Thread: [mod-security-users] Strange error when blocking a petition
From: Alberto G. I. <ag...@in...> - 2005-03-29 16:52:22
Hi all,

I'm getting the following error from time to time. I'm not running
windows, so I'm not very worried about it, but the
'ap_setup_client_block failed with 400' message doesn't look good. Is it
a problem with my mod_security installation? Or is it normal?

195.194.x.x - - [24/Mar/2005:00:54:50 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 500 647 Access denied with code 500. ap_setup_client_block failed with 400

Running:
Debian woody
apache 1.3.26-0woody6
mod_security/1.8.7 (built in this system)
libc6 2.2.5-11.8
libdb2 2.7.7.0-7

Thanks,

Alberto

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3

From: Ivan R. <iv...@we...> - 2005-03-29 19:03:31
Alberto Gonzalez Iniesta wrote:
> Hi all,
>
> I'm getting the following error from time to time. I'm not running
> windows, so I'm not very worried about it, but the
> 'ap_setup_client_block failed with 400' message doesn't look good. Is it
> a problem with my mod_security installation? Or is it normal?
>
> 195.194.x.x - - [24/Mar/2005:00:54:50 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 500 647 Access denied with code 500. ap_setup_client_block failed with 400

It should be normal (although not very user-friendly, I admit).

They probably sent a chunked request body and you are using
Apache 1.x? Can you look into the audit log to confirm my
suspicion?

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

From: Alberto G. I. <ag...@in...> - 2005-03-29 19:27:03
On Tue, Mar 29, 2005 at 08:05:59PM +0100, Ivan Ristic wrote:
> Alberto Gonzalez Iniesta wrote:
> >Hi all,
> >
> >I'm getting the following error from time to time. I'm not running
> >windows, so I'm not very worried about it, but the
> >'ap_setup_client_block failed with 400' message doesn't look good. Is it
> >a problem with my mod_security installation? Or is it normal?
> >
> >195.194.x.x - - [24/Mar/2005:00:54:50 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 500 647 Access denied with code 500. ap_setup_client_block failed with 400
>
> It should be normal (although not very user-friendly, I admit).
>
> They probably sent a chunked request body and you are using
> Apache 1.x? Can you look into the audit log to confirm my
> suspicion?
>

Yes, Apache 1.3.26. I don't have an audit log right now, but I'll set up
one and come back later with more info.

Thanks.

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3

From: Tom A. <tan...@oa...> - 2005-03-29 20:54:23
----- Original Message -----
From: "Alberto Gonzalez Iniesta" <ag...@in...>
To: <mod...@li...>
Sent: Tuesday, March 29, 2005 11:53 AM
Subject: [mod-security-users] Strange error when blocking a petition

> Hi all,
>
> I'm getting the following error from time to time. I'm not running
> windows, so I'm not very worried about it, but the
> 'ap_setup_client_block failed with 400' message doesn't look good. Is it
> a problem with my mod_security installation? Or is it normal?
>
> 195.194.x.x - - [24/Mar/2005:00:54:50 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 500 647 Access denied with code 500. ap_setup_client_block failed with 400

Here are some things that would probably catch this on my system:

SecFilterSelective "HTTP_TRANSFER_ENCODING" "chunked"

SecFilter "\.(conf|cf|ini|cfg|htpasswd|htaccess|htgroup|inc|history|bash_history|exe|pwd|cnf|dll)"

I also have this, but I don't recall why:

SecFilter errors/400

I have a bunch of "/_vti_bin" requests in my error log, but they are all
404. How did you get a 500 instead of a 404 if they're posting to a dll and
you're not running Windows?

Tom

From: Alberto G. I. <ag...@in...> - 2005-03-30 07:59:29
On Tue, Mar 29, 2005 at 03:51:43PM -0500, Tom Anderson wrote:
>
> ----- Original Message -----
> From: "Alberto Gonzalez Iniesta" <ag...@in...>
> To: <mod...@li...>
> Sent: Tuesday, March 29, 2005 11:53 AM
> Subject: [mod-security-users] Strange error when blocking a petition
>
> >Hi all,
> >
> >I'm getting the following error from time to time. I'm not running
> >windows, so I'm not very worried about it, but the
> >'ap_setup_client_block failed with 400' message doesn't look good. Is it
> >a problem with my mod_security installation? Or is it normal?
> >
> >195.194.x.x - - [24/Mar/2005:00:54:50 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 500 647 Access denied with code 500. ap_setup_client_block failed with 400
>
> Here's some things that would probably catch this on my system:
>
> SecFilterSelective "HTTP_TRANSFER_ENCODING" "chunked"

Here:

SecFilterSelective HTTP_Transfer-Encoding "!^$"

> SecFilter "\.(conf|cf|ini|cfg|htpasswd|htaccess|htgroup|inc|history|bash_history|exe|pwd|cnf|dll)"
>
> I also have this, but I don't recall why:
>
> SecFilter errors/400
>
> I have a bunch of "/_vti_bin" requests in my error log, but they are all
> 404. How did you get a 500 instead of a 404 if they're posting to a dll
> and you're not running Windows?

I get a 500 'cos the petition probably triggered the
HTTP_Transfer-Encoding rule or any other. The file asked by the client
does not have to exist to trigger a rule and get kicked.

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| in GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3

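Added example (not part of any poster's message, and not ModSecurity code): a simplified Python model of the rules quoted in the messages above, showing that filters are evaluated before the file lookup, so the probe receives the blocking status even though the .dll does not exist. The rule labels, the 500 default status, the chunked header on the constructed probe, case-insensitive matching and the "request line plus body" scope for SecFilter are assumptions of this model.

```python
import re

# Rules quoted in the thread: (label, target, pattern). Target None models
# SecFilter (assumed scope: request line plus body); otherwise a header name.
RULES = [
    ("tom: Transfer-Encoding chunked", "Transfer-Encoding", "chunked"),
    ("tom: sensitive extension", None,
     r"\.(conf|cf|ini|cfg|htpasswd|htaccess|htgroup|inc|history"
     r"|bash_history|exe|pwd|cnf|dll)"),
    ("alberto: any Transfer-Encoding", "Transfer-Encoding", "!^$"),
]

def rule_matches(pattern, value):
    """A leading '!' inverts the match, as in the "!^$" rule from the thread."""
    inverted = pattern.startswith("!")
    regex = pattern[1:] if inverted else pattern
    hit = re.search(regex, value, re.IGNORECASE) is not None
    return hit != inverted

def evaluate(request_line, headers, body="", existing_paths=(), default_status=500):
    """Return (status, labels of the rules that fired).

    Rules run before the file lookup: a request for a file that does not
    exist gets default_status when a rule fires, and only reaches the 404
    path when none does. default_status=500 mirrors the thread's log line.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    fired = []
    for label, target, pattern in RULES:
        if target is None:
            value = f"{request_line}\n{body}"
        else:
            value = hdrs.get(target.lower(), "")  # absent header -> empty string
        if rule_matches(pattern, value):
            fired.append(label)
    if fired:
        return default_status, fired
    path = request_line.split()[1]
    return (200 if path in existing_paths else 404), fired

# Constructed requests: the probe from the thread's log line (the chunked
# header is an assumption) and a harmless request for a missing page.
PROBE = ("POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1",
         {"Transfer-Encoding": "chunked"})
MISS = ("GET /missing.html HTTP/1.1", {})

if __name__ == "__main__":
    for line, hdrs in (PROBE, MISS):
        print(line, "->", evaluate(line, hdrs))
```

With the Transfer-Encoding header removed from the probe, only the extension filter fires, which is the case to compare against when a server logs 404 for the same path.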
From: dusky <she...@li...> - 2005-10-27 23:42:15
Tom Anderson <tanderso <at> oac-design.com> writes:

>
> ----- Original Message -----
> From: "Alberto Gonzalez Iniesta" <agi <at> inittab.org>
> To: <mod-security-users <at> lists.sourceforge.net>
> Sent: Tuesday, March 29, 2005 11:53 AM
> Subject: [mod-security-users] Strange error when blocking a petition
>
> > Hi all,
> >
> > I'm getting the following error from time to time. I'm not running
> > windows, so I'm not very worried about it, but the
> > 'ap_setup_client_block failed with 400' message doesn't look good. Is it
> > a problem with my mod_security installation? Or is it normal?
> >
> > 195.194.x.x - - [24/Mar/2005:00:54:50 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 500 647 Access denied with code 500. ap_setup_client_block failed with 400
>
> Here's some things that would probably catch this on my system:
>
> SecFilterSelective "HTTP_TRANSFER_ENCODING" "chunked"
>
> SecFilter "\.(conf|cf|ini|cfg|htpasswd|htaccess|htgroup|inc|history|bash_history|exe|pwd|cnf|dll)"
>
> I also have this, but I don't recall why:
>
> SecFilter errors/400
>
> I have a bunch of "/_vti_bin" requests in my error log, but they are all
> 404. How did you get a 500 instead of a 404 if they're posting to a dll and
> you're not running Windows?
>
> Tom
>

I may be wrong, but if you have this in your apache's mod_security:

SecServerSignature "Microsoft-IIS/5.0"

(when you're running Apache), then someone obviously thinks you're truly running MS server. I have it in mine to confuse hackers...

Try it and have a look at your headers in stats logs etc... it'll have that instead of the real info that you do not wish to disclose to competitors, hackers... (or to boast that you can afford an expensive server :) !!!

I know most know about this trick, but there'll always be a newbie somewhere!

dusky

From: Ivan R. <iv...@we...> - 2005-10-28 08:32:21
I can't remember if I replied to this one at the time so I'll
just respond again.

>>>I'm getting the following error from time to time. I'm not running
>>>windows, so I'm not very worried about it, but the
>>>'ap_setup_client_block failed with 400' message doesn't look good. Is it
>>>a problem with my mod_security installation? Or is it normal?
>>>
>>>195.194.x.x - - [24/Mar/2005:00:54:50 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 500 647 Access denied with code 500. ap_setup_client_block failed with 400
>
> ...
>
>>I have a bunch of "/_vti_bin" requests in my error log, but they are all
>>404. How did you get a 500 instead of a 404 if they're posting to a dll and
>>you're not running Windows?

This is probably with Apache 1.x. It will respond with 400 if an
attempt is made to use chunked encoding (and ModSecurity is loaded). The
same thing will be allowed with Apache 2.x.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org