mod-security-users Mailing List for ModSecurity (Page 552)
From: Jeffrey K. <jef...@gm...> - 2005-10-25 13:02:41

Ryan: Just to follow up on your comment about firewall rules: In the case of a high volume/high traffic site, would rules for specific IP addresses -- say, a couple of particularly bad spammers -- be better handled at the iptables level so that the hits don't even get far enough to cause load on Apache (and mod_security)?

-Jeff

Jeffrey Knight
Oceansuit Information Systems, LLC
www.oceansuit.com

On 10/25/05, Ryan Barnett <rcb...@gm...> wrote:
> Naveen,
> Think of the mod_security directives (SecFilter|SecFilterSelective) as you
> would firewall rules in that the order in which they are specified in the
> httpd.conf file does matter. Again, like firewall rules, once a filter
> matches the incoming HTTP request it will trigger the actions specified.
> With this being said, if you want to "whitelist" an IP address to allow this
> client access, then add in a rule like this near the top of your
> Mod_Security directives -
>
> SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass
>
> Add this just below the mod_security general directives (such as
> SecFilterEngine, etc....).
>
> That should do it.
>
> --
> Ryan C. Barnett
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor: Securing Apache
> GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
>
>
> On 10/25/05, Naveen Amradi <na...@gm...> wrote:
> > Hi All,
> >
> > Newbie of ModSecurity. I was wondering, is there a way to
> > open up rules for certain IP addresses?
> >
> > Thanks a gazillion!
> > Naveen
> >
> >

From: Ryan B. <rcb...@gm...> - 2005-10-25 11:38:16

Naveen,

Think of the mod_security directives (SecFilter|SecFilterSelective) as you would firewall rules in that the order in which they are specified in the httpd.conf file does matter. Again, like firewall rules, once a filter matches the incoming HTTP request it will trigger the actions specified. With this being said, if you want to "whitelist" an IP address to allow this client access, then add in a rule like this near the top of your Mod_Security directives -

SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass

Add this just below the mod_security general directives (such as SecFilterEngine, etc....).

That should do it.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache

On 10/25/05, Naveen Amradi <na...@gm...> wrote:
>
> HI All,
>
> Newbie of ModSecurity. I was wondering is there a way to
> open up rules for certain ip addresses.
>
> Thanks a gazillion!
> Naveen

From: Ivan R. <iv...@we...> - 2005-10-25 08:34:51

Tomas Hidalgo Salvador wrote:
> Hello,
>
> My systems: Red Hat ES 3.0 upgrade 5 + apache 2.0.54 + mod_security 1.8.7
>
> I'm testing a webmail Server with apache 2.0 and mod_security. This works
> fine but, sometimes, the following message appears.
>
> I have verified the rules but they do not make reference to error_code=104.

It's a system message and it stands for "Connection reset by peer", meaning the remote client disconnected. I've had a report or two about it, over the years. 1.9 should log a nice message. But since it's harmless and normal I will remove it from the future versions.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Tomas H. S. <thi...@te...> - 2005-10-25 06:18:41

Hello,

My systems: Red Hat ES 3.0 upgrade 5 + apache 2.0.54 + mod_security 1.8.7

I'm testing a webmail Server with apache 2.0 and mod_security. This works fine but, sometimes, the following message appears.

I have verified the rules but they do not make reference to error_code=104.

Thanks.

UNIQUE_ID: UYWZm8CoyZgAAFByE9wAAAAe
Request: 192.168.207.1 - - [24/Oct/2005:17:03:07 +0200] "POST /webmail/upload.php?sid={435CF72C78877-435CF72C7D69C-1130166060} HTTP/1.0" 403 220
Handler: php-script
----------------------------------------
POST /webmail/upload.php?sid={435CF72C78877-435CF72C7D69C-1130166060} HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Referer: https://correo.cajamar.es/webmail/upload.php?sid={435CF72C78877-435CF72C7D69C-1130166060}&tid=0&lid=0
Accept-Language: es
Content-Type: multipart/form-data; boundary=---------------------------7d51d82d30216
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: correo.pruebas.com
Content-Length: 732163
Cache-Control: no-cache
Cookie: {435CF72C78877-435CF72C7D69C-1130166060}=%7B435CF72C78877-435CF72C7D69C-1130166060%7D
mod_security-message: Error reading POST data, error_code=104
mod_security-action: 403

28
[POST payload not available]

HTTP/1.0 403 Forbidden
Content-Length: 220
Connection: close
Content-Type: text/html; charset=iso-8859-1


Tomás Hidalgo Salvador
thi...@te...
Unix Systems Dept.
Tel.: 2333
DSF Almariya

From: Naveen A. <na...@gm...> - 2005-10-25 04:33:54

Hi All,

Newbie of ModSecurity. I was wondering, is there a way to open up rules for certain IP addresses?

Thanks a gazillion!
Naveen

From: Ivan R. <iv...@we...> - 2005-10-20 12:40:14

Steffen wrote:
> Searched in the docu, but could not find an answer.
>
> Is it possible not to log in the Apache error.log the "Warning (chained
> rule)" entries?
>
> eg.:
>
> [Thu Oct 20 10:09:16 2005] [error] [client 63.196.49.252] mod_security:
> Warning (chained rule). Pattern match "!^(GET|HEAD)$" at REQUEST_METHOD
> [hostname "www.apachelounge.com"] [uri "/mail/web.cgi"]

You should be able to add "nolog" to the rule to suppress it.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Steffen <in...@ap...> - 2005-10-20 08:50:53

Searched in the docu, but could not find an answer.

Is it possible not to log in the Apache error.log the "Warning (chained rule)" entries?

eg.:

[Thu Oct 20 10:09:16 2005] [error] [client 63.196.49.252] mod_security: Warning (chained rule). Pattern match "!^(GET|HEAD)$" at REQUEST_METHOD [hostname "www.apachelounge.com"] [uri "/mail/web.cgi"]

Steffen

From: Tomas H. S. <thi...@te...> - 2005-10-20 07:22:25

Hello Ivan,

Log performance works fine!!

Ufff... I'm sorry. I had forgotten to add the line "include conf/mod_security.conf" in httpd.conf !!!!

Now, the log file is:

[20/Oct/2005:09:13:15 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 194 1113 - 2155 10985 - 27282
[20/Oct/2005:09:13:15 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 188 1128 - 2140 10965 - 27354
[20/Oct/2005:09:13:15 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 192 1132 - 2221 11023 - 26966
[20/Oct/2005:09:13:16 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 190 1109 - 2156 11026 - 27418
[20/Oct/2005:09:15:48 +0200] "GET /docs/images/ref.gif HTTP/1.1" 304 - 505 166 - 1067 9833 - 10882
[20/Oct/2005:09:15:50 +0200] "GET /docs/api_c/api_core.html HTTP/1.1" 304 - 586 167 - 738 9381 - 9899
[20/Oct/2005:09:15:53 +0200] "GET /docs/api_c/db_join.html HTTP/1.1" 200 - 499 6825 - 732 9357 - 10143
[20/Oct/2005:09:15:53 +0200] "GET /docs/images/api.gif HTTP/1.1" 304 - 500 165 - 675 9088 - 9544
[20/Oct/2005:09:15:56 +0200] "GET /docs/api_c/dbm.html HTTP/1.1" 200 - 493 9788 - 702 9216 - 9872
[20/Oct/2005:09:16:00 +0200] "GET /docs/api_c/txn_list.html HTTP/1.1" 200 - 498 3289 - 722 9321 - 9963

Many thanks for your help.


Tomás Hidalgo Salvador
thi...@te...
Unix Systems Dept.
Tel.: 2333
DSF Almariya

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Wednesday, 19 October 2005 15:11
To: Tomas Hidalgo Salvador
CC: mod...@li...
Subject: Re: [mod-security-users] apache 2.0, mod_security_v1.9RC and log performance

Can you verify that mod_security is active in that part of the site?

In your previous email I noticed you have SecFilterEngine set to DynamicOnly, and that the log entries were all static resources. If ModSecurity does not process a request it won't be able to generate the timing information. Try setting SecFilterEngine to "On".

Also, turn on the debug logging (at least level 4) and see if you have messages like "Time #1: 1591 usec" for every request.

If all this fails we'll just have to debug it. Send a private message to me if it doesn't work still.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Steffen <in...@ap...> - 2005-10-19 16:55:12

I compiled a Windows binary mod_security 1.9RC1 with VC++ 8 and Apache 2.0.55 sources. Working fine here under XP.

For download see http://www.apachelounge.com/forum/viewtopic.php?p=4

Steffen
http://www.apachelounge.com

From: Ivan R. <iv...@we...> - 2005-10-19 13:09:15

Tomas Hidalgo Salvador wrote:
> Hello,
>
> Many thanks for your help, Ivan
>
> I tried the new configuration contributed in your answer but it has not worked. :-(
>
> My system is:
> Red Hat Advanced Server 3.0 Upgrade 5
> Apache 2.0.54 (compiled)

Can you verify that mod_security is active in that part of the site?

In your previous email I noticed you have SecFilterEngine set to DynamicOnly, and that the log entries were all static resources. If ModSecurity does not process a request it won't be able to generate the timing information. Try setting SecFilterEngine to "On".

Also, turn on the debug logging (at least level 4) and see if you have messages like "Time #1: 1591 usec" for every request.

If all this fails we'll just have to debug it. Send a private message to me if it doesn't work still.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Tomas H. S. <thi...@te...> - 2005-10-19 07:48:09

Hello,

Many thanks for your help, Ivan

I tried the new configuration contributed in your answer but it has not worked. :-(

My system is:
Red Hat Advanced Server 3.0 Upgrade 5
Apache 2.0.54 (compiled)

This is the log:

[19/Oct/2005:09:33:52 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 194 1134 - - - - 17737
[19/Oct/2005:09:33:52 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 188 1128 - - - - 17585
[19/Oct/2005:09:33:52 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 192 1111 - - - - 18087
[19/Oct/2005:09:33:52 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 190 1130 - - - - 17420
[19/Oct/2005:09:33:53 +0200] "GET /cgi-bin/modsec-test.pl?wget%20wget HTTP/1.0" 200 - 149 1073 - - - - 18019
[19/Oct/2005:09:33:53 +0200] "POST /cgi-bin/modsec-test.pl HTTP/1.1" 200 - 450 1190 - - - - 19549
[19/Oct/2005:09:33:53 +0200] "POST /cgi-bin/modsec-test.pl HTTP/1.1" 200 - 449 1172 - - - - 18826

Tomás Hidalgo Salvador
thi...@te...
Unix Systems Dept.
Tel.: 2333
DSF Almariya

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Tuesday, 18 October 2005 12:23
To: Tomas Hidalgo Salvador
CC: mod...@li...
Subject: [SPAM] - Re: [mod-security-users] apache 2.0, mod_security_v1.9RC and log performance - Email found in subject

Tomas Hidalgo Salvador wrote:
>
> LogFormat "%t \"%r\" %>s - %I %O - %{mod_security-time1}n
> %{mod_security-time2}n %{mod_security-time3}n %D" tiempo
> CustomLog /logs/timer_log tiempo
>
> ...
>
> In the log file the data for mod_security-time1,
> mod_security-time2 and mod_security-time3 do not appear.
>
> Why does it not work? Is some configuration missing?

It appears that I made a change in RC1 that broke that functionality.
I'll see how I can fix it before the final 1.9. In the meantime you
can use this workaround (just tested it, works for me):

LogFormat "%t \"%r\" %>s - %I %O - %<{mod_security-time1}n \
%<{mod_security-time2}n %<{mod_security-time3}n %D" tiempo

Note the "<" character before the names of notes.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Ivan R. <iv...@we...> - 2005-10-18 10:31:28

Jinn Koriech wrote:
> I read somewhere from google that strace doesn't work because of the
> mod-security chroot setup.

Hmm, that sounds familiar, like something I may have said. I had a moment to try something quickly: Take modsec 1.9RC1, change this line (it's at the end):

ap_hook_post_config(sec_init, NULL, NULL, APR_HOOK_REALLY_LAST);

to

ap_hook_post_config(sec_init, NULL, NULL, APR_HOOK_REALLY_FIRST);

and try again. Apache does not segfault after this change is made and strace is used. Unfortunately, I didn't have enough time to test what the other consequences of this action are (but I've pencilled it down for later).

> Would it be any use to provide the end of
> the strace output for others to review and see why it may not be
> working? It's only when I add the SecChrootDir that strace apache bombs
> out when it's strace'd.

Sure, go ahead. I won't have much time to do any tests in the next two weeks but I can respond to emails (and strace dumps).

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Ivan R. <iv...@we...> - 2005-10-18 10:21:27

Tomas Hidalgo Salvador wrote:
>
> LogFormat "%t \"%r\" %>s - %I %O - %{mod_security-time1}n
> %{mod_security-time2}n %{mod_security-time3}n %D" tiempo
> CustomLog /logs/timer_log tiempo
>
> ...
>
> In the file of log they do not appear the data of mod_security-time1,
> mod_security-time2 and mod_security-time3.
>
> Why it does not work? It lacks some configuration?

It appears that I made a change in RC1 that broke that functionality.
I'll see how I can fix it before the final 1.9. In the meantime you
can use this workaround (just tested it, works for me):

LogFormat "%t \"%r\" %>s - %I %O - %<{mod_security-time1}n \
%<{mod_security-time2}n %<{mod_security-time3}n %D" tiempo

Note the "<" character before the names of notes.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Tomas H. S. <thi...@te...> - 2005-10-18 10:06:16

Hello,

I am testing Apache 2.0.54 with mod_security v1.9RC1.

According to the book "Apache Security", with Apache 2.0 the performance of requests can be measured using LogIO and %{mod_security-time1}n.

This is my Apache configuration:

LogFormat "%t \"%r\" %>s - %I %O - %{mod_security-time1}n %{mod_security-time2}n %{mod_security-time3}n %D" tiempo
CustomLog /logs/timer_log tiempo

This is the generated log (timer_log):

[14/Oct/2005:14:07:42 +0200] "GET /cfg2html/linuxlandia.html HTTP/1.1" 304 - 550 168 - - - - 1604
[14/Oct/2005:14:07:42 +0200] "GET /cfg2html/cfg2html_back.jpg HTTP/1.1" 404 - 423 425 - - - - 874
[14/Oct/2005:14:07:42 +0200] "GET /cfg2html/profbull.gif HTTP/1.1" 404 - 418 420 - - - - 526
[14/Oct/2005:14:07:46 +0200] "GET /cfg2html/linuxlandia.html HTTP/1.1" 304 - 550 167 - - - - 631
[14/Oct/2005:14:07:46 +0200] "GET /cfg2html/cfg2html_back.jpg HTTP/1.1" 404 - 423 425 - - - - 545
[14/Oct/2005:14:07:46 +0200] "GET /cfg2html/profbull.gif HTTP/1.1" 404 - 418 420 - - - - 510
[14/Oct/2005:14:11:31 +0200] "GET /cfg2html/cfg2html_back.jpg HTTP/1.1" 404 - 423 426 - - - - 1460
[14/Oct/2005:14:11:31 +0200] "GET /cfg2html/profbull.gif HTTP/1.1" 404 - 418 421 - - - - 3872

In the log file the data for mod_security-time1, mod_security-time2 and mod_security-time3 do not appear.
Why does it not work? Is some configuration missing?

Thanks!!

This is my file mod_security.conf
<paste>
#
SecFilterEngine DynamicOnly

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults

SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat Off
SecFilterCheckUnicodeEncoding Off

# Accepted ASCII character range

SecFilterForceByteRange 1 255

# Server masking is optional
SecServerResponseToken Off
# SecServerSignature "Microsoft-IIS/5.0"

SecUploadDir /tmp
SecUploadKeepFiles Off

# Only audit the most relevant requests

SecAuditEngine RelevantOnly
SecAuditLog logs/modsecurity.log

# Debug output to a log

SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Only accept request encodings we know how to handle; we exclude GET requests
# from this because some (automated) clients supply "text/html" as Content-Type
#
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with every POST request
#
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
#
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Prevent attacks via the QueryString that try to call PERL
#
SecFilterSelective QUERY_STRING perl

# Prevent LWP::Simple user agents from requesting files
#
SecFilterSelective HTTP_USER_AGENT lwp
</paste>



Tomás Hidalgo Salvador
thi...@te...
Unix Systems Dept.
Tel.: 2333
DSF Almariya

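The timer_log lines in this thread all use the one "tiempo" LogFormat, and the symptom Tomás reports (every %{mod_security-time*}n note logged as "-") is easier to spot mechanically than by eye. The parser below is an added example written for this page, not ModSecurity's or Apache's code: the sample lines are copied from the posts, the three notes are treated as opaque microsecond counters (the unit ModSecurity's debug log uses, "Time #1: 1591 usec"), and %D is Apache's total request time in microseconds.

```python
import re
from typing import Optional

# One line of the "tiempo" LogFormat from the thread:
#   %t "%r" %>s - %I %O - %{mod_security-time1}n %{mod_security-time2}n
#   %{mod_security-time3}n %D
# Apache logs a note that was never set as "-", which is exactly the
# symptom in Tomas's first log.  %r is assumed to contain no double quote.
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) - '
    r'(?P<bytes_in>\d+) (?P<bytes_out>\d+) - '
    r'(?P<t1>-|\d+) (?P<t2>-|\d+) (?P<t3>-|\d+) (?P<total>\d+)$'
)

# Lines copied from the thread: two from the working setup (2005-10-20)
# and two from the setups where ModSecurity produced no timing notes.
SAMPLE_LINES = """\
[20/Oct/2005:09:13:15 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 194 1113 - 2155 10985 - 27282
[20/Oct/2005:09:13:15 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 188 1128 - 2140 10965 - 27354
[19/Oct/2005:09:33:52 +0200] "GET /cgi-bin/modsec-test.pl HTTP/1.0" 200 - 194 1134 - - - - 17737
[14/Oct/2005:14:07:42 +0200] "GET /cfg2html/linuxlandia.html HTTP/1.1" 304 - 550 168 - - - - 1604
"""


def _note(field: str) -> Optional[int]:
    """A mod_security-time note: microseconds, or None when logged as '-'."""
    return None if field == "-" else int(field)


def parse_timer_line(line: str) -> dict:
    """Split one tiempo-format line into typed fields; raise on anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a tiempo-format line: %r" % line)
    return {
        "time": m["time"],
        "request": m["request"],
        "status": int(m["status"]),
        "bytes_in": int(m["bytes_in"]),      # %I (mod_logio)
        "bytes_out": int(m["bytes_out"]),    # %O (mod_logio)
        "t1": _note(m["t1"]),
        "t2": _note(m["t2"]),
        "t3": _note(m["t3"]),
        "total": int(m["total"]),            # %D, microseconds
    }


def modsec_usec(entry: dict) -> Optional[int]:
    """Sum of the timer notes that are present; None if ModSecurity set none."""
    present = [entry[k] for k in ("t1", "t2", "t3") if entry[k] is not None]
    return sum(present) if present else None


def summarize(lines) -> dict:
    """Count lines with and without ModSecurity timing, and the mean share of
    %D spent in ModSecurity over the lines that have timing (0.0 to 1.0)."""
    with_timing = without_timing = 0
    shares = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_timer_line(line)
        usec = modsec_usec(entry)
        if usec is None:
            without_timing += 1      # engine did not process the request,
        else:                        # or the RC1 note bug Ivan mentions
            with_timing += 1
            shares.append(usec / entry["total"])
    return {
        "with_timing": with_timing,
        "without_timing": without_timing,
        "mean_share": sum(shares) / len(shares) if shares else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES.splitlines()))
```

A high `without_timing` count on dynamic requests is the cue to check, as Ivan suggests, whether SecFilterEngine is processing those requests at all before suspecting the logging itself.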
From: Jinn K. <mod...@ma...> - 2005-10-17 22:56:05

I read somewhere from google that strace doesn't work because of the mod-security chroot setup. Would it be any use to provide the end of the strace output for others to review and see why it may not be working? It's only when I add the SecChrootDir that strace apache bombs out when it's strace'd.

I understand if you don't want to go that far. Thanks for your help so far.

Jinn

Ivan Ristic wrote:
> Jinn Koriech wrote:
>
>> No luck, I even tried all the other libs on p46 (PDF p33). These
>> included:
>>
>> "/usr/lib/apache2/suexec2", "/lib/libnss_files.so*", "/bin/ls",
>> "/etc/nsswitch.conf", "/etc/passwd", "/etc/group", "/etc/shadow",
>> "/lib/libnss_dns*", "/etc/hosts", "/etc/resolv.conf", "/etc/localtime"
>>
>> plus:
>>
>> packages=["perl", "perl-base", "perl-modules", "rcs", "imagemagick",
>> "libnss-db"]
>>
>>
>> Same error appears:
>>
>> [Mon Oct 17 23:40:45 2005] [error] [client w.x.y.z] Premature end of
>> script headers: test
>>
>> *** suexec.log ***[2005-10-17 23:40:45]: crit: invalid uid: (33)
>>
>> Any other ideas?
>
>
> No. You should try to get strace to work, and then you would be
> able to see what is that suexec is attempting (and failing)
> to access.
>

From: Ivan R. <iv...@we...> - 2005-10-17 22:52:00

Jinn Koriech wrote:
> No luck, I even tried all the other libs on p46 (PDF p33). These included:
>
> "/usr/lib/apache2/suexec2", "/lib/libnss_files.so*", "/bin/ls",
> "/etc/nsswitch.conf", "/etc/passwd", "/etc/group", "/etc/shadow",
> "/lib/libnss_dns*", "/etc/hosts", "/etc/resolv.conf", "/etc/localtime"
>
> plus:
>
> packages=["perl", "perl-base", "perl-modules", "rcs", "imagemagick",
> "libnss-db"]
>
>
> Same error appears:
>
> [Mon Oct 17 23:40:45 2005] [error] [client w.x.y.z] Premature end of
> script headers: test
>
> *** suexec.log ***[2005-10-17 23:40:45]: crit: invalid uid: (33)
>
> Any other ideas?

No. You should try to get strace to work, and then you would be able to see what it is that suexec is attempting (and failing) to access.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Jinn K. <mod...@ma...> - 2005-10-17 22:47:28

No luck, I even tried all the other libs on p46 (PDF p33). These included:

"/usr/lib/apache2/suexec2", "/lib/libnss_files.so*", "/bin/ls", "/etc/nsswitch.conf", "/etc/passwd", "/etc/group", "/etc/shadow", "/lib/libnss_dns*", "/etc/hosts", "/etc/resolv.conf", "/etc/localtime"

plus:

packages=["perl", "perl-base", "perl-modules", "rcs", "imagemagick", "libnss-db"]

Same error appears:

[Mon Oct 17 23:40:45 2005] [error] [client w.x.y.z] Premature end of script headers: test

*** suexec.log ***[2005-10-17 23:40:45]: crit: invalid uid: (33)

Any other ideas?

Jinn

Ivan Ristic wrote:
> Jinn Koriech wrote:
>
>> Hi Ivan,
>>
>> Thanks for your response.
>>
>> I have tried copying the /etc/passwd, /etc/group and /etc/shadow files
>> into the jail with no luck - still the same error.
>
>
> Have a look at page 46 of Apache Security (ch2): you may need
> /etc/nsswitch.conf and /lib/libnss_files.so too.
>
>
>> Thanks for the link to the upcoming O'Reilly Apache security book.
>
>
> It's been published in March this year :)
>
>
>> I am considering this approach as a last resort, however I would
>> ideally like to achieve the chroot without having to put all of
>> Apache2 into the jail.
>
>
> Considering you want to start new processes - that may not be possible.
>

From: Ivan R. <iv...@we...> - 2005-10-17 21:53:45

Jinn Koriech wrote:
> Hi Ivan,
>
> Thanks for your response.
>
> I have tried copying the /etc/passwd, /etc/group and /etc/shadow files
> into the jail with no luck - still the same error.

Have a look at page 46 of Apache Security (ch2): you may need /etc/nsswitch.conf and /lib/libnss_files.so too.

> Thanks for the link to the upcoming O'Reilly Apache security book.

It's been published in March this year :)

> I am
> considering this approach as a last resort, however I would ideally like
> to achieve the chroot without having to put all of Apache2 into the jail.

Considering you want to start new processes - that may not be possible.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Jinn K. <mod...@ma...> - 2005-10-17 21:45:18

Hi Ivan,

Thanks for your response.

I have tried copying the /etc/passwd, /etc/group and /etc/shadow files into the jail with no luck - still the same error.

Thanks for the link to the upcoming O'Reilly Apache security book. I am considering this approach as a last resort, however I would ideally like to achieve the chroot without having to put all of Apache2 into the jail.

The only point I still don't understand is why the perl script doesn't receive the user_id when it's in the jail without suexec. This leads me to believe that it may have something to do with why suexec doesn't like the CGI executing either.

Any ideas?

Jinn

Ivan Ristic wrote:
> Jinn Koriech wrote:
>
>> Hi all,
>>
>> Trying to get Apache2 running with mod-security-1.8.7 and suexec in a
>> chroot jail on Debian Sarge. From the changelog it appears this
>> should be possible. Other than that I haven't managed to find any
>> notes on how to achieve this on google. Hopefully modsecurity is the
>> place to ask this question?
>
>
> Yes, it is.
>
> It is challenging to use the mod_security chroot facility to
> create a jail that will be used as a "birth place" for new
> processes. Depending on the CGI script you may find that you
> need to copy certain shared libraries into the jail. Once
> you start doing that the "mod_security chroot magic" starts
> to wear off.
>
>
>> I have tested this testenv script from TWiki in 3 scenarios. I am
>> trying to keep my general configs reasonably simple for now until I
>> get it working.
>>
>> 1. Apache2 with suexec. No chroot. Everything works fine.
>>
>> 2. Apache2 with SecChrootDir. No suexec. Works fine, but the script
>> doesn't appear to see the UID it is running as.
>>
>> 3. Apache2 with SecChrootDir plus suexec. The request generates a
>> 500 error and the only logs apparent are:
>
>
> I think you are experiencing these problems because the user and
> group files (/etc/passwd and /etc/group) are not available from
> within the jail. Try copying them into the jail. (After you copy
> them you can strip away most of the user information, leave only
> information suexec needs.)
>
> BTW, a detailed, step-by-step chrooting guide is available at
> the address below, should you need it:
>
> http://www.apachesecurity.net/download/apachesecurity-ch02.pdf
>

From: Ivan R. <iv...@we...> - 2005-10-17 19:43:49

Jinn Koriech wrote:
> Hi all,
>
> Trying to get Apache2 running with mod-security-1.8.7 and suexec in a
> chroot jail on Debian Sarge. From the changelog it appears this should
> be possible. Other than that I haven't managed to find any notes on how
> to achieve this on google. Hopefully modsecurity is the place to ask
> this question?

Yes, it is.

It is challenging to use the mod_security chroot facility to create a jail that will be used as a "birth place" for new processes. Depending on the CGI script you may find that you need to copy certain shared libraries into the jail. Once you start doing that the "mod_security chroot magic" starts to wear off.

> I have tested this testenv script from TWiki in 3 scenarios. I am
> trying to keep my general configs reasonably simple for now until I get
> it working.
>
> 1. Apache2 with suexec. No chroot. Everything works fine.
>
> 2. Apache2 with SecChrootDir. No suexec. Works fine, but the script
> doesn't appear to see the UID it is running as.
>
> 3. Apache2 with SecChrootDir plus suexec. The request generates a 500
> error and the only logs apparent are:

I think you are experiencing these problems because the user and group files (/etc/passwd and /etc/group) are not available from within the jail. Try copying them into the jail. (After you copy them you can strip away most of the user information, leave only information suexec needs.)

BTW, a detailed, step-by-step chrooting guide is available at the address below, should you need it:

http://www.apachesecurity.net/download/apachesecurity-ch02.pdf

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Jinn K. <mod...@ma...> - 2005-10-16 23:04:28

Hi all,

Trying to get Apache2 running with mod-security-1.8.7 and suexec in a chroot jail on Debian Sarge. From the changelog it appears this should be possible. Other than that I haven't managed to find any notes on how to achieve this on google. Hopefully modsecurity is the place to ask this question?

suexec doesn't have any config options other than setting the user/group - and the compile time options don't appear to be causing any problems.

I have tested this testenv script from TWiki in 3 scenarios. I am trying to keep my general configs reasonably simple for now until I get it working.

1. Apache2 with suexec. No chroot. Everything works fine.

2. Apache2 with SecChrootDir. No suexec. Works fine, but the script doesn't appear to see the UID it is running as.

3. Apache2 with SecChrootDir plus suexec. The request generates a 500 error and the only logs apparent are:

*** /etc/apache2/logs/suexec.log ***
[2005-10-16 19:47:05]: crit: invalid uid: (33)

*** vhost_log ***
[Sun Oct 16 19:47:05 2005] [error] [client w.x.y.z] Premature end of script headers: testenv

The UID 33 is www-data on Debian Sarge - this is the user Apache2 is running as. The script being requested has a UID & GID over 1000.

I am unable to run 'strace apache2 -X' - apache2 bombs out before it can receive any requests.

Thanks for reading.

Jinn

From: Ivan R. <iv...@we...> - 2005-10-07 08:34:40

WALRAVE Stephane wrote:
> Hi
> I use mod_security (1.8.7) with SecFilterScanPOST set to "on" to filter POST
> variables.
>
> ...
>
> Here is a basic configuration :
> ...
> SecFilterEngine On
> SecFilterDefaultAction "deny,log,status:403"
> SecFilterCheckURLEncoding On
> SecFilterForceByteRange 1 255
> SecAuditEngine RelevantOnly
> SecFilterDebugLog /var/log/apache2/modsec_debug_log
> SecFilterDebugLevel 2
> SecFilterScanPOST On
>
> <Location /app/login.cfm>
> #Check for POST method only
> SecFilterSelective REQUEST_METHOD !^POST$
> SecFilterSelective ARG_VAR1 !^value1$
> SecFilterSelective ARG_VAR2 !^value2$
> </Location>
> ...
>
> curl -d "VAR1=value1" http://site.com/app/login.cfm
> -> strange behavior : request accepted and the log is
>
> ...
>
> Does it mean that in the case of a missing variable the rule concerning this
> variable is just ignored ?

In 1.8.x - yes. But I did not like that either so in 1.9.x if a variable is missing the rule is applied to an empty string.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: WALRAVE S. <st...@ti...> - 2005-10-07 08:23:14
|
Hi

I use mod_security (1.8.7) with SecFilterScanPOST set to "on" to filter POST variables.

Here is a basic configuration :

...
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:403"
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 2
SecFilterScanPOST On

<Location /app/login.cfm>
#Check for POST method only
SecFilterSelective REQUEST_METHOD !^POST$
SecFilterSelective ARG_VAR1 !^value1$
SecFilterSelective ARG_VAR2 !^value2$
</Location>
...

I made some requests on the machine, using curl :

curl -d "VAR1=value1&VAR2=value2" http://site.com/app/login.cfm
-> correct behavior (request accepted)

curl -d "VAR1=value1&VAR2=foo" http://site.com/app/login.cfm
-> correct behavior (request denied)

curl -d "VAR1=value1" http://site.com/app/login.cfm
-> strange behavior : request accepted and the log is

[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_check_access, path=/app/login.cfm
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Parsing arguments...
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] read_post_payload: Added mod_security-note to 8420280
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^POST$" at REQUEST_METHOD
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] Checking signature "!^value1$" at ARG(VAR1)
[07/Oct/2005:09:59:27 +0200] [site.com/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_pre: output filtering is off here
[07/Oct/2005:09:59:27 +0200] [che.cordis.lu/sid#82e1bd8][rid#8420280][/app/login.cfm] sec_logger: start

Does it mean that in the case of a missing variable the rule concerning this variable is just ignored?

Thanks for your answer

Stephane Walrave
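A small model of the two behaviours discussed in this thread, written for the thread as an example and not ModSecurity's own code: it parses the `<Location>` rules and the curl bodies quoted above, then evaluates each request once with the 1.8.x semantics (a rule whose variable is absent is skipped) and once with the 1.9.x semantics from the reply (the rule runs against the empty string). It also shows that the change only matters for negated, allow-list style rules: a positive attack signature on a missing argument does not fire under either version, while a parameter that is present but empty (`VAR2=`) is denied under both. The rule parser and the `<script` signature are constructed for the example and cover only the unquoted single-variable form used in the post.

```python
import re
from urllib.parse import parse_qs

# The <Location /app/login.cfm> rules from the post, verbatim.
RULES_TEXT = [
    "SecFilterSelective REQUEST_METHOD !^POST$",
    "SecFilterSelective ARG_VAR1 !^value1$",
    "SecFilterSelective ARG_VAR2 !^value2$",
]


def parse_rule(line):
    """Turn 'SecFilterSelective VAR PATTERN' into (variable, regex, negated).
    Only the unquoted single-variable form used in the post is handled."""
    directive, variable, pattern = line.split(None, 2)
    if directive != "SecFilterSelective":
        raise ValueError(f"unsupported directive: {directive}")
    pattern = pattern.strip('"')
    negated = pattern.startswith("!")
    return variable, pattern.lstrip("!"), negated


def lookup(variable, method, args):
    """Value of a rule variable for this request, or None if the named argument is absent."""
    if variable == "REQUEST_METHOD":
        return method
    if variable.startswith("ARG_"):
        values = args.get(variable[len("ARG_"):])
        return values[0] if values else None
    raise ValueError(f"unsupported variable: {variable}")


def check(rules, method, body, missing_as_empty):
    """Return 'deny' if any rule fires, else 'allow'.

    missing_as_empty=False models 1.8.x: a rule whose variable is absent is
    skipped.  missing_as_empty=True models the 1.9.x behaviour from the reply:
    the rule is evaluated against the empty string instead.
    """
    args = parse_qs(body, keep_blank_values=True)
    for variable, pattern, negated in rules:
        value = lookup(variable, method, args)
        if value is None:
            if not missing_as_empty:
                continue
            value = ""
        matched = re.search(pattern, value) is not None
        # A plain rule fires on a match; a negated ("!") rule fires when it does not match.
        if matched != negated:
            return "deny"
    return "allow"


RULES = [parse_rule(line) for line in RULES_TEXT]

# Constructed positive signature, to show deny-on-match rules are unaffected.
SIGNATURE = [parse_rule("SecFilterSelective ARG_VAR2 <script")]


def compare(rules, method, body):
    """(1.8.x verdict, 1.9.x verdict) for one request."""
    return check(rules, method, body, False), check(rules, method, body, True)


if __name__ == "__main__":
    for body in ("VAR1=value1&VAR2=value2", "VAR1=value1&VAR2=foo",
                 "VAR1=value1", "VAR1=value1&VAR2="):
        old, new = compare(RULES, "POST", body)
        print(f"{body:26} 1.8.x={old:5} 1.9.x={new}")
```

The third body is the one from the post: an allow-list written as negated rules is bypassed under 1.8.x simply by omitting the parameter, which is why treating "absent" the same as "empty" (the 1.9.x behaviour) is the safer default for this rule style.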
|
From: Ivan R. <iv...@we...> - 2005-10-06 10:31:04
|
ModSecurity 1.9RC1 has been released. It is available for immediate
download from:
http://www.modsecurity.org/download/
This is the first release candidate in the 1.9.x branch. A stable
release is expected on Monday, October 31. Users are encouraged to
test this release thoroughly to catch any potentially remaining
problems.
Changes (since 1.9dev4)
-----------------------
A new SecFilterSignatureAction directive was added to allow for the
separation of policy and rule metadata. It allows rules that have
custom action lists to use the list defined with this directive as
a template. Improvements were made to the multipart parser, which
is now more robust and more strict in what it accepts. Several bugs
were fixed. Code clean-ups were made and a new regression testing
tool was added.
About ModSecurity
-----------------
ModSecurity is a web application firewall, designed to protect
vulnerable applications and reject manual and automated attacks.
It is an open source intrusion detection and prevention system. It
can work embedded in Apache, or as a standalone security device when
configured to work as part of an Apache-based reverse proxy.
Optionally, ModSecurity creates application audit logs, which contain
the full request body in addition to all other details. Requests are
filtered using regular expressions. Some of the things possible are:
* Apply filters against any part of the request (URI,
headers, either GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks
* Store the files uploaded through the web server, and have them
checked by external scripts
With a few general rules ModSecurity can protect from both known
and unknown vulnerabilities. A Java version is also available, which
works with any Servlet 2.3 compatible web server.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
|
From: Ivan R. <iv...@we...> - 2005-10-03 12:26:47
|
Rude Yak wrote:
> I've read the portion of the doc that covers XSS, i.e.
>
> <Location /cms/article-update.php>
> SecFilterInheritance Off
> # other filters here ...
> SecFilterSelective "ARGS|!ARG_body" "<.+>"
> </Location>
>
> What I would like to know is if anyone has gotten more sophisticated with XSS
> defense and tried to whitelist certain tags. I'm trying to set up a policy
> that will allow a few harmless tags (let's say, for argument's sake, that <B>
> and <PRE> are considered harmless) but not others. This has proven to be quite
> a challenge. So far, I've come up with:
>
> SecFilterSelective "ARGS|!ARG_blog-text" "<.+>" id:1501
> SecFilterSelective "ARG_blog-text" "<" chain,id:1502
> SecFilterSelective "ARG_blog-text" "!<([Bb]|[Pp][Rr][Ee])([ >])" id:1503
> SecFilterForceByteRange 9 126
>
> But this (needless to say) doesn't work because a QUERY_STRING that has
>
> blog-text=Abc+def+<B>
>
> will still find the "Abc+def" matching <([Bb]|[Pp][Rr][Ee])([ >]) and be
> blocked by the filter. Has anyone come up with a clever way to whitelist input
> this way? I'm going to keep trying but I'm feeling close-to-stumped right now
> :-)

Brave attempt but I don't think it is possible to reliably whitelist HTML tags
using regular expressions only. In this case I think custom programming is the
way to go. This is something I want to add to a future ModSecurity release:
create a hook to allow custom code to be plugged-in to verify the incoming data.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
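The "custom programming" the reply points to, as an added example that is not part of the thread, of ModSecurity, or of the poster's rules: instead of matching the raw parameter with regular expressions, the input is run through an HTML tokenizer and judged token by token, so `Abc def <B>` is accepted while a tag outside the allow-list, any attribute, a comment or an unbalanced tag is rejected. The allowed tag set (`b`, `pre`) comes from the post; the no-attributes and balanced-nesting policy, the `validate` function and the sample inputs are assumptions for the example. The accepted text is re-serialised from the token stream rather than returned as-is, so what reaches a browser is only what the validator emitted.

```python
from html import escape
from html.parser import HTMLParser


class TagAllowlist(HTMLParser):
    """Tokenizer-based allow-list: bare tags from `allowed` only, no attributes,
    no comments, declarations or processing instructions, balanced nesting.
    `out` is rebuilt from the tokens; `problems` collects every reason to reject."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = {t.lower() for t in allowed}
        self.stack = []      # currently open allowed tags
        self.out = []        # re-serialised output fragments
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            self.problems.append(f"tag <{tag}> not allowed")
        elif attrs:
            self.problems.append(f"attributes on <{tag}> not allowed: {[a for a, _ in attrs]}")
        else:
            self.stack.append(tag)
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if self.stack and self.stack[-1] == tag:
            self.stack.pop()
            self.out.append(f"</{tag}>")
        else:
            self.problems.append(f"unbalanced </{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape on output.
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.problems.append("comment not allowed")

    def handle_decl(self, decl):
        self.problems.append("declaration not allowed")

    def unknown_decl(self, data):
        self.problems.append("declaration not allowed")

    def handle_pi(self, data):
        self.problems.append("processing instruction not allowed")

    def finish(self):
        """Flush the parser and report unclosed tags; True if nothing was rejected."""
        self.close()
        for tag in self.stack:
            self.problems.append(f"unclosed <{tag}>")
        return not self.problems


def validate(text, allowed=("b", "pre")):
    """Return (accepted, re-serialised HTML) or (False, reasons joined by '; ')."""
    parser = TagAllowlist(allowed)
    parser.feed(text)
    if parser.finish():
        return True, "".join(parser.out)
    return False, "; ".join(parser.problems)


if __name__ == "__main__":
    # Constructed inputs; the first is the poster's own query string value.
    for sample in ("Abc def <B>", "Abc def <B>bold</B>", "<b onmouseover=alert(1)>x</b>",
                   "<script>alert(1)</script>", "a < b & c", "<b>unclosed"):
        print(f"{sample!r:40} -> {validate(sample)}")
```

Store or emit the second element of an accepted result, never the original bytes: the tokenizer here and a browser's tag-soup parser will not agree on every malformed input, and re-serialising from the tokens removes that gap. Note that `Abc def <B>` on its own is rejected for being unclosed, which is the policy choice made here rather than anything the original rules expressed.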