fantuzzi (
> luc...@gm...) wrote:
>
> Thank you for your answer, Christian. Do you think it's possible for you
> to just build the first part of the rule (in Modsec)? I'm trying but I'm
> not understanding how variables work with the global scope. I was able
> to build some basic rules like:
>
> # Banned Bots and Crawlers
> SecRule REQUEST_HEADERS:User-Agent "@pmFromFile blacklist-bots.data" \
>     "id:350001,phase:1,t:none,deny,log,msg:'BANNED BOT'"
>
> # Specific IPs
> SecRule REMOTE_ADDR "@pmFromFile blacklist-ip.data" \
>     "id:350002,phase:1,t:none,deny,log,msg:'BANNED IP'"
>
> I'm trying to understand examples from stackoverflow and different places,
> but they are all intended to limit by IP and for specific resources (the
> scope of the rule). E.g.:
> https://gist.github.com/josnidhin/91d1ea9cd71fde386c27a9228476834e
>
> I'm not asking for the entire rule, just an example of how var counters
> work in the global scope (directly in /etc/modsecurity/modsecurity.conf)
> and how I can connect them to sum by header instead of IP.
>
> Thank you!
>
> On Thu, 6 Dec 2018 at 10:30, Christian Folini (
> chr...@ne...) wrote:
>
> Hello Luciano,
>
> You have a peculiar use case, but I see your thinking.
>
> There are examples in the ModSecurity books that are really close to your
> plan. They should be easy to adopt.
>
> Other than that, you may want to look into mod_qos. It has functionality
> that might be useful in your case.
>
> Best,
>
> Christian
>
> On Wed, Dec 05, 2018 at 06:26:03PM -0300, Luciano Guillermo Fantuzzi wrote:
> > Thank you for your answer, but maybe I'm not asking it the right way or
> > this is not the right place to ask(?).
> >
> > I need a Modsecurity rule (I'm using it through Apache) to be able to
> > control hits from clients with a specific header, like
> > "facebookexternalhit/1.1".
> > I.e. to stop some aggressive bots hitting my webservers too often and
> > taking them down eventually. I don't want to block them at all because I
> > need some of them (like the Facebook bot to parse shared content), but I
> > need a way to tell them "stop, retry in some seconds".
> >
> > Thanks.
> >
> > On Wed, 5 Dec 2018 at 16:16, Reindl Harald (
> > h.r...@th...) wrote:
> >
> > > On 05.12.18 at 16:57 Luciano Guillermo Fantuzzi wrote:
> > > > First of all, I'm new here so I'm not sure this is the right place
> > > > for asking for help (free modsec version). If it's not, I'll really
> > > > appreciate it if you can tell me where I should go.
> > > >
> > > > I'm trying to limit hit rate by:
> > > >
> > > > 1. Request's header (like "facebookexternalhit").
> > > > 2. (All hits to non static resources)
> > > >
> > > > And then return a friendly "429 Too Many Requests" and "Retry-After:
> > > > 3" (seconds).
> > > > I know I can read a file of headers like:
> > > >
> > > > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
> > > >
> > > > But I'm having trouble building the entire rule.
> > > >
> > > > Any help would be really appreciated. Thank you!
> > >
> > > this is a non-issue
> > >
> > > normally you have rate-limits per IP in place and they should not be
> > > within the application layer at all and in the best case not even on
> > > the same machine
> > >
> > > that below is from a firewall-vm on a complete /24 network before any
> > > packet reaches a server at all, and for the individual servers there are
> > > similar rules with lower values per 2 seconds in place
> > >
> > > when the request reaches the webserver the damage is long done and if no
> > > damage is done you are wasting expensive resources with the rules
> > >
> > > Chain INBOUND (2 references)
> > > pkts bytes target prot opt in out source destination
> > > 1914 183K IPST_ALL all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
> > > 149K 15M DROP_ALL all -- * * 0.0.0.0/0 0.0.0.0/0 recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
> > >
|
|
From: Scheblein, A. <ada...@ma...> - 2018-12-07 03:54:28
|
I had a similar problem. You need to initialize the collection with something like this:
SecAction id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}
|
|
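The rate limit the thread is after, keyed on the User-Agent token matched from a file rather than on the client address, as an added example that is not code from any of the posters or from the ModSecurity project. Assumed names: ratelimit-bots.txt with one token per line, rule ids 350010 to 350013, the SecDataDir path, and a budget of 10 hits decaying by one per second.

```apache
# Added example: rate limit by the User-Agent token matched from a file.
# Assumptions (not from the thread): ratelimit-bots.txt holds one token per
# line (e.g. "facebookexternalhit"), ids 350010-350013 are free, and
# /var/cache/modsecurity is writable by the Apache user.

# Persistent collections (initcol) need SecDataDir; if the collection cannot
# be opened, later setvar calls report that it does not exist.
SecDataDir /var/cache/modsecurity
SecCollectionTimeout 600

# 1. Match the bot token. "capture" with @pmFromFile stores the matched
#    phrase in TX:0; copy it to a named TX variable for the later rules.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt" \
    "id:350010,phase:1,pass,nolog,t:none,capture,setvar:tx.bot_key=%{TX.0}"

# 2. Open the persistent bucket keyed by the bot token instead of the client
#    address. The IP collection is reused as the bucket because it is a
#    predefined persistent collection in ModSecurity 2.x; the key can be any
#    string. The rule only runs when TX:bot_key exists, i.e. for listed bots,
#    so an unlisted client never triggers an initcol with an empty key.
SecRule TX:bot_key "@unconditionalMatch" \
    "id:350011,phase:1,pass,nolog,t:none,initcol:ip=%{tx.bot_key}"

# 3. Count this hit. deprecatevar takes one hit off the counter every
#    second, so a ceiling of 10 is roughly 10 requests per second for that
#    bot; expirevar drops an idle counter after 60 s. Guarded by TX:bot_key
#    so the setvar never runs against an uninitialised collection.
SecRule TX:bot_key "@unconditionalMatch" \
    "id:350012,phase:1,pass,nolog,t:none,\
    setvar:ip.bot_hits=+1,deprecatevar:ip.bot_hits=1/1,expirevar:ip.bot_hits=60"

# 4. Over budget: answer 429 and export an env var so Apache can attach
#    Retry-After. Logged on purpose so the event shows up in the audit log.
SecRule IP:bot_hits "@gt 10" \
    "id:350013,phase:1,deny,status:429,log,t:none,\
    msg:'Bot %{tx.bot_key} over rate limit',setenv:RATELIMITED=1"

Header always set Retry-After "3" env=RATELIMITED
ErrorDocument 429 "Too Many Requests"
```

Because the key is text the client chooses, this throttles only clients that present a listed token and complements rather than replaces the per-address limits Reindl describes.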
From: Luciano G. F. <luc...@gm...> - 2018-12-07 02:51:27
|
I'm very frustrated... I can't make it work, even for IP control. What am
I doing wrong here? It always returns:
Could not set variable "IP.access_count" as the collection does not exist.
<LocationMatch "^/.*">
    SecRule REQUEST_HEADERS:CF-Connecting-IP "@unconditionalMatch" \
        "phase:2,initcol:IP=%{MATCHED_VAR},pass,nolog,id:35003"
    SecRule IP:ACCESS_COUNT "@gt 1" \
        "phase:2,pause:300,deny,status:503,setenv:RATELIMITED,skip:1,nolog,id:35004"
    SecAction "phase:2,setvar:IP.access_count=+1,pass,nolog,id:35005"
    SecAction "phase:5,deprecatevar:IP.access_count=1/10,pass,nolog,id:35006"
    Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>

ErrorDocument 503 "Service Unavailable"
|
|
From: Luciano G. F. <luc...@gm...> - 2018-12-06 23:39:07
|
Thank you for your answer, Christian. Do you think it's possible for you to
just build the first part of the rule (in Modsec)? I'm trying but I'm not
understanding how variables work with the global scope. I was able to
build some basic rules like:
# Banned Bots and Crawlers
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile blacklist-bots.data" \
"id:350001,phase:1,t:none,deny,log,msg:'BANNED BOT'"
# Specific IPs
SecRule REMOTE_ADDR "@pmFromFile blacklist-ip.data" \
"id:350002,phase:1,t:none,deny,log,msg:'BANNED IP'"
I'm trying to understand examples from stackoverflow and different places,
but they are all intended to limit by IP and for specific resources (the
scope of the rule). E.g.:
https://gist.github.com/josnidhin/91d1ea9cd71fde386c27a9228476834e
I'm not asking for the entire rule, just an example of how var counters
work in the global scope (directly in /etc/modsecurity/modsecurity.conf)
and how can I connect them to sum by header instead of IP.
Thank you!
On Thu, Dec 6, 2018 at 10:30, Christian Folini (chr...@ne...) wrote:
> Hello Luciano,
>
> You have a peculiar use case, but I see your thinking.
>
> There are examples in the ModSecurity books that are really close to your
> plan. They should be easy to adopt.
>
> Other than that, you may want to look into mod_qos. It has functionality
> that might be useful in your case.
>
> Best,
>
> Christian
>
>
> On Wed, Dec 05, 2018 at 06:26:03PM -0300, Luciano Guillermo Fantuzzi wrote:
> > Thank you for your answer, but maybe I'm not asking it the right way or
> > this is not the right place to ask(?).
> >
> > I need a Modsecurity rule (I'm using it through Apache) to be able to
> > control hits from clients with a specific header, like
> > "facebookexternalhit/1.1".
> > I.e. to stop some aggressive bots hitting too often my webservers and
> > taking them down eventually. I don't want to block them at all because I
> > need some of them (like Facebook bot to parse shared content), but I need
> > a way to tell them "stop, retry in some seconds".
> >
> > Thanks.
> >
> > On Wed, Dec 5, 2018 at 16:16, Reindl Harald (h.r...@th...) wrote:
> >
> > >
> > > On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
> > > > First of all, I'm new here so I'm not sure this is the right place
> > > > for asking for help (free modsec version). If it's not, I'll really
> > > > appreciate it if you can tell me where I should go.
> > > >
> > > > I'm trying to limit hit rate by:
> > > >
> > > > 1. Request's header (like "facebookexternalhit").
> > > > 2. (All hits to non static resources)
> > > >
> > > > And then return a friendly "429 Too Many Requests" and
> > > > "Retry-After: 3" (seconds).
> > > > I know I can read a file of headers like:
> > > >
> > > > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
> > > >
> > > > But I'm getting trouble building the entire rule.
> > > >
> > > > Any help would be really appreciated. Thank you!
> > >
> > > this is a non-issue
> > >
> > > normally you have rate-limits per IP in place and they should not be
> > > within the application layer at all and in the best case not even on
> > > the same machine
> > >
> > > that below is from a firewall-vm on a complete /24 network before any
> > > packet reaches a server at all, and for the individual servers are
> > > similar rules with lower values per 2 seconds in place
> > >
> > > when the request reaches the webserver damage is long done and if no
> > > damage is done you are wasting expensive resources with the rules
> > >
> > > Chain INBOUND (2 references)
> > >  pkts bytes target   prot opt in  out  source     destination
> > >  1914  183K IPST_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
> > >  149K   15M DROP_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
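An added example of the counter pattern Luciano asks about, written for this thread and not taken from any poster or from the ModSecurity project: it keys a persistent collection on the User-Agent value instead of REMOTE_ADDR, counts hits with setvar/expirevar, and answers 429 with a Retry-After header once the count passes a threshold. It assumes ModSecurity 2.x under Apache with mod_headers loaded, a configured SecDataDir (persistent collections need it), a ratelimit-bots.txt with one User-Agent phrase per line, and that rule ids 350010-350013 are unused; the threshold of 10 hits is a placeholder to tune.

```apache
# Added example (not from the original posts): throttle by User-Agent rather
# than by client IP. Assumes ModSecurity 2.x on Apache, mod_headers loaded,
# SecDataDir set, ratelimit-bots.txt with one phrase per line, and that rule
# ids 350010-350013 are free.

# 1. Requests whose User-Agent is not on the list skip the whole block.
SecRule REQUEST_HEADERS:User-Agent "!@pmFromFile ratelimit-bots.txt" \
    "id:350010,phase:1,pass,nolog,t:none,skipAfter:END_UA_RATELIMIT"

# 2. Open a persistent collection keyed on the User-Agent value. The "user"
#    collection is used so this does not collide with rule sets that already
#    initialise "ip" keyed on REMOTE_ADDR; the key, not the collection name,
#    decides which requests share a counter. SecDataDir is an SDBM store with
#    a limit of roughly 1 KB per key plus record, so unusually long User-Agent
#    values would need a shorter key.
SecAction "id:350011,phase:1,pass,nolog,initcol:user=%{REQUEST_HEADERS.User-Agent}"

# 3. Count the hit. expirevar re-arms a 3 s TTL on every increment, so the
#    counter clears 3 s after the last hit from that agent (not a fixed window).
SecAction "id:350012,phase:1,pass,nolog,setvar:user.ua_hits=+1,expirevar:user.ua_hits=3"

# 4. Past the threshold, answer 429 and mark the request so mod_headers adds
#    Retry-After to the error response. Non-disruptive actions (setenv) run
#    before the disruptive deny regardless of their position in the list.
SecRule USER:UA_HITS "@gt 10" \
    "id:350013,phase:1,t:none,deny,status:429,log,\
    msg:'Rate limit hit for User-Agent %{REQUEST_HEADERS.User-Agent}',\
    setenv:UA_RATELIMITED=1"
Header always set Retry-After "3" env=UA_RATELIMITED

SecMarker END_UA_RATELIMIT
```

Agents not listed in ratelimit-bots.txt never touch the collection, so the store only grows with the agents you chose to throttle.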
From: Christian F. <chr...@ne...> - 2018-12-06 13:28:20
Hello Luciano,

You have a peculiar use case, but I see your thinking.

There are examples in the ModSecurity books that are really close to your plan. They should be easy to adopt.

Other than that, you may want to look into mod_qos. It has functionality that might be useful in your case.

Best,

Christian

On Wed, Dec 05, 2018 at 06:26:03PM -0300, Luciano Guillermo Fantuzzi wrote:
> Thank you for your answer, but maybe I'm not asking it the right way or
> this is not the right place to ask(?).
>
> I need a Modsecurity rule (I'm using it through Apache) to be able to
> control hits from clients with a specific header, like
> "facebookexternalhit/1.1".
> I.e. to stop some aggressive bots hitting too often my webservers and
> taking them down eventually. I don't want to block them at all because I
> need some of them (like Facebook bot to parse shared content), but I need
> a way to tell them "stop, retry in some seconds".
>
> Thanks.
>
> On Wed, Dec 5, 2018 at 16:16, Reindl Harald (h.r...@th...) wrote:
>
> >
> > On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
> > > First of all, I'm new here so I'm not sure this is the right place
> > > for asking for help (free modsec version). If it's not, I'll really
> > > appreciate it if you can tell me where I should go.
> > >
> > > I'm trying to limit hit rate by:
> > >
> > > 1. Request's header (like "facebookexternalhit").
> > > 2. (All hits to non static resources)
> > >
> > > And then return a friendly "429 Too Many Requests" and
> > > "Retry-After: 3" (seconds).
> > > I know I can read a file of headers like:
> > >
> > > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
> > >
> > > But I'm getting trouble building the entire rule.
> > >
> > > Any help would be really appreciated. Thank you!
> >
> > this is a non-issue
> >
> > normally you have rate-limits per IP in place and they should not be
> > within the application layer at all and in the best case not even on
> > the same machine
> >
> > that below is from a firewall-vm on a complete /24 network before any
> > packet reaches a server at all, and for the individual servers are
> > similar rules with lower values per 2 seconds in place
> >
> > when the request reaches the webserver damage is long done and if no
> > damage is done you are wasting expensive resources with the rules
> >
> > Chain INBOUND (2 references)
> >  pkts bytes target   prot opt in  out  source     destination
> >  1914  183K IPST_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
> >  149K   15M DROP_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
From: Luciano G. F. <luc...@gm...> - 2018-12-05 21:26:54
Thank you for your answer, but maybe I'm not asking it the right way or this is not the right place to ask(?).

I need a Modsecurity rule (I'm using it through Apache) to be able to control hits from clients with a specific header, like "facebookexternalhit/1.1".
I.e. to stop some aggressive bots hitting too often my webservers and taking them down eventually. I don't want to block them at all because I need some of them (like Facebook bot to parse shared content), but I need a way to tell them "stop, retry in some seconds".

Thanks.

On Wed, Dec 5, 2018 at 16:16, Reindl Harald (h.r...@th...) wrote:
>
> On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
> > First of all, I'm new here so I'm not sure this is the right place for
> > asking for help (free modsec version). If it's not, I'll really
> > appreciate it if you can tell me where I should go.
> >
> > I'm trying to limit hit rate by:
> >
> > 1. Request's header (like "facebookexternalhit").
> > 2. (All hits to non static resources)
> >
> > And then return a friendly "429 Too Many Requests" and "Retry-After: 3"
> > (seconds).
> > I know I can read a file of headers like:
> >
> > SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
> >
> > But I'm getting trouble building the entire rule.
> >
> > Any help would be really appreciated. Thank you!
>
> this is a non-issue
>
> normally you have rate-limits per IP in place and they should not be
> within the application layer at all and in the best case not even on the
> same machine
>
> that below is from a firewall-vm on a complete /24 network before any
> packet reaches a server at all, and for the individual servers are
> similar rules with lower values per 2 seconds in place
>
> when the request reaches the webserver damage is long done and if no
> damage is done you are wasting expensive resources with the rules
>
> Chain INBOUND (2 references)
>  pkts bytes target   prot opt in  out  source     destination
>  1914  183K IPST_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
>  149K   15M DROP_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
From: Reindl H. <h.r...@th...> - 2018-12-05 19:14:02
On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
> First of all, I'm new here so I'm not sure this is the right place for
> asking for help (free modsec version). If it's not, I'll really
> appreciate it if you can tell me where I should go.
>
> I'm trying to limit hit rate by:
>
> 1. Request's header (like "facebookexternalhit").
> 2. (All hits to non static resources)
>
> And then return a friendly "429 Too Many Requests" and "Retry-After: 3"
> (seconds).
> I know I can read a file of headers like:
>
> SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
>
> But I'm getting trouble building the entire rule.
>
> Any help would be really appreciated. Thank you!

this is a non-issue

normally you have rate-limits per IP in place and they should not be within the application layer at all and in the best case not even on the same machine

that below is from a firewall-vm on a complete /24 network before any packet reaches a server at all, and for the individual servers are similar rules with lower values per 2 seconds in place

when the request reaches the webserver damage is long done and if no damage is done you are wasting expensive resources with the rules

Chain INBOUND (2 references)
 pkts bytes target   prot opt in  out  source     destination
 1914  183K IPST_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
 149K   15M DROP_ALL all  --  *   *    0.0.0.0/0  0.0.0.0/0  recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
From: Victor H. <VH...@tr...> - 2018-12-05 17:03:10
We are happy to announce ModSecurity version 2.9.3!

As previously announced, libModSecurity has reached official stable stage and has been released for almost a year now. Therefore, new features and major improvements will be implemented only on version 3.x. Security or *major* bugs are planned to be back ported.

Still, in an effort to keep our commitment with the community, 2.9.3 still contains a number of improvements in different areas. These include optimizations in the code, updating all dependencies, updating the embedded CRS version of the IIS build, clean ups, support for other architectures among other changes. In addition to these improvements, a few key issues were fixed including mpm-itk / mod_ruid2 compatibility which was a roadblock for some CPANEL ModSecurity users and many other improvements focused on improving performance, usability and code resilience.

POTENTIAL SECURITY ISSUES:
- Fix ip tree lookup on netmask content [@tinselcity]
- potential off by one in parse_arguments [@tinselcity]

The complete list of changes is available on our change logs:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.3

The source and binaries (and the respective hashes/signatures) are available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.3

The documentation for this release is available at:
- https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29

The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/2.x

As with every new release, a milestone was created to host all the issues that will be fixed till we reach the given milestone. With that, we not only give the community the full transparency of the work that is being done on ModSec, but also even more chances to participate. Milestones give the chance to anyone from the community to deduce when and what will be released. For instance the 2.9.4 milestone is in progress even before the 2.9.3 milestone is closed. Some of the active milestones from the ModSecurity project follow:
- milestone v2.9.3: https://github.com/SpiderLabs/ModSecurity/milestone/10
- milestone v2.9.4: https://github.com/SpiderLabs/ModSecurity/milestone/14

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on.
From: Luciano G. F. <luc...@gm...> - 2018-12-05 15:58:05
First of all, I'm new here so I'm not sure this is the right place for asking for help (free modsec version). If it's not, I'll really appreciate it if you can tell me where I should go.

I'm trying to limit hit rate by:

1. Request's header (like "facebookexternalhit").
2. (All hits to non static resources)

And then return a friendly "429 Too Many Requests" and "Retry-After: 3" (seconds).
I know I can read a file of headers like:

SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"

But I'm getting trouble building the entire rule.

Any help would be really appreciated. Thank you!
From: Mike L. <mi...@ne...> - 2018-12-05 06:38:47
The matter has been resolved by moving the problem website to a different folder... not sure why that matters... but it is now working.

-----Original Message-----
From: Christian Folini [mailto:chr...@ne...]
Sent: Wednesday, December 5, 2018 1:00 PM
To: mod...@li...
Subject: Re: [mod-security-users] NEWBIE to modsecurity... No error messaged BUT the wrong site is displayed.

Hey Mike,

Now should there be any log/error messages? Do you have any rules installed at all?

Also: The messages that you sent show an incompatibility problem with APR and PCRE. This is an issue and you should fix it.

Feeling lost, you may want to turn to the tutorials at https://netnea.com/apache-tutorials/

They provide you with a step by step introduction to ModSecurity. You do not need to follow the self-compilation approach of the tutorials. But the first examples will at least tell you what to expect in the log files.

Good luck,

Christian

On Wed, Dec 05, 2018 at 12:32:06PM +0800, Mike Lieberman wrote:
> I have an apache2 install and have had three virtual hosts running on
> the site successfully for over three years.
>
> I installed modsecurity on Linux Mint 18.3..
>
> THERE ARE NO error messages.
>
> my@FamilyServer /var/log/apache2 # apachectl -M | grep --color security
> security2_module (shared)
>
> The ModSecurity log shows no errors.
>
> The apache2 error log does show an error, but I had read it is not a
> problem. See log snippet below in this email.
>
> There are three virtual host config files... identical in
> sites-available and sites allowed.
>
> http requests for all three URLs "work," by that there are no error
> messages, no 403 or 404.
>
> Typing the URLs for two result in correct results.
>
> Typing in the URL for the third displays one of the other sites. This
> NEVER HAPPENED until modsecurity was installed.
>
> I am lost and don't even know where to look.
>
> [Wed Dec 05 11:31:38.000649 2018] [:notice] [pid 6194] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
> [Wed Dec 05 11:31:38.000852 2018] [:notice] [pid 6194] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.2"
> [Wed Dec 05 11:31:38.000864 2018] [:warn] [pid 6194] ModSecurity: Loaded APR do not match with compiled!
> [Wed Dec 05 11:31:38.000876 2018] [:notice] [pid 6194] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.41 2017-07-05"
> [Wed Dec 05 11:31:38.000901 2018] [:warn] [pid 6194] ModSecurity: Loaded PCRE do not match with compiled!
> [Wed Dec 05 11:31:38.000910 2018] [:notice] [pid 6194] ModSecurity: LUA compiled version="Lua 5.1"
> [Wed Dec 05 11:31:38.000919 2018] [:notice] [pid 6194] ModSecurity: YAJL compiled version="2.1.0"
> [Wed Dec 05 11:31:38.000928 2018] [:notice] [pid 6194] ModSecurity: LIBXML compiled version="2.9.2"
> [Wed Dec 05 11:31:38.001043 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call: "2.9.0,Apache/2.4.18 (Ubuntu),1.5.1/1.5.2,8.35/8.41 2017-07-05,Lua 5.1,2.9.2,139cd0575fbb1eb666d44f3080f7c68a40ce8da9"
> [Wed Dec 05 11:31:38.238158 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
> [Wed Dec 05 11:31:39.010423 2018] [mpm_prefork:notice] [pid 6195] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
> [Wed Dec 05 11:31:39.010518 2018] [core:notice] [pid 6195] AH00094: Command line: '/usr/sbin/apache2'
>
> Here are the contents of the two virtual host files which are at issue.
>
> <VirtualHost www.gensanexpat.org:80>
>     ServerAdmin mi...@ne...
>     ServerName www.gensanexpat.org
>     NameVirtualHost www.gensanexpat.org
>     ServerAlias gensanexpat.org
>     DocumentRoot /var/www/html/gensan
>     ErrorLog ${APACHE_LOG_DIR}/error.log
>     CustomLog ${APACHE_LOG_DIR}/gensan.log combined
> </VirtualHost>
>
> <VirtualHost www.netwright.net:80>
>     ServerAdmin mi...@ne...
>     ServerName www.netwright.net
>     NameVirtualHost www.netwright.net
>     ServerAlias netwright.net
>     DocumentRoot /var/www/html
>     ErrorLog ${APACHE_LOG_DIR}/error.log
>     CustomLog ${APACHE_LOG_DIR}/nw.log combined
> </VirtualHost>
>
> AND here is the contents of the nw.log file!
> my@FamilyServer /var/log/apache2 # cat nw.log
> 192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET / HTTP/1.1" 200 967 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 476 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET / HTTP/1.1" 200 966 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 475 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
>
> ===========================
> Michael "Mike" Lieberman | Blog: http://lieberman.blog.netwright.net:7080/
> Purok 13, Morales Subd.
> Brgy Mabuhay, General Santos City, 9500 Philippines
> See MAP: https://map.what3words.com/overexposed.pedestals.rakes
> Cell: +63 (917) 311-0674 (Voice and Text)
> LandLine: +63 (083) 887-2154 (Voice Only)
From: Mike L. <mi...@ne...> - 2018-12-05 05:34:23
Hi Christian,

This is a plain vanilla install. I have not set up any rules yet. I just wanted to get it installed and make sure all was running.

I checked on the PCRE issue and found this:

    We have run into the same issue. It is because we have installed php and apache from ppa.launchpad.net/ondrej/php/ubuntu repository and it comes with libpcre3 Version: 2:8.41-4+ubuntu16.04.1+deb.sury.org+1
    I don't know if PCRE 8.41 instead of 8.38 is a struggle for modsecurity, but it seems to work fine. As we can't downgrade PCRE, because of dependencies from PPA repository, we will go with this warning until we realize some real issues with modsecurity
    - Stephan Oct 27 at 10:00

I checked on the APR issue and found this from Apache:

    That does not matter/harm, no API change between APR 1.5.1 and 1.5.2.

The tutorial you mentioned is not how modsecurity installs in Ubuntu and Mint. Even simple things such as httpd.conf are different; it is replaced with /etc/apache2/apache2.conf. The packages are installed via apt and "make" and related issues are not dealt with. The dpkg process establishes user ownership and much else. To that extent, exactly where this tutorial fits in is unclear to me.

Still scratching my head.

Mike

-----Original Message-----
From: Christian Folini [mailto:chr...@ne...]
Sent: Wednesday, December 5, 2018 1:00 PM
To: mod...@li...
Subject: Re: [mod-security-users] NEWBIE to modsecurity... No error messaged BUT the wrong site is displayed.

Hey Mike,

Now should there be any log/error messages? Do you have any rules installed at all?

Also: The messages that you sent show an incompatibility problem with APR and PCRE. This is an issue and you should fix it.

Feeling lost, you may want to turn to the tutorials at https://netnea.com/apache-tutorials/

They provide you with a step by step introduction to ModSecurity. You do not need to follow the self-compilation approach of the tutorials. But the first examples will at least tell you what to expect in the log files.

Good luck,

Christian

On Wed, Dec 05, 2018 at 12:32:06PM +0800, Mike Lieberman wrote:
> I have an apache2 install and have had three virtual hosts running on
> the site successfully for over three years.
>
> I installed modsecurity on Linux Mint 18.3..
>
> THERE ARE NO error messages.
>
> my@FamilyServer /var/log/apache2 # apachectl -M | grep --color security
> security2_module (shared)
>
> The ModSecurity log shows no errors.
>
> The apache2 error log does show an error, but I had read it is not a
> problem. See log snippet below in this email.
>
> There are three virtual host config files... identical in
> sites-available and sites allowed.
>
> http requests for all three URLs "work," by that there are no error
> messages, no 403 or 404.
>
> Typing the URLs for two result in correct results.
>
> Typing in the URL for the third displays one of the other sites. This
> NEVER HAPPENED until modsecurity was installed.
>
> I am lost and don't even know where to look.
>
> [Wed Dec 05 11:31:38.000649 2018] [:notice] [pid 6194] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
> [Wed Dec 05 11:31:38.000852 2018] [:notice] [pid 6194] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.2"
> [Wed Dec 05 11:31:38.000864 2018] [:warn] [pid 6194] ModSecurity: Loaded APR do not match with compiled!
> [Wed Dec 05 11:31:38.000876 2018] [:notice] [pid 6194] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.41 2017-07-05"
> [Wed Dec 05 11:31:38.000901 2018] [:warn] [pid 6194] ModSecurity: Loaded PCRE do not match with compiled!
> [Wed Dec 05 11:31:38.000910 2018] [:notice] [pid 6194] ModSecurity: LUA compiled version="Lua 5.1"
> [Wed Dec 05 11:31:38.000919 2018] [:notice] [pid 6194] ModSecurity: YAJL compiled version="2.1.0"
> [Wed Dec 05 11:31:38.000928 2018] [:notice] [pid 6194] ModSecurity: LIBXML compiled version="2.9.2"
> [Wed Dec 05 11:31:38.001043 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call: "2.9.0,Apache/2.4.18 (Ubuntu),1.5.1/1.5.2,8.35/8.41 2017-07-05,Lua 5.1,2.9.2,139cd0575fbb1eb666d44f3080f7c68a40ce8da9"
> [Wed Dec 05 11:31:38.238158 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
> [Wed Dec 05 11:31:39.010423 2018] [mpm_prefork:notice] [pid 6195] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
> [Wed Dec 05 11:31:39.010518 2018] [core:notice] [pid 6195] AH00094: Command line: '/usr/sbin/apache2'
>
> Here are the contents of the two virtual host files which are at issue.
>
> <VirtualHost www.gensanexpat.org:80>
>     ServerAdmin mi...@ne...
>     ServerName www.gensanexpat.org
>     NameVirtualHost www.gensanexpat.org
>     ServerAlias gensanexpat.org
>     DocumentRoot /var/www/html/gensan
>     ErrorLog ${APACHE_LOG_DIR}/error.log
>     CustomLog ${APACHE_LOG_DIR}/gensan.log combined
> </VirtualHost>
>
> <VirtualHost www.netwright.net:80>
>     ServerAdmin mi...@ne...
>     ServerName www.netwright.net
>     NameVirtualHost www.netwright.net
>     ServerAlias netwright.net
>     DocumentRoot /var/www/html
>     ErrorLog ${APACHE_LOG_DIR}/error.log
>     CustomLog ${APACHE_LOG_DIR}/nw.log combined
> </VirtualHost>
>
> AND here is the contents of the nw.log file!
> my@FamilyServer /var/log/apache2 # cat nw.log
> 192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET / HTTP/1.1" 200 967 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 476 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET / HTTP/1.1" 200 966 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 475 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
>
> ===========================
> Michael "Mike" Lieberman | Blog: http://lieberman.blog.netwright.net:7080/
> Purok 13, Morales Subd.
> Brgy Mabuhay, General Santos City, 9500 Philippines
> See MAP: https://map.what3words.com/overexposed.pedestals.rakes
> Cell: +63 (917) 311-0674 (Voice and Text)
> LandLine: +63 (083) 887-2154 (Voice Only)
From: Christian F. <chr...@ne...> - 2018-12-05 05:00:26
Hey Mike,

Now should there be any log/error messages? Do you have any rules installed at all?

Also: The messages that you sent show an incompatibility problem with APR and PCRE. This is an issue and you should fix it.

Feeling lost, you may want to turn to the tutorials at https://netnea.com/apache-tutorials/

They provide you with a step by step introduction to ModSecurity. You do not need to follow the self-compilation approach of the tutorials. But the first examples will at least tell you what to expect in the log files.

Good luck,

Christian

On Wed, Dec 05, 2018 at 12:32:06PM +0800, Mike Lieberman wrote:
> I have an apache2 install and have had three virtual hosts running on the
> site successfully for over three years.
>
> I installed modsecurity on Linux Mint 18.3..
>
> THERE ARE NO error messages.
>
> my@FamilyServer /var/log/apache2 # apachectl -M | grep --color security
> security2_module (shared)
>
> The ModSecurity log shows no errors.
>
> The apache2 error log does show an error, but I had read it is not a
> problem. See log snippet below in this email.
>
> There are three virtual host config files... identical in sites-available
> and sites allowed.
>
> http requests for all three URLs "work," by that there are no error
> messages, no 403 or 404.
>
> Typing the URLs for two result in correct results.
>
> Typing in the URL for the third displays one of the other sites. This NEVER
> HAPPENED until modsecurity was installed.
>
> I am lost and don't even know where to look.
>
> [Wed Dec 05 11:31:38.000649 2018] [:notice] [pid 6194] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
> [Wed Dec 05 11:31:38.000852 2018] [:notice] [pid 6194] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.2"
> [Wed Dec 05 11:31:38.000864 2018] [:warn] [pid 6194] ModSecurity: Loaded APR do not match with compiled!
> [Wed Dec 05 11:31:38.000876 2018] [:notice] [pid 6194] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.41 2017-07-05"
> [Wed Dec 05 11:31:38.000901 2018] [:warn] [pid 6194] ModSecurity: Loaded PCRE do not match with compiled!
> [Wed Dec 05 11:31:38.000910 2018] [:notice] [pid 6194] ModSecurity: LUA compiled version="Lua 5.1"
> [Wed Dec 05 11:31:38.000919 2018] [:notice] [pid 6194] ModSecurity: YAJL compiled version="2.1.0"
> [Wed Dec 05 11:31:38.000928 2018] [:notice] [pid 6194] ModSecurity: LIBXML compiled version="2.9.2"
> [Wed Dec 05 11:31:38.001043 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call: "2.9.0,Apache/2.4.18 (Ubuntu),1.5.1/1.5.2,8.35/8.41 2017-07-05,Lua 5.1,2.9.2,139cd0575fbb1eb666d44f3080f7c68a40ce8da9"
> [Wed Dec 05 11:31:38.238158 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
> [Wed Dec 05 11:31:39.010423 2018] [mpm_prefork:notice] [pid 6195] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
> [Wed Dec 05 11:31:39.010518 2018] [core:notice] [pid 6195] AH00094: Command line: '/usr/sbin/apache2'
>
> Here are the contents of the two virtual host files which are at issue.
>
> <VirtualHost www.gensanexpat.org:80>
>     ServerAdmin mi...@ne...
>     ServerName www.gensanexpat.org
>     NameVirtualHost www.gensanexpat.org
>     ServerAlias gensanexpat.org
>     DocumentRoot /var/www/html/gensan
>     ErrorLog ${APACHE_LOG_DIR}/error.log
>     CustomLog ${APACHE_LOG_DIR}/gensan.log combined
> </VirtualHost>
>
> <VirtualHost www.netwright.net:80>
>     ServerAdmin mi...@ne...
>     ServerName www.netwright.net
>     NameVirtualHost www.netwright.net
>     ServerAlias netwright.net
>     DocumentRoot /var/www/html
>     ErrorLog ${APACHE_LOG_DIR}/error.log
>     CustomLog ${APACHE_LOG_DIR}/nw.log combined
> </VirtualHost>
>
> AND here is the contents of the nw.log file!
> my@FamilyServer /var/log/apache2 # cat nw.log
> 192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET / HTTP/1.1" 200 967 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 476 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET / HTTP/1.1" 200 966 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
> 192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 475 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
>
> ===========================
> Michael "Mike" Lieberman | Blog: http://lieberman.blog.netwright.net:7080/
> Purok 13, Morales Subd.
> Brgy Mabuhay, General Santos City, 9500 Philippines
> See MAP: https://map.what3words.com/overexposed.pedestals.rakes
> Cell: +63 (917) 311-0674 (Voice and Text)
> LandLine: +63 (083) 887-2154 (Voice Only)
|
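A check in the spirit of Christian's advice, added here and not part of the thread: a POSIX shell filter that pulls the "compiled version / loaded version" lines ModSecurity 2.x writes at startup and reports every library whose loaded version differs from the compiled one. The sample log is constructed from the lines Mike quoted; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an Apache error log on stdin and
# reports every library (APR, PCRE, ...) whose loaded version differs from
# the one ModSecurity 2.x was compiled against. Such a mismatch is the
# warning "Loaded APR do not match with compiled!" seen in the thread.

# Constructed sample: the startup lines quoted in the thread, one per line.
SAMPLE_ERROR_LOG='[Wed Dec 05 11:31:38.000649 2018] [:notice] [pid 6194] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
[Wed Dec 05 11:31:38.000852 2018] [:notice] [pid 6194] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.2"
[Wed Dec 05 11:31:38.000864 2018] [:warn] [pid 6194] ModSecurity: Loaded APR do not match with compiled!
[Wed Dec 05 11:31:38.000876 2018] [:notice] [pid 6194] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.41 2017-07-05"
[Wed Dec 05 11:31:38.000901 2018] [:warn] [pid 6194] ModSecurity: Loaded PCRE do not match with compiled!
[Wed Dec 05 11:31:38.000910 2018] [:notice] [pid 6194] ModSecurity: LUA compiled version="Lua 5.1"'

# modsec_lib_mismatches: stdin = error log; stdout = one line per mismatch
# in the form "<LIB> compiled=<x> loaded=<y>". Exit status is 1 when at
# least one mismatch was found and 0 otherwise, so a deployment script can
# refuse to restart Apache on a mismatched module.
modsec_lib_mismatches() {
    # Keep only the lines that carry both a compiled and a loaded version and
    # reduce each to LIB|compiled|loaded. Lines such as the LUA one, which
    # report no loaded version, are left out on purpose.
    out=$(sed -n 's/.*ModSecurity: \([A-Z]*\) compiled version="\([^"]*\)"; loaded version="\([^"]*\)".*/\1|\2|\3/p' |
        while IFS='|' read -r lib compiled loaded; do
            # Compare bare version numbers only: PCRE appends a build date to
            # the loaded string and the compiled one has a trailing space.
            c=${compiled%% *}
            l=${loaded%% *}
            [ "$c" = "$l" ] || printf '%s compiled=%s loaded=%s\n' "$lib" "$c" "$l"
        done)
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Usage on a real host (the sample below stands in for the live log):
#   modsec_lib_mismatches < /var/log/apache2/error.log || echo "rebuild mod_security2 against the installed APR/PCRE"
printf '%s\n' "$SAMPLE_ERROR_LOG" | modsec_lib_mismatches
```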
From: Mike L. <mi...@ne...> - 2018-12-05 04:48:49

I have an apache2 install and have had three virtual hosts running on the
site successfully for over three years.

I installed modsecurity on Linux Mint 18.3.

THERE ARE NO error messages.

my@FamilyServer /var/log/apache2 # apachectl -M | grep --color security
security2_module (shared)

The modsecurity log shows no errors.

The apache2 error log does show an error, but I had read it is not a
problem. See log snippet below in this email.

There are three virtual host config files... identical in sites-available
and sites allowed.

http requests for all three URLs "work," by that there are no error
messages, no 403 or 404.

Typing the URLs for two results in correct results.

Typing in the URL for the third displays one of the other sites. This NEVER
HAPPENED until modsecurity was installed.

I am lost and don't even know where to look.

[Wed Dec 05 11:31:38.000649 2018] [:notice] [pid 6194] ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/) configured.
[Wed Dec 05 11:31:38.000852 2018] [:notice] [pid 6194] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.2"
[Wed Dec 05 11:31:38.000864 2018] [:warn] [pid 6194] ModSecurity: Loaded APR do not match with compiled!
[Wed Dec 05 11:31:38.000876 2018] [:notice] [pid 6194] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.41 2017-07-05"
[Wed Dec 05 11:31:38.000901 2018] [:warn] [pid 6194] ModSecurity: Loaded PCRE do not match with compiled!
[Wed Dec 05 11:31:38.000910 2018] [:notice] [pid 6194] ModSecurity: LUA compiled version="Lua 5.1"
[Wed Dec 05 11:31:38.000919 2018] [:notice] [pid 6194] ModSecurity: YAJL compiled version="2.1.0"
[Wed Dec 05 11:31:38.000928 2018] [:notice] [pid 6194] ModSecurity: LIBXML compiled version="2.9.2"
[Wed Dec 05 11:31:38.001043 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call: "2.9.0,Apache/2.4.18 (Ubuntu),1.5.1/1.5.2,8.35/8.41 2017-07-05,Lua 5.1,2.9.2,139cd0575fbb1eb666d44f3080f7c68a40ce8da9"
[Wed Dec 05 11:31:38.238158 2018] [:notice] [pid 6194] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Wed Dec 05 11:31:39.010423 2018] [mpm_prefork:notice] [pid 6195] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Wed Dec 05 11:31:39.010518 2018] [core:notice] [pid 6195] AH00094: Command line: '/usr/sbin/apache2'

Here are the contents of the two virtual host files which are at issue.

<VirtualHost www.gensanexpat.org:80>
    ServerAdmin mi...@ne...
    ServerName www.gensanexpat.org
    NameVirtualHost www.gensanexpat.org
    ServerAlias gensanexpat.org
    DocumentRoot /var/www/html/gensan
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/gensan.log combined
</VirtualHost>

<VirtualHost www.netwright.net:80>
    ServerAdmin mi...@ne...
    ServerName www.netwright.net
    NameVirtualHost www.netwright.net
    ServerAlias netwright.net
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/nw.log combined
</VirtualHost>

AND here are the contents of the nw.log file!

my@FamilyServer /var/log/apache2 # cat nw.log
192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET / HTTP/1.1" 200 967 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
192.168.1.73 - - [05/Dec/2018:12:21:56 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 476 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET / HTTP/1.1" 200 966 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"
192.168.1.73 - - [05/Dec/2018:12:21:57 +0800] "GET /favicon.ico?v=2 HTTP/1.1" 200 475 "http://www.gensanexpat.org/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36"

===========================
Michael "Mike" Lieberman | Blog: http://lieberman.blog.netwright.net:7080/
Purok 13, Morales Subd.
Brgy Mabuhay, General Santos City, 9500 Philippines
See MAP: https://map.what3words.com/overexposed.pedestals.rakes
Cell: +63 (917) 311-0674 (Voice and Text)
LandLine: +63 (083) 887-2154 (Voice Only)

From: Christian F. <chr...@ne...> - 2018-11-28 22:03:38

Dear all,

The OWASP Core Rule Set team is happy to announce the CRS release v3.1.0 at
last. A wee bit over 2 years in the making, this major release represents a
big step forward in terms of capabilities, usability and protection.

Key features include:

* A new set of rules defending against Java injections
* Initial set of file upload checks
* Add built-in exceptions for Dokuwiki, Owncloud, Nextcloud and CPanel
* Easier handling of the paranoia mode
* Many false positives fixed
* Successful source code archaeology with regular expressions
* Detailed rule cleanup for easier maintenance
* Speed improvements via the removal of unneeded regex capture groups
* Regression tests for rules, Travis support
* CRS docker image based on Ubuntu

For a complete list of new features and the changes in this release, see
the CHANGES document:
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1/dev/CHANGES

CRS 3.1 is the best stable release of the OWASP ModSecurity Core Rule Set.
We advise all users and providers of boxed CRS versions to update their
setups. CRS 3.0 won't see any future updates and we recommend that you
migrate onto our new release.

CRS 3.1 requires an Apache/IIS/NGINX web server with ModSecurity 2.8.0 or
higher. CRS 3.1 will run on libModSecurity 3.0 on NGINX.

Our GitHub repository is the preferred way to download and update CRS:

$> wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.1.0.tar.gz

For detailed installation instructions, see the INSTALL document.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.1/dev/INSTALL

Our desire is to see the Core Rules project as a simple baseline security
feature, effectively fighting OWASP TOP 10 weaknesses with few side
effects. We are committed to cutting down on false positives as much as
possible in the default install. We welcome reports of false positives on
GitHub.

For more information about our project, please go to https://coreruleset.org.

Sincerely,

Chaim Sanders, Walter Hop and Christian Folini
on behalf of the Core Rule Set development team

--
https://coreruleset.org

From: Christian F. <chr...@ne...> - 2018-11-14 21:17:34

Hello everybody,

I just published the news of the OWASP ModSecurity Core Rule Set project
for the month of November:

https://coreruleset.org/20181114/crs-project-news-november-2018/

It includes the CRS 3.1-RC2 release, the announcement of the full release
for November 24 and many online articles about CRS and ModSecurity.

Best,

Christian

--
A man must be big enough to admit to his mistakes, smart enough to profit
from them and strong enough to correct them.
-- Probably by John C. Maxwell

From: Christian F. <chr...@ne...> - 2018-11-09 08:29:48

+1

On Fri, Nov 09, 2018 at 07:27:58AM +0000, Marc Stern wrote:
> Hi Christian,
>
> It can be compiled and used as a stand-alone module.
> If you want to integrate it into 2.9.3, you're obviously welcome.
>
> Marc Stern
> Cyber-Security Consulting Director
> Approach Belgium <https://www.approach.be>
> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
> Inspiring the cyber-security community
>
> On 09-11-18 07:59, Christian Folini wrote:
> > Hey Marc,
> >
> > Wow. This is very cool. Just to be clear. You published this as an add-on
> > module for Apache that will integrate with ModSec 2.x on Apache.
> >
> > Ideally your code contribution will be taken and integrated into the
> > upcoming (and final) 2.9.3 and hopefully into the libModSecurity 3.x release
> > line.
> >
> > Am I correct?
> >
> > Cheers,
> >
> > Christian
> >
> > On Thu, Nov 08, 2018 at 02:13:57PM +0000, Marc Stern wrote:
> >> For those who remember, we (Approach Belgium) published in 2011 the
> >> "cmdLine" transformation that handles most Windows cmd injections (and
> >> some basic bash injections). The "cmdLine" transformation is now
> >> officially part of ModSecurity for years.
> >>
> >> We were also using, to protect our customers for some years, an
> >> additional transformation blocking several other bash injections.
> >> We decided to also give it to the community.
> >> The source code and the explanations are available on
> >> https://www.approach.be/en/modsecurity.html
> >>
> >> Enjoy
> >>
> >> Marc Stern
> >> Cyber-Security Consulting Director
> >> Approach Belgium <https://www.approach.be>
> >> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
> >> Follow us: <https://www.linkedin.com/company/16513/>
> >> <https://twitter.com/ApproachBe>
> >> Inspiring the cyber-security community
> >>
> >> This e-mail and any attachment are confidential and intended solely for
> >> the use of the individual to whom it is addressed. If you are not the
> >> intended recipient, please contact the sender and delete this message
> >> and any attachment from your system. Unauthorised publication, use,
> >> dissemination, forwarding, printing or copying of this e-mail and its
> >> associated attachments is strictly prohibited.

From: Marc S. <mar...@ap...> - 2018-11-09 08:02:03

Hi Christian,

It can be compiled and used as a stand-alone module.
If you want to integrate it into 2.9.3, you're obviously welcome.

Marc Stern
Cyber-Security Consulting Director
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Inspiring the cyber-security community

On 09-11-18 07:59, Christian Folini wrote:
> Hey Marc,
>
> Wow. This is very cool. Just to be clear. You published this as an add-on
> module for Apache that will integrate with ModSec 2.x on Apache.
>
> Ideally your code contribution will be taken and integrated into the
> upcoming (and final) 2.9.3 and hopefully into the libModSecurity 3.x release
> line.
>
> Am I correct?
>
> Cheers,
>
> Christian
>
> On Thu, Nov 08, 2018 at 02:13:57PM +0000, Marc Stern wrote:
>> For those who remember, we (Approach Belgium) published in 2011 the
>> "cmdLine" transformation that handles most Windows cmd injections (and
>> some basic bash injections). The "cmdLine" transformation is now
>> officially part of ModSecurity for years.
>>
>> We were also using, to protect our customers for some years, an
>> additional transformation blocking several other bash injections.
>> We decided to also give it to the community.
>> The source code and the explanations are available on
>> https://www.approach.be/en/modsecurity.html
>>
>> Enjoy
>>
>> Marc Stern
>> Cyber-Security Consulting Director
>> Approach Belgium <https://www.approach.be>
>> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
>> Follow us: <https://www.linkedin.com/company/16513/>
>> <https://twitter.com/ApproachBe>
>> Inspiring the cyber-security community
>>
>> This e-mail and any attachment are confidential and intended solely for
>> the use of the individual to whom it is addressed. If you are not the
>> intended recipient, please contact the sender and delete this message
>> and any attachment from your system. Unauthorised publication, use,
>> dissemination, forwarding, printing or copying of this e-mail and its
>> associated attachments is strictly prohibited.

From: Christian F. <chr...@ne...> - 2018-11-09 06:59:59

Hey Marc,

Wow. This is very cool. Just to be clear. You published this as an add-on
module for Apache that will integrate with ModSec 2.x on Apache.

Ideally your code contribution will be taken and integrated into the
upcoming (and final) 2.9.3 and hopefully into the libModSecurity 3.x release
line.

Am I correct?

Cheers,

Christian

On Thu, Nov 08, 2018 at 02:13:57PM +0000, Marc Stern wrote:
> For those who remember, we (Approach Belgium) published in 2011 the
> "cmdLine" transformation that handles most Windows cmd injections (and
> some basic bash injections). The "cmdLine" transformation is now
> officially part of ModSecurity for years.
>
> We were also using, to protect our customers for some years, an
> additional transformation blocking several other bash injections.
> We decided to also give it to the community.
> The source code and the explanations are available on
> https://www.approach.be/en/modsecurity.html
>
> Enjoy
>
> Marc Stern
> Cyber-Security Consulting Director
> Approach Belgium <https://www.approach.be>
> Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
> Follow us: <https://www.linkedin.com/company/16513/>
> <https://twitter.com/ApproachBe>
> Inspiring the cyber-security community
>
> This e-mail and any attachment are confidential and intended solely for
> the use of the individual to whom it is addressed. If you are not the
> intended recipient, please contact the sender and delete this message
> and any attachment from your system. Unauthorised publication, use,
> dissemination, forwarding, printing or copying of this e-mail and its
> associated attachments is strictly prohibited.

From: Marc S. <mar...@ap...> - 2018-11-08 15:47:24

For those who remember, we (Approach Belgium) published in 2011 the
"cmdLine" transformation that handles most Windows cmd injections (and
some basic bash injections). The "cmdLine" transformation is now
officially part of ModSecurity for years.

We were also using, to protect our customers for some years, an
additional transformation blocking several other bash injections.
We decided to also give it to the community.
The source code and the explanations are available on
https://www.approach.be/en/modsecurity.html

Enjoy

Marc Stern
Cyber-Security Consulting Director
Approach Belgium <https://www.approach.be>
Axis Park - Rue Edouard Belin 7 - 1435 Mont-Saint-Guibert - Belgium
Follow us: <https://www.linkedin.com/company/16513/>
<https://twitter.com/ApproachBe>
Inspiring the cyber-security community

This e-mail and any attachment are confidential and intended solely for
the use of the individual to whom it is addressed. If you are not the
intended recipient, please contact the sender and delete this message
and any attachment from your system. Unauthorised publication, use,
dissemination, forwarding, printing or copying of this e-mail and its
associated attachments is strictly prohibited.

From: Eero V. <eer...@ik...> - 2018-11-07 08:23:09

Well. Not really. Trying to compile the module with the same parameters, like:

./configure --prefix=/usr/share/nginx --add-dynamic-module=../ModSecurity-nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

That worked. It was **** in the ***

Eero

On Wed, Nov 7, 2018 at 9:27 AM Ervin Hegedüs <ai...@gm...> wrote:
> Hi,
>
> On Wed, Nov 07, 2018 at 09:10:35AM +0200, Eero Volotinen wrote:
> > Looks like the problem is with compile parameters. They must match the nginx
> > binary?
> >
> > like this:
> > https://dzhorov.com/2017/04/compiling-dynamic-modules-into-nginx-centos-7
>
> As I see, in this example nginx had been recompiled from source
> with additional modules, so I can't interpret "match nginx
> binary" :).
>
> I've followed this idea - I'm a Debian user, grabbed the source of
> the current nginx _package_, added the modsec module path, and built
> a new package.
>
> That's it.
>
>
> a.

From: Ervin H. <ai...@gm...> - 2018-11-07 07:26:40

Hi,

On Wed, Nov 07, 2018 at 09:10:35AM +0200, Eero Volotinen wrote:
> Looks like the problem is with compile parameters. They must match the nginx binary?
>
> like this:
> https://dzhorov.com/2017/04/compiling-dynamic-modules-into-nginx-centos-7

As I see, in this example nginx had been recompiled from source
with additional modules, so I can't interpret "match nginx
binary" :).

I've followed this idea - I'm a Debian user, grabbed the source of
the current nginx _package_, added the modsec module path, and built
a new package.

That's it.


a.

From: Eero V. <eer...@ik...> - 2018-11-07 07:11:00

Looks like the problem is with compile parameters. They must match the nginx binary?

like this:
https://dzhorov.com/2017/04/compiling-dynamic-modules-into-nginx-centos-7

Eero

On Wed, Nov 7, 2018 at 9:03 AM Ervin Hegedüs <ai...@gm...> wrote:
> Hi Eero,
>
> On Wed, Nov 07, 2018 at 07:34:51AM +0200, Eero Volotinen wrote:
> > Hi List,
> >
> > Trying to compile modsecurity for nginx, using these instructions:
> >
> > https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
> >
> > but module always fails to load:
> > nginx: [emerg] module "/etc/nginx/modules/ngx_http_modsecurity_module.so"
> > is not binary compatible in /etc/nginx/nginx.conf:10
>
> I've followed this documentation:
>
> https://github.com/SpiderLabs/ModSecurity-nginx
>
> and got a working nginx with ModSecurity.
>
>
> a.

From: Ervin H. <ai...@gm...> - 2018-11-07 06:59:56

Hi Eero,

On Wed, Nov 07, 2018 at 07:34:51AM +0200, Eero Volotinen wrote:
> Hi List,
>
> Trying to compile modsecurity for nginx, using these instructions:
>
> https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
>
> but module always fails to load:
> nginx: [emerg] module "/etc/nginx/modules/ngx_http_modsecurity_module.so"
> is not binary compatible in /etc/nginx/nginx.conf:10

I've followed this documentation:

https://github.com/SpiderLabs/ModSecurity-nginx

and got a working nginx with ModSecurity.


a.

From: Eero V. <eer...@ik...> - 2018-11-07 05:35:19

Hi List,

Trying to compile modsecurity for nginx, using these instructions:

https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/

but module always fails to load:
nginx: [emerg] module "/etc/nginx/modules/ngx_http_modsecurity_module.so" is not binary compatible in /etc/nginx/nginx.conf:10

I am using source packages from aws linux. I managed to get the module
working with a full recompile of the nginx package, but not as a single
module. Any clues how to fix this issue?

Someone said that it might be related to compile parameters:
https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/,
but how to pick the correct ones from the large list that nginx -V produces?

Eero

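The step this thread settles on (Eero's later reply: build the module with the same parameters the installed nginx binary was built with), as an added shell example that is not part of the thread: it pulls the version and the configure arguments out of `nginx -V` output and prints the matching ./configure line. The sample output is constructed from the flags quoted in the thread, shortened, with a placeholder version; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. A dynamic nginx module loads only when
# it was built from the same nginx version and with the same configure
# arguments as the running binary; otherwise nginx rejects it with
# "is not binary compatible". These helpers read `nginx -V` output (nginx
# writes it to stderr, hence 2>&1 in the usage lines) and derive the build.

# Constructed sample of `nginx -V 2>&1`: placeholder version, shortened copy
# of the configure arguments quoted in the thread.
sample_nginx_v() {
cat <<'EOF'
nginx version: nginx/X.Y.Z
built by gcc (constructed sample)
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --with-pcre --with-pcre-jit --with-http_ssl_module --with-http_v2_module --with-stream=dynamic --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-strong' --with-ld-opt='-Wl,-z,relro -Wl,-E'
EOF
}

# nginx_version: print the bare version so the matching source tarball
# (nginx-<version>.tar.gz) can be fetched; the module must be built in
# that source tree, not in a newer or older one.
nginx_version() {
    sed -n 's/^nginx version: nginx\/\([^ ]*\).*/\1/p'
}

# nginx_configure_args: print the binary's configure arguments verbatim.
nginx_configure_args() {
    sed -n 's/^configure arguments: //p'
}

# modsec_module_configure_cmd MODULE_SRC_DIR: print the ./configure line that
# repeats the binary's full flag set and adds the ModSecurity connector as a
# dynamic module. It is printed rather than executed because the quoted
# --with-cc-opt/--with-ld-opt values must be re-parsed by the shell; run it
# with `eval "$cmd"` inside the nginx source tree named by nginx_version.
modsec_module_configure_cmd() {
    args=$(nginx_configure_args)
    if [ -z "$args" ]; then
        echo 'no "configure arguments:" line in input' >&2
        return 1
    fi
    printf './configure %s --add-dynamic-module=%s\n' "$args" "$1"
}

# has_configure_arg FLAG: exit 0 when FLAG is one of the binary's configure
# arguments (stdin = nginx -V output). Handy for checking that a build tree
# was configured like the binary before copying the .so into modules-path.
# Note: splitting on spaces is fine for plain flags but breaks up the quoted
# multi-word values of --with-cc-opt and --with-ld-opt.
has_configure_arg() {
    nginx_configure_args | tr ' ' '\n' | grep -qx -- "$1"
}

# Usage on a real host:
#   ver=$(nginx -V 2>&1 | nginx_version)        # fetch nginx-$ver.tar.gz
#   cmd=$(nginx -V 2>&1 | modsec_module_configure_cmd "$PWD/../ModSecurity-nginx")
#   cd "nginx-$ver" && eval "$cmd" && make modules
# Demonstration on the constructed sample:
sample_nginx_v | modsec_module_configure_cmd ../ModSecurity-nginx
```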
From: Felipe C. <FC...@tr...> - 2018-11-05 21:12:20

It is a pleasure to announce the release of ModSecurity version 3.0.3
(libModSecurity).

This version contains a number of improvements in different areas. These
include clean-ups, better practices for improved code readability,
resilience and overall performance. In addition to these improvements,
support for a few missing features such as SecRuleUpdateTargetById,
SecRuleUpdateActionById, full support for ctl:requestBodyProcessor and
other versions of Lua (including LuaJIT), as well as fixes on other actions
and transformations, was also added since 3.0.2 was released.

The API now supports the ability to have the unique id informed on
transactions, making it possible to match an id that is already in use by
the consuming application (the connector).

Special thanks to @tinselcity who pointed us to an uneducated memory usage
that could lead to a security issue.

The list with the full changes can be found in the project CHANGES file,
available here:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.3/CHANGES

The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/3.x

As with every new release, a milestone was created to host all the issues
that will be fixed till we reach the given milestone. With that, we not only
give the community full transparency of the work that is being done on
ModSec, but also even more chances to participate. Milestones give anyone
from the community the chance to deduce when and what will be released. For
instance, the 3.0.4 milestone is in progress even before the 3.0.3 milestone
is closed. Some of the active milestones from the ModSecurity project follow:
- milestone v3.0.3: https://github.com/SpiderLabs/ModSecurity/milestone/12
- milestone v3.0.4: https://github.com/SpiderLabs/ModSecurity/milestone/13

Thanks to everybody who helped in this process: reporting issues, making
comments and suggestions, sending patches and so on.

Further details on the compilation process for ModSecurity v3 can be found
in the project README:
- https://github.com/SpiderLabs/ModSecurity/tree/v3/master#compilation

Complementary documentation for the connectors is available here:
- nginx: https://github.com/SpiderLabs/ModSecurity-nginx/#compilation
- Apache: https://github.com/SpiderLabs/ModSecurity-apache/#compilation

IMPORTANT: ModSecurity version 2 will be available and maintained in
parallel to version 3. There is no ETA to deprecate version 2.x. New
features and major improvements will be implemented on version 3.x. Security
or major bugs are planned to be back-ported. Version 2 and version 3 have
completely independent development/release cycles.

Br.,

Felipe "Zimmerle" Costa
Security Researcher, Lead Developer ModSecurity
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
Recognized by industry analysts as a leader in managed security services.