mod-security-users Mailing List for ModSecurity (Page 543)
|
From: Jernej Z. <jer...@mo...> - 2006-01-13 10:39:09
|
Hello,
this is what I get:
[root@box:httpd-2.0.55]# make
Making all in srclib
make[1]: Entering directory `/root/httpd-2.0.55/srclib'
Making all in apr
make[2]: Entering directory `/root/httpd-2.0.55/srclib/apr'
Making all in strings
make[3]: Entering directory `/root/httpd-2.0.55/srclib/apr/strings'
make[4]: Entering directory `/root/httpd-2.0.55/srclib/apr/strings'
/bin/bash /root/httpd-2.0.55/srclib/apr/libtool --silent --mode=compile gcc -g -O2 -DHAVE_CONFIG_H -DSOLARIS2=10 -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -I../include -I../include/arch/unix -c apr_cpystrn.c && touch apr_cpystrn.lo
In file included from /usr/include/sys/wait.h:24,
from ../include/apr.h:131,
from apr_cpystrn.c:17:
/usr/include/sys/siginfo.h:259: error: parse error before "ctid_t"
/usr/include/sys/siginfo.h:292: error: parse error before '}' token
/usr/include/sys/siginfo.h:294: error: parse error before '}' token
/usr/include/sys/siginfo.h:390: error: parse error before "ctid_t"
/usr/include/sys/siginfo.h:392: error: conflicting types for `__proc'
/usr/include/sys/siginfo.h:261: error: previous declaration of `__proc'
/usr/include/sys/siginfo.h:398: error: conflicting types for `__fault'
/usr/include/sys/siginfo.h:267: error: previous declaration of `__fault'
/usr/include/sys/siginfo.h:404: error: conflicting types for `__file'
/usr/include/sys/siginfo.h:273: error: previous declaration of `__file'
/usr/include/sys/siginfo.h:420: error: conflicting types for `__prof'
/usr/include/sys/siginfo.h:287: error: previous declaration of `__prof'
/usr/include/sys/siginfo.h:424: error: conflicting types for `__rctl'
/usr/include/sys/siginfo.h:291: error: previous declaration of `__rctl'
/usr/include/sys/siginfo.h:426: error: parse error before '}' token
/usr/include/sys/siginfo.h:428: error: parse error before '}' token
/usr/include/sys/siginfo.h:432: error: parse error before "k_siginfo_t"
/usr/include/sys/siginfo.h:437: error: parse error before '}' token
In file included from /usr/include/sys/procset.h:24,
from /usr/include/sys/wait.h:25,
from ../include/apr.h:131,
from apr_cpystrn.c:17:
/usr/include/sys/signal.h:85: error: parse error before "siginfo_t"
In file included from ../include/apr.h:131,
from apr_cpystrn.c:17:
/usr/include/sys/wait.h:86: error: parse error before "siginfo_t"
In file included from ../include/apr_general.h:33,
from ../include/apr_pools.h:39,
from ../include/apr_strings.h:50,
from apr_cpystrn.c:18:
/usr/include/signal.h:111: error: parse error before "siginfo_t"
/usr/include/signal.h:113: error: parse error before "siginfo_t"
make[4]: *** [apr_cpystrn.lo] Error 1
make[4]: Leaving directory `/root/httpd-2.0.55/srclib/apr/strings'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/httpd-2.0.55/srclib/apr/strings'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/httpd-2.0.55/srclib/apr'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/httpd-2.0.55/srclib'
make: *** [all-recursive] Error 1
Any pointers would be appreciated.
--
Jernej Zajc jer...@mo...
Mobitel d.d. Podrocje za razvoj / R&D Dept
Vilharjeva 23 T: +386 1 472 2038
SI-1537 Ljubljana F: +386 1 472 2068
|
|
From: Ryan B. <rcb...@gm...> - 2006-01-12 02:27:57
|
Sounds like you want the functionality of the Apache mod_ext_filters (http://httpd.apache.org/docs/2.0/mod/mod_ext_filter.html) integrated into mod_security so that it can change data within the request, correct? That would be nice. The closest that you can get in the meantime is to use either mod_rewrite or the new setenv mod_security action to identify and tag a request and then use the ENV triggering of mod_ext_filters to manipulate the inbound/outbound data. I have done this with some success. From my experience, it works pretty good for manipulating the payload (outbound html) but can be unstable if you set the "ftype=" mod_ext_filter setting and start monkeying around with the HTTP headers.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 1/11/06, Tom Anderson <tan...@oa...> wrote:
>
> Ivan Ristic wrote:
>
> > Windows because of the smaller stack size. If I recall
> > correctly PCRE uses recursion for subexpressions internally,
> > which leads to stack space consumption when the regex
> > is applied to a long string.
>
> For performance reasons, all regular expressions should be simplified as
> much as possible. Under the wrong circumstances, they can end up using
> lots of resources. For instance, expressions should be greedy whenever
> possible. The expression /<.+>/ will match "<head>" but will also
> search "<head> blah blah blah blah blah ..." until the end of the string
> to determine if the ">" is a part of the "." or not. It will also match
> "<head><title>HTML Injection Attack</title></head>" even though it would
> be sufficient to stop at "<head>" if you're just trying to reject HTML
> tags of any kind. So a more efficient version that prevents all kinds
> of recursive backtracking would be the greedy one /<.+?>/.
>
> But still, any filter that looks for one or two characters followed by
> ".+" or even ".+?" is going to be a likely resource hog during false
> positives. To cut down on this, try to add as much detail to an
> expression as possible. Using character classes to reduce the set of
> characters that will match can both cut down on false positives and also
> significantly reduce the recursion on each string. For instance, if an
> HTML tag cannot start with a number, then using the expression
> /<\s*[^\d].+?>/ will prevent the regex engine from searching a term such
> as "if x < 5, then z = 0 blah blah blah...." all the way to the end of
> the string. We've added more detail before the ".+?" part.
>
> This might be a bad example since most HTML engines will just ignore a
> number at the beginning of a tag, but then again, an HTML tag -- being
> an enclosure of just about any size string -- is just too fungible to
> efficiently identify and flag with a filter directive anyway. Better
> instead would be to sanitize your input so that HTML tags are made
> impossible by escaping the tag symbols themselves. But you can't just
> do this for every input ever passed into Apache, as some maybe shouldn't
> be mutilated in this way if they're ultimately never going to be
> displayed on a web page. Ideally, the script that handles this input
> should do its own sanitizing. I'm not sure if you can use mod_security
> to do this, but maybe you can try something like:
>
> SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
> SecFilterSelective ARG_SANITIZEME "(<|>)" "exec:html_escape.pl"
>
> But I don't think the exec'd script gets passed the info or inserts
> anything back into the string. Ideally "html_escape.pl" would be passed
> the "ARG_SANITIZEME" content on STDIN and then mod_security would
> replace "ARG_SANITIZEME" with the output of "html_escape.pl". That
> would be a true external filter, similar to how procmail works. Ivan,
> correct me if I'm wrong in saying that you can't do using mod_security
> what I'm suggesting would be the right technique. Actually, ideally you
> could do this:
>
> SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
> SecFilterSelective ARG_SANITIZEME s/</&lt;/
> SecFilterSelective ARG_SANITIZEME s/>/&gt;/
>
> But that too wouldn't work in mod_security I believe. Is this something
> that could be added in future versions? Or maybe even a new directive
> specifically for html escaping input? Something like:
>
> SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
> SecFilterHTMLEscape ARG_SANITIZEME
>
> I think it would be extremely useful to be able to modify request
> content in this way rather than just flagging it.
>
> Tom
|
|
From: Tom A. <tan...@oa...> - 2006-01-11 23:05:24
|
Ivan Ristic wrote:
> Windows because of the smaller stack size. If I recall
> correctly PCRE uses recursion for subexpressions internally,
> which leads to stack space consumption when the regex
> is applied to a long string.

For performance reasons, all regular expressions should be simplified as much as possible. Under the wrong circumstances, they can end up using lots of resources. For instance, expressions should be greedy whenever possible. The expression /<.+>/ will match "<head>" but will also search "<head> blah blah blah blah blah ..." until the end of the string to determine if the ">" is a part of the "." or not. It will also match "<head><title>HTML Injection Attack</title></head>" even though it would be sufficient to stop at "<head>" if you're just trying to reject HTML tags of any kind. So a more efficient version that prevents all kinds of recursive backtracking would be the greedy one /<.+?>/.

But still, any filter that looks for one or two characters followed by ".+" or even ".+?" is going to be a likely resource hog during false positives. To cut down on this, try to add as much detail to an expression as possible. Using character classes to reduce the set of characters that will match can both cut down on false positives and also significantly reduce the recursion on each string. For instance, if an HTML tag cannot start with a number, then using the expression /<\s*[^\d].+?>/ will prevent the regex engine from searching a term such as "if x < 5, then z = 0 blah blah blah...." all the way to the end of the string. We've added more detail before the ".+?" part.

This might be a bad example since most HTML engines will just ignore a number at the beginning of a tag, but then again, an HTML tag -- being an enclosure of just about any size string -- is just too fungible to efficiently identify and flag with a filter directive anyway. Better instead would be to sanitize your input so that HTML tags are made impossible by escaping the tag symbols themselves. But you can't just do this for every input ever passed into Apache, as some maybe shouldn't be mutilated in this way if they're ultimately never going to be displayed on a web page. Ideally, the script that handles this input should do its own sanitizing. I'm not sure if you can use mod_security to do this, but maybe you can try something like:

SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
SecFilterSelective ARG_SANITIZEME "(<|>)" "exec:html_escape.pl"

But I don't think the exec'd script gets passed the info or inserts anything back into the string. Ideally "html_escape.pl" would be passed the "ARG_SANITIZEME" content on STDIN and then mod_security would replace "ARG_SANITIZEME" with the output of "html_escape.pl". That would be a true external filter, similar to how procmail works. Ivan, correct me if I'm wrong in saying that you can't do using mod_security what I'm suggesting would be the right technique. Actually, ideally you could do this:

SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
SecFilterSelective ARG_SANITIZEME s/</&lt;/
SecFilterSelective ARG_SANITIZEME s/>/&gt;/

But that too wouldn't work in mod_security I believe. Is this something that could be added in future versions? Or maybe even a new directive specifically for html escaping input? Something like:

SecFilterSelective THE_REQUEST "vulnerable-script-name" chain
SecFilterHTMLEscape ARG_SANITIZEME

I think it would be extremely useful to be able to modify request content in this way rather than just flagging it.

Tom
|
|
From: Ivan R. <iv...@we...> - 2006-01-11 21:22:17
|
Karin wrote:
> Unable to install modsecurity. I presently have an older build of
> modsecurity running which was built against a threaded apache 2.2
> server. Apache is now non-threaded. Mod_Security is the only module in
> my batch of modules to refresh that refuses to install correctly. Here
> are the specs:

That's strange. Can you try adding:

#include <time.h>

to the top, among the other include statements?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Karin <kar...@be...> - 2006-01-11 21:10:57
|
Unable to install modsecurity. I presently have an older build of
modsecurity running which was built against a threaded apache 2.2
server. Apache is now non-threaded. Mod_Security is the only module
in my batch of modules to refresh that refuses to install correctly.
Here are the specs:
#uname -a
Linux 2.4.21-37.EL
#cat /etc/redhat-release
Red Hat Enterprise Linux ES release 3 (Taroon Update 6)
#httpd -V
Server version: Apache/2.2.0
Server built: Jan 11 2006 15:29:50
Server's Module Magic Number: 20051115:0
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_USE_SYSVSEM_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="no"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
#httpd -l
Compiled in modules:
core.c
mod_ssl.c
prefork.c
http_core.c
mod_so.c
#define MODULE_RELEASE "1.9.1" and #define MODULE_RELEASE "1.9.2-rc3"
Run "./apache2/apxs -cia mod_security.c"
Result:
/home/apache/build-1/libtool --silent --mode=compile gcc
-prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE
-D_LARGEFILE64_SOURCE -DAP_DEBUG -g -O2
-I/usr/include/httpd -I/usr/include/httpd -I/usr/include/httpd
-I/usr/include -c -o mod_security.lo mod_security.c && touch mod_security.slo
mod_security.c: In function `get_variable':
mod_security.c:1717: warning: assignment makes pointer from integer
without a cast
mod_security.c:1718: dereferencing pointer to incomplete type
mod_security.c:1718: dereferencing pointer to incomplete type
mod_security.c:1723: warning: assignment makes pointer from integer
without a cast
mod_security.c:1725: dereferencing pointer to incomplete type
mod_security.c:1725: dereferencing pointer to incomplete type
mod_security.c:1726: dereferencing pointer to incomplete type
mod_security.c:1726: dereferencing pointer to incomplete type
mod_security.c:1726: dereferencing pointer to incomplete type
mod_security.c:1726: dereferencing pointer to incomplete type
mod_security.c:1727: dereferencing pointer to incomplete type
mod_security.c:1732: warning: assignment makes pointer from integer
without a cast
mod_security.c:1733: dereferencing pointer to incomplete type
mod_security.c:1738: warning: assignment makes pointer from integer
without a cast
mod_security.c:1739: dereferencing pointer to incomplete type
mod_security.c:1744: warning: assignment makes pointer from integer
without a cast
mod_security.c:1745: dereferencing pointer to incomplete type
mod_security.c:1750: warning: assignment makes pointer from integer
without a cast
mod_security.c:1751: dereferencing pointer to incomplete type
mod_security.c:1756: warning: assignment makes pointer from integer
without a cast
mod_security.c:1757: dereferencing pointer to incomplete type
mod_security.c:1762: warning: assignment makes pointer from integer
without a cast
mod_security.c:1763: dereferencing pointer to incomplete type
apxs:Error: Command failed with rc=65536
|
|
From: Ivan R. <iv...@we...> - 2006-01-11 20:59:40
|
Servedio, Allen (Matrix) wrote:
> Just getting ready to... I am working with Ivan on it now.

We didn't get to run truss (Allen did not have root on the box) but we narrowed it down pretty much to a problem in the Apache 1.3.x regular expression library. After changing the rule 'SecFilter "<(.|\n)+>" id:1002' to 'SecFilter "<.+>" id:1002' Apache did not hang any more.

I have seen a similar problem once before, when I encountered a problem with Apache 2.x on Windows. It turned out to be a PCRE bug which manifested only on Windows because of the smaller stack size. If I recall correctly PCRE uses recursion for subexpressions internally, which leads to stack space consumption when the regex is applied to a long string.

I think this is pretty much the same problem. Other modules that use regular expressions would probably suffer too. One solution is to avoid using subexpressions. Another might be to compile mod_security against PCRE (as far as I know the problem I reported was fixed a long time ago).

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
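The patterns from the message above and from Tom's reply earlier on this page, run over the thread's sample strings, as an added example that is not code from the thread. Python's `re` stands in for the server's regex library, and the `negated` pattern plus the two samples marked constructed are assumptions of this example; it shows which part of each sample every pattern actually matches.

```python
import re

# Patterns quoted in the thread, in Perl-style syntax. Python's `re` (a
# backtracking engine) stands in for the server's regex library; that
# substitution is an assumption of this example.
PATTERNS = {
    "subexpr": r"<(.|\n)+>",          # rule id:1002 as first posted
    "greedy": r"<.+>",                # rule id:1002 after the change
    "lazy": r"<.+?>",                 # variant that stops at the first '>'
    "digit_guard": r"<\s*[^\d].+?>",  # "tag cannot start with a number"
    # Added for comparison, not from the thread: the first tag character may
    # not be a digit, whitespace or '>', and the body may not contain '>'.
    "negated": r"<\s*[^\d\s>][^>]*>",
}

# The first three samples are quoted in the thread; the last two are
# constructed for this example.
SAMPLES = {
    "tag": "<head>",
    "nested": "<head><title>HTML Injection Attack</title></head>",
    "prose_open": "if x < 5, then z = 0 blah blah blah....",
    "prose_both": "if x < 5, then y > 3",   # constructed: prose with '<' and '>'
    "multiline": "<a\nhref=x>",             # constructed: tag split over lines
}


def matched_text(pattern_name, text):
    """Return the substring the named pattern matches in text, or None."""
    m = re.search(PATTERNS[pattern_name], text)
    return m.group(0) if m else None


def flagged_samples(pattern_name):
    """Names of the samples a rule built on this pattern would flag."""
    return [name for name, text in SAMPLES.items()
            if matched_text(pattern_name, text) is not None]


def comparison():
    """Map pattern name -> {sample name -> matched text or None}."""
    return {p: {s: matched_text(p, t) for s, t in SAMPLES.items()}
            for p in PATTERNS}


# Two results worth reading in the output:
# - "digit_guard" still matches "prose_both": when [^\d] fails on '5', the
#   engine backtracks, \s* gives the space back, and [^\d] accepts the space.
# - "greedy" returns None for "multiline" because `.` does not match a newline
#   in Python without re.DOTALL, while "subexpr" does match it; whether the
#   two rules are equivalent therefore depends on the regex engine in use.
if __name__ == "__main__":
    for pattern_name, row in comparison().items():
        print(f"{pattern_name:12} {PATTERNS[pattern_name]}")
        for sample_name, hit in row.items():
            print(f"    {sample_name:11} -> {hit!r}")
```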
|
From: Servedio, A. (Matrix) <All...@ic...> - 2006-01-11 20:04:55
|
Just getting ready to... I am working with Ivan on it now.

---------------------------------------------------
Allen Servedio
Internet Developer (E-Commerce)
Matrix Resources Consultant
---------------------------------------------------

-----Original Message-----
From: Christopher Murley [mailto:mu...@to...]
Sent: Wednesday, January 11, 2006 3:01 PM
To: Servedio, Allen (Matrix)
Cc: 'mod...@li...'
Subject: RE: [mod-security-users] mod_security causing Apache 1.3.33 to hang

Did you run an strace on the apache process to see where it's hanging?

--
Regards,
-Chris
_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576

Servedio, Allen (Matrix) said:
> Hi,
>
> I compiled it with:
> /apachehome/bin/apxs -cia mod_security.c
>
> Against an already compiled Apache (so, SSL was already compiled into
> it).
>
> The above made a shared object in my libexec that I included with the
> LoadModule (also did the AddModule entry as specified in your install
> instructions).
>
> Yeah, I agree with you on the redirect. The reason that I just did the
> root like that is that this actually handles LOTS of domains. So, I
> thought just sending them back to the root was the safest way to ditch
> their parameters but not give them an ugly error page. Is there a better
> way to do that?
>
> Thanks,
> Allen
>
> ---------------------------------------------------
> Allen Servedio
> Internet Developer (E-Commerce)
> Matrix Resources Consultant
> ---------------------------------------------------
>
>
> -----Original Message-----
> From: Ivan Ristic [mailto:iv...@we...]
> Sent: Wednesday, January 11, 2006 2:47 PM
> To: Servedio, Allen (Matrix)
> Cc: 'mod...@li...'
> Subject: Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang
>
> Servedio, Allen (Matrix) wrote:
>> Hi,
>>
>> I am new to using mod_security so there is a high probability that I
>> messed something up with my configuration. But, I am able to get Apache
>> to hang (consistently) while using mod_security by posting the form
>> below (it is from a security scanning tool, in case the values look
>> fishy :-) ). I would appreciate any insight as to what is causing this
>> to hang. If I remove mod_security the same request passes through just fine.
>
> I am unable to re-create the problem here (1.3.3 + mod_ssl 2.8.22,
> running on Debian 3.1).
>
> Did you compile mod_security before or after mod_ssl installation?
> mod_ssl for Apache 1.3.x actually patches the Apache source code and
> changes the API? Many modules work after the patch on Linux but
> I don't know about Solaris.
>
>
>> SecFilterDefaultAction "deny,log,redirect:/"
>
> Strictly speaking redirects should be supplied with a full
> URL. For example: redirect:http://www.example.com/ However,
> I notice that even / works and redirects the user to the root
> of the web site.
>
> There's nothing unusual in your configuration.
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Christopher M. <mu...@to...> - 2006-01-11 20:01:16
|
Did you run an strace on the apache process to see where it's hanging?

--
Regards,
-Chris
_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576

Servedio, Allen (Matrix) said:
> Hi,
>
> I compiled it with:
> /apachehome/bin/apxs -cia mod_security.c
>
> Against an already compiled Apache (so, SSL was already compiled into
> it).
>
> The above made a shared object in my libexec that I included with the
> LoadModule (also did the AddModule entry as specified in your install
> instructions).
>
> Yeah, I agree with you on the redirect. The reason that I just did the
> root like that is that this actually handles LOTS of domains. So, I
> thought just sending them back to the root was the safest way to ditch
> their parameters but not give them an ugly error page. Is there a better
> way to do that?
>
> Thanks,
> Allen
>
> ---------------------------------------------------
> Allen Servedio
> Internet Developer (E-Commerce)
> Matrix Resources Consultant
> ---------------------------------------------------
>
>
> -----Original Message-----
> From: Ivan Ristic [mailto:iv...@we...]
> Sent: Wednesday, January 11, 2006 2:47 PM
> To: Servedio, Allen (Matrix)
> Cc: 'mod...@li...'
> Subject: Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang
>
> Servedio, Allen (Matrix) wrote:
>> Hi,
>>
>> I am new to using mod_security so there is a high probability that I
>> messed something up with my configuration. But, I am able to get Apache
>> to hang (consistently) while using mod_security by posting the form
>> below (it is from a security scanning tool, in case the values look
>> fishy :-) ). I would appreciate any insight as to what is causing this
>> to hang. If I remove mod_security the same request passes through just fine.
>
> I am unable to re-create the problem here (1.3.3 + mod_ssl 2.8.22,
> running on Debian 3.1).
>
> Did you compile mod_security before or after mod_ssl installation?
> mod_ssl for Apache 1.3.x actually patches the Apache source code and
> changes the API? Many modules work after the patch on Linux but
> I don't know about Solaris.
>
>
>> SecFilterDefaultAction "deny,log,redirect:/"
>
> Strictly speaking redirects should be supplied with a full
> URL. For example: redirect:http://www.example.com/ However,
> I notice that even / works and redirects the user to the root
> of the web site.
>
> There's nothing unusual in your configuration.
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Servedio, A. (Matrix) <All...@ic...> - 2006-01-11 19:54:25
|
Hi,

I compiled it with:
/apachehome/bin/apxs -cia mod_security.c

Against an already compiled Apache (so, SSL was already compiled into it).

The above made a shared object in my libexec that I included with the LoadModule (also did the AddModule entry as specified in your install instructions).

Yeah, I agree with you on the redirect. The reason that I just did the root like that is that this actually handles LOTS of domains. So, I thought just sending them back to the root was the safest way to ditch their parameters but not give them an ugly error page. Is there a better way to do that?

Thanks,
Allen

---------------------------------------------------
Allen Servedio
Internet Developer (E-Commerce)
Matrix Resources Consultant
---------------------------------------------------

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Wednesday, January 11, 2006 2:47 PM
To: Servedio, Allen (Matrix)
Cc: 'mod...@li...'
Subject: Re: [mod-security-users] mod_security causing Apache 1.3.33 to hang

Servedio, Allen (Matrix) wrote:
> Hi,
>
> I am new to using mod_security so there is a high probability that I
> messed something up with my configuration. But, I am able to get Apache
> to hang (consistently) while using mod_security by posting the form
> below (it is from a security scanning tool, in case the values look
> fishy :-) ). I would appreciate any insight as to what is causing this
> to hang. If I remove mod_security the same request passes through just fine.

I am unable to re-create the problem here (1.3.3 + mod_ssl 2.8.22, running on Debian 3.1).

Did you compile mod_security before or after mod_ssl installation? mod_ssl for Apache 1.3.x actually patches the Apache source code and changes the API? Many modules work after the patch on Linux but I don't know about Solaris.

> SecFilterDefaultAction "deny,log,redirect:/"

Strictly speaking redirects should be supplied with a full URL. For example: redirect:http://www.example.com/ However, I notice that even / works and redirects the user to the root of the web site.

There's nothing unusual in your configuration.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Ivan R. <iv...@we...> - 2006-01-11 19:46:04
|
Servedio, Allen (Matrix) wrote:
> Hi,
>
> I am new to using mod_security so there is a high probability that I
> messed something up with my configuration. But, I am able to get Apache
> to hang (consistently) while using mod_security by posting the form
> below (it is from a security scanning tool, in case the values look
> fishy :-) ). I would appreciate any insight as to what is causing this
> to hang. If I remove mod_security the same request passes through just fine.

I am unable to re-create the problem here (1.3.3 + mod_ssl 2.8.22, running on Debian 3.1).

Did you compile mod_security before or after mod_ssl installation? mod_ssl for Apache 1.3.x actually patches the Apache source code and changes the API? Many modules work after the patch on Linux but I don't know about Solaris.

> SecFilterDefaultAction "deny,log,redirect:/"

Strictly speaking redirects should be supplied with a full URL. For example: redirect:http://www.example.com/ However, I notice that even / works and redirects the user to the root of the web site.

There's nothing unusual in your configuration.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Servedio, A. (Matrix) <All...@ic...> - 2006-01-11 18:35:02
|
Hi,
I am new to using mod_security so there is a high probability that I messed
something up with my configuration. But, I am able to get Apache to hang
(consistently) while using mod_security by posting the form below (it is
from a security scanning tool, in case the values look fishy :-) ). I would
appreciate any insight as to what is causing this to hang. If I remove
mod_security the same request passes through just fine.
Here are the particulars of my installation:
Solaris (release 5.8)
Apache 1.3.33 (mod_ssl [2.8.22] OpenSSL [0.9.6m])
Mod_security (tried both 1.9.1 and 1.9.2-rc3)
*** MOD_SECURITY.CONF file ***
<IfModule mod_security.c>
SecFilterEngine On
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,redirect:/"
SecFilterSignatureAction "deny,log,redirect:/"
SecFilter "<[[:space:]]*script" id:1001
SecFilter "<(.|\n)+>" id:1002
SecFilterSignatureAction deny,log,redirect:/h/d/pc/1/en/removecookies
SecFilterSelective HTTP_Cookie "<[[:space:]]*script" id:1003
SecFilterSelective HTTP_Cookie "<[[:space:]]*img" id:1004
SecFilterSelective HTTP_Cookie "<[[:space:]]*iframe" id:1005
SecFilterSelective HTTP_Cookie "<[[:space:]]*frame" id:1006
SecFilterSelective HTTP_Cookie "<[[:space:]]*object" id:1007
SecFilterSelective HTTP_Cookie "<[[:space:]]*applet" id:1008
SecFilterSelective HTTP_Cookie "<[[:space:]]*link" id:1009
SecFilterSelective HTTP_Cookie "<[[:space:]]*embed" id:1010
SecFilterSelective HTTP_Cookie "<[[:space:]]*form" id:1011
<LocationMatch "/h/d/pc/1/en/removecookies">
SecFilterInheritance Off
SecFilterEngine Off
</LocationMatch>
<LocationMatch "/decWebServices/*">
SecFilterInheritance Off
SecFilterEngine Off
</LocationMatch>
</IfModule>
*** FORM THAT HANGS APACHE ***
<form action="http://localhost" method="POST">
<input type="hidden" name="newSearch"
value="<!--#exec%20cmd='/bin/cat%20/etc/passwd'-->" />
<input type="hidden" name="countryRequired" value="yes" />
<input type="hidden" name="errorURL"
value="%2fh%2fd%2f6c%2f1%2fen%2fhome%3fquickResCache%3dasd" />
<input type="hidden" name="successURL"
value="%2fh%2fd%2f6c%2f1%2fen%2fhotelsearchresults" />
<input type="hidden" name="clarifyDestinationURL"
value="%2fh%2fd%2f6c%2f1%2fen%2fhotelsearchclarify" />
<input type="hidden" name="availabilitySearchSuccessURL"
value="%2fh%2fd%2f6c%2f1%2fen%2favailsearch%3ferrorURL%3d%2fh%2fd%2f6c%2f1%2
fen%2fhome%253FquickResCache%253Dasd" />
<input type="hidden" name="resetAdditionalRequirements" value="true" />
<input type="hidden" name="currentBrandId" value="6C" />
<input type="hidden" name="searchGroupCodes" value="IN" />
<input type="hidden" name="searchGroupCodes" value="CW" />
<input type="hidden" name="searchGroupCodes" value="EX" />
<input type="hidden" name="searchGroupCodes" value="HI" />
<input type="hidden" name="searchGroupCodes" value="RS" />
<input type="hidden" name="searchGroupCodes" value="SL" />
<input type="hidden" name="searchGroupCodes" value="SS" />
<input type="hidden" name="searchGroupCodes" value="FS" />
<input type="hidden" name="searchGroupCodes" value="SB" />
<input type="hidden" name="searchGroupCodes" value="CP" />
<input type="hidden" name="searchGroupCodes" value="IC" />
<input type="hidden" name="rateGroupCode" value="bh" />
<input type="hidden" name="brandGroupCode" value="6c" />
<input type="hidden" name="mapItSearch"
value="777-777-1911form%40value777.com" />
<input type="hidden" name="city" value="Atlanta" />
<input type="hidden" name="stateId" value="" />
<input type="hidden" name="countryId" value="" />
<input type="hidden" name="checkInDate"
value="777-777-1911form%40value777.com" />
<input type="hidden" name="checkInMonthYear"
value="777-777-1911form%40value777.com" />
<input type="hidden" name="checkOutDate"
value="777-777-1911form%40value777.com" />
<input type="hidden" name="checkOutMonthYear"
value="777-777-1911form%40value777.com" />
<input type="hidden" name="numberOfAdults" value="1" />
<input type="hidden" name="numberOfChildren" value="0" />
<input type="hidden" name="numberOfRooms" value="1" />
<input type="hidden" name="rateTypeCodes"
value="777-777-1911form%40value777.com" />
<input type="hidden" name="smartQuickSearch"
value="777-777-1911form%40value777.com" />
<input type="submit" />
</form>
Thanks!
Allen
---------------------------------------------------
Allen Servedio
Internet Developer (E-Commerce)
Matrix Resources Consultant
---------------------------------------------------
|
|
From: Ivan R. <iv...@we...> - 2006-01-11 14:32:17
|
Diego Pellegrino wrote:
> Hi.
> I'm running mod_security version 1.9 under Fedora Core 3, and I need
> to know
> how can I get the length of the arguments and check them against any
> condition.
>
> For example: argument zip
>
> SecFilterSelective ARGS_zip < 8 deny
Try this for less than 8 digits:
SecFilterSelective ARG_zip !^[0-9]{8,}$
For more information see: http://www.pcre.org/pcre.txt
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
|
From: Diego P. <die...@ho...> - 2006-01-11 14:26:06
|
Hi.
I'm running mod_security version 1.9 under Fedora Core 3, and I need to know
how can I get the length of the arguments and check them against any condition.

For example: argument zip

SecFilterSelective ARGS_zip < 8 deny

Thanks

Diego A. Vera
Afip
Information Security
|
From: Ivan R. <iv...@we...> - 2006-01-10 21:59:51
|
Alon Agmon wrote:
> Hi,
>
> I'm using the new "concurrent" logging option to aggregate and collect
> audit logs,
>
> Since we are using mod_sec as a web application firewall, on a very
> loaded farm (100 request per second almost 24/7),
>
> Our farm is based on public web services,
>
> Now the question is whether there is an option to rotate the "index"
> file, without causing a downtime to the system, or restart apache
>
> Since our index file becomes like 500mb after one week. And sys down
> time is critical.

Starting with 1.9.2 (now in rc3, due to be released as stable on Monday) you should be able to use any piped-logging rotate script there is to rotate the index file.

Also, in the util/ subfolder there is a proof-of-concept script modsec-auditlog-collector.pl that submits audit log entries to a central server (via HTTP PUT) in real time. The script isn't written for heavy usage such as yours, but it is something you can look at if you want to wrap your own rotate script.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
From: Alon A. <aa...@we...> - 2006-01-10 20:24:11
|
Hi,

I'm using the new "concurrent" logging option to aggregate and collect audit logs,

Since we are using mod_sec as a web application firewall, on a very loaded farm (100 request per second almost 24/7),

Our farm is based on public web services,

Now the question is whether there is an option to rotate the "index" file, without causing a downtime to the system, or restart apache

Since our index file becomes like 500mb after one week. And sys down time is critical.

Thanks

Alon Agmon.

Using:
Apache 2.2 . Mod_sec 1.9
Mod_unique . Linux fedora core 4.
|
From: Ivan R. <iv...@we...> - 2006-01-09 10:26:24
|
Gerwin Krist -|- Digitalus Webhosting wrote:
> Heya,
>
> Customers of us using phpmyadmin are getting a 406 error, the log file says:
>
> Error processing request body: Multipart: part header line over 1024 bytes
> long
>
> No clue what this mean, anyone?

The size of multipart/form-data part headers is limited. These headers are normally very simple so I find it very unusual the limit has been triggered.

You can change this limit yourself by editing the line that says:

#define MULTIPART_BUF_SIZE 1024

To make sure it is not a bug of some kind, please increase the limit to 4096 and record one request using the audit log.

Thanks!

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
From: Gerwin K. -|- D. W. <ge...@di...> - 2006-01-09 09:52:22
|
Heya,

Customers of us using phpmyadmin are getting a 406 error, the log file says:

Error processing request body: Multipart: part header line over 1024 bytes long

No clue what this means, anyone?

--
With kind regards,

Gerwin Krist
Digitalus
First-class Internet Webhosting

(w) http://www.digitalus.nl
(e) gerwin at digitalus.nl
(p) PGP-ID: 79B325D4
(t) +31 (0) 598 630000
(f) +31 (0) 598 631860
|
From: Tim K. <tim...@gm...> - 2006-01-08 15:07:23
|
Just comment out lines 51 (#if MODULE_MAGIC_NUMBER >= 20050127) and 58 (#endif). I'll add the fix into 1.9.2.

Thanks for letting me know.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934

Tim Koelman wrote:
> Problems compiling mod_security on debian 3.1 (SARGE) Linux debian
> 2.6.8-2-386
> Server version: Apache/2.0.54
> Server built: Sep 5 2005 11:15:09
>
> Compiled in modules:
> core.c
> mod_access.c
> mod_auth.c
> mod_log_config.c
> mod_logio.c
> mod_env.c
> mod_setenvif.c
> prefork.c
> http_core.c
> mod_mime.c
> mod_status.c
> mod_autoindex.c
> mod_negotiation.c
> mod_dir.c
> mod_alias.c
> mod_so.c
>
> I get this error:
>
> debian:~/modsecurity-apache-1.9.1/apache2# apxs2 -cai mod_security.c
> /usr/bin/libtool --silent --mode=compile gcc -prefer-pic -pipe
> -I/usr/include/xmltok -I/usr/include/openssl -Wall -O2
> -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT
> -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -pipe
> -I/usr/include/xmltok -I/usr/include/openssl -Wall -O2 -pthread
> -I/usr/include/apache2 -I/usr/include/apr-0 -I/usr/include/apr-0
> -I/usr/include -c -o mod_security.lo mod_security.c && touch
> mod_security.slo
> mod_security.c:353: error: syntax error before "regex_t"
> mod_security.c:353: warning: no semicolon at end of struct or union
> mod_security.c:374: error: syntax error before '}' token
> mod_security.c:374: warning: type defaults to `int' in declaration of
> `signature'
> mod_security.c:374: warning: data definition has no type or storage class
> mod_security.c:419: error: syntax error before "regex_t"
> mod_security.c:419: warning: no semicolon at end of struct or union
> mod_security.c:462: error: syntax error before '}' token
> mod_security.c:633: error: syntax error before "signature"
> mod_security.c:644: error: syntax error before "signature"
> mod_security.c:645: error: syntax error before "signature"
> mod_security.c:682: error: syntax error before "signature"
> mod_security.c:683: error: syntax error before "signature"
> mod_security.c:698: error: syntax error before "signature"
> mod_security.c:1059: error: syntax error before "signature"
> ................................................ (cut a lot of error
> lines)
> mod_security.c:7732: error: dereferencing pointer to incomplete type
> mod_security.c:7800: error: dereferencing pointer to incomplete type
> mod_security.c:7809: error: dereferencing pointer to incomplete type
> mod_security.c:7809: error: dereferencing pointer to incomplete type
> mod_security.c: In function `sec_insert_filter':
> mod_security.c:7940: error: dereferencing pointer to incomplete type
> apxs:Error: Command failed with rc=65536
>
> Not sure what to do, got this error also on a clean install in VMWARE
> session.
> Installed apache2-dev
|
From: Chris M. <cj...@op...> - 2006-01-07 15:10:11
|
Hello,

I have the following installed on the box as per another person's suggestion, and it still won't work:

gcc
libgcc
gcc-c++
glibc
glibc-devel
glibc-kernheaders
glibc-common
glibc-headers
glibc-utils
compat-gcc
gcc-objc
compat-gcc-c++
glibc-profile

Am I still missing something? Any help is greatly appreciated.

Thanks,
Chris Mazza
|
From: Ivan R. <iv...@we...> - 2006-01-07 13:16:47
|
Chris Mazza wrote:
> Hello,
>
> I am trying to install mod_security an I am getting the following error:
>
> [root@web apache1]# /hsphere/shared/apache/bin/apxs -cia mod_security.c
> gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm
> -DDEV_RANDOM=/dev/random -DMOD_SSL=208125 -DUSE_HSREGEX -DEAPI -DEAPI_MM
> -I/usr/kerberos/include -fpic -DSHARED_MODULE
> -I/hsphere/shared/apache/include -c mod_security.c
> gcc -shared -o mod_security.so mod_security.o
> [activating module `security' in /hsphere/local/config/httpd/httpd.conf]
> cp mod_security.so /hsphere/shared/apache/libexec/mod_security.so
> cp: cannot stat `mod_security.so': No such file or directory
> apxs:Break: Command failed with rc=1

I don't think it's a mod_security problem. You are probably unable to compile any third-party Apache module. Is there a compiler at all on that box? Does invoking apxs generate any files at all (in the same folder as the source code)?

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
From: Ivan R. <iv...@we...> - 2006-01-07 13:14:47
|
Tim Koelman wrote:
> Problems compiling mod_security on debian 3.1 (SARGE) Linux debian

Just comment out lines 51 (#if MODULE_MAGIC_NUMBER >= 20050127) and 58 (#endif). I'll add the fix into 1.9.2.

Thanks for letting me know.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
Tel: +44 20 8141 2161, Fax: +44 87 0762 3934
|
From: Tim K. <tim...@gm...> - 2006-01-07 00:18:32
|
Problems compiling mod_security on debian 3.1 (SARGE) Linux debian 2.6.8-2-386
Server version: Apache/2.0.54
Server built: Sep 5 2005 11:15:09

Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_log_config.c
mod_logio.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_negotiation.c
mod_dir.c
mod_alias.c
mod_so.c

I get this error:

debian:~/modsecurity-apache-1.9.1/apache2# apxs2 -cai mod_security.c
/usr/bin/libtool --silent --mode=compile gcc -prefer-pic -pipe -I/usr/include/xmltok -I/usr/include/openssl -Wall -O2 -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -pipe -I/usr/include/xmltok -I/usr/include/openssl -Wall -O2 -pthread -I/usr/include/apache2 -I/usr/include/apr-0 -I/usr/include/apr-0 -I/usr/include -c -o mod_security.lo mod_security.c && touch mod_security.slo
mod_security.c:353: error: syntax error before "regex_t"
mod_security.c:353: warning: no semicolon at end of struct or union
mod_security.c:374: error: syntax error before '}' token
mod_security.c:374: warning: type defaults to `int' in declaration of `signature'
mod_security.c:374: warning: data definition has no type or storage class
mod_security.c:419: error: syntax error before "regex_t"
mod_security.c:419: warning: no semicolon at end of struct or union
mod_security.c:462: error: syntax error before '}' token
mod_security.c:633: error: syntax error before "signature"
mod_security.c:644: error: syntax error before "signature"
mod_security.c:645: error: syntax error before "signature"
mod_security.c:682: error: syntax error before "signature"
mod_security.c:683: error: syntax error before "signature"
mod_security.c:698: error: syntax error before "signature"
mod_security.c:1059: error: syntax error before "signature"
................................................ (cut a lot of error lines)
mod_security.c:7732: error: dereferencing pointer to incomplete type
mod_security.c:7800: error: dereferencing pointer to incomplete type
mod_security.c:7809: error: dereferencing pointer to incomplete type
mod_security.c:7809: error: dereferencing pointer to incomplete type
mod_security.c: In function `sec_insert_filter':
mod_security.c:7940: error: dereferencing pointer to incomplete type
apxs:Error: Command failed with rc=65536

Not sure what to do, got this error also on a clean install in VMWARE session.
Installed apache2-dev
|
From: Chris M. <cj...@op...> - 2006-01-05 23:36:06
|
Hello,

I am trying to install mod_security and I am getting the following error:

[root@web apache1]# /hsphere/shared/apache/bin/apxs -cia mod_security.c
gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DDEV_RANDOM=/dev/random -DMOD_SSL=208125 -DUSE_HSREGEX -DEAPI -DEAPI_MM -I/usr/kerberos/include -fpic -DSHARED_MODULE -I/hsphere/shared/apache/include -c mod_security.c
gcc -shared -o mod_security.so mod_security.o
[activating module `security' in /hsphere/local/config/httpd/httpd.conf]
cp mod_security.so /hsphere/shared/apache/libexec/mod_security.so
cp: cannot stat `mod_security.so': No such file or directory
apxs:Break: Command failed with rc=1

My info is as follows:

Linux web.hspherenet.com 2.4.21-37.ELsmp #1 SMP Wed Sep 28 14:05:46 EDT 2005 i686 i686 i386 GNU/Linux

[root@web bin]# ./httpd -V
Server version: Apache/1.3.34 (Unix)
Server built: Nov 4 2005 19:46:33
Server's Module Magic Number: 19990320:18
Server compiled with....
 -D EAPI
 -D EAPI_MM
 -D EAPI_MM_CORE_PATH="/hsphere/local/var/httpd/logs/httpd.mm"
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_MMAP_FILES
 -D HAVE_FCNTL_SERIALIZED_ACCEPT
 -D HAVE_SYSVSEM_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D DYNAMIC_MODULE_LIMIT=64
 -D HARD_SERVER_LIMIT=1024
 -D HTTPD_ROOT="/hsphere/shared/apache"
 -D SUEXEC_BIN="/hsphere/shared/apache/bin/suexec"
 -D DEFAULT_PIDLOG="/hsphere/local/var/httpd/logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="/hsphere/local/var/httpd/logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="/hsphere/local/var/httpd/logs/httpd.lock"
 -D DEFAULT_ERRORLOG="/hsphere/local/var/httpd/logs/error_log"
 -D TYPES_CONFIG_FILE="/hsphere/local/config/httpd/mime.types"
 -D SERVER_CONFIG_FILE="/hsphere/local/config/httpd/httpd.conf"
 -D ACCESS_CONFIG_FILE="/hsphere/local/config/httpd/access.conf"
 -D RESOURCE_CONFIG_FILE="/hsphere/local/config/httpd/srm.conf"

[root@web bin]# ./httpd -l
Compiled-in modules:
  http_core.c
  mod_vhost_alias.c
  mod_env.c
  mod_define.c
  mod_log_config.c
  mod_mime_magic.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_info.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_speling.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_auth_anon.c
  mod_auth_dbm.c
  mod_digest.c
  mod_proxy.c
  mod_cern_meta.c
  mod_expires.c
  mod_headers.c
  mod_usertrack.c
  mod_log_forensic.c
  mod_unique_id.c
  mod_so.c
  mod_setenvif.c
  mod_ssl.c
  mod_frontpage.c
suexec: enabled; valid wrapper /hsphere/shared/apache/bin/suexec

Using current Stable release of mod_security.

This is for a web server and I can't figure out what is causing the install to fail. Any advice is greatly appreciated.

Thanks,
Chris
|
From: Jason E. <jed...@ca...> - 2006-01-04 14:01:06
|
On an interesting, but possibly relevant note:

I've noticed that the number of web spam attempts on my server has dropped by 90% since Jan 2. I'm not sure if this is relevant or not. Just thought I would share.

Jason

dubai wrote:
>to your information see:
>https://events.ccc.de/congress/2005/wiki/Gulliddos
>----------
>Hi there,
>
>We now get Step2 of the ddos! We get udp-floods to
>port 80. We have currently no own router in front of,
>so we can't block the requests. Services on all
>websites (antispam, computerbetrug and antispam) down
>for 1-2 hours. Update: Our ISP is blocking the
>udp-flood for us.
>
>[1] is the biggest german "underground portal". We and
>3 other german customer protection websites
>(dialerschutz.de, antispam.de and computerbetrug.de)
>get currently a big ddos by an unknown attacker. We
>have collected a lot of information, and want to make
>them public here.
>
>It seems that the attacker build a botnet with about
>5.000 zombies. We found a way to identify most of the
>affected hosts. Now we blacklist all those hosts by
>hi-pac (an iptables-replacement), so the site is still
>up.
>
>Here is a list with all clients we currently block:
>https://events.ccc.de/congress/2005/mediawiki/images/a/a1/Ipliste.txt
>
>(anyone knows how to upload some stuff with no
>"/images" in the url? :) )
>
>Our current setup includes the following:
>
>mod_security is activated in apache. Then we do the
>following match:
>
>SecFilterEngine On
>SecFilterSelective "FOOBAR" "uninteresting" "log,status:500,exec:/usr/local/bin/mod_security/wrapper"
>
>/usr/local/bin/mod_security/wrapper is an modified
>wrapper, which gets the ip of the attacker as an
>argument. Those ips are added to our blacklist with
>iptables.
>
>
>The most of those hosts should be owned by some
>rootkit or trojan horse. So feel free to investigate.
>Maybe something interesting is there ;-)
>
>
>If you have some questions or informations: contact
>deg...@ja... or icq 169800965 or mail:
>cd...@wa...
>
>
>Our new wrapper is available at
>http://download.wavecon.de - it's gpl, so use it! :)
|
From: dubai <sev...@ya...> - 2006-01-04 08:32:49
|
to your information see:
https://events.ccc.de/congress/2005/wiki/Gulliddos
----------
Hi there,

We now get Step2 of the ddos! We get udp-floods to port 80. We have currently no own router in front of, so we can't block the requests. Services on all websites (antispam, computerbetrug and antispam) down for 1-2 hours. Update: Our ISP is blocking the udp-flood for us.

[1] is the biggest german "underground portal". We and 3 other german customer protection websites (dialerschutz.de, antispam.de and computerbetrug.de) get currently a big ddos by an unknown attacker. We have collected a lot of information, and want to make them public here.

It seems that the attacker build a botnet with about 5.000 zombies. We found a way to identify most of the affected hosts. Now we blacklist all those hosts by hi-pac (an iptables-replacement), so the site is still up.

Here is a list with all clients we currently block:
https://events.ccc.de/congress/2005/mediawiki/images/a/a1/Ipliste.txt

(anyone knows how to upload some stuff with no "/images" in the url? :) )

Our current setup includes the following:

mod_security is activated in apache. Then we do the following match:

SecFilterEngine On
SecFilterSelective "FOOBAR" "uninteresting" "log,status:500,exec:/usr/local/bin/mod_security/wrapper"

/usr/local/bin/mod_security/wrapper is an modified wrapper, which gets the ip of the attacker as an argument. Those ips are added to our blacklist with iptables.

The most of those hosts should be owned by some rootkit or trojan horse. So feel free to investigate. Maybe something interesting is there ;-)

If you have some questions or informations: contact deg...@ja... or icq 169800965 or mail: cd...@wa...

Our new wrapper is available at http://download.wavecon.de - it's gpl, so use it! :)
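The post above describes an exec: wrapper that receives the client IP as an argument and adds it to an iptables blacklist. The script below is an added example of such a wrapper, not the wavecon wrapper and not code from the post: it validates the argument before it can reach iptables, skips protected and already-listed addresses, and only prints the rule in dry-run mode. BLOCKLIST, PROTECTED, DRY_RUN and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a validating blocklist wrapper for a ModSecurity "exec:" action.
# Assumption taken from the post: the client IP arrives as the first argument.
# BLOCKLIST, PROTECTED and DRY_RUN are names invented for this example.

BLOCKLIST="${BLOCKLIST:-/tmp/modsec_blocklist.txt}"  # one blocked IP per line
PROTECTED="${PROTECTED:-127.0.0.1 192.0.2.10}"       # never block (constructed values)
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print the rule, do not apply it

# Succeed only for a strict dotted-quad IPv4 address (octets 0-255, no leading zeros).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, foreign characters, empty octets
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                                   # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            0?*|????*) return 1 ;;              # leading zero or more than 3 digits
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeed if the address is on the never-block list (own hosts, monitoring, proxies).
is_protected() {
    for p in $PROTECTED; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Print exactly one verdict word: invalid, protected, duplicate or block.
decide() {
    if ! is_ipv4 "$1"; then echo invalid; return 0; fi
    if is_protected "$1"; then echo protected; return 0; fi
    if [ -f "$BLOCKLIST" ] && grep -qxF -- "$1" "$BLOCKLIST"; then
        echo duplicate; return 0
    fi
    echo block
}

# Print the firewall rule that corresponds to one validated address.
block_command() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Entry point: record and block a validated address, otherwise report why not.
handle() {
    verdict=$(decide "$1")
    if [ "$verdict" = block ]; then
        printf '%s\n' "$1" >> "$BLOCKLIST"
        if [ "$DRY_RUN" = 1 ]; then
            block_command "$1"
        else
            iptables -I INPUT -s "$1" -j DROP
        fi
    else
        # Report the verdict only; the rejected input is never echoed or executed.
        echo "skip ($verdict)"
    fi
}

if [ "$#" -gt 0 ]; then
    handle "$1"
fi
```

With DRY_RUN=0 the script calls iptables itself, so it needs the privileges to change firewall rules.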