mod-security-users Mailing List for ModSecurity (Page 535)
From: Ivan R. <iv...@we...> - 2006-03-09 09:33:49

ste...@gm... wrote:
> I have mod_security 1.9.2 on Gentoo Linux, compiled with hardened gcc 3.4.5.
> The system has PaX and grsecurity active. mod_security is compiled with
> "-march=athlon-tbird -O2 -pipe -mmmx -m3dnow -fforce-addr
> -fomit-frame-pointer -falign-functions=4". Apache is 2.0.55.
>
> When I load too many rules (like the ones from
> http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf) into
> mod_security, then mod_security starts to get segmentation faults.
>
> I don't know why. Maybe the Propolice patch is catching something?

Sounds to me like Apache is crashing because you don't have enough RAM to run all those rules. FYI, 1.9.3 uses less memory so you may be able to use that without crashing.

Either way, you are killing the performance with such a large number of rules. Blacklisting, in particular, is much better done with an RBL-style protection.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: <ste...@gm...> - 2006-03-09 08:49:13

I have mod_security 1.9.2 on Gentoo Linux, compiled with hardened gcc 3.4.5. The system has PaX and grsecurity active. mod_security is compiled with "-march=athlon-tbird -O2 -pipe -mmmx -m3dnow -fforce-addr -fomit-frame-pointer -falign-functions=4". Apache is 2.0.55.

When I load too many rules (like the ones from http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf) into mod_security, then mod_security starts to get segmentation faults.

I don't know why. Maybe the Propolice patch is catching something?

My GCC version:

gcc (GCC) 3.4.5 (Gentoo Hardened 3.4.5-r1, ssp-3.4.5-1.0, pie-8.7.9)
Copyright (C) 2004 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE

Has anyone seen this before?

cheers
Steve
From: Jamie K. <jkr...@gm...> - 2006-03-07 22:23:39

You're better off validating the hidden fields programmatically. mod_sec won't know what the fields are, let alone what values they're supposed to be.

Jamie

On 2/24/06, Diego Pellegrino <die...@ho...> wrote:
> Using mod_security, how can I prevent users from changing form hidden fields
> in POST requests? Is it possible?
>
> I read that some web app firewalls (commercial products) check the hidden
> fields contained in the forms and validate them against the POST (preventing
> the user from changing values)
>
> thank you
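Jamie's advice is to validate hidden fields in the application rather than in mod_security. The following is an added example of one way to do that, not code from the thread: the server emits the protected hidden fields together with an HMAC tag over their values and re-checks the tag on the POST. The secret key, form id and field names are constructed for the example.

```python
"""Server-side integrity protection for hidden form fields.

Added example, not code from the thread. Assumptions: the application keeps
a secret key the browser never sees, renders the protected hidden fields
together with an HMAC tag, and re-checks the tag when the POST comes back.
"""
import base64
import binascii
import hashlib
import hmac
import json

# Constructed key for the example only; a real application loads it from configuration.
SECRET_KEY = b"constructed-example-key-not-for-production"


def _canonical(form_id: str, fields: dict) -> bytes:
    """Stable byte encoding of the field names and values, bound to the form id
    so that a tag produced for one form cannot be replayed against another."""
    return json.dumps({"form": form_id, "fields": fields},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_hidden_fields(form_id: str, fields: dict, key: bytes = SECRET_KEY) -> dict:
    """Return the hidden fields plus a '_sig' field that binds their values.

    Every entry in `fields` is rendered as <input type="hidden">; the tag lets
    the server detect any change to those values when the form is submitted.
    """
    tag = hmac.new(key, _canonical(form_id, fields), hashlib.sha256).digest()
    signed = dict(fields)
    signed["_sig"] = base64.urlsafe_b64encode(tag).decode("ascii")
    return signed


def verify_hidden_fields(form_id: str, posted: dict, protected: tuple,
                         key: bytes = SECRET_KEY) -> bool:
    """True only if every protected field is present and unchanged since signing.

    `posted` is the whole submitted form; it may also carry user-editable
    fields, which are deliberately not covered by the tag. Every failure
    returns False rather than raising, so the caller treats them uniformly
    as a rejected request.
    """
    sig = posted.get("_sig")
    if not isinstance(sig, str) or not all(name in posted for name in protected):
        return False
    try:
        given = base64.urlsafe_b64decode(sig.encode("ascii"))
    except (ValueError, binascii.Error):
        return False
    fields = {name: posted[name] for name in protected}
    expected = hmac.new(key, _canonical(form_id, fields), hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes of the tag matched.
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    hidden = sign_hidden_fields("checkout", {"product_id": "42", "price": "19.99"})
    # The browser adds its editable field; the hidden ones come back unchanged.
    print(verify_hidden_fields("checkout", {**hidden, "quantity": "2"},
                               ("product_id", "price")))                       # True
    # A client that edited the hidden price is rejected.
    print(verify_hidden_fields("checkout", {**hidden, "price": "0.01"},
                               ("product_id", "price")))                       # False
```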
From: Jamie K. <jkr...@gm...> - 2006-03-07 19:00:34

It's not my intention to block user agents. It's my intention to block the common attacks sent through as parameters. Please read the entire post next time instead of paying attention to a single word. I made no mention of blocking user agents as a client. I mentioned blocking the use of lynx in the request as an attack without barring access to pages that might conflict with the filter.

In my opinion, blocking access based on user agents is overdoing it. You could block access to a legitimate web spider. I wouldn't use it unless I found that some commercial site scraper didn't allow the user agent to be changed (which is 99% of the software out there anyway.)

Jamie

On 3/6/06, Linh Vu <vu...@ph...> wrote:
> You should be more specific with your filter rules. Use HTTP_USER_AGENT
> to block user agents instead of the very generic THE_REQUEST.
>
> Linh
>
> Jamie Krasnoo wrote:
> > I was going through the audit logs this morning and found that a page
> > of a customer of mine was being blocked by mod_sec for no good reason
> > other than the fact that the parameters contained lynx (Ottawa-Lynx to
> > be exact). I doubt that there would be any other conflicts with linux
> > programs when it comes to sports teams. As you can see I modified the
> > rule for lynx to make sure it doesn't match a "-" in front of it. Am I
> > opening up my server to an attack if someone does something clever? How
> > would I make sure something doesn't get rejected if nothing malicious
> > was intended?
> >
> > Thanks,
> >
> > Jamie
> >
> > # Block various methods of downloading files to a server
> > SecFilterSelective THE_REQUEST "wget "
> > SecFilterSelective THE_REQUEST "[^-]lynx "
> > SecFilterSelective THE_REQUEST "scp "
> > SecFilterSelective THE_REQUEST "ftp "
> > SecFilterSelective THE_REQUEST "cvs "
> > SecFilterSelective THE_REQUEST "rcp "
> > SecFilterSelective THE_REQUEST "curl "
> > SecFilterSelective THE_REQUEST "telnet "
> > SecFilterSelective THE_REQUEST "ssh "
> > SecFilterSelective THE_REQUEST "echo "
> > SecFilterSelective THE_REQUEST "links -dump "
> > SecFilterSelective THE_REQUEST "links -dump-charset "
> > SecFilterSelective THE_REQUEST "links -dump-width "
> > SecFilterSelective THE_REQUEST "links http:// "
> > SecFilterSelective THE_REQUEST "links ftp:// "
> > SecFilterSelective THE_REQUEST "links -source "
> > SecFilterSelective THE_REQUEST "mkdir "
> > SecFilterSelective THE_REQUEST "cd /tmp "
> > SecFilterSelective THE_REQUEST "cd /var/tmp "
> > SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
>
> --
> -----------------------------------------------
> Linh Vu - Web/DB and Systems Support officer
> School of Physics, The University of Melbourne
> Office: 8344 8093 Email: vu...@ph...
> -----------------------------------------------
From: Ryan B. <rcb...@gm...> - 2006-03-07 12:39:10

Use the "allow" rule instead of "pass" on your Nagios filter. Pass will
just skip that rule, while allow will not apply any other mod_security
filters.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 3/6/06, ste...@gm... <ste...@gm...> wrote:
>
> Hallo List
>
> I am unable to exclude Nagios check_http User Agent from mod_security.
>
> I have enabled the following rule:
> # Detect manual and crude automated requests.
> #
> SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
> "id:2,rev:1,severity:2,msg:'Empty HTTP Host, User-Agent or Accept)'"
>
>
> And Nagios check_http is hitting that rule. So I wrote a rule before that
> rule to exclude Nagios User Agent. But it does not work. This is the rule:
> # Nagios check_http
> SecFilterSelective HTTP_USER_AGENT
> "check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$"
> pass,nolog
>
> I tried to shorten the rule too, but it still does not work:
> # Nagios check_http
> SecFilterSelective HTTP_USER_AGENT "^check_http.*$" pass,nolog
>
> I also tried to chain the rule, but that does not work either:
> SecFilterSelective HTTP_USER_AGENT
> "check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$"
> chain
> SecFilterSelective HTTP_Accept "^$" pass,nolog
>
>
>
> But I am still getting the following error:
> ==0a550566==============================
> Request: abc.def.ghi.jkl abc.def.ghi.jkl - - [06/Mar/2006:22:49:26 +0100]
> "GET / HTTP/1.0" 403 280 "-" "check_http/1.81 (nagios-plugins 1.4.2)" -
> "-"
> ----------------------------------------
> GET / HTTP/1.0
> User-Agent: check_http/1.81 (nagios-plugins 1.4.2)
> Host: abc.def.ghi.jkl
> mod_security-message: Access denied with code 403. Pattern match "^$" at
> HEADER("Accept") [id "2"] [rev "1"] [msg "Empty HTTP Host, User-Agent or
> Accept)"] [severity "2"]
> mod_security-action: 403
>
> HTTP/1.0 403 Forbidden
> Content-Length: 280
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> --0a550566--
>
>
>
> What am I doing wrong?
>
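Ryan's distinction between pass and allow, as an added example that is not part of the original thread: a toy Python evaluator that models the ModSecurity 1.x semantics he describes (pass = matched but no action, continue with the next rule; allow = stop processing rules and let the request through; anything else that matches is denied) and runs Steve's two rule orderings against the Nagios request reconstructed from his audit log. The header-name mapping and the rewrite of the POSIX `[[:space:]]` classes as `\s` are my assumptions, not ModSecurity code.

```python
"""Toy evaluator for ModSecurity 1.x-style SecFilterSelective rules.

Added example, not ModSecurity's own code. Only the semantics discussed in
the thread are modelled; logging actions such as nolog are ignored.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    locations: tuple             # SecFilterSelective locations, e.g. ("HTTP_Host", "HTTP_Accept")
    pattern: str                 # Python regex; [[:space:]] from the post is written as \s here
    actions: frozenset = frozenset()
    rule_id: str = ""


def header_value(request: dict, location: str) -> str:
    """Map an HTTP_<Name> location onto a header of the request.

    A missing header is treated as the empty string, which is exactly why
    "^$" fires on the Nagios check that sends no Accept header (see the
    audit log in the thread). Both spellings used in the thread
    (HTTP_User-Agent and HTTP_USER_AGENT) resolve to the same header.
    """
    name = location[len("HTTP_"):].replace("_", "-").lower()
    return request.get(name, "")


def evaluate(rules: list, request: dict) -> tuple:
    """Return ("allow" | "deny", id of the rule that decided) for the request."""
    for rule in rules:
        matched = any(re.search(rule.pattern, header_value(request, loc))
                      for loc in rule.locations)
        if not matched:
            continue
        if "allow" in rule.actions:       # allow: stop here, request goes through
            return ("allow", rule.rule_id)
        if "pass" in rule.actions:        # pass: matched, no action, keep evaluating
            continue
        return ("deny", rule.rule_id)     # default action in the thread's config
    return ("allow", "")                  # nothing denied: request goes through


# Rule id 2 from Steve's config: deny when Host, User-Agent or Accept is empty.
EMPTY_HEADER_RULE = Rule(("HTTP_Host", "HTTP_User-Agent", "HTTP_Accept"), "^$", frozenset(), "2")

# Steve's Nagios pattern with [[:space:]] rewritten as \s (assumption: same intent).
NAGIOS_UA = r"^check_http/[0-9.]+\s+\(nagios-plugins\s+[0-9.]+\)$"


def rules_with_pass() -> list:
    """Steve's attempt: the Nagios exclusion with pass,nolog placed before rule 2."""
    return [Rule(("HTTP_USER_AGENT",), NAGIOS_UA, frozenset({"pass", "nolog"}), "nagios"),
            EMPTY_HEADER_RULE]


def rules_with_allow() -> list:
    """Ryan's fix: the same rule, but with allow,nolog."""
    return [Rule(("HTTP_USER_AGENT",), NAGIOS_UA, frozenset({"allow", "nolog"}), "nagios"),
            EMPTY_HEADER_RULE]


# Reconstructed from the audit log in the thread: GET / with only these two headers.
NAGIOS_REQUEST = {"host": "abc.def.ghi.jkl",
                  "user-agent": "check_http/1.81 (nagios-plugins 1.4.2)"}

# Constructed: a client that sends Accept but no User-Agent at all.
NO_UA_REQUEST = {"host": "abc.def.ghi.jkl", "accept": "*/*"}


if __name__ == "__main__":
    print("pass  ->", evaluate(rules_with_pass(), NAGIOS_REQUEST))    # ('deny', '2')
    print("allow ->", evaluate(rules_with_allow(), NAGIOS_REQUEST))   # ('allow', 'nagios')
    print("no UA ->", evaluate(rules_with_allow(), NO_UA_REQUEST))    # ('deny', '2')
```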
From: <ste...@gm...> - 2006-03-07 00:03:30

Hallo List
I am unable to exclude Nagios check_http User Agent from mod_security.
I have enabled the following rule:
# Detect manual and crude automated requests.
#
SecFilterSelective HTTP_Host|HTTP_User-Agent|HTTP_Accept "^$"
"id:2,rev:1,severity:2,msg:'Empty HTTP Host, User-Agent or Accept)'"
And Nagios check_http is hitting that rule. So I wrote a rule before that
rule to exclude Nagios User Agent. But it does not work. This is the rule:
# Nagios check_http
SecFilterSelective HTTP_USER_AGENT
"check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$"
pass,nolog
I tried to shorten the rule too, but it still does not work:
# Nagios check_http
SecFilterSelective HTTP_USER_AGENT "^check_http.*$" pass,nolog
I also tried to chain the rule, but that does not work either:
SecFilterSelective HTTP_USER_AGENT
"check_http/[0-9\.]+[[:space:]]+\(nagios\-plugins[[:space:]]+[0-9\.]+\)$"
chain
SecFilterSelective HTTP_Accept "^$" pass,nolog
But I am still getting the following error:
==0a550566==============================
Request: abc.def.ghi.jkl abc.def.ghi.jkl - - [06/Mar/2006:22:49:26 +0100]
"GET / HTTP/1.0" 403 280 "-" "check_http/1.81 (nagios-plugins 1.4.2)" - "-"
----------------------------------------
GET / HTTP/1.0
User-Agent: check_http/1.81 (nagios-plugins 1.4.2)
Host: abc.def.ghi.jkl
mod_security-message: Access denied with code 403. Pattern match "^$" at
HEADER("Accept") [id "2"] [rev "1"] [msg "Empty HTTP Host, User-Agent or
Accept)"] [severity "2"]
mod_security-action: 403
HTTP/1.0 403 Forbidden
Content-Length: 280
Connection: close
Content-Type: text/html; charset=iso-8859-1
--0a550566--
What am I doing wrong?
From: Linh Vu <vu...@ph...> - 2006-03-06 22:51:30

You should be more specific with your filter rules. Use HTTP_USER_AGENT to block user agents instead of the very generic THE_REQUEST.

Linh

Jamie Krasnoo wrote:
> I was going through the audit logs this morning and found that a page
> of a customer of mine was being blocked by mod_sec for no good reason
> other than the fact that the parameters contained lynx (Ottawa-Lynx to
> be exact). I doubt that there would be any other conflicts with linux
> programs when it comes to sports teams. As you can see I modified the
> rule for lynx to make sure it doesn't match a "-" in front of it. Am I
> opening up my server to an attack if someone does something clever? How
> would I make sure something doesn't get rejected if nothing malicious
> was intended?
>
> Thanks,
>
> Jamie
>
> # Block various methods of downloading files to a server
> SecFilterSelective THE_REQUEST "wget "
> SecFilterSelective THE_REQUEST "[^-]lynx "
> SecFilterSelective THE_REQUEST "scp "
> SecFilterSelective THE_REQUEST "ftp "
> SecFilterSelective THE_REQUEST "cvs "
> SecFilterSelective THE_REQUEST "rcp "
> SecFilterSelective THE_REQUEST "curl "
> SecFilterSelective THE_REQUEST "telnet "
> SecFilterSelective THE_REQUEST "ssh "
> SecFilterSelective THE_REQUEST "echo "
> SecFilterSelective THE_REQUEST "links -dump "
> SecFilterSelective THE_REQUEST "links -dump-charset "
> SecFilterSelective THE_REQUEST "links -dump-width "
> SecFilterSelective THE_REQUEST "links http:// "
> SecFilterSelective THE_REQUEST "links ftp:// "
> SecFilterSelective THE_REQUEST "links -source "
> SecFilterSelective THE_REQUEST "mkdir "
> SecFilterSelective THE_REQUEST "cd /tmp "
> SecFilterSelective THE_REQUEST "cd /var/tmp "
> SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "

--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093 Email: vu...@ph...
-----------------------------------------------
From: Jamie K. <jkr...@gm...> - 2006-03-06 18:46:16

I was going through the audit logs this morning and found that a page
of a customer of mine was being blocked by mod_sec for no good reason
other than the fact that the parameters contained lynx (Ottawa-Lynx to
be exact). I doubt that there would be any other conflicts with linux
programs when it comes to sports teams. As you can see I modified the
rule for lynx to make sure it doesn't match a "-" in front of it. Am I
opening up my server to an attack if someone does something clever? How
would I make sure something doesn't get rejected if nothing malicious
was intended?
Thanks,
Jamie
------------------------------------------------------------------------
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "[^-]lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
From: Ivan R. <iv...@we...> - 2006-03-06 15:34:43

Kamil Golombek wrote:
> Hello,
>
> we tried few recommended things, like compilation without optimalization.
> Segmentation fault is still there, but looks little bit different :-(. FYI
> the version of gcc is 3.3.5 20050117 (prerelease) (SUSE Linux). It looks like
> mod_security evaluate request as bad and tries to generate error output and
> errorlog. And at the same moment dies.
Actually, the crash happens (in the Apache code) on the first invocation of
sec_debug_log, when it tries to retrieve the information on the file it needs to
write to. The problem is that r->per_dir_config is NULL. My understanding
is that this must never happen. I also looked through the default
Apache modules - there are no checks whether per_dir_config is NULL
or not in any of them. Practically, any module that invokes:
ap_get_module_config(r->per_dir_config, ...)
(most do) would crash. As it happens, in your case it is mod_security that
runs first.
I could add a bit of code to detect this situation, but if the internal
Apache structures are corrupted, that would only move the crash to
some other location.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Kamil G. <kam...@bd...> - 2006-03-06 15:03:20

Hello,

we tried a few recommended things, like compilation without optimization. The segmentation fault is still there, but it looks a little bit different :-(. FYI the version of gcc is 3.3.5 20050117 (prerelease) (SUSE Linux). It looks like mod_security evaluates the request as bad and tries to generate error output and an error log, and at that same moment dies.

I'm not aware of any other module compiled via DSO, but I have to check if SuSE makes something like that.

I don't know if it helps ... any ideas?

Thanks
Kamil Golombek
From: PERA, C. (S. TRANSICIEL) <chr...@ai...> - 2006-03-03 17:31:52

Hi,

I implement rules which must be performed before a "?" and not after. I would like to use an attribute like SCRIPT_URI but ModSecurity seems not to understand it. The syntax I use is like the following:

--> In httpd.conf:
SecFilterSelective [ATTRIBUTE] "[character to deny]" id:1000
...
SecFilter "[character to deny]" id:1010

--> In mapping.conf:
<Location /URI/>
SecFilterRemove 1001 1005
</Location>

Any ideas?

Regards,
Christophe
From: Jeff H. <ja...@mi...> - 2006-03-02 18:08:42

I thought I had tried 1.9.2 with the same results but obviously I was mistaken. I'm not sure how I got confused about that but it's probably got something to do with having two Apache installations running on this machine, each in separate jails, doing the chroot myself and having to copy installation directories around.

Anyway - as expected, it works fine with mod_security 1.9.2. Thanks for putting me back on track Ivan, sorry to have bothered you with this careless mistake. And thanks for writing such an incredible piece of software :)

> Jeff Haney wrote:
> > I'm trying to upgrade my Apache, PHP & mod_security installs to the
> > latest versions
>
> BTW, if you are looking for production-quality code stick
> with 1.9.x. What you got from the CVS is 2.0.0-dev1.
>
> > and I'm getting the following error:
> >
> > Access denied with code 403. IP Info: Failed to open IP Address DB
> > (2): No such file or directory
>
> ModSecurity will attempt to open/create an IP database in
> <SERVER_ROOT>/logs/. This is not yet configurable.
>
> > The frustrating thing is I don't see this mentioned in the doc
> > anywhere, if it is I haven't been able to find it.
>
> As I said, it's the development branch. The docs will be available
> in a few days.
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
> Apache Security (O'Reilly): http://www.apachesecurity.net
From: Ivan R. <iv...@we...> - 2006-03-02 17:31:19

Kam...@bd... wrote:
> Hello all,
>
> I would like to ask if somebody has met a similar problem to ours:
>
> The combination of apache 2.2.0 and mod_security 1.9.2 causes a crash
> under SuSE 9.3.

FYI, I am successfully using Apache 2.2.0 on Debian 3.1.

> Both apache and mod_security compile w/o errors, but every request with
> mod_security enabled causes SIGSEGV in the current thread.
> The reason is that the function ap_get_module_config is called with zero in
> the module pointer (m).
> The bug is the same under worker and prefork mpms.

This sounds like some Apache problem. The NULL value is supplied by Apache.

> We have had this problem since the upgrade from apache 2.0 to 2.2 (mainly
> because we needed to use new features in mod_proxy). For 2.0 we compiled
> (and created an RPM of) mod_security 1.9.2 with no problems, but the similar
> process failed with 2.2. We are not sure if the problem could be more in
> SuSE or mod_security.

Are you able to run any other third-party modules compiled via DSO?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Ivan R. <iv...@we...> - 2006-03-02 17:21:30

Jeff Haney wrote:
> I'm trying to upgrade my Apache, PHP & mod_security installs to the
> latest versions

BTW, if you are looking for production-quality code stick with 1.9.x. What you got from the CVS is 2.0.0-dev1.

> and I'm getting the following error:
>
> Access denied with code 403. IP Info: Failed to open IP Address DB
> (2): No such file or directory

ModSecurity will attempt to open/create an IP database in <SERVER_ROOT>/logs/. This is not yet configurable.

> The frustrating thing is I don't see this mentioned in the doc
> anywhere, if it is I haven't been able to find it.

As I said, it's the development branch. The docs will be available in a few days.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Jeff H. <ja...@mi...> - 2006-03-02 16:38:24

I'm trying to upgrade my Apache, PHP & mod_security installs to the latest versions and I'm getting the following error:

Access denied with code 403. IP Info: Failed to open IP Address DB (2): No such file or directory

I'm running Apache 2.2.0, PHP 5.1.2 and the mod_security nightly cvs snapshot from March 1 (tried mod_security 1.9.2 too). I installed mod_security using the "Static installation with Apache 2.x" method. This occurs on every page and any time mod_security is enabled, even with no rules specified.

I'm running Apache in a chrooted jail but was having some difficulty getting the mod_security chroot working. I have it working with another installation and intend to work through it on this install, but for now I've copied libraries to the chroot jail and I'm doing it the old fashioned way.

The error seems to indicate it's looking for some sort of file, an IP database of some type? The frustrating thing is I don't see this mentioned in the doc anywhere; if it is, I haven't been able to find it.

I have another installation on a different server with a similar environment and I'm not having this problem. That environment is using php 4.4.1 and is using mod_security's chroot function. Those two things are the major differences; everything else is very similar to the environment with the problem.

Any help would be greatly appreciated.

Thanks,
-jah
From: <Kam...@bd...> - 2006-03-02 16:09:37

Hello all,

I would like to ask if somebody has met a similar problem to ours:

The combination of apache 2.2.0 and mod_security 1.9.2 causes a crash under SuSE 9.3.
Both apache and mod_security compile w/o errors, but every request with mod_security enabled causes SIGSEGV in the current thread.
The reason is that the function ap_get_module_config is called with zero in the module pointer (m).
The bug is the same under worker and prefork mpms. More details are included in the attachment.

We have had this problem since the upgrade from apache 2.0 to 2.2 (mainly because we needed to use new features in mod_proxy). For 2.0 we compiled (and created an RPM of) mod_security 1.9.2 with no problems, but the similar process failed with 2.2. We are not sure if the problem could be more in SuSE or mod_security.

Any help is appreciated

Thanks
Kamil Golombek & BDO IT team
From: Ivan R. <iv...@we...> - 2006-03-02 00:29:07

Steve McKinney wrote:
> I am running hardened-gentoo (with grsecurity) and have apache 2.0.55. I
> have installed mod_security 1.87 (the latest version gentoo has marked
> stable) and am using the chroot feature.
>
> When I try to access a page using:
>
> links http://127.0.0.1
>
> I receive a 403 Forbidden error saying that I do not have permission to
> access / on this server.
>
> I can access the page if I turn off mod_security
>
> My current DocumentRoot is set to /var/www/localhost/htdocs/
>
> So my html files are in:
>
> /var/chroot/apache2/var/www/localhost/htdocs/
>
> The permissions are the same on the real DocumentRoot as they are on the
> DocumentRoot inside the jail.

For the list: the permissions on /var/chroot/apache2 were incorrect.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Ivan R. <iv...@we...> - 2006-03-01 23:40:11

Steve McKinney wrote:
> I am running hardened-gentoo (with grsecurity) and have apache 2.0.55. I
> have installed mod_security 1.87 (the latest version gentoo has marked
> stable) and am using the chroot feature.
>
> When I try to access a page using:
>
> links http://127.0.0.1
>
> I receive a 403 Forbidden error saying that I do not have permission to
> access / on this server.
>
> I can access the page if I turn off mod_security
>
> My current DocumentRoot is set to /var/www/localhost/htdocs/
>
> So my html files are in:
>
> /var/chroot/apache2/var/www/localhost/htdocs/
>
> The permissions are the same on the real DocumentRoot as they are on the
> DocumentRoot inside the jail.
>
> Any thoughts?
The message in the error log will give you a clue as to
what might be the problem.
My guess is that you need something like:
<Directory /var/www/localhost/htdocs/>
Order allow,deny
Allow from all
</Directory>
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
From: Steve M. <sj...@po...> - 2006-03-01 23:20:10

I am running hardened-gentoo (with grsecurity) and have apache 2.0.55. I have installed mod_security 1.87 (the latest version gentoo has marked stable) and am using the chroot feature.

When I try to access a page using:

links http://127.0.0.1

I receive a 403 Forbidden error saying that I do not have permission to access / on this server.

I can access the page if I turn off mod_security.

My current DocumentRoot is set to /var/www/localhost/htdocs/

So my html files are in:

/var/chroot/apache2/var/www/localhost/htdocs/

The permissions are the same on the real DocumentRoot as they are on the DocumentRoot inside the jail.

Any thoughts?

Thanks,
Steve
From: Linh Vu <vu...@ph...> - 2006-02-28 22:49:04

Thanks for clearing that up. I get it now.

Cheers,
Linh

Ivan Ristic wrote:
> Linh Vu wrote:
> > Hi,
> >
> > Thanks for your reply. I currently have 1 AuditLog at httpd.conf level
> > to log all virtual hosts. I take it that if I add SecGuardianLog
> > /path/to/httpd-guardian at that same level, it will scan every request
> > that gets logged in AuditLog and act accordingly?
>
> The idea is to send information about *every* request to the
> guardian log.
>
> > I'm confused by this
> > paragraph in httpd-guardian script:
> >
> > # NOTE: In order for this script to be effective it must be able to
> > # see all requests coming to the web server. This will not happen
> > # if you are using per-virtual host logging. In such cases either
> > # use the ModSecurity 1.9 SecGuardianLog directive (which was designed
> > # for this very purpose).
> >
> > So does "per-virtual host logging" here refer to the Audit Log?
>
> No, it refers to the case when you are using this facility without
> ModSecurity. In that case you will need to ensure all requests are
> sent to httpd-guardian.
>
> If you are using ModSecurity - it does that for you.
>
> > Which
> > means that if I have multiple AuditLogs for the virtual hosts,
> > SecGuardianLog won't be effective, right?
>
> No, audit log and guardian log are not related.

--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093 Email: vu...@ph...
-----------------------------------------------
From: Ivan R. <iv...@we...> - 2006-02-28 12:57:46
|
Linh Vu wrote:
> Hi,
>
> Thanks for your reply. I currently have 1 AuditLog at httpd.conf level
> to log all virtual hosts. I take it that if I add SecGuardianLog
> /path/to/httpd-guardian at that same level, it will scan every request
> that gets logged in AuditLog and act accordingly?

The idea is to send information about *every* request to the
guardian log.

> I'm confused by this
> paragraph in httpd-guardian script:
>
> # NOTE: In order for this script to be effective it must be able to
> # see all requests coming to the web server. This will not happen
> # if you are using per-virtual host logging. In such cases either
> # use the ModSecurity 1.9 SecGuardianLog directive (which was designed
> # for this very purpose).
>
> So does "per-virtual host logging" here refer to the Audit Log?

No, it refers to the case when you are using this facility without
ModSecurity. In that case you will need to ensure all requests are
sent to httpd-guardian.

If you are using ModSecurity - it does that for you.

> Which
> means that if I have multiple AuditLogs for the virtual hosts,
> SecGuardianLog won't be effective, right?

No, audit log and guardian log are not related.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net |
|
From: Linh Vu <vu...@ph...> - 2006-02-28 01:20:01
|
Hi,

Thanks for your reply. I currently have 1 AuditLog at httpd.conf level
to log all virtual hosts. I take it that if I add SecGuardianLog
/path/to/httpd-guardian at that same level, it will scan every request
that gets logged in AuditLog and act accordingly?

I'm confused by this paragraph in httpd-guardian script:

# NOTE: In order for this script to be effective it must be able to
# see all requests coming to the web server. This will not happen
# if you are using per-virtual host logging. In such cases either
# use the ModSecurity 1.9 SecGuardianLog directive (which was designed
# for this very purpose).

So does "per-virtual host logging" here refer to the Audit Log? Which
means that if I have multiple AuditLogs for the virtual hosts,
SecGuardianLog won't be effective, right? With my current setup (single
AuditLog for the whole server), it will work?

I was thinking of my access/error logging per virtual host, which
probably shouldn't have anything to do with this.

Cheers,
Linh

Ivan Ristic wrote:
>Linh Vu wrote:
>
>>Hi all,
>>
>>I'm a bit confused about this part in the documentation and the
>>instruction at the top of httpd-guardian. I'm using per-virtual-host
>>logging so if I want to use httpd-guardian, I need to have
>>
>>SecGuardianLog |/path/to/httpd-guardian
>>
>>in every VirtualHost config?
>>
>
> No. Only one guardian log can be used for the whole web server. I
> designed it to protect the web server, not individual sites.
>
>>And I can have both AuditLog and GuardianLog?
>>
>
> You can have as many audit logs as you want. Per-virtual host
> included...
>

--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093
Email: vu...@ph...
----------------------------------------------- |
|
From: Ivan R. <iv...@we...> - 2006-02-27 11:51:05
|
Linh Vu wrote:
> Hi all,
>
> I'm a bit confused about this part in the documentation and the
> instruction at the top of httpd-guardian. I'm using per-virtual-host
> logging so if I want to use httpd-guardian, I need to have
>
> SecGuardianLog |/path/to/httpd-guardian
>
> in every VirtualHost config?

No. Only one guardian log can be used for the whole web server. I
designed it to protect the web server, not individual sites.

> And I can have both AuditLog and GuardianLog?

You can have as many audit logs as you want. Per-virtual host
included...

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net |
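An added configuration sketch, not taken from the thread or from the ModSecurity documentation, showing the placement the reply above describes for ModSecurity 1.9: a single SecGuardianLog at server level, while audit logs may still be declared per virtual host. The file paths and host name are assumptions made for the example.

```apache
# httpd.conf, server level (ModSecurity 1.9.x). Example only; paths are assumed.
<IfModule mod_security.c>
    SecFilterEngine On

    # Exactly one guardian log for the whole server. ModSecurity sends a
    # record for every request through this pipe, so httpd-guardian sees
    # traffic from all virtual hosts. Do not repeat this inside <VirtualHost>.
    SecGuardianLog |/usr/local/apache/bin/httpd-guardian

    # Server-wide audit log; a virtual host may override it (below).
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/example

    <IfModule mod_security.c>
        # Per-virtual-host audit log. This is independent of the guardian
        # log above and does not reduce what httpd-guardian sees.
        SecAuditLog /var/log/apache2/example_audit.log
    </IfModule>
</VirtualHost>
```

The guardian log is a per-server feed of every request; the audit log is a forensic record of the requests you choose to keep, so splitting the latter per site is fine and changes nothing for httpd-guardian.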
|
From: Linh Vu <vu...@ph...> - 2006-02-27 01:12:50
|
Hi all,

I'm a bit confused about this part in the documentation and the
instruction at the top of httpd-guardian. I'm using per-virtual-host
logging so if I want to use httpd-guardian, I need to have

SecGuardianLog |/path/to/httpd-guardian

in every VirtualHost config?

And I can have both AuditLog and GuardianLog?

Cheers,
Linh

--
-----------------------------------------------
Linh Vu - Web/DB and Systems Support officer
School of Physics, The University of Melbourne
Office: 8344 8093
Email: vu...@ph...
----------------------------------------------- |
|
From: Ivan R. <iv...@we...> - 2006-02-26 13:43:25
|
Markus Rietzler wrote:
>>> 2) another
>>> way would be to use md5-hashes for hidden fields. compute md5-hashes of each
>>> or all hidden fields and send it also as hidden field. so you can recompute
>>> the hash and check whether values have changed or not.
>> Note that hashing alone isn't sufficient because it's trivial for
>> the attacker to recompute the hash. You have to encrypt the hash too.
>>
>
> ok, just the md5-hash is not sufficient, but if you use an additional
> "salt"-value then it should be good enough. eg.
>
> <input name="id" type="hidden" value="1234">
>
> then generate an md5-hash from "id1234mySecretSalt". this should be good
> enough as "mySecretSalt" could not be guessed that easy...

Agreed, that would also work.

Finally, you would also need a mandatory per-form field so that, when
you receive the form data from the user, you know how many hidden
fields were there. Since you are also likely to rotate the encryption
key (or the salt), this field also needs to contain a timestamp to help
you find the key.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net |
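As an added example, not code from the thread, from ModSecurity or from either poster: a Python implementation of the scheme the two replies above converge on. HMAC-SHA256 with a server-side secret stands in for the salted MD5 hash, and the mandatory per-form field carries the key identifier, a timestamp and the list of signed hidden fields, so the server knows which key to use and which hidden fields must be present. The field name, key identifiers, secrets and lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed key ring for this example (assumption: real secrets come from
# protected configuration). Keeping the previous key lets forms issued before
# a rotation verify until they expire.
KEYS = {
    "k1": b"previous-secret-kept-until-old-forms-expire",
    "k2": b"current-signing-secret",
}
CURRENT_KEY_ID = "k2"
MAX_AGE_SECONDS = 3600          # forms older than this are rejected
SIG_FIELD = "__form_sig"        # hypothetical name of the mandatory per-form field


def _canonical(values, names):
    """Length-prefix each name and value so "ab"+"c" and "a"+"bc" differ."""
    parts = []
    for name in names:
        value = values[name]
        parts.append(f"{len(name)}:{name}{len(value)}:{value}")
    return "|".join(parts).encode()


def _mac(key, header, values, names):
    # The header (key id, timestamp, field list) is covered by the MAC too,
    # so none of it can be edited without invalidating the signature.
    data = header.encode() + b"\n" + _canonical(values, names)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_form(hidden, key_id=CURRENT_KEY_ID, now=None):
    """Return the hidden fields plus one signature field covering all of them."""
    now = int(time.time()) if now is None else int(now)
    names = sorted(hidden)
    for name in names:
        if ";" in name or "," in name:
            raise ValueError(f"unsupported character in field name: {name!r}")
    header = f"{key_id};{now};{','.join(names)}"
    out = dict(hidden)
    out[SIG_FIELD] = header + ";" + _mac(KEYS[key_id], header, hidden, names)
    return out


def verify_form(submitted, now=None):
    """Return the dict of trusted hidden fields, or None if anything is off."""
    now = int(time.time()) if now is None else int(now)
    sig = submitted.get(SIG_FIELD)
    if sig is None:
        return None                 # the mandatory field is missing
    parts = sig.split(";")
    if len(parts) != 4:
        return None
    key_id, ts, names_csv, mac = parts
    key = KEYS.get(key_id)          # unknown or retired key id: reject
    if key is None or not ts.isdigit():
        return None
    issued = int(ts)
    if issued > now or now - issued > MAX_AGE_SECONDS:
        return None                 # future-dated or expired form
    names = names_csv.split(",") if names_csv else []
    if any(name not in submitted for name in names):
        return None                 # a signed hidden field was removed
    header = f"{key_id};{ts};{names_csv}"
    expected = _mac(key, header, submitted, names)
    if not hmac.compare_digest(expected, mac):
        return None                 # value edited, or field list tampered with
    return {name: submitted[name] for name in names}
```

Only the fields named in the signed list come back from verify_form; anything else in the submission (visible inputs, or hidden fields an attacker added) is left to normal input validation. The signature being keyed is what stops the attacker from recomputing it after editing a value, which is the point Ivan makes about a bare hash.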