Thread: [mod-security-users] mod_security

From: Borut R. <je...@zi...> - 2004-01-27 23:06:59

Recently, because of day-to-day intrusions on my webserver, I installed
mod_security to log this kind of stuff. At the first stage I would just log
all POST/GET data, but I have a problem. This is my config:
AddHandler application/x-httpd-php .php
SecAuditEngine On
SecAuditLog /webs/logs/audit_log
SecFilterScanPOST On
SecFilterEngine On
SecServerSignature "Microsoft-IIS/5.0"
#SecFilter "<(.|\n)+>"
#SecFilter "'"
#SecFilter "\"
#SecFilter ".pl"
With this config, a couple of websites stop working, though I have all
filters disabled. How can I do just logging, nothing else!

Regards,
Borut

From: Jessy M. <jm...@up...> - 2009-03-31 21:40:15

Hello,

Could you please let me know if there is a way in mod_security to throttle
requests based on IP within a defined period of time? E.g., if the number of
requests from a particular IP address exceeds 90 requests in a 5 minute
interval, flag the IP address and block it for 60 minutes. By default, the
requests should be throttled based on X-Forwarded-For field IP addresses. If
the X-Forwarded-For field is not present, throttle requests based on the real
client IP.

Thanks in advance,
Jessy

From: Brian R. <Bri...@br...> - 2009-03-31 22:50:22

Jessy Mathew wrote:
> Hello,
>
> Could you please let me know if there is way in mod_security to throttle
> requests based on IP with in a defined period of time.
> eg. if the no. of requests from a particular ip address exceeds 90 requests in
> a 5 minute interval, flag the ip address and blocks it for 60 minutes. By
> default, the requests should be throttled based on X-forwarded field Ip
> addresses. If x-forwarded field is not present, throttle requests based on real
> client IP.
>
> Thanks in advance,
> Jessy

The archives are a good place to look for things like this...

http://article.gmane.org/gmane.comp.apache.mod-security.user/3027

Watch out on the x-forwarded-for. Anyone can put any IP in there and
could cause an arbitrary IP to be throttled.

-B
--
Brian Rectanus
Breach Security

From: <jm...@up...> - 2009-04-01 15:30:22

Thank you for your guidance Brian. Could you please let me know how to
incorporate the X-forwarded field in the rule and use the "if" condition?

Thanks again...
Regards,
Jessy

-----Original Message-----
From: Brian Rectanus [mailto:Bri...@br...]
Sent: Tuesday, March 31, 2009 6:50 PM
To: Mathew Jessy (HCC1MJM)
Cc: mod...@li...
Subject: Re: [mod-security-users] mod_security

Jessy Mathew wrote:
> Hello,
>
> Could you please let me know if there is way in mod_security to
> throttle requests based on IP with in a defined period of time.
> eg. if the no. of requests from a particular ip address exceeds 90
> requests in a 5 minute interval, flag the ip address and blocks it for
> 60 minutes. By default, the requests should be throttled based on
> X-forwarded field Ip addresses. If x-forwarded field is not present,
> throttle requests based on real client IP.
>
> Thanks in advance,
> Jessy

The archives are a good place to look for things like this...

http://article.gmane.org/gmane.comp.apache.mod-security.user/3027

Watch out on the x-forwarded-for. Anyone can put any IP in there and
could cause an arbitrary IP to be throttled.

-B
--
Brian Rectanus
Breach Security

From: Christian B. <ch...@jw...> - 2009-04-01 19:59:26

Hi Jessy,
let's see what we have here... Some comments on Ryan's rules from the
post referred to by Brian:
#
# we initialize the IP collection, i.e. we associate the IP collection with
# the client's IP, i.e. we now have a collection associated with the remote address.
# (the counter must live in the IP collection, hence "ip.request_count",
# otherwise the IP:REQUEST_COUNT check below never sees it)
#
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.request_count=+1,expirevar:ip.request_count=86400"
#
# we make sure that the client can access the "limit_exceeded_page.html" by
# any means, even if he is blocked (phase:1 so that it runs before the
# blocking rule below, which is also in phase 1)
#
SecRule REQUEST_URI "/limit_exceeded_page\.html" "phase:1,log,allow,ctl:ruleEngine=off"
#
# we check if the REQUEST_COUNT variable in the IP collection is above the threshold
# of 2000 requests per IP address and take further actions, by setting the "blocked"
# variable
#
SecRule IP:REQUEST_COUNT "@ge 2000" "phase:1,pass,nolog,setvar:ip.blocked=1,expirevar:ip.blocked=3600"
#
# we need to add another check for the existence of the "blocked" variable in the
# current context (i.e. in the IP collection); redirect is the disruptive action
# here, so no separate "deny" is needed
#
SecRule IP:BLOCKED "@eq 1" "phase:1,log,redirect:http://www.site.com/limit_exceeded_page.html"
All these rules check for a request count variable being available in
the IP collection. At each request, the collection is filled with values
(from memory/disk), depending on the remote_address value it is associated
with.

(You can think of collections as a hash-of-hashes in perl. Using
initcol:ip=... you select a specific hash to be associated with the IP
reference, i.e. after that action, the IP contains values previously put
into exactly the collection referenced by "REMOTE_ADDR").

In your case, you need to initialize the collection with the value of the
"x-forwarded-for" value, more exactly, with the ip address contained within
that header. So the first thing to do is to extract the ip address from
that header.

(The following rules are not tested due to missing time, but they somehow
show the principle. Rule IDs below are for clarity only.)
#
# this rule looks for an IPv4 address in the x-forwarded-for header and saves it
# into the TX:1 variable (due to the "capture" action)
# we also do set the "fwd_ip_found" variable for this transaction to indicate to the
# following rule that the "TX:1" variable is the one to choose for loading the IP collection
# ("pass,nolog" so that the SecDefaultAction does not interfere with a matching rule)
#
SecRule REQUEST_HEADERS:x-forwarded-for "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" \
    "phase:1,t:none,capture,pass,nolog,setvar:tx.fwd_ip_found=1,id:'1'"
#
# Now we need to initialize the IP collection depending on the
# (captured values are expanded with the %{TX.1} macro syntax)
#
SecRule TX:FWD_IP_FOUND "@eq 1" "phase:1,pass,nolog,initcol:ip=%{TX.1},id:'2'"
#
# if no FWD is found, we use the REMOTE_ADDR as client ip
# (this needs a SecRule, not a SecAction, because it tests a variable)
#
SecRule &TX:FWD_IP_FOUND "@eq 0" "phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR},id:'3'"
This setup includes a "fail-safe" solution, as it will use the
x-forwarded-for header if one exists AND contains an IPv4 address
(rule (2)) and otherwise uses the remote client address for
request-counting (rule (3)).

The above 3 rules are intended to replace the very first "SecAction" line
of Ryan's original post; you need to include the other rules from that post
after rules (1), (2), (3).

As said before, this is not tested.

Best regards,
Chris
On 01.04.2009 at 17:29, <jm...@up...> <jm...@up...> wrote:
> Thank you for your guidance Brian, Could you please let me know how
> to incorporate the X-forwarded field in the Rule and use the "if"
> condition.
>
> Thanks again...
> Regards,
> Jessy
>
> -----Original Message-----
> From: Brian Rectanus [mailto:Bri...@br...]
> Sent: Tuesday, March 31, 2009 6:50 PM
> To: Mathew Jessy (HCC1MJM)
> Cc: mod...@li...
> Subject: Re: [mod-security-users] mod_security
>
>
>
> Jessy Mathew wrote:
>> Hello,
>>
>> Could you please let me know if there is way in mod_security to
>> throttle requests based on IP with in a defined period of time.
>> eg. if the no. of requests from a particular ip address exceeds 90
>> requests in a 5 minute interval, flag the ip address and blocks it
>> for
>> 60 minutes. By default, the requests should be throttled based on
>> X-forwarded field Ip addresses. If x-forwarded field is not present,
>> throttle requests based on real client IP.
>>
>> Thanks in advance,
>> Jessy
>
> The archives are a good place to look for things like this...
>
> http://article.gmane.org/gmane.comp.apache.mod-security.user/3027
>
> Watch out on the x-forwarded-for. Anyone can put any IP in there
> and could cause an arbitrary IP to be throttled.
>
> -B
>
> --
> Brian Rectanus
> Breach Security
>
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html
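The following is an added example (not posted by anyone in this thread) that puts Chris's header extraction, Ryan's counter rules and Brian's caveat together with Jessy's numbers (90 requests per 5 minutes, 60 minute block), in ModSecurity 2.6+ syntax. The proxy address 10.0.0.5, the SecDataDir path and the rule IDs 900001-900007 are constructed placeholders; X-Forwarded-For is only honoured when the TCP peer is that proxy, and the 5 minute window is fixed rather than sliding.

```apache
# Added example, not from this thread. Persistent collections need a data dir.
SecDataDir /var/cache/modsecurity

# (1) Trust X-Forwarded-For only when the TCP peer is our own reverse proxy
#     (placeholder address). Anyone else could write an arbitrary IP into the
#     header and get that IP throttled. The chained rule captures the first
#     IPv4 address of the header into TX:1.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.5" \
    "id:900001,phase:1,t:none,pass,nolog,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "^\s*(\d{1,3}(?:\.\d{1,3}){3})" \
        "t:none,capture,setvar:tx.client_ip=%{TX.1}"

# (2) No trusted forwarded address (untrusted peer, header missing, or no IPv4
#     in it): fall back to the real peer address.
SecRule &TX:CLIENT_IP "@eq 0" \
    "id:900002,phase:1,t:none,pass,nolog,setvar:tx.client_ip=%{REMOTE_ADDR}"

# (3) Load the IP collection keyed by the chosen address.
SecAction "id:900003,phase:1,t:none,pass,nolog,initcol:ip=%{TX.client_ip}"

# (4) First request from this address: start a fixed 5 minute window.
#     expirevar is set only here, so later increments do not extend it.
SecRule &IP:REQUEST_COUNT "@eq 0" \
    "id:900004,phase:1,t:none,pass,nolog,setvar:ip.request_count=0,expirevar:ip.request_count=300"

# (5) Count this request against the window.
SecAction "id:900005,phase:1,t:none,pass,nolog,setvar:ip.request_count=+1"

# (6) Address already flagged: reject and log which address tripped it.
SecRule IP:BLOCKED "@eq 1" \
    "id:900006,phase:1,t:none,deny,status:403,log,msg:'Rate limit block active for %{TX.client_ip}'"

# (7) More than 90 requests inside the window: flag the address for 60 minutes.
SecRule IP:REQUEST_COUNT "@gt 90" \
    "id:900007,phase:1,t:none,pass,log,msg:'Rate limit exceeded by %{TX.client_ip}',setvar:ip.blocked=1,expirevar:ip.blocked=3600"
```

Check the audit log for the msg of rule 900007 to confirm which address was flagged and whether it came from the header or from REMOTE_ADDR.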

From: Ivan R. <iv...@we...> - 2004-01-27 23:30:08

Borut Rozman wrote:
>
> I recently because of day-to-day intrusions on my webserver installed
> mod-security to log this kinda stuff. I would at first stage just log
> all post-get data, but have problem, this is my config of it:
>
> AddHandler application/x-httpd-php .php
> SecAuditEngine On
> SecAuditLog /webs/logs/audit_log
> SecFilterScanPOST On
> SecFilterEngine On
> SecServerSignature "Microsoft-IIS/5.0"
> #SecFilter "<(.|\n)+>"
> #SecFilter "'"
> #SecFilter "\"
> #SecFilter ".pl"
>
> at this config, couple of websites stop to work though i have all
> filters disabled, how can I do just logging, nothing else!

You need to tell us more about your problem:

Which versions of Apache and mod_security are you using?
Is there anything interesting in the error_log, audit log, mod_security debug log?
When you say "not working" - what does that mean? Do you get a blank screen,
internal server error, does Apache segfault?

Ideally you would give enough information for me to replicate the problem on
my server, and then I could look into what is causing the problem.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]