Thread: [mod-security-users] modsecurity on http-https redirect on apache
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-users
|
From: Franz A. <fra...@gm...> - 2021-03-18 07:54:43
|
Hi, Sorry but i'm new on modsecurity, i've installed a Debian apache server with modsecurity with no custom rules for testing/learning. If i try to use: curl https://www.example.test/index.html?exec=/bin/bash all working fine with: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> </body></html> and on modsecurity log: Message: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched on the same server i've configured a simple http to https redirection Redirect / https://www.example.test/ with redirect the same test fail: redirects acts before modsecurity? How can i solve this? Thanks in advance Franz |
|
From: Christian F. <chr...@ne...> - 2021-03-18 08:08:14
|
Hey Franz, ModSec works in multiple phases and the redirect is relatively early. In fact Mod_rewrite works in two phases IIRC and here it is faster than ModSec. The rule in question runs in phase 2 and that's relatively late. You have 3 options: - Forget about it. I mean who cares since the attack can not affect you due to the redirect anyways. - Implement the redirect in ModSecurity in ModSec phase 2 after the Core Rule Set include. (-> custom rule) - Move the Redirect into the VH or potentially into the container if that is possible (have not done this in years). That might force apache to execute it later and ModSec comes first. But you need to test this. Best, Christian On Thu, Mar 18, 2021 at 08:54:18AM +0100, Franz Angeli wrote: > Hi, > > Sorry but i'm new on modsecurity, i've installed a Debian apache > server with modsecurity with no custom rules for testing/learning. > > If i try to use: > > curl https://www.example.test/index.html?exec=/bin/bash > > all working fine with: > > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> > <html><head> > <title>403 Forbidden</title> > </head><body> > <h1>Forbidden</h1> > <p>You don't have permission to access this resource.</p> > </body></html> > > and on modsecurity log: > > Message: Warning. Matched phrase "bin/bash" at ARGS:exec. [file > "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] > [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell > Code Found"] [data "Matched > > > on the same server i've configured a simple http to https redirection > Redirect / https://www.example.test/ > > with redirect the same test fail: > > redirects acts before modsecurity? How can i solve this? > > Thanks in advance > > Franz > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Franz A. <fra...@gm...> - 2021-03-18 15:43:07
|
Hi Christian, i moved redirect to .htaccess file and all working fine now... Yes i think ModSec in this way filter before Apache, thanks! Franz Il giorno gio 18 mar 2021 alle ore 09:10 Christian Folini <chr...@ne...> ha scritto: > > Hey Franz, > > ModSec works in multiple phases and the redirect is relatively early. In > fact Mod_rewrite works in two phases IIRC and here it is faster than ModSec. > The rule in question runs in phase 2 and that's relatively late. > > You have 3 options: > - Forget about it. I mean who cares since the attack can not affect you due > to the redirect anyways. > - Implement the redirect in ModSecurity in ModSec phase 2 after the Core Rule > Set include. (-> custom rule) > - Move the Redirect into the VH or potentially into the container if that > is possible (have not done this in years). That might force apache to > execute it later and ModSec comes first. But you need to test this. > > Best, > > Christian > > On Thu, Mar 18, 2021 at 08:54:18AM +0100, Franz Angeli wrote: > > Hi, > > > > Sorry but i'm new on modsecurity, i've installed a Debian apache > > server with modsecurity with no custom rules for testing/learning. > > > > If i try to use: > > > > curl https://www.example.test/index.html?exec=/bin/bash > > > > all working fine with: > > > > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> > > <html><head> > > <title>403 Forbidden</title> > > </head><body> > > <h1>Forbidden</h1> > > <p>You don't have permission to access this resource.</p> > > </body></html> > > > > and on modsecurity log: > > > > Message: Warning. Matched phrase "bin/bash" at ARGS:exec. [file > > "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] > > [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell > > Code Found"] [data "Matched > > > > > > on the same server i've configured a simple http to https redirection > > Redirect / https://www.example.test/ > > > > with redirect the same test fail: > > > > redirects acts before modsecurity? How can i solve this? > > > > Thanks in advance > > > > Franz > > > > > > _______________________________________________ > > mod-security-users mailing list > > mod...@li... > > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > > http://www.modsecurity.org/projects/commercial/rules/ > > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: logo <lo...@kr...> - 2021-03-18 11:13:02
|
