Thread: [mod-security-users] I'm a beginner and need your help.
From: Jason L. <hac...@ya...> - 2020-08-25 17:54:35
Hello, I'm using LAMP on CentOS 8. I installed WordPress and phpMyAdmin. I created a VirtualHost for WordPress as below:

# cat /etc/httpd/conf.d/wp.conf
<VirtualHost *:80>
ServerAdmin root@localhost
ServerAlias www.mymy.net
DocumentRoot /var/www/wordpress
<Directory "/var/www/wordpress">
Options Indexes FollowSymLinks
AllowOverride all
Require all granted
</Directory>
ErrorLog /var/log/httpd/wordpress_error.log
CustomLog /var/log/httpd/wordpress_access.log common
</VirtualHost>
I installed mod_security and its configuration is:
$ cat /etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess Off
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyNoFilesLimit 10000000
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
# ModSecurity Core Rules Set and Local configuration
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
IncludeOptional modsecurity.d/local_rules/*.conf
</IfModule>
When I want to import a database via phpMyAdmin, it shows me an error:

# cat modsec_audit.log
--1b44395e-H--
Apache-Error: [file "mod_autoindex.c"] [line 2329] [level 3] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php,index.php) found, and server-generated directory index forbidden by Options directive
Stopwatch: 1598359137900184 2090 (- - -)
Stopwatch2: 1598359137900184 2090; combined=49, p1=4, p2=35, p3=0, p4=0, p5=10, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

And also an error about "MULTIPART_BOUNDARY".
Apache configuration is:
<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory "/var/www">
AllowOverride None
# Allow open access:
Require all granted
</Directory>
<Directory "/var/www/html">
Options FollowSymLinks
AllowOverride None
Require all granted
</Directory>
TraceEnable off
ServerSignature Off
ServerTokens Prod
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
TimeOut 60
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
ErrorDocument 500 "Oh sorry dear."
FileETag MTime
KeepAlive On
MaxKeepAliveRequests 100
MaxConnectionsPerChild 1000
UseCanonicalName Off
LimitInternalRecursion 5
LimitRequestFields 500
AcceptPathInfo Off
MaxRanges 100
KeepAliveTimeout 4
# Modules
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule headers_module modules/mod_headers.so
RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500
Please help me to solve this problem.
Thank you.
From: Ervin H. <ai...@gm...> - 2020-08-25 18:29:16
Hi Jason,

On Tue, Aug 25, 2020 at 05:54:16PM +0000, Jason Long via mod-security-users wrote:
...
> When I want to import a database via phpMyAdmin, it shows me an error:
...
> And also an error about "MULTIPART_BOUNDARY".
...

I assume your SQL dump contains a few comments (I mean lines which begin with "--").

If this statement is true, the problem could be that there is a known bug in mod_security2: the boundary handling is wrong. (Note that the patch has been available for nearly a year: https://github.com/SpiderLabs/ModSecurity/pull/2193)

> Please help me to solve this problem.

You can turn off the rule with id 200002 (just comment out that block and restart your HTTPD).

Hope this helps.

a.
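To show the kind of false positive Ervin describes, here is an added example (toy code written for this thread, not ModSecurity's multipart parser and not the fix in PR 2193): a boundary check that treats every body line beginning with "--" as a boundary candidate, beside one that only recognises "--" plus the declared boundary, both run over a constructed phpMyAdmin-style upload of an SQL dump with comment lines. The boundary string, the dump contents and the form field name are constructed sample values.

```python
from typing import Callable, List

# Constructed sample: a phpMyAdmin-style import of an SQL dump whose comment
# lines begin with "--", the input that trips the over-eager check.
BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW"   # constructed value
SQL_DUMP = "\r\n".join([
    "-- phpMyAdmin SQL Dump",
    "-- Host: localhost",
    "CREATE TABLE t (id INT);",
    "-- Dumping data for table t",
    "INSERT INTO t VALUES (1);",
])
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="import_file"; filename="dump.sql"\r\n'
    "Content-Type: application/sql\r\n"
    "\r\n"
    f"{SQL_DUMP}\r\n"
    f"--{BOUNDARY}--\r\n"
)
# A genuinely malformed body: the closing delimiter carries trailing junk.
MALFORMED_BODY = BODY.replace(f"--{BOUNDARY}--", f"--{BOUNDARY} ;junk")


def naive_unmatched_boundaries(body: str, boundary: str) -> List[str]:
    """Flag every line starting with '--' that is not the exact delimiter.
    SQL comment lines inside the uploaded file are reported as unmatched
    boundaries, so a deny-on-error rule rejects a perfectly valid import."""
    delim = f"--{boundary}"
    return [ln for ln in body.split("\r\n")
            if ln.startswith("--") and ln not in (delim, delim + "--")]


def strict_unmatched_boundaries(body: str, boundary: str) -> List[str]:
    """Only lines beginning with '--' + the declared boundary are delimiter
    candidates; a candidate that is not exactly the open or close delimiter
    is the real unmatched-boundary condition. Other '--' lines are part data."""
    delim = f"--{boundary}"
    return [ln for ln in body.split("\r\n")
            if ln.startswith(delim) and ln not in (delim, delim + "--")]


def verdict(body: str, boundary: str,
            check: Callable[[str, str], List[str]]) -> str:
    """Mimic a deny-on-any-error rule like id 200002: any flagged line -> 400."""
    return "deny 400" if check(body, boundary) else "pass"


if __name__ == "__main__":
    for name, check in (("naive", naive_unmatched_boundaries),
                        ("strict", strict_unmatched_boundaries)):
        print(f"{name:6} valid import: {verdict(BODY, BOUNDARY, check)}")
        print(f"{name:6} malformed:    {verdict(MALFORMED_BODY, BOUNDARY, check)}")
```

The strict variant still denies the genuinely malformed closing delimiter, so anchoring the match to the declared boundary removes the false positive without losing the check that a rule like 200002 exists for.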
From: Jamie B. <ja...@ib...> - 2020-08-25 20:00:25
> Note, that the patch is available since nearly one year:

Having run into this bug myself today, I gave up trying to find out how to get this updated version of mod_security and just disabled that broken rule. EL7 EPEL doesn't have it and the repos I found on the official website were for ancient versions of EL.

Jamie

Sent from my iPhone

> On 25 Aug 2020, at 19:31, Ervin Hegedüs <ai...@gm...> wrote:
>
> Hi Jason,
>
> On Tue, Aug 25, 2020 at 05:54:16PM +0000, Jason Long via mod-security-users wrote:
> ...
>> When I want to import a database via phpMyAdmin, it shows me an error:
> ...
>> And also an error about "MULTIPART_BOUNDARY".
> ...
>
> I assume your SQL dump contains a few comments (I mean lines which
> begin with "--").
>
> If this statement is true, the problem could be that there is a
> known bug in mod_security2: the boundary handling is wrong. (Note
> that the patch has been available for nearly a year:
> https://github.com/SpiderLabs/ModSecurity/pull/2193)
>
>> Please help me to solve this problem.
>
> You can turn off the rule with id 200002 (just comment out that
> block and restart your HTTPD).
>
> Hope this helps.
>
> a.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
From: Jason L. <hac...@ya...> - 2020-08-25 20:11:24
How did you solve it?

Sent from Yahoo Mail on Android

On Wed, Aug 26, 2020 at 12:33 AM, Jamie Burchell <ja...@ib...> wrote:
>> Note, that the patch is available since nearly one year:
>
> Having run into this bug myself today, I gave up trying to find out how to get this updated version of mod_security and just disabled that broken rule. EL7 EPEL doesn't have it and the repos I found on the official website were for ancient versions of EL.
>
> Jamie
>
> Sent from my iPhone
>
>> On 25 Aug 2020, at 19:31, Ervin Hegedüs <ai...@gm...> wrote:
>>
>> Hi Jason,
>>
>> On Tue, Aug 25, 2020 at 05:54:16PM +0000, Jason Long via mod-security-users wrote:
>> ...
>>> When I want to import a database via phpMyAdmin, it shows me an error:
>> ...
>>> And also an error about "MULTIPART_BOUNDARY".
>> ...
>>
>> I assume your SQL dump contains a few comments (I mean lines which
>> begin with "--").
>>
>> If this statement is true, the problem could be that there is a
>> known bug in mod_security2: the boundary handling is wrong. (Note
>> that the patch has been available for nearly a year:
>> https://github.com/SpiderLabs/ModSecurity/pull/2193)
>>
>>> Please help me to solve this problem.
>>
>> You can turn off the rule with id 200002 (just comment out that
>> block and restart your HTTPD).
>>
>> Hope this helps.
>>
>> a.
From: Jason L. <hac...@ya...> - 2020-08-25 20:04:25
Thank you. Which misconfiguration? Log is:

# tail error_log
[Wed Aug 26 00:16:29.307497 2020] [:notice] [pid 37990:tid 140688956213568] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
[Wed Aug 26 00:16:29.307511 2020] [:notice] [pid 37990:tid 140688956213568] ModSecurity: LUA compiled version="Lua 5.3"
[Wed Aug 26 00:16:29.307515 2020] [:notice] [pid 37990:tid 140688956213568] ModSecurity: YAJL compiled version="2.1.0"
[Wed Aug 26 00:16:29.307520 2020] [:notice] [pid 37990:tid 140688956213568] ModSecurity: LIBXML compiled version="2.9.7"
[Wed Aug 26 00:16:29.307524 2020] [:notice] [pid 37990:tid 140688956213568] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Wed Aug 26 00:16:29.359136 2020] [so:warn] [pid 37990:tid 140688956213568] AH01574: module reqtimeout_module is already loaded, skipping
[Wed Aug 26 00:16:29.359175 2020] [so:warn] [pid 37990:tid 140688956213568] AH01574: module headers_module is already loaded, skipping
[Wed Aug 26 00:16:29.364696 2020] [lbmethod_heartbeat:notice] [pid 37990:tid 140688956213568] AH02282: No slotmem from mod_heartmonitor
[Wed Aug 26 00:16:29.374111 2020] [mpm_event:notice] [pid 37990:tid 140688956213568] AH00489: Apache/2.4.37 (centos) OpenSSL/1.1.1c mod_fcgid/2.3.9 configured -- resuming normal operations
[Wed Aug 26 00:16:29.374151 2020] [core:notice] [pid 37990:tid 140688956213568] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

How to disable it?

Sent from Yahoo Mail on Android

On Tue, Aug 25, 2020 at 11:00 PM, Ervin Hegedüs <ai...@gm...> wrote:
> Hi Jason,
>
> On Tue, Aug 25, 2020 at 05:54:16PM +0000, Jason Long via mod-security-users wrote:
> ...
>> When I want to import a database via phpMyAdmin, it shows me an error:
> ...
>> And also an error about "MULTIPART_BOUNDARY".
> ...
>
> I assume your SQL dump contains a few comments (I mean lines which begin with "--").
>
> If this statement is true, the problem could be that there is a known bug in mod_security2: the boundary handling is wrong. (Note that the patch has been available for nearly a year: https://github.com/SpiderLabs/ModSecurity/pull/2193)
>
>> Please help me to solve this problem.
>
> You can turn off the rule with id 200002 (just comment out that block and restart your HTTPD).
>
> Hope this helps.
>
> a.
From: Jason L. <hac...@ya...> - 2020-08-25 20:08:17
Do you mean:

SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

Sent from Yahoo Mail on Android

On Tue, Aug 25, 2020 at 11:00 PM, Ervin Hegedüs <ai...@gm...> wrote:
> Hi Jason,
>
> On Tue, Aug 25, 2020 at 05:54:16PM +0000, Jason Long via mod-security-users wrote:
> ...
>> When I want to import a database via phpMyAdmin, it shows me an error:
> ...
>> And also an error about "MULTIPART_BOUNDARY".
> ...
>
> I assume your SQL dump contains a few comments (I mean lines which
> begin with "--").
>
> If this statement is true, the problem could be that there is a
> known bug in mod_security2: the boundary handling is wrong. (Note
> that the patch has been available for nearly a year:
> https://github.com/SpiderLabs/ModSecurity/pull/2193)
>
>> Please help me to solve this problem.
>
> You can turn off the rule with id 200002 (just comment out that
> block and restart your HTTPD).
>
> Hope this helps.
>
> a.
From: Christian F. <chr...@ne...> - 2020-08-25 18:25:12
Hey Jason,
This is an Apache error that is also reported in the ModSecurity Audit Log.
The original error message is in the Apache Error Log.
I suggest you disable ModSecurity for the time being and fix this
misconfiguration before you bring in ModSec again.
Regs,
Christian
On Tue, Aug 25, 2020 at 05:54:16PM +0000, Jason Long via mod-security-users wrote:
> Hello, I'm using LAMP on CentOS 8. I installed WordPress and phpMyAdmin. I created a VirtualHost for WordPress as below:
>
> # cat /etc/httpd/conf.d/wp.conf
> <VirtualHost *:80>
> ServerAdmin root@localhost
> ServerAlias www.mymy.net
> DocumentRoot /var/www/wordpress
> <Directory "/var/www/wordpress">
> Options Indexes FollowSymLinks
> AllowOverride all
> Require all granted
> </Directory>
> ErrorLog /var/log/httpd/wordpress_error.log
> CustomLog /var/log/httpd/wordpress_access.log common
> </VirtualHost>
>
> I installed mod_security and its configuration is:
> $ cat /etc/httpd/conf.d/mod_security.conf
> <IfModule mod_security2.c>
> # Default recommended configuration
> SecRuleEngine On
> SecRequestBodyAccess Off
> SecRule REQUEST_HEADERS:Content-Type "text/xml" \
> "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> # SecRequestBodyLimit 13107200
> SecRequestBodyNoFilesLimit 131072
> SecRequestBodyNoFilesLimit 10000000
> SecRequestBodyInMemoryLimit 131072
> SecRequestBodyLimitAction Reject
> SecRule REQBODY_ERROR "!@eq 0" \
> "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Multipart request body \
> failed strict validation: \
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
> "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
> SecPcreMatchLimit 1000
> SecPcreMatchLimitRecursion 1000
> SecRule TX:/^MSC_/ "!@streq 0" \
> "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
> SecResponseBodyAccess Off
> SecDebugLog /var/log/httpd/modsec_debug.log
> SecDebugLogLevel 0
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType Serial
>
> SecAuditLog /var/log/httpd/modsec_audit.log
> SecArgumentSeparator &
> SecCookieFormat 0
> SecTmpDir /var/lib/mod_security
> SecDataDir /var/lib/mod_security
>
> # ModSecurity Core Rules Set and Local configuration
> IncludeOptional modsecurity.d/*.conf
> IncludeOptional modsecurity.d/activated_rules/*.conf
>
> IncludeOptional modsecurity.d/local_rules/*.conf
> </IfModule>
>
> When I want to import a database via phpMyAdmin, it shows me an error:
> # cat modsec_audit.log
> --1b44395e-H--
> Apache-Error: [file "mod_autoindex.c"] [line 2329] [level 3] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php,index.php) found, and server-generated directory index forbidden by Options directive
> Stopwatch: 1598359137900184 2090 (- - -)
> Stopwatch2: 1598359137900184 2090; combined=49, p1=4, p2=35, p3=0, p4=0, p5=10, sr=0, sw=0, l=0, gc=0
> Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/).
> Server: Apache
> Engine-Mode: "ENABLED"
> And also an error about "MULTIPART_BOUNDARY".
> Apache configuration is:
> <Directory />
> AllowOverride none
> Require all denied
> </Directory>
> <Directory "/var/www">
> AllowOverride None
> # Allow open access:
> Require all granted
> </Directory>
> <Directory "/var/www/html">
> Options FollowSymLinks
> AllowOverride None
> Require all granted
> </Directory>
> TraceEnable off
> ServerSignature Off
> ServerTokens Prod
> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
> SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> SSLHonorCipherOrder on
> SSLCompression off
> SSLSessionTickets off
> TimeOut 60
> Header always append X-Frame-Options SAMEORIGIN
> Header set X-XSS-Protection "1; mode=block"
> Header set X-Content-Type-Options nosniff
> ErrorDocument 500 "Oh sorry dear."
> FileETag MTime
> KeepAlive On
> MaxKeepAliveRequests 100
> MaxConnectionsPerChild 1000
> UseCanonicalName Off
> LimitInternalRecursion 5
> LimitRequestFields 500
> AcceptPathInfo Off
> MaxRanges 100
> KeepAliveTimeout 4
> # Modules
> LoadModule reqtimeout_module modules/mod_reqtimeout.so
> LoadModule headers_module modules/mod_headers.so
> RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500
>
> Please help me to solve this problem.
> Thank you.