Thread: [mod-security-users] Basic auth protection
From: Scheblein, A. <ada...@ma...> - 2018-10-26 18:19:00
I'm trying to implement basic auth protection based on the example given in the ModSecurity Handbook; however, the rules never seem to engage. Any help would be appreciated.

Here is what I have for my rules and from my audit log:

Rules:

<Location />
# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" \
    "phase:2,id:40000000,deny,\
    msg:'IP address blocked because of suspected brute-force attack'"

# Retrieve the per-username record
SecAction phase:2,id:40000005,nolog,pass,initcol:USER=%{ARGS.username}

# Enforce an existing username block
SecRule USER:bf_block "@eq 1" \
    "phase:2,id:40000001,deny,\
    msg:'Username blocked because of suspected brute-force attack'"

# Check for authentication failure and increment counters
SecRule RESPONSE_HEADERS:Location ^/ \
    "phase:5,id:40000002,t:none,nolog,pass,\
    setvar:IP.bf_counter=+1,\
    setvar:USER.bf_counter=+1"

# Check for too many failures from a single IP address
SecRule IP:bf_counter "@gt 2" \
    "phase:5,id:40000003,pass,t:none,\
    setvar:IP.bf_block,\
    setvar:!IP.bf_counter,\
    expirevar:IP.block=1800"

# Check for too many failures for a single username
SecRule USER:bf_counter "@gt 2" \
    "phase:5,id:40000004,t:none,pass,\
    setvar:USER.bf_block,\
    setvar:!USER.bf_counter,\
    expirevar:USER.block=1800"
</Location>

Audit log entry:

--6ba2c30c-B--
GET / HTTP/1.1
Host: something.example.com
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic MjhjM3NjaGVibGVpOmFzZGY=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8

--6ba2c30c-F--
HTTP/1.1 401 Unauthorized
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
WWW-Authenticate: Basic realm="Protected"
Content-Length: 503
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

--6ba2c30c-E--

--6ba2c30c-H--
Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/": Password Mismatch
Apache-Error: [file "mod_auth_basic.c"] [line 406] [level 3] AH01617: user username: authentication failure for "/tools/unauthorized.shtml": Password Mismatch
Stopwatch: 1540568079334381 38724 (- - -)
Stopwatch2: 1540568079334381 38724; combined=494, p1=280, p2=0, p3=61, p4=92, p5=61, sr=12, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.1.0.
Server: Apache
Engine-Mode: "ENABLED"

--6ba2c30c-Z--
From: Christian F. <chr...@ne...> - 2018-10-26 18:38:02
Hello Adam,

I have not tried this example in a while. I wonder if it works for basic auth, because basic auth is likely to shortcut some of the ModSec processing phases in case of a 401.

I suggest you raise the ModSec debug log level and then follow the execution of the request to see which rules are actually executed.

Also: You should not send Basic Auth headers to mailing lists. You just shared a password with the world.

Good luck,

Christian Folini
From: Scheblein, A. <ada...@ma...> - 2018-10-26 21:20:59
Good thing it was a throwaway password. Is there any way to have mod_security grab the authorization string? I see that there is a base64 transform, so I was hoping to grab the string, decode it, and parse/block based on that info.
From: Christian F. <chr...@ne...> - 2018-10-26 21:33:48
Hey Adam,

Yes, that is possible. It's a nice exercise actually. You need to strip the "Basic " prefix, fill the rest into a variable, then t:base64 that variable and then extract the 2nd part after the colon.

I've built sort of a dumb authentication cache based on this. It's been in production for close to ten years now, running like a charm.

Cheers,

Christian
From: Scheblein, A. <ada...@ma...> - 2018-10-26 22:07:33
I was able to narrow it down using decode and TX; however, the issue I'm having now is that:

Rule 559a7f24c920: SecAction "initcol:USER=%{TX:1}"
Failed to resolve macro %{tx:1}: Unknown variable: tx:1

How do I take what I captured previously and put it in as a key in a collection?

Thanks
From: Scheblein, A. <ada...@ma...> - 2018-10-26 22:30:07
Figured it out. Had to use a period instead of a colon. Below is the code that I've come up with to block brute-force attacks per IP and per username. Suggestions and comments are welcome:

# Retrieve the IP address
SecAction id:'2000000',phase:1,nolog,pass,initcol:IP=%{REMOTE_ADDR}

# Enforce an existing IP address block
SecRule IP:bf_block "@eq 1" \
    "id:'2000001',phase:1,deny,\
    msg:'IP address blocked because of suspected brute-force attack'"

# Retrieve the username: capture the base64 part of the Authorization header,
# decode it, then capture the part before the colon and key the USER collection on it
SecRule REQUEST_HEADERS:Authorization "Basic (.*)" "chain,capture,phase:1,pass,id:'2000002'"
    SecRule TX:1 "^([-a-zA-Z0-9_]+):" "t:base64Decode,chain,capture"
        SecAction initcol:USER=%{TX.1}

# Enforce an existing username block
SecRule USER:bf_block "@eq 1" \
    "id:'2000003',phase:1,deny,\
    msg:'Username \"%{REMOTE_USER}\" blocked because of suspected brute-force attack'"

# Check that this is a GET
SecRule REQUEST_METHOD "@streq GET" "id:'2000004',phase:5,chain,t:none,nolog,pass"
    # AND check for authentication failure and increment counters
    # NOTE this is for a Rails application, you probably need to customize this
    SecRule RESPONSE_STATUS "!200" \
        "setvar:IP.bf_counter=+1,setvar:USER.bf_counter=+1"

# Check for too many failures for a single username
SecRule USER:bf_counter "@ge 3" \
    "id:'2000005',phase:5,t:none,pass,\
    setvar:USER.bf_block,\
    setvar:!USER.bf_counter,\
    expirevar:USER.bf_block=600"

# Check for too many failures from a single IP address. Block for 10 minutes.
SecRule IP:bf_counter "@ge 3" \
    "id:'2000006',phase:5,pass,t:none,\
    setvar:IP.bf_block,\
    setvar:!IP.bf_counter,\
    expirevar:IP.bf_block=600"
thanks On 10/26/18, 4:34 PM, "Christian Folini" <chr...@ne...> wrote: Hey Adam, Yes, that is possible. It's a nice exercise actually. You need to strip the "Basic " prefix, fill the rest into a variable and then t:base64 that variable and then extract the 2nd part after the colon. I've built sort of a dumb authentication cache based on this. It's been in production for close to ten years now, running like a charm. Cheers, Christian On Fri, Oct 26, 2018 at 09:20:41PM +0000, Scheblein, Adam wrote: > Good thing it was a throw away password __. Is there any way to have mod_security grab the authorization string? I see that there is a base64 transform, so I was hoping to grab the string, decode it, parse/block based on that info. > > On 10/26/18, 1:38 PM, "Christian Folini" <chr...@ne...> wrote: > > Hello Adam, > > I have not tried this example in a while. I wonder if it works for basic auth, > because basic auth is likely to shortcut some of the ModSec processing phases > in case of a 401. > > I suggest you raise the ModSec debug log level and then follow the execution > of the request to see which rules are actually executed. > > Also: You should not send Basic Auth Headers to mailing lists. You just > shared a password with the world. > > Good luck, > > Christian Folini > > On Fri, Oct 26, 2018 at 04:01:06PM +0000, Scheblein, Adam wrote: > > I’m trying to implement basic auth protection based on the example given in the modsecurity handbook, however, the rules never seem to engage. Any help would be appreciated. 
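The rule set above recovers the username from the Authorization header and keeps per-IP and per-username failure counters. As an added example that is not part of Adam's post or of ModSecurity, here is the same logic as a plain-Python reference model, so the threshold and block expiry can be unit-tested before the rules go live; the class and function names are constructed, and the sample headers carry made-up credentials.

```python
import base64
import binascii
import re
import time

# Same pattern as the chained SecRule: the username runs up to the first colon.
USERNAME_RE = re.compile(r"^([-a-zA-Z0-9_]+):")
BASIC_RE = re.compile(r"^Basic (.*)$")
THRESHOLD = 3        # "@ge 3" in rules 2000005 and 2000006
BLOCK_SECONDS = 600  # "expirevar:...bf_block=600"

# Constructed sample headers (made-up credentials alice:s3cret and bob:pw).
SAMPLE_ALICE = "Basic YWxpY2U6czNjcmV0"
SAMPLE_BOB = "Basic Ym9iOnB3"


def username_from_authorization(header):
    """Mirror the chain: capture after "Basic ", t:base64Decode, capture the username."""
    m = BASIC_RE.match((header or "").strip())
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None  # undecodable value: the chain breaks, no USER collection
    m = USERNAME_RE.match(decoded.decode("utf-8", "replace"))
    return m.group(1) if m else None


class BruteForceGuard:
    """Per-IP and per-username failure counters with a timed block (constructed name)."""

    def __init__(self, threshold=THRESHOLD, block_seconds=BLOCK_SECONDS, clock=time.monotonic):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.clock = clock
        # Stand-ins for the IP and USER collections: key -> {bf_counter, bf_block expiry}.
        self.ip = {}
        self.user = {}

    def _blocked(self, coll, key):
        # Like SecRule IP:bf_block "@eq 1": blocked while bf_block has not expired.
        rec = coll.get(key, {})
        expiry = rec.get("bf_block")
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del rec["bf_block"]  # expirevar has fired
            return False
        return True

    def check_request(self, client_ip, authorization):
        """Phase 1: return (allow, username); allow is False where 2000001/2000003 deny."""
        user = username_from_authorization(authorization)
        if self._blocked(self.ip, client_ip):
            return False, user
        if user is not None and self._blocked(self.user, user):
            return False, user
        return True, user

    def record_response(self, client_ip, username, method, status):
        """Phase 5: count a GET that did not return 200; block once the threshold is hit."""
        if method != "GET" or status == 200:
            return
        for coll, key in ((self.ip, client_ip), (self.user, username)):
            if key is None:
                continue
            rec = coll.setdefault(key, {})
            rec["bf_counter"] = rec.get("bf_counter", 0) + 1
            if rec["bf_counter"] >= self.threshold:
                rec["bf_block"] = self.clock() + self.block_seconds
                del rec["bf_counter"]  # setvar:!IP.bf_counter / !USER.bf_counter
```

Calling check_request for the phase-1 decision and record_response after each response reproduces the deny on the third failure, for the same username from any address as well as for any username from the same address, and the release once the 600 seconds have passed.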
From: Christian F. <chr...@ne...> - 2018-10-27 04:02:26
Nice one. Congratulations.

On Fri, Oct 26, 2018 at 10:29:54PM +0000, Scheblein, Adam wrote:
> Figured it out. Had to use a period instead of a colon.