Hi Franz, > Am 18.03.2021 um 09:07 schrieb Christian Folini <chr...@ne...>: > > Hey Franz, > > ModSec works in multiple phases and the redirect is relatively early. In > fact Mod_rewrite works in two phases IIRC and here it is faster than ModSec. > The rule in question runs in phase 2 and that's relatively late. > > You have 3 options: > - Forget about it. I mean who cares since the attack can not affect you due > to the redirect anyways. > - Implement the redirect in ModSecurity in ModSec phase 2 after the Core Rule > Set include. (-> custom rule) > - Move the Redirect into the VH or potentially into the container if that > is possible (have not done this in years). That might force apache to > execute it later and ModSec comes first. But you need to test this. > > Best, > > Christian > > On Thu, Mar 18, 2021 at 08:54:18AM +0100, Franz Angeli wrote: >> Hi, >> >> Sorry but i'm new on modsecurity, i've installed a Debian apache >> server with modsecurity with no custom rules for testing/learning. >> >> If i try to use: >> >> curl https://www.example.test/index.html?exec=/bin/bash >> is this to https or http? >> all working fine with: >> >> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> >> <html><head> >> <title>403 Forbidden</title> >> </head><body> >> <h1>Forbidden</h1> >> <p>You don't have permission to access this resource.</p> >> </body></html> >> >> and on modsecurity log: >> >> Message: Warning. Matched phrase "bin/bash" at ARGS:exec. [file >> "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] >> [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell >> Code Found"] [data "Matched >> >> >> on the same server i've configured a simple http to https redirection >> Redirect / https://www.example.test/ >> >> with redirect the same test fail: >> >> redirects acts before modsecurity? How can i solve this? >> if I understood you correctly, the request is also not blocked when you arrive in the site after the redirect (on https?) ? If that is the case, are you enabling Modsecurity globally or only in one VirtualHost? In latter case, you have to also set SecRuleEngine On in the https virtualHost (or even add the whole config there). HTH Peter >> Thanks in advance >> >> Franz >> >> >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
|
From: Blason R <bla...@gm...> - 2021-03-18 13:10:59
|
This should not be the case at all. I am running at least 15 sites with nginx as reverse proxy and apache as virtual host and all that works perfectly fine. However I am offloading my https traffic on my nginx server and then inspecting it only then clean traffic is sent to my backend apache server. Though I am stil on PL1 and figuring out how the rule chain works and understanding lot other concepts like Anomaly mode PL levels Phase etc... On Thu, Mar 18, 2021 at 4:48 PM logo <lo...@kr...> wrote: > Hi Franz, > > Am 18.03.2021 um 09:07 schrieb Christian Folini < > chr...@ne...>: > > Hey Franz, > > ModSec works in multiple phases and the redirect is relatively early. In > fact Mod_rewrite works in two phases IIRC and here it is faster than > ModSec. > The rule in question runs in phase 2 and that's relatively late. > > You have 3 options: > - Forget about it. I mean who cares since the attack can not affect you due > to the redirect anyways. > - Implement the redirect in ModSecurity in ModSec phase 2 after the Core > Rule > Set include. (-> custom rule) > - Move the Redirect into the VH or potentially into the container if that > is possible (have not done this in years). That might force apache to > execute it later and ModSec comes first. But you need to test this. > > Best, > > Christian > > On Thu, Mar 18, 2021 at 08:54:18AM +0100, Franz Angeli wrote: > > Hi, > > Sorry but i'm new on modsecurity, i've installed a Debian apache > server with modsecurity with no custom rules for testing/learning. > > If i try to use: > > curl https://www.example.test/index.html?exec=/bin/bash > > > is this to https or http? > > all working fine with: > > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> > <html><head> > <title>403 Forbidden</title> > </head><body> > <h1>Forbidden</h1> > <p>You don't have permission to access this resource.</p> > </body></html> > > and on modsecurity log: > > Message: Warning. Matched phrase "bin/bash" at ARGS:exec. [file > "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] > [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell > Code Found"] [data "Matched > > > > > on the same server i've configured a simple http to https redirection > Redirect / https://www.example.test/ > > with redirect the same test fail: > > redirects acts before modsecurity? How can i solve this? > > > if I understood you correctly, the request is also not blocked when you > arrive in the site after the redirect (on https?) ? > > If that is the case, are you enabling Modsecurity globally or only in one > VirtualHost? In latter case, you have to also set SecRuleEngine On in the > https virtualHost (or even add the whole config there). > > HTH > > Peter > > > Thanks in advance > > Franz > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > |
Thanks for helping keep SourceForge clean.
X