mod-security-users Mailing List for ModSecurity (Page 561)
Brought to you by: victorhora, zimmerletw
From: Thai D. <th...@gm...> - 2005-05-13 21:53:18
|
Sorry, I forgot to mention that problems only occur when I use mod_security's internal chroot mechanism. Without chroot, everything's ok.

On 5/14/05, Thai Duong <th...@gm...> wrote:
>
> FYI, I encountered a lot of problems when using mod_security as a static
> module of both apache 1.3.x and httpd 2.x. Most of the problems are with
> the mod_ssl module (also compiled statically). mod_ssl complained that it
> could not open its SSLMutex, and when I set SSLMutex to none, it continued
> to complain that it could not write to the scache directory, which I have
> created both in the chroot jail and the original path. I also chowned these
> directories to apache but still no luck. It seems that mod_security is not
> made to be used as a static module/in a static server (I meant a server where all
> modules are compiled statically), right?
>
> -T
>
> On 5/13/05, Thai Duong <th...@gm...> wrote:
> >
> > Hi David,
> >
> > I have created that directory with a correct permission but it doesn't
> > work. Anyway, I found a solution, just set SSLMutex directive to none, it
> > works like a charm.
> >
> > -T
> >
> > On 5/12/05, David Fletcher <Da...@me...> wrote:
> > >
> > > Hi TIA,
> > >
> > > I could be on the wrong track, but I think I was getting this error
> > > until I created the directory
> > >
> > > /chroot/apache/usr/local/apache/logs/ssl_scache
> > >
> > > where the chroot is to /chroot/apache
> > >
> > > If I remember correctly, Apache wants to write there after the chroot
> > > has taken place, by which time it cannot open new files in the log
> > > directory in the main file system. Ensure Apache has write permissions
> > > even if the directory already exists.
> > >
> > > It's a while since I had the problem so I could have this wrong, but
> > > it might help.
> > >
> > > David
> > >
> > > >Subject: [mod-security-users] mod_ssl: Child could not open SSLMutex lockfile
> > > >
> > > >Hi guys,
> > > >
> > > >When I chroot my Apache 1.3.x with mod_security, it kept reporting that
> > > >error. I have searched through this list and found that this error had been
> > > >reported once but still there is no solution, right?
> > >
> > > --
> > > Email da...@me...
|
From: Thai D. <th...@gm...> - 2005-05-12 18:22:41
|
Hi David,

I have created that directory with a correct permission but it doesn't work. Anyway, I found a solution, just set SSLMutex directive to none, it works like a charm.

-T

On 5/12/05, David Fletcher <Da...@me...> wrote:
>
> Hi TIA,
>
> I could be on the wrong track, but I think I was getting this error until
> I created the directory
>
> /chroot/apache/usr/local/apache/logs/ssl_scache
>
> where the chroot is to /chroot/apache
>
> If I remember correctly, Apache wants to write there after the chroot has
> taken place, by which time it cannot open new files in the log directory in
> the main file system. Ensure Apache has write permissions even if the directory
> already exists.
>
> It's a while since I had the problem so I could have this wrong, but it
> might help.
>
> David
>
> >Subject: [mod-security-users] mod_ssl: Child could not open SSLMutex lockfile
> >
> >Hi guys,
> >
> >When I chroot my Apache 1.3.x with mod_security, it kept reporting that
> >error. I have searched through this list and found that this error had been
> >reported once but still there is no solution, right?
>
> --
> Email da...@me...
|
From: David F. <Da...@me...> - 2005-05-12 09:24:20
|
Hi TIA,

I could be on the wrong track, but I think I was getting this error until I
created the directory

/chroot/apache/usr/local/apache/logs/ssl_scache

where the chroot is to /chroot/apache

If I remember correctly, Apache wants to write there after the chroot has taken
place, by which time it cannot open new files in the log directory in the main
file system. Ensure Apache has write permissions even if the directory
already exists.

It's a while since I had the problem so I could have this wrong, but it might
help.

David

>Subject: [mod-security-users] mod_ssl: Child could not open SSLMutex lockfile
>
>Hi guys,
>
>When I chroot my Apache 1.3.x with mod_security, it kept reporting that
>error. I have searched through this list and found that this error had been
>reported once but still there is no solution, right?

--
Email da...@me...
|
From: Thai D. <th...@gm...> - 2005-05-11 17:50:38
|
Hi guys,

When I chroot my Apache 1.3.x with mod_security, it kept reporting that error. I have searched through this list and found that this error had been reported once but still there is no solution, right?

It seems that this problem only occurs in Apache 1.3, I have successfully chrooted Apache 2.0 with mod_ssl without any problem before. Here is my modsec.conf which is included at the end of httpd.conf

-----------snip-------------
# Yes, we want to use mod_security
ClearModuleList
AddModule mod_security.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_setenvif.c
AddModule mod_ssl.c
AddModule mod_php4.c
SecFilterEngine On
SecServerSignature "Microsoft IIS/5.0"
SecChrootDir /chroot/jail
---snip------------

Any suggestion?

TIA,

-T
|
From: Evert <ev...@di...> - 2005-05-10 08:39:03
|
since there were no audit_log parsers around i wrote one myself. is somebody interested in the code? then i can put it online somewhere.

the output is like this: http://evert.dyndns.org/modsec/

kind regards,
Evert Daman
|
From: Christian M. <cma...@is...> - 2005-05-03 11:16:38
|
Ivan Ristic wrote:
> Christian Martorella wrote:
>
>> Hi, i was looking others Application firewalls and i saw that some of
>> them use tokens to sign forms or variables with a hash.
>
>
> Can you be more specific? What are they signing? The hidden fields,
> the names of the fields?
>
>
What you sign with a hash is the values of the hidden fields, or the
values of the URL parameters.
For example if you have

<input name="year" type="hidden" value="1984?MSEC=OurhashOurhashOurHash">

So if someone changes 1984 to 1982, when you recalculate the hash for
year it will be different and you deny the request.
I know this would bring more performance issues, but it will be good for
Parameter Tampering, Cookie Tampering, and all tampering that could be done.
>> There are plans to implement this on Mod_Security? or there is
>> someone already working on it?
>
>
> No. I am not convinced such feature would have significant value in
> real life. I can see how it can help in a specific case (e.g. when
> someone has an app with a hidden field that should never change). But
> I do not think it can work as a generic protection measure people can
> turn on and forget about it. In this day and age many applications are
> creating forms dynamically at runtime, and using JavaScript to change
> the values in the hidden fields.
>
Maybe you are right, but what about cookies? or session Ids? or url
parameters that if you change a value you will be taken to a private zone
for example..? My examples are for badly designed applications
that a company couldn't secure.
I just was seeing what other Application Firewalls were doing, and i
found this functionality.
Cheers!
--
_________________________________
Christian Martorella
e-Security Engineer
cma...@is...
Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
____________________________________
|
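The signing scheme Christian describes, sketched as an added example (it is not ModSecurity code and not from this thread): a filtering proxy appends a keyed hash to each hidden field value on the way out and rejects a submitted value that no longer matches. The `?MSEC=` marker follows his message; HMAC-SHA256, the session and field-name binding, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret known only to the filtering proxy.
KEY = secrets.token_bytes(32)
MARKER = "?MSEC="  # separator taken from the example in the message


def _mac(session_id: str, name: str, value: str, key: bytes) -> str:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide,
    # and bind the tag to the session and field name so a signed value
    # cannot be replayed into another field or another user's form.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (session_id.encode(), name.encode(), value.encode())
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_field(session_id: str, name: str, value: str, key: bytes = KEY) -> str:
    """Return the value as it would be written into the outgoing form."""
    return f"{value}{MARKER}{_mac(session_id, name, value, key)}"


def verify_field(session_id: str, name: str, submitted: str, key: bytes = KEY):
    """Return the original value, or None if the request should be denied."""
    value, sep, tag = submitted.rpartition(MARKER)
    if not sep:
        return None  # signature stripped entirely
    expected = _mac(session_id, name, value, key)
    # Constant-time comparison on bytes (tolerates non-ASCII junk in the tag).
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return value


if __name__ == "__main__":
    signed = sign_field("sess-1", "year", "1984")
    print("outgoing :", signed)
    print("unchanged:", verify_field("sess-1", "year", signed))
    tampered = signed.replace("1984", "1982", 1)
    print("tampered :", verify_field("sess-1", "year", tampered))
    # Ivan's objection in practice: a value that client-side JavaScript
    # legitimately rewrites fails verification exactly like tampering does.
```

Any field the application expects the browser to modify has to be excluded from signing, which is the limitation Ivan raises in his reply.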
|
From: toby <to...@ke...> - 2005-05-02 21:36:22
|
Ivan
Thanks, that's cured it!
toby
-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic
Sent: 02 May 2005 19:38
To: mod...@li...
Subject: Re: [mod-security-users] Squirrelmail problem.
to...@ke... wrote:
> Hi
Hi Toby,
> I have recently installed mod_security on my Apache 2.0 server and it
> works very well. However, I am having a major problem getting
> Squirrelmail to work. I can log in, read emails but any attempt to send
> results in mod_security blocking the request with the default 500 message.
>
> I have scoured the Internet and found no-one with the same problem and
> no solution.
>
> ...
>
> As you can see I am relatively new to this and am looking for someone
> who can simply point me in the right direction. I have been through the
> FAQ, the manual and any other resource I could find.
From the log samples you provide, it seems like your mod_security
configuration contains a few rules from the regression tests. So the
solution is simple - just remove them :)
> I inserted the rule SecFilter "/squirrelmail/" allow
What you really want is:
# disable mod_security for Squirrel mail
<Location /squirrelmail/>
SecFilterEngine Off
</Location>
Bye,
Ivan
|
|
From: Ivan R. <iv...@we...> - 2005-05-02 18:36:39
|
to...@ke... wrote:
> Hi
Hi Toby,
> I have recently installed mod_security on my Apache 2.0 server and it
> works very well. However, I am having a major problem getting
> Squirrelmail to work. I can log in, read emails but any attempt to send
> results in mod_security blocking the request with the default 500 message.
>
> I have scoured the Internet and found no-one with the same problem and
> no solution.
>
> ...
>
> As you can see I am relatively new to this and am looking for someone
> who can simply point me in the right direction. I have been through the
> FAQ, the manual and any other resource I could find.
From the log samples you provide, it seems like your mod_security
configuration contains a few rules from the regression tests. So the
solution is simple - just remove them :)
> I inserted the rule SecFilter "/squirrelmail/" allow
What you really want is:
# disable mod_security for Squirrel mail
<Location /squirrelmail/>
SecFilterEngine Off
</Location>
Bye,
Ivan
|
|
From: <to...@ke...> - 2005-05-02 18:21:28
|
Hi

I have recently installed mod_security on my Apache 2.0 server and it works very well. However, I am having a major problem getting Squirrelmail to work. I can log in, read emails but any attempt to send results in mod_security blocking the request with the default 500 message.

I have scoured the Internet and found no-one with the same problem and no solution.

My setup is Mandrake Linux 10.0 running Apache 2.0 and Squirrelmail 1.4.4

At first it blocked every squirrelmail request. I inserted the rule SecFilter "/squirrelmail/" allow which got around that but I am baffled by the POST-PAYLOAD filters I am picking up at the moment.

Here are a selection of the messages that mod_security returned, it sometimes returned a pattern match on '444' as well.

error_log.1:[Fri Apr 29 14:44:48 2005] [error] [client 192.168.1.4] mod_security: Access denied with code 500. Pattern match "111" at POST_PAYLOAD., referer: http://192.168.1.3/squirrelmail/src/compose.php?passed_id=30223&mailbox=INBOX&startMessage=1&passed_ent_id=0&smaction=forward

error_log.1:[Fri Apr 29 18:23:54 2005] [error] [client 192.168.1.4] mod_security: Access denied with code 500. Pattern match "\.\./" at POST_PAYLOAD., referer: http://192.168.1.3/squirrelmail/src/compose.php?passed_id=30229&mailbox=INBOX&startMessage=1&passed_ent_id=0&smaction=forward

As you can see I am relatively new to this and am looking for someone who can simply point me in the right direction. I have been through the FAQ, the manual and any other resource I could find.

Many thanks in anticipation.

toby

~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dr Toby Murcott
Ketoe Communications
PO Box 2168
Bristol
BS99 3LZ
e-mail: tob...@ke...
tel: +44 (0)117 971 2594
mob: +44 (0)7870 272 554
http://www.ketoe.co.uk/Tobymain.htm
The Whole Story: Alternative medicine on trial? www.wholestory.org
|
From: Ivan R. <iv...@we...> - 2005-04-30 15:20:28
|
Roman Medina-Heigl Hernandez wrote:
> Ivan Ristic wrote:
>
>> SecChrootDir /chroot/apache
>>
>> Everything else can remain outside jail but there are consequences
>> (e.g. you won't be able to restart Apache, just stop-start it).
>
> And what about Perl/Python/* libraries needed for CGIs? Let's suppose we
> have cgi-bin directory inside chroot jail (for instance,
> /chroot/apache/www/cgi-bin). That's ok, but what will be happen when the
> invoked cgi try to execute /usr/bin/perl or moreover when it needs
> /usr/lib/perl/* files (all of them are out of the jail)?

Nothing, it won't work. If you have a need for CGI scripts or any other type of external binary execution you will have to create a proper jail. You won't be needing mod_security.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
From: Mike P. <mi...@pl...> - 2005-04-30 15:00:52
|
I have been seeing several people asking about chroot and Apache and I wanted to pass along another source for creating jails with Apache and some other associated programs. I looked at the Apache Security PDF and the book and website can be used side by side. I find the website easier to use as it takes a step by step approach. I did not write this website but I have used it in real world work and it has been a great help.

http://penguin.triumf.ca/chroot.html

--
Mike Plemmons
mi...@pl...
|
From: Roman Medina-H. H. <ro...@rs...> - 2005-04-30 14:15:47
|
Ivan Ristic wrote:
> SecChrootDir /chroot/apache
>
> Everything else can remain outside jail but there are consequences
> (e.g. you won't be able to restart Apache, just stop-start it).

And what about Perl/Python/* libraries needed for CGIs? Let's suppose we have a cgi-bin directory inside the chroot jail (for instance, /chroot/apache/www/cgi-bin). That's ok, but what will happen when the invoked cgi tries to execute /usr/bin/perl or moreover when it needs /usr/lib/perl/* files (all of them are out of the jail)?

--
Saludos,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
|
From: Ivan R. <iv...@we...> - 2005-04-30 09:27:28
|
Lee Mehlhorn wrote:
>
> I'm running Apache 2.0.53 using mod_security 1.8.7. I've installed
> modsecurity successfully and it seems to be working using a very simple
> ruleset on my test box.
>
> Apache Installation: /usr/local/apache
> Document Root: /webs
> Apache Logs: /webs/logs
>
> Setting up SecChrootDir /chroot/apache
> Okay, this is probably the part I'm confused about, setting up the
> directories underneath the /chroot directory. Do I symbolic links to
> the apache install directory for each subfolder? what do I do about my
> document root and or logs directory? Should I use symbolic links for
> them as well?

You could put your document root into the jail:

cd /
mv /webs /chroot/apache/webs
ln -s /chroot/apache/webs

and try with:

SecChrootDir /chroot/apache

Everything else can remain outside jail but there are consequences (e.g. you won't be able to restart Apache, just stop-start it).

You will probably need to have /chroot/apache/usr/local/apache/logs too, as Apache 2 attempts to create some files after the chroot and that's the default directory for them.

There's extensive documentation available here:

http://www.apachesecurity.net/download/apachesecurity-ch02.pdf

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
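A preflight check for the jail layout discussed in this thread, as an added example (not from the posts and not part of mod_security): it maps each directory Apache writes to after the chroot onto its location under the jail and reports what is missing, unwritable, or reached through a symlink that will resolve differently once the root changes. The function names and result labels are assumptions; the check looks at mode bits only and ignores ACLs.

```python
import os
import stat


def jail_path(jail: str, path: str) -> str:
    """Host-side location of an absolute path as seen from inside the jail."""
    return os.path.join(jail, path.lstrip("/"))


def _absolute_symlink(jail: str, path: str):
    # An absolute symlink inside the jail is resolved against the jail root
    # after chroot, so a link back to the real /webs would dangle.
    cur = jail
    for part in path.strip("/").split("/"):
        cur = os.path.join(cur, part)
        if os.path.islink(cur) and os.path.isabs(os.readlink(cur)):
            return cur
    return None


def _can_write(st: os.stat_result, uid: int, gid: int) -> bool:
    # Pick the permission class that applies to the server user.
    if st.st_uid == uid:
        w, x = stat.S_IWUSR, stat.S_IXUSR
    elif st.st_gid == gid:
        w, x = stat.S_IWGRP, stat.S_IXGRP
    else:
        w, x = stat.S_IWOTH, stat.S_IXOTH
    return bool(st.st_mode & w) and bool(st.st_mode & x)


def preflight(jail: str, writable_dirs, uid: int, gid: int):
    """Return [(path, problem)] for directories the server must write to."""
    problems = []
    for d in writable_dirs:
        if _absolute_symlink(jail, d):
            problems.append((d, "absolute-symlink"))
            continue
        try:
            st = os.stat(jail_path(jail, d))
        except (FileNotFoundError, NotADirectoryError):
            problems.append((d, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            problems.append((d, "not-a-directory"))
        elif not _can_write(st, uid, gid):
            problems.append((d, "not-writable"))
    return problems


if __name__ == "__main__":
    # Paths taken from the thread; the uid/gid of the server user is assumed
    # to be the current user here purely so the script runs anywhere.
    dirs = ["/usr/local/apache/logs", "/usr/local/apache/logs/ssl_scache"]
    for path, problem in preflight("/chroot/apache", dirs, os.getuid(), os.getgid()):
        print(f"{path}: {problem}")
```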
From: Ivan R. <iv...@we...> - 2005-04-30 09:18:44
|
Christian Martorella wrote:
> Hi i was doing some test with mod_proxy and mod_security.
>
> I have a mod_security working as an appliance, so in the configuration i
> have 2 virtual_host,
> One have: Header set Server "x"
> and the other: Header set Server "y"
>
> But when i connect to the server y, and i telnet to port 80 and do a
> "HEAD / HTTP/1.0" i get the Server "x" header.

You are not connecting to server Y. You are connecting to the proxy server Z, and you are not telling it which virtual host you want to talk to. So the proxy is either using the default virtual host or responding as itself.

> Is there a way to get differents Server headers, for each virtual_host?

You already have that. What really troubles you is that someone can talk to the proxy directly and figure out it is a proxy.

In theory, if you can allocate one IP address per virtual host then it may be possible to change mod_security to use different signature for each IP address.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
From: Ivan R. <iv...@we...> - 2005-04-30 09:09:42
|
Christian Martorella wrote:
> Hi, i was looking others Application firewalls and i saw that some of
> them use tokens to sign forms or variables with a hash.

Can you be more specific? What are they signing? The hidden fields, the names of the fields?

> There are
> plans to implement this on Mod_Security? or there is someone already
> working on it?

No. I am not convinced such feature would have significant value in real life. I can see how it can help in a specific case (e.g. when someone has an app with a hidden field that should never change). But I do not think it can work as a generic protection measure people can turn on and forget about it. In this day and age many applications are creating forms dynamically at runtime, and using JavaScript to change the values in the hidden fields.

> P.S: I also noted that there is no TODO list, could be very interesting
> to see what things are needed, or what are the people expecting from the
> mod? :)

I used to have a public TODO list but it was frequently out of sync.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
From: Christian M. <cma...@is...> - 2005-04-29 18:56:16
|
Hi, i was looking others Application firewalls and i saw that some of them use tokens to sign forms or variables with a hash. There are plans to implement this on Mod_Security? or there is someone already working on it?

Thanks

P.S: I also noted that there is no TODO list, could be very interesting to see what things are needed, or what are the people expecting from the mod? :)

Christian

--
_________________________________
Christian Martorella
e-Security Engineer
cma...@is...
Internet Security Auditors, S.L.
c. Santander, 101. Edif. A. 2º 1ª.
08030 Barcelona
Tel: 93 305 13 18
Fax: 93 278 22 48
www.isecauditors.com
____________________________________
|
From: Lee M. <le...@ub...> - 2005-04-29 17:26:00
|
I've looked at the modsecurity reference manual and would like to try using the SecChrootDir directive to chroot my apache installation. I'm not too familiar with chrooting daemons etc but do understand its purpose for security. I'm just not sure about what I need for a directory structure in order to ensure modsecurity will chroot successfully. I'll try to outline my steps and some background.

I'm running Apache 2.0.53 using mod_security 1.8.7. I've installed modsecurity successfully and it seems to be working using a very simple ruleset on my test box.

Apache Installation: /usr/local/apache
Document Root: /webs
Apache Logs: /webs/logs

Setting up SecChrootDir /chroot/apache

Okay, this is probably the part I'm confused about, setting up the directories underneath the /chroot directory. Do I use symbolic links to the apache install directory for each subfolder? What do I do about my document root and/or logs directory? Should I use symbolic links for them as well?

I guess this is the part that I'm struggling with when setting up modsecurity to chroot apache. Any help would be appreciated.

Thank You.
|
From: Tom A. <tan...@oa...> - 2005-04-29 14:21:54
|
From: "Rudi Starcevic" <te...@wi...>
> I'm planning to parse the audit_log file into a relational database.
> Perhaps parse the rules in as well, though I'd like to start small and
> simple.

Then you might find these useful:

http://orderamidchaos.com/modsec/modsec_auditlog_parser
http://prwdot.org/code/modsecauditlogparse.txt

They're written in Perl, not PHP, though.

Tom
|
From: Rudi S. <te...@wi...> - 2005-04-29 13:47:53
|
Hi,

>> Are you going to use modsec's "exec" action to trigger the program, or are you going
>> to just passively read the log file?

I'm planning to parse the audit_log file into a relational database. Perhaps parse the rules in as well, though I'd like to start small and simple.

From the log-file/alert database there will be dynamic reports and be able to run queries on the database. Eg select all by alert, select by IP etc. It will handle log files from more than one Apache server.

Cheers,
RS.

Tom Anderson wrote:
> From: "Rudi Starcevic" <te...@wi...>
>
>> I'm about to start a small PHP web app. to analyze mod security alerts.
>
> Tom
|
From: Tom A. <tan...@oa...> - 2005-04-29 13:14:20
|
From: "Rudi Starcevic" <te...@wi...>
> I'm about to start a small PHP web app. to analyze mod security alerts.

Are you going to use modsec's "exec" action to trigger the program, or are you going to just passively read the log file?

Tom
|
From: Christian M. <cma...@is...> - 2005-04-29 11:47:23
|
Hi i was doing some test with mod_proxy and mod_security.

I have a mod_security working as an appliance, so in the configuration i have 2 virtual_host,
One have: Header set Server "x"
and the other: Header set Server "y"

But when i connect to the server y, and i telnet to port 80 and do a "HEAD / HTTP/1.0" i get the Server "x" header.

Is there a way to get different Server headers, for each virtual_host?

Thanks

Christian Martorella
|
From: Rudi S. <te...@wi...> - 2005-04-29 00:59:11
|
Hi,

I'm about to start a small PHP web app. to analyze mod security alerts. Something similar to BASE/ACID for Snort but for one or more Apache mod security installations.

I've had a quick look around and can't find much work already done in this area. If there is already something like this around can you let me know please.

I'll be starting to cut code this weekend.

Thanks,
Rudi.
|
From: Ivan R. <iv...@we...> - 2005-04-28 22:22:11
|
Tom Anderson wrote:
> From: "raja agireddy" <tag...@gm...>
>
>> [Wed Apr 27 17:20:59 2005] [error] [client xxx.xxx] mod_security: Access denied with code 500. Pattern match "!(^$|^[a-zA-Z0-9]+$)" at COOKIES_VALUES [hostname "xxx.xxx.xxx"] [uri "/cgi-bin/test-cgi"]
>
> That's not even a very good regex since the blank case
> (^$) can simply be specified by changing the + to a *. Here's a better
> filter for alphanumeric and space characters only...
>
> SecFilterSelective COOKIES_VALUES "!^(\w|\s)*$"

It may be better when you are working with Apache 2.x, but it doesn't work at all when you are using Apache 1.x :)

As far as I am aware Apache 1.x supports POSIX regular expressions, and Apache 2.x supports Perl-compatible regular expressions.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
|
From: Tom A. <tan...@oa...> - 2005-04-28 17:02:41
|
From: "raja agireddy" <tag...@gm...>
> [Wed Apr 27 17:20:59 2005] [error] [client xxx.xxx] mod_security: Access denied with code 500. Pattern match "!(^$|^[a-zA-Z0-9]+$)" at COOKIES_VALUES [hostname "xxx.xxx.xxx"] [uri "/cgi-bin/test-cgi"]

This is going to be triggered any time you set a cookie that contains any punctuation or other non-alphanumeric symbols (including spaces). Comment out that line if you don't want to force your cookies into such narrow constraints, or modify the regex to include the characters you intend to use. That's not even a very good regex since the blank case (^$) can simply be specified by changing the + to a *. Here's a better filter for alphanumeric and space characters only...

SecFilterSelective COOKIES_VALUES "!^(\w|\s)*$"

Here's what you would use if you wanted to filter out the # sign in cookies:

SecFilterSelective COOKIES_VALUES "#"

Better would be to use such a filter on a _specific_ cookie:

SecFilterSelective COOKIE_password "!([0-9]|\W)" "deny,nolog,status:406"

This rule would block anyone using a weak password which got past your client-side checks. Maybe not the best place to do something like this, but hey, it's just an example.

Google for "perlre" to get the perl documentation on regular expressions.

Tom
|
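An added example (not from the thread, and not ModSecurity code) that replays the COOKIES_VALUES patterns quoted above against a constructed Cookie header, to show which cookie makes each rule fire when triaging a false positive like the one in the log. It uses Python's `re`, which is Perl-style like the Apache 2.x engine Ivan describes in his reply; the helper names and sample cookies are assumptions.

```python
import re

# Patterns exactly as they appear in the posts; a leading "!" inverts the match.
REGRESSION_RULE = r"!(^$|^[a-zA-Z0-9]+$)"   # from the regression-test config
TOM_RULE = r"!^(\w|\s)*$"                   # Tom's suggested replacement
HASH_RULE = "#"                             # plain (non-inverted) pattern

# Constructed sample request header, not taken from any real capture.
SAMPLE = "sid=abc123; lang=en-US; user=john_doe; note=two words; color=#fff; empty="


def cookie_values(header: str) -> dict:
    """Split a Cookie request header into {name: value}, keeping order."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def rule_hits(rule: str, header: str) -> list:
    """Names of the cookies whose value would make the rule fire."""
    negate = rule.startswith("!")
    rx = re.compile(rule[1:] if negate else rule)
    return [
        name
        for name, value in cookie_values(header).items()
        # Inverted rule: fire when the pattern does NOT match the value.
        if bool(rx.search(value)) != negate
    ]


if __name__ == "__main__":
    for label, rule in [
        ("regression", REGRESSION_RULE),
        ("tom", TOM_RULE),
        ("hash", HASH_RULE),
    ]:
        print(f"{label:10s} {rule!r:28s} fires on {rule_hits(rule, SAMPLE)}")
    # Note: \w also accepts "_" and digits, so "john_doe" passes Tom's rule
    # even though it is not strictly alphanumeric-or-space.
```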
From: Ivan R. <iv...@we...> - 2005-04-28 15:31:10
|
raja agireddy wrote:
> Hello!
>
> I have configured modsecurity 1.8.7 and apache2 with the default
> configuration and I receive the following error. I had copied
> httpd.conf.regression-v2 to the httpd.conf.
>
> [Wed Apr 27 17:20:59 2005] [error] [client xxx.xxx] mod_security: Access denied with code 500. Pattern match "!(^$|^[a-zA-Z0-9]+$)" at COOKIES_VALUES [hostname "xxx.xxx.xxx"] [uri "/cgi-bin/test-cgi"]
>
> I get this error only through the IE browser but not through the
> firefox browser.
>
> Please let me know if I can do something to work with IE.

That is *not* the default configuration - remove it from httpd.conf

httpd.conf.example-minimal is the default configuration:

http://cvs.sourceforge.net/viewcvs.py/mod-security/mod_security/httpd.conf.example-minimal?rev=1.9&view=auto

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org