mod-security-users Mailing List for ModSecurity (Page 583)
Brought to you by:
victorhora,
zimmerletw
|
From: ms <ma...@ms...> - 2004-01-28 08:20:46
|
hi guys,

this is my first post here, so blame me for funny english and/or stupid questions...

First: great work! mod_security rocks! I installed a couple of proxies with it and I like it very much.

Here are my questions you can of course answer:

1. Is it (will it be) possible to have a couple of SecFilterForceByteRange statements? For p.e. German sites you have to allow almost the complete range (the lower one for web forms - tab, crlf, etc and the higher one for the special characters)? At the moment, I have to use a lot of SecFilterSelective statements instead.

2. Do I need certain apache modules for some functions to work? Even with SecFilterOutputMimeTypes "(null) text/html text/plain" all my OUTPUT filters do not work any more. When uncommenting this one, they work fine. I also have a problem with the SecServerSignature statement, both the proxy and the real servers have ServerTokens full but the server distribution is not masked. Here is my httpd -l:

Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_log_config.c
  mod_setenvif.c
  mod_proxy.c
  proxy_connect.c
  proxy_ftp.c
  proxy_http.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dir.c
  mod_alias.c
  mod_so.c

I am currently using apache 2.0.48 compiled on my OpenBSD 3.4 x86 machine, running in systrace jail.

Thanks and have fun!
mark

--
mark sprenk
nordring 65
63843 niedernberg
mailto:ma...@ms...
pgp:tron.msnx.de/mspgpkey
|
|
From: Ivan R. <iv...@we...> - 2004-01-27 23:30:08
|
Borut Rozman wrote:
>
> I recently because of day-to-day intrusions on my webserver installed
> mod-security to log this kinda stuff. I would at first stage just log
> all post-get data, but have problem, this is my config of it:
>
> AddHandler application/x-httpd-php .php
> SecAuditEngine On
> SecAuditLog /webs/logs/audit_log
> SecFilterScanPOST On
> SecFilterEngine On
> SecServerSignature "Microsoft-IIS/5.0"
> #SecFilter "<(.|\n)+>"
> #SecFilter "'"
> #SecFilter "\"
> #SecFilter ".pl"
>
> at this config, couple of websites stop to work though i have all
> filters disabled, how can I do just logging, nothing else!

You need to tell us more about your problem:

Which versions of Apache and mod_security are you using?

Is there anything interesting in the error_log, audit log, mod_security debug log?

When you say "not working" - what does that mean? Do you get a blank screen, internal server error, does Apache segfault?

Ideally you would give enough information for me to replicate the problem on my server, and then I could look into what is causing the problem.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: Borut R. <je...@zi...> - 2004-01-27 23:06:59
|
I recently because of day-to-day intrusions on my webserver installed
mod-security to log this kinda stuff. I would at first stage just log
all post-get data, but have problem, this is my config of it:
AddHandler application/x-httpd-php .php
SecAuditEngine On
SecAuditLog /webs/logs/audit_log
SecFilterScanPOST On
SecFilterEngine On
SecServerSignature "Microsoft-IIS/5.0"
#SecFilter "<(.|\n)+>"
#SecFilter "'"
#SecFilter "\"
#SecFilter ".pl"
at this config, couple of websites stop to work though i have all
filters disabled, how can I do just logging, nothing else!
regards
Borut
|
|
From: Bart <ba...@so...> - 2004-01-27 05:19:38
|
|
From: Ivan R. <iv...@we...> - 2004-01-26 21:58:52
|
> Is there somebody who has installed mod_security on a
> reverse proxy to protect the backend servers???

I have, and I have also heard from many users that they are running it with a reverse proxy.

> I'm looking for a configuration to protect my inner
> web sites running various webservers like IIS,
> Tomcat, websphere ....

You will find this article interesting:
http://www.securityfocus.com/infocus/1739

> Is there a way to set up a generic file, because it
> seems that mod_security patches against known bugs
> (coming from a snort list) but what about the bugs
> still need that are discovered all the time? Do you
> need to adapt your config as soon as it is known,
> which is not a good way of doing it....

You should use both approaches. In the article you can see some general rules that make web application hacking more difficult. It all boils down to knowing what runs on the servers you want to protect - you need to craft some rules for that. That will cover unknown threats.

As for specific vulnerabilities - I don't like the Snort rules too much. Most of them are not good anyway. But a rule database is on the way, and if that becomes popular you should be able to automatically "patch" the software via mod_security for known, specific vulnerabilities.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: Bart <ba...@so...> - 2004-01-26 20:51:39
|
1. I chrooted apache in standard way. There was no problem. Then I used mod_security to chroot "normal" apache. I set in httpd.conf
SecChrootDir /chroot/httpd
but Apache return error
no mysql.sock in /var/lib/mysql/mysql.sock
can't write to /tmp/ ...
The file mysql.sock exists and /tmp/ has 777 rights. Where is the problem?

2. Can I use mail() php function with mod_security chrooted apache? It was major problem that I decided not to use chrooted apache.

3. Additionally I would like to test mod_security at all without chroot. I added this config to my httpd.conf
http://cvs.sourceforge.net/viewcvs.py/*checkout*/mod-security/mod_security/httpd.conf.example-full?content-type=text%2Fplain&rev=1.7
After restarting apache I can't logon with my authentication php script. I use session(). How to resolve this.

Barti
|
|
From: Tom V. de V. <tom...@ya...> - 2004-01-26 20:44:47
|
Hi,

Is there somebody who has installed mod_security on a reverse proxy to protect the backend servers???

I'm looking for a configuration to protect my inner web sites running various webservers like IIS, Tomcat, websphere ....

Is there a way to set up a generic file, because it seems that mod_security patches against known bugs (coming from a snort list) but what about the bugs still need that are discovered all the time? Do you need to adapt your config as soon as it is known, which is not a good way of doing it....

Thanxs,
Tom Van de velde
|
|
From: Ivan R. <iv...@we...> - 2004-01-22 21:55:14
|
Didier WIROTH wrote:
> Hi,
> (using freebsd 5.2-release, with mod_security 1.7.4 and apache 2.0.48)
>
> I had problems with 1.7.4 and apache 1.3.29, so I wanted to test it with
> apache2.0.48.
>
> I followed the procedures of the manual but compiling fails when it comes to
> mod_security:

I am yet to see instructions on how to compile a module statically into Apache 2. What I described in the mod_security manual worked for me at the time. If it doesn't work for you I will remove it from the manual, and put it back in only if it works for all.

This is one of the areas where help from someone with Apache 2.x expertise and access to FreeBSD would be great.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: Didier W. <did...@mc...> - 2004-01-22 11:34:32
|
When running the configure + argument (see previous post) the modules.mk is almost empty it contains only this:
DISTCLEAN_TARGETS = modules.mk
static =
shared =

Now I'm adding the mod_security stuff and try to compile, it fails!

When simply running:
configure --prefix=/home... --with-module=mappers:security
The modules.mk is not empty and already contains some modules to compile. Adding mod_security stuff now and compiling, works.

So, there is a bug (apache or mod_security) if modules.mk contains only the mod_security stuff the build fails.

-----Original Message-----
From: Didier WIROTH [mailto:did...@mc...]
Sent: jeudi 22 janvier 2004 11:09
To: 'mod...@li...'
Subject: not able to compile mod_security as static

Hi,
(using freebsd 5.2-release, with mod_security 1.7.4 and apache 2.0.48)
I had problems with 1.7.4 and apache 1.3.29, so I wanted to test it with apache2.0.48.
I followed the procedures of the manual but compiling fails when it comes to mod_security:
e/libpcre.la
/usr/home/dda/download/httpd-2.0.48/srclib/apr-util/libaprutil-0.la -lexpat
/usr/home/dda/download/httpd-2.0.48/srclib/apr/libapr-0.la -lm -lcrypt
make: don't know how to make modules/mappers/mod_security.la. Stop
*** Error code 1
The module is in the directory:
Jan 22 10:39 modules/mappers/mod_security.c
And here is the content of modules/mappers/modules.mk
DISTCLEAN_TARGETS = modules.mk
static =
shared =
Here is the configure command line I used:
./configure --prefix=/home/test/apache2 --disable-include --disable-env
--disable-setenvif --disable-status --disable-autoindex --disable-asis
--disable-cgi --disable-negotiation --disable-dir --disable-imap
--disable-actions --disable-userdir --disable-alias --disable-so
--with-module=mappers:security
Thanks for the help
Didier
|
|
From: Didier W. <did...@mc...> - 2004-01-22 10:09:23
|
Hi,
(using freebsd 5.2-release, with mod_security 1.7.4 and apache 2.0.48)
I had problems with 1.7.4 and apache 1.3.29, so I wanted to test it with
apache2.0.48.
I followed the procedures of the manual but compiling fails when it comes to
mod_security:
e/libpcre.la
/usr/home/dda/download/httpd-2.0.48/srclib/apr-util/libaprutil-0.la -lexpat
/usr/home/dda/download/httpd-2.0.48/srclib/apr/libapr-0.la -lm -lcrypt
make: don't know how to make modules/mappers/mod_security.la. Stop
*** Error code 1
The module is in the directory:
Jan 22 10:39 modules/mappers/mod_security.c
And here is the content of modules/mappers/modules.mk
DISTCLEAN_TARGETS = modules.mk
static = mod_security.la
shared =
mod_security.la: mod_security.lo
$(MOD_LINK) mod_security.lo (with TAB character)
Here is the configure command line I used:
./configure --prefix=/home/test/apache2 --disable-include --disable-env
--disable-setenvif --disable-status --disable-autoindex --disable-asis
--disable-cgi --disable-negotiation --disable-dir --disable-imap
--disable-actions --disable-userdir --disable-alias --disable-so
--with-module=mappers:security
Thanks for the help
Didier
|
|
From: L. C. L. <CL...@Xy...> - 2004-01-20 18:31:04
|
Jim,

Would you be so kind as to send your Apache configuration specifics? If you look at the message thread regarding my Apache configuration, you should get an idea of the information for which I'm looking. I suspect that it may be a httpd.conf configuration issue as the following error would seem to indicate:

> directory: mod_security: Could not create modsec_debuglog_lock

Also, are you running Apache 1.x or 2.x?

- Christopher

> -----Original Message-----
> From: Jim Horwath [mailto:jim...@rc...]
> Sent: Tuesday, January 20, 2004 6:25 AM
> To: 'Ivan Ristic'
> Cc: mod...@li...
> Subject: RE: [mod-security-users] chroot and mod security
>
> Ivan/Others,
>
> Thanks for your input. I worked on chroot'ing my apache server last
> weekend. I must be either missing something simple or I am
> misunderstanding something. I am trying to start simple display a
> simple static html page. I have the SecChRoot near the bottom of the
> httpd.conf file, I tried moving it to other sections, but it doesn't
> seem to matter. I ran a strace on the httpd daemon and didn't see
> anything that jumped out at me. As soon as I remove the SecChroot
> entry the server starts fine. I created a directory
> /chroot/usr/local/apache2/htdocs with the correct permissions. To run
> out a missing file I even copied the entire /usr/local/apache2
> structure to the chroot'd directory. I looked at the code and saw the
> file is a mutex file (memory communication?). I am sorry for
> pestering, but I really want to get chroot'ing working with my web
> server.
>
> Here is the entry from the error log:
>
> Jan 20 05:43:51 kazoo httpd[29589]: [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
> Jan 20 05:43:51 kazoo httpd[29591]: [notice] Digest: generating secret for digest authentication ...
> Jan 20 05:43:51 kazoo httpd[29591]: [notice] Digest: done
> Jan 20 05:43:51 kazoo httpd[29591]: [error] mod_security: Performed chroot, path=/chroot
> Jan 20 05:43:51 kazoo httpd[29591]: [error] (2)No such file or directory: mod_security: Could not create modsec_debuglog_lock
>
> Thanks in advance,
>
> Jim
>
> -----Original Message-----
> From: mod...@li...
> [mailto:mod...@li...] On Behalf Of Ivan Ristic
> Sent: Wednesday, January 14, 2004 4:37 PM
> To: jim...@rc...
> Cc: mod...@li...
> Subject: Re: [mod-security-users] chroot and mod security
>
> > I need to run a chroot for the apache server. I have the
> > code installed with the default path /usr/local/apache2. I
> > am using the SecChrootDir directive but I can't seem to get
> > it right. I will see a directory doesn't exist or like
> > message in the logfile.
>
> What exactly does it say?
>
> > Shouldn't the chroot'd jail be /usr/local/apache2?
>
> No, not really. It depends on where you've put your
> document root. Assuming it's in /usr/local/apache2/htdocs,
> the easiest way to do a chroot is to create a folder
> /chroot/usr/local/apache2/htdocs, put the web site there
> (just the web site, leave everything else as is),
> and chroot with "SecChrootDir /chroot/".
>
> That way you won't have to change your httpd.conf much
> and you can easily switch between a chrooted and
> the non-chrooted installation.
>
> I guess that more documentation on chrooting is needed, I'll
> see that I update it soon.
|
|
From: Jim H. <jim...@rc...> - 2004-01-20 11:25:19
|
Ivan/Others,

Thanks for your input. I worked on chroot'ing my apache server last weekend. I must be either missing something simple or I am misunderstanding something. I am trying to start simple display a simple static html page. I have the SecChRoot near the bottom of the httpd.conf file, I tried moving it to other sections, but it doesn't seem to matter. I ran a strace on the httpd daemon and didn't see anything that jumped out at me. As soon as I remove the SecChroot entry the server starts fine. I created a directory /chroot/usr/local/apache2/htdocs with the correct permissions. To run out a missing file I even copied the entire /usr/local/apache2 structure to the chroot'd directory. I looked at the code and saw the file is a mutex file (memory communication?). I am sorry for pestering, but I really want to get chroot'ing working with my web server.

Here is the entry from the error log:

Jan 20 05:43:51 kazoo httpd[29589]: [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
Jan 20 05:43:51 kazoo httpd[29591]: [notice] Digest: generating secret for digest authentication ...
Jan 20 05:43:51 kazoo httpd[29591]: [notice] Digest: done
Jan 20 05:43:51 kazoo httpd[29591]: [error] mod_security: Performed chroot, path=/chroot
Jan 20 05:43:51 kazoo httpd[29591]: [error] (2)No such file or directory: mod_security: Could not create modsec_debuglog_lock

Thanks in advance,

Jim

-----Original Message-----
From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic
Sent: Wednesday, January 14, 2004 4:37 PM
To: jim...@rc...
Cc: mod...@li...
Subject: Re: [mod-security-users] chroot and mod security

> I need to run a chroot for the apache server. I have the
> code installed with the default path /usr/local/apache2. I
> am using the SecChrootDir directive but I can't seem to get
> it right. I will see a directory doesn't exist or like
> message in the logfile.

What exactly does it say?

> Shouldn't the chroot'd jail be /usr/local/apache2?

No, not really. It depends on where you've put your document root. Assuming it's in /usr/local/apache2/htdocs, the easiest way to do a chroot is to create a folder /chroot/usr/local/apache2/htdocs, put the web site there (just the web site, leave everything else as is), and chroot with "SecChrootDir /chroot/".

That way you won't have to change your httpd.conf much and you can easily switch between a chrooted and the non-chrooted installation.

I guess that more documentation on chrooting is needed, I'll see that I update it soon.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: L. C. L. <CL...@Xy...> - 2004-01-20 00:10:46
|
Done!

By using '127.0.0.1' in the Apache PHP scripts instead of 'localhost' and also tweaking the MySQL users database, it appears that my Apache web server has been successfully SecChrootDir'ed. I've still got some testing to do, but all of the main Apache/PHP/MySQL gotcha's were cleaned up by using the loopback adapter's IP address.

The one strange thing I noticed was that I needed to maintain an empty /var/www/html directory even though the "real" document root was located in /chroot/var/www/html. If I didn't keep this empty directory around, the httpd daemon complained and wouldn't start because it could not find the directory specified by the DocumentRoot directive in /etc/httpd/conf/httpd.conf.

Thank you, Ivan!

- Christopher

> -----Original Message-----
> From: L. Christopher Luther [mailto:CL...@Xy...]
> Sent: Monday, January 19, 2004 5:07 PM
> To: 'Ivan Ristic'
> Cc: mod...@li...
> Subject: RE: [mod-security-users] SecChrootDir - RH 8.0,
> Apache 2.0.40, and PHP 4.2.2
>
> > -----Original Message-----
> > From: Ivan Ristic [mailto:iv...@we...]
> > Sent: Monday, January 19, 2004 5:02 PM
> > To: L. Christopher Luther
> > Cc: mod...@li...
> > Subject: Re: [mod-security-users] SecChrootDir - RH 8.0,
> > Apache 2.0.40, and PHP 4.2.2
> >
> > >> Yes. You didn't say whether you have anything running out of the
> > >> cgi-bin? Whatever is in there (if anything) will probably need some
> > >> runtime libraries too.
> > >
> > > No, nothing in cgi-bin, but the MySQL access through PHP didn't work. The
> > > PHP/MySQL libraries attempted to locate the MySQL socket file in
> > > /var/lib/mysql/mysql.sock, which was outside the jail, and thus couldn't be
> > > seen. I tried a symlink of the MySQL socket file into the jailed
> > > /chroot/var/lib/mysql directory, but no joy.
> >
> > In your PHP program, change the way you reference MySQL from
> > 'localhost' to '127.0.0.1'. That will force the client libraries
> > not to use the domain socket but use the TCP/IP socket instead.
> > Consequently, the chroot will no longer be a problem.
>
> Already had thought of that, and gave it a shot, but a whole slew of new
> errors cropped up. I didn't, however, try '127.0.0.1' -- I tried the "real"
> IP -- and thus my new errors because of MySQL security.
>
> Still plugging away... :)
|
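A preflight check for the two path problems reported in this thread, as an added example that is not part of any post or of mod_security: the DocumentRoot has to exist on the host as well as in the jail, the MySQL socket has to be reachable inside the jail, and an absolute symlink placed in the jail is re-resolved against the jail after chroot(). The function names, the HOSTROOT argument and the sample tree are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a path will be visible
# to Apache before and after SecChrootDir takes effect.
# HOSTROOT is an assumption of this sketch: a prefix that lets the check run
# against a scratch tree instead of the live filesystem.

# visible_in_jail JAIL PATH [HOSTROOT] -> exit 0 if PATH resolves inside JAIL.
# An absolute symlink is re-resolved against the jail, because after chroot()
# "/" is the jail. Only the final path component is examined, one level deep.
visible_in_jail() {
    jail=${1%/}; path=$2; host=${3:-}
    p="${host}${jail}${path}"
    if [ -L "$p" ]; then
        target=$(readlink "$p")
        case "$target" in
            /*) p="${host}${jail}${target}"
                if [ -L "$p" ]; then return 1; fi ;;
        esac
    fi
    [ -e "$p" ]
}

# classify_path JAIL PATH [HOSTROOT] -> prints both|host-only|jail-only|missing
classify_path() {
    on_host=no; in_jail=no
    if [ -e "${3:-}$2" ]; then on_host=yes; fi
    if visible_in_jail "$1" "$2" "${3:-}"; then in_jail=yes; fi
    case "$on_host/$in_jail" in
        yes/yes) echo both ;;
        yes/no)  echo host-only ;;
        no/yes)  echo jail-only ;;
        *)       echo missing ;;
    esac
}

# check_requirement KIND JAIL PATH [HOSTROOT] -> prints "ok" or "FAIL (<state>)"
# KIND says when Apache touches the path:
#   startup  before the chroot (the logs, which per the thread can stay put)
#   runtime  after the chroot (the MySQL socket the PHP client opens)
#   both     checked at startup and served at run time (DocumentRoot)
check_requirement() {
    state=$(classify_path "$2" "$3" "${4:-}")
    case "$1:$state" in
        startup:both|startup:host-only|runtime:both|runtime:jail-only|both:both)
            echo ok ;;
        *)  echo "FAIL ($state)" ;;
    esac
}

# build_sample ROOT: constructed layout mirroring the thread's Red Hat paths,
# including the socket symlink that was tried and did not work.
build_sample() {
    mkdir -p "$1/var/www/html" "$1/chroot/var/www/html" \
             "$1/var/log/httpd" "$1/var/lib/mysql" "$1/chroot/var/lib/mysql"
    : > "$1/var/lib/mysql/mysql.sock"      # plain file standing in for the socket
    ln -s /var/lib/mysql/mysql.sock "$1/chroot/var/lib/mysql/mysql.sock"
}

demo() {
    root=$(mktemp -d)
    build_sample "$root"
    for spec in "both /var/www/html" "startup /var/log/httpd" \
                "runtime /var/lib/mysql/mysql.sock"; do
        set -- $spec
        printf '%-8s %-28s %s\n' "$1" "$2" \
            "$(check_requirement "$1" /chroot "$2" "$root")"
    done
    rm -rf "$root"
}
demo
```

Calling check_requirement without the fourth argument checks the live filesystem instead of a scratch tree.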
|
From: Ivan R. <iv...@we...> - 2004-01-19 23:48:29
|
Didier Wiroth wrote:
> Hi,
> (apache, *nix, newbie)
>
> As you are referring to mod_rewrite and mod_bandwidth on your homepage but I didn't exactly find these options in the doc. My purpose would be to only use mod_security and disable 3 other modules (setenvif, rewrite, bandwidth).
>
> I'm using mod_rewrite & mod_setenvif to do the following:
> (I know it isn't secure :-), it is only for testing)
>
> SetEnvIfNoCase Referer "^http://www.home.local" locally_linked=1
> <FilesMatch "\.(html|gif|zip)$">
> Order Allow,Deny
> Allow from env=locally_linked
> </FilesMatch>
>
> The server asks for the referrer and denies access to the server if the referrer isn't http://www.home.local.
>
> 1) Can I do this with mod_security, if so, how would the syntax look like when referring to the above sample?

SecFilterSelective HTTP_REFERER "!^http:/www\.home\.local"
                                        ^ this is not an error

The above will deny all requests whose referrer information does not match yours.

> 2) Concerning mod_bandwidth I have one additional question, is
> mod_security able to do bandwidth throttling, allow max 2 simultaneous
> connections (which is interesting while downloading larger files,
> zip files etc..) My purpose of this would be to set a download limit
> of XY kb per seconds per ip and that users won't be able to start a
> third download until there is one of the two download (slots) free.

No, mod_security does not do any of that.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: Ivan R. <iv...@we...> - 2004-01-19 22:16:41
|
>> In your PHP program, change the way you reference MySQL from
>> 'localhost' to '127.0.0.1'. That will force the client libraries
>> not to use the domain socket but use the TCP/IP socket instead.
>> Consequently, the chroot will no longer be a problem.
>>
> Already had thought of that, and gave it a shot, but a whole slew of new
> errors cropped up. I didn't, however, try '127.0.0.1' -- I tried the "real"
> IP -- and thus my new errors because of MySQL security.

The real IP would work too, but you would need to configure the MySQL to accept connections from that IP address/hostname.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: L. C. L. <CL...@Xy...> - 2004-01-19 22:07:38
|
> -----Original Message-----
> From: Ivan Ristic [mailto:iv...@we...]
> Sent: Monday, January 19, 2004 5:02 PM
> To: L. Christopher Luther
> Cc: mod...@li...
> Subject: Re: [mod-security-users] SecChrootDir - RH 8.0,
> Apache 2.0.40, and PHP 4.2.2
>
> >> Yes. You didn't say whether you have anything running out of the
> >> cgi-bin? Whatever is in there (if anything) will probably need some
> >> runtime libraries too.
> >
> > No, nothing in cgi-bin, but the MySQL access through PHP didn't work. The
> > PHP/MySQL libraries attempted to locate the MySQL socket file in
> > /var/lib/mysql/mysql.sock, which was outside the jail, and thus couldn't be
> > seen. I tried a symlink of the MySQL socket file into the jailed
> > /chroot/var/lib/mysql directory, but no joy.
>
> In your PHP program, change the way you reference MySQL from
> 'localhost' to '127.0.0.1'. That will force the client libraries
> not to use the domain socket but use the TCP/IP socket instead.
> Consequently, the chroot will no longer be a problem.
>

Already had thought of that, and gave it a shot, but a whole slew of new errors cropped up. I didn't, however, try '127.0.0.1' -- I tried the "real" IP -- and thus my new errors because of MySQL security.

Still plugging away... :)
|
|
From: Ivan R. <iv...@we...> - 2004-01-19 21:59:48
|
>> Yes. You didn't say whether you have anything running out of the
>> cgi-bin? Whatever is in there (if anything) will probably need some
>> runtime libraries too.
>
> No, nothing in cgi-bin, but the MySQL access through PHP didn't work. The
> PHP/MySQL libraries attempted to locate the MySQL socket file in
> /var/lib/mysql/mysql.sock, which was outside the jail, and thus couldn't be
> seen. I tried a symlink of the MySQL socket file into the jailed
> /chroot/var/lib/mysql directory, but no joy.

In your PHP program, change the way you reference MySQL from 'localhost' to '127.0.0.1'. That will force the client libraries not to use the domain socket but use the TCP/IP socket instead. Consequently, the chroot will no longer be a problem.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: Didier W. <did...@mc...> - 2004-01-18 22:34:12
|
Hi,
(apache, *nix, newbie)

As you are referring to mod_rewrite and mod_bandwidth on your homepage but I didn't exactly find these options in the doc. My purpose would be to only use mod_security and disable 3 other modules (setenvif, rewrite, bandwidth).

I'm using mod_rewrite & mod_setenvif to do the following:
(I know it isn't secure :-), it is only for testing)

SetEnvIfNoCase Referer "^http://www.home.local" locally_linked=1
<FilesMatch "\.(html|gif|zip)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>

The server asks for the referrer and denies access to the server if the referrer isn't http://www.home.local.

1) Can I do this with mod_security, if so, how would the syntax look like when referring to the above sample?

2) Concerning mod_bandwidth I have one additional question, is mod_security able to do bandwidth throttling, allow max 2 simultaneous connections (which is interesting while downloading larger files, zip files etc..) My purpose of this would be to set a download limit of XY kb per seconds per ip and that users won't be able to start a third download until there is one of the two download (slots) free.

Many thanks for the help
Didier
|
|
From: Ivan R. <iv...@we...> - 2004-01-18 01:41:59
|
L. Christopher Luther wrote:
> I've never tried a chroot() operation before, so go easy on me.
>
> My apache configuration (Red Hat 8.0 distribution) is as follows:
>
> ...
>
> So, how do I SecChrootDir this mess?
>
> Should I simply move the entire /var/www to /chroot/var/www

Yes.

> and also create
> /chroot/var/run

Might not be necessary. Probably will be if you are also using mod_ssl because it creates new files at runtime.

> and /chroot/var/log/httpd directories?

No, the logs can stay where they are.

> Will the symlinks to
> the /var/log/httpd and /var/run folders mess things up?

Not for the log files, probably for the files in /var/run generated after the chroot. I've never tried to create a symlink out of a jail though, could be wrong.

> And finally (I hope), what about the various scripts (e.g.,
> /etc/rc.d/init.d/httpd) and logrotate configuration (/etc/logrotate.d/httpd)
> files?

Log rotation will be fine, but the graceful restart won't work (that is one of the drawbacks of this method of chrooting).

> I should also note that this particular web site used PHP and MySQL access
> through PHP extensively. Will the forked httpd processes still be able to
> access PHP?

Yes. You didn't say whether you have anything running out of the cgi-bin? Whatever is in there (if anything) will probably need some runtime libraries too.

> In Red Hat 8.0 PHP (4.2.2) is handled through Apache (2.0.40)
> input/output filters -- the mod_security way of configuring for PHP (i.e.,
> AddHandler application/x-httpd-php .php) doesn't seem to work with this
> particular match-up of Apache and PHP.

This is not related to mod_security, but I think it would be better to upgrade both Apache and PHP to latest versions. Earlier versions are generally known to have problems (eg the apache2filter PHP interface was abandoned for that very reason).

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
|
|
From: L. C. L. <CL...@Xy...> - 2004-01-16 18:15:35
|
I've never tried a chroot() operation before, so go easy on me.

My apache configuration (Red Hat 8.0 distribution) is as follows:

* binary:
    /usr/sbin/httpd
* configuration:
    /etc/httpd
    /etc/httpd/conf
    /etc/httpd/conf.d
* logs:
    /etc/httpd/logs (which is symlinked to ../../var/log/httpd)
* modules:
    /etc/httpd/modules (which is symlinked to ../../usr/lib/httpd/modules)
* run:
    /etc/httpd/run (which is symlinked to ../../var/run)
* www:
    /var/www
    /var/www/html
    /var/www/cgi-bin
    /var/www/error
    /var/www/icons

The /etc/httpd/conf/httpd.conf files specifies the following:

* ServerRoot: /etc/httpd
* PidFile: run/httpd.pid
* DocumentRoot: /var/www/html
* ErrorLog: logs/error_log
* CustomLog: logs/access_log
* And various Alias and Directory directives pointing to the subdirectories in /var/www.

So, how do I SecChrootDir this mess?

Should I simply move the entire /var/www to /chroot/var/www, and also create /chroot/var/run and /chroot/var/log/httpd directories? Will the symlinks to the /var/log/httpd and /var/run folders mess things up?

And finally (I hope), what about the various scripts (e.g., /etc/rc.d/init.d/httpd) and logrotate configuration (/etc/logrotate.d/httpd) files?

I should also note that this particular web site used PHP and MySQL access through PHP extensively. Will the forked httpd processes still be able to access PHP? In Red Hat 8.0 PHP (4.2.2) is handled through Apache (2.0.40) input/output filters -- the mod_security way of configuring for PHP (i.e., AddHandler application/x-httpd-php .php) doesn't seem to work with this particular match-up of Apache and PHP.

I know that this is a rather bloated message, all assistance would be greatly appreciated.

TIA!

Sincerely,

L. Christopher Luther
Technical Consultant
Xybernaut Solutions, Inc.
(703) 654-3642
cl...@xy...
http://www.xybernautsolutions.com
PGP Public KeyID: 0x21261B88
|
|
From: Ivan R. <iv...@we...> - 2004-01-15 21:03:44
|
cerial01 wrote:

> Is there some way to call the mod-sec snort rules from a
> remote directory? With the mod-sec snort rules added to the httpd.conf
> file, it makes the file quite large. I'd like to move the snort
> rules to its own directory (have the httpd.conf file point the
> mod_security to the remote mod-sec snort file) for ease of
> administration and so the script I have written will update
> them when snort updates their rules.

Sure, put them in a separate file and include them from httpd.conf with "Include conf/modsecrules.conf".

The "Include" directive can import whole folders too, so you can have your rules in several files if you want:

http://httpd.apache.org/docs/mod/core.html#include

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ] |
|
From: Jim H. <jim...@rc...> - 2004-01-15 00:07:55
|
Ivan,

Thank you very much for the response. When I get home tonight I will try your solution.

I guess I am confused about how chroot() works or needs to work. I thought the entire apache tree, in my case /usr/local/apache2, would have to be present and part of the root jail. I saw in the documentation where the libraries are loaded prior to the jail taking effect. How do other apache helper binaries get executed, are they also loaded into the httpd code? From your explanation I see my understanding is wrong.

Thank you for the help.

Regards,
Jim

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Wednesday, January 14, 2004 4:37 PM
To: jim...@rc...
Cc: mod...@li...
Subject: Re: [mod-security-users] chroot and mod security

> I need to run a chroot for the apache server. I have the
> code installed with the default path /usr/local/apache2. I
> am using the SecChrootDir directive but I can't seem to get
> it right. I will see a directory doesn't exist or like
> message in the logfile.

What exactly does it say?

> Shouldn't the chroot'd jail be /usr/local/apache2?

No, not really. It depends on where you've put your document root. Assuming it's in /usr/local/apache2/htdocs, the easiest way to do a chroot is to create a folder /chroot/usr/local/apache2/htdocs, put the web site there (just the web site, leave everything else as is), and chroot with "SecChrootDir /chroot/".

That way you won't have to change your httpd.conf much and you can easily switch between a chrooted and the non-chrooted installation.

I guess that more documentation on chrooting is needed, I'll see that I update it soon.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ] |
|
From: L. C. L. <CL...@Xy...> - 2004-01-14 22:04:45
|
Well, I dropped the RH default configuration, that is the input/output filters, added the handler, and restarted Apache. Now when I hit the home page of the web server, I see nice, clean PHP code instead of a running application.

So, I'm back to the input/output filtering. Maybe it's because RH 8.0 uses Apache 2.0.40 and PHP 4.2.2...

-----Original Message-----
From: Ivan Ristic [mailto:iv...@we...]
Sent: Wednesday, January 14, 2004 4:30 PM
To: L. Christopher Luther
Cc: ModSecurity-Users (E-mail)
Subject: Re: [mod-security-users] Apache/PHP Configuration

L. Christopher Luther wrote:

> Can someone tell me the difference between RH 8.0 Apache's default
> configuration for PHP handling:
>
> <Files *.php>
> SetOutputFilter PHP
> SetInputFilter PHP
> LimitRequestBody 524288
> </Files>

Strictly speaking, that's RedHat's default configuration, since Apache does not ship with PHP originally.

The interface between PHP and Apache can be implemented in two different ways. PHP developers first attempted to implement PHP as an Apache filter. They have since abandoned that approach, going back to the "good old handler" approach.

PHP 4.3.4 still ships with both interfaces but, as far as I know, apache2handler is being recommended as "the right way to do it".

> And what the mod_security docs suggest for the Apache/PHP configuration:
>
> AddHandler application/x-httpd-php .php
>
> I'm using the vanilla RH 8.0 Apache/PHP configuration, but with regard to
> mod_security's dynamic request handling, I'm wondering what is best.

I would go with the mod_security way ;)

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ] |
|
From: Ivan R. <iv...@we...> - 2004-01-14 21:34:20
|
> I need to run a chroot for the apache server. I have the
> code installed with the default path /usr/local/apache2. I
> am using the SecChrootDir directive but I can't seem to get
> it right. I will see a directory doesn't exist or like
> message in the logfile.

What exactly does it say?

> Shouldn't the chroot'd jail be /usr/local/apache2?

No, not really. It depends on where you've put your document root. Assuming it's in /usr/local/apache2/htdocs, the easiest way to do a chroot is to create a folder /chroot/usr/local/apache2/htdocs, put the web site there (just the web site, leave everything else as is), and chroot with "SecChrootDir /chroot/".

That way you won't have to change your httpd.conf much and you can easily switch between a chrooted and the non-chrooted installation.

I guess that more documentation on chrooting is needed, I'll see that I update it soon.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ] |
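
The layout described in the message above, as an added shell example that is not part of the original thread or of ModSecurity: `build_jail` mirrors a document root under the jail directory, and `broken_links` lists symlinks in the jail whose targets are missing when paths are resolved from inside it. The function names are hypothetical, and a POSIX shell with `find` and `readlink` is assumed.

```shell
# Added example, not from the thread. Function names are hypothetical.

# build_jail JAIL DOCROOT: recreate DOCROOT's absolute path under JAIL and
# copy the site there, so httpd.conf keeps the same DocumentRoot value.
build_jail() {
    jail=${1%/}
    docroot=$2
    [ -d "$docroot" ] || { echo "no such document root: $docroot" >&2; return 1; }
    mkdir -p "$jail$docroot" || return 1
    # -R recurse, -P copy symlinks as symlinks, -p keep modes and timestamps
    cp -RPp "$docroot/." "$jail$docroot/"
}

# normalize PATH: collapse "." and ".." the way a chrooted process sees
# them, where ".." at the jail root stays at the root. Runs in a subshell
# so the IFS and globbing changes do not leak to the caller.
normalize() (
    out=
    IFS=/
    set -f
    for part in $1; do
        case $part in
            ''|.) ;;
            ..)   out=${out%/*} ;;
            *)    out=$out/$part ;;
        esac
    done
    printf '%s\n' "${out:-/}"
)

# broken_links JAIL: print "link -> target" for every symlink under JAIL
# whose target does not exist once "/" means JAIL.
broken_links() {
    jail=${1%/}
    find "$jail" -type l | while IFS= read -r link; do
        target=$(readlink "$link")
        inside=${link#"$jail"}          # the link's path as seen in the jail
        case $target in
            /*) seen=$(normalize "$target") ;;
            *)  seen=$(normalize "${inside%/*}/$target") ;;
        esac
        [ -e "$jail$seen" ] || printf '%s -> %s\n' "$inside" "$target"
    done
}
```

For the layout in the message this would be `build_jail /chroot /usr/local/apache2/htdocs` followed by `broken_links /chroot`, with "SecChrootDir /chroot/" set in httpd.conf. `broken_links` resolves one level of each link and does not follow chains of symlinks.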
|
From: Ivan R. <iv...@we...> - 2004-01-14 21:27:19
|
L. Christopher Luther wrote:

> Can someone tell me the difference between RH 8.0 Apache's default
> configuration for PHP handling:
>
> <Files *.php>
> SetOutputFilter PHP
> SetInputFilter PHP
> LimitRequestBody 524288
> </Files>

Strictly speaking, that's RedHat's default configuration, since Apache does not ship with PHP originally.

The interface between PHP and Apache can be implemented in two different ways. PHP developers first attempted to implement PHP as an Apache filter. They have since abandoned that approach, going back to the "good old handler" approach.

PHP 4.3.4 still ships with both interfaces but, as far as I know, apache2handler is being recommended as "the right way to do it".

> And what the mod_security docs suggest for the Apache/PHP configuration:
>
> AddHandler application/x-httpd-php .php
>
> I'm using the vanilla RH 8.0 Apache/PHP configuration, but with regard to
> mod_security's dynamic request handling, I'm wondering what is best.

I would go with the mod_security way ;)

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ] |