Thread: [mod-security-users] Filter Rules by IP Address
From: Naveen A. <na...@gm...> - 2005-10-25 04:33:54

Hi all,

Newbie to ModSecurity. I was wondering if there is a way to open up rules for certain IP addresses.

Thanks a gazillion!
Naveen
From: Ryan B. <rcb...@gm...> - 2005-10-25 11:38:16

Naveen,

Think of the mod_security directives (SecFilter|SecFilterSelective) as you would firewall rules, in that the order in which they are specified in the httpd.conf file does matter. Again, like firewall rules, once a filter matches the incoming HTTP request it will trigger the actions specified. With this being said, if you want to "whitelist" an IP address to allow this client access, then add a rule like this near the top of your Mod_Security directives:

SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass

Add this just below the mod_security general directives (such as SecFilterEngine, etc.). That should do it.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
From: Jeffrey K. <jef...@gm...> - 2005-10-25 13:02:41

Ryan:

Just to follow up on your comment about firewall rules: in the case of a high-volume/high-traffic site, would rules for specific IP addresses -- say, a couple of particularly bad spammers -- be better handled at the iptables level, so that the hits don't even get far enough to cause load on Apache (and mod_security)?

-Jeff

Jeffrey Knight
Oceansuit Information Systems, LLC
www.oceansuit.com
From: Naveen A. <na...@gm...> - 2005-10-25 16:47:09

Hi Ryan,

I appreciate your quick response and help. I am still not able to configure it properly. Just like you said, I added

SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass

I tried putting it right below the SecFilterEngine and other places too, and I am getting this error in the log file. Maybe I am missing something.

UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
Request: 196.168.0.94 - - [25/Oct/2005:11:39:02 --0500] "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
Handler: server-parsed
----------------------------------------
GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
User-Agent: Contribute
Host: www.outreach.olemiss.edu
Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D; PHPSESSID=59ded4be35990378545d942f2a11c0f9
mod_security-message: Access denied with code 403. Pattern match "/tmp" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Length: 232

Could you help me? And just for info, I am trying to configure Macromedia Contribute.

Thanks a lot,

naveen
From: Christopher M. <mu...@to...> - 2005-10-25 16:53:53

Hi Naveen, your problem isn't with the IP rule you created. Your error was:

mod_security-message: Access denied with code 403. Pattern match "/tmp" at THE_REQUEST

The request you sent:

GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232

has /TMP (lowercased: /tmp) in it. You must have another rule higher in your chain that's disallowing URLs referencing /tmp.

--
Regards,

-Chris

_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576
From: Naveen A. <na...@gm...> - 2005-10-25 17:02:32

Chris,

I have attached my conf file. Would you please look at it? I have placed the rule right below the SecFilterEngine. In that case, won't that rule be higher than the other ones? Maybe I am sounding dumb. I am trying to read the book and understand slowly. I would appreciate it if you can look at the conf file.

Everyone on this list is so active and helpful.

Thanks a lot,

naveen
From: Naveen A. <na...@gm...> - 2005-10-25 17:03:01

<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
SecFilterEngine DynamicOnly
# Naveen
SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"
# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"
# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"
# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"
# WEB-ATTACKS chown command attempt
SecFilter "/chown"
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"
# WEB-ATTACKS netcat command attempt
#SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
#SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass
# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass
# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC http directory traversal
SecFilter "\.\.\\"
# WEB-MISC http directory traversal
SecFilter "\.\./"
# WEB-MISC ls%20-l
SecFilter "ls\x20-l"
# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC /.... access
SecFilter "/\.\.\.\."
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass
# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass
# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"
# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"
# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass
# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"
# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass
# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass
# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass
# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass
# WEB-PHP phpBB viewtopic.php
# (dot escaped: an unescaped '.' in a regex matches any character)
SecFilterSelective THE_REQUEST "viewtopic\.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log
# EXTRAS
SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
# ('+' escaped: unescaped it is a regex quantifier, so "/lost+found" would match "/lostfound" and never "/lost+found")
SecFilter "/lost\+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<( |\n)*script"
#SecFilter "<(.|\n)+>"
#SecFilter "delete[[:space:]]+from"
#SecFilter "insert[[:space:]]+into"
#SecFilter "select.+from"
</IfModule>
From: Christopher M. <mu...@to...> - 2005-10-25 17:14:16

Move your IP rule down under:

SecFilterDebugLog logs/modsec_debug_log

At the very bottom of the module you have:

SecFilter "/tmp"

That looks to be getting you. Try moving your code down first.

--
Regards,

-Chris

_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576

Naveen Amradi said:
> Forgot to attach file in the previous reply.
> Thanks,
> naveen
From: Ryan B. <rcb...@gm...> - 2005-10-25 17:14:44

Sorry about that - I used the wrong env token. Use this instead:

SecFilterSelective REMOTE_ADDR "^192\.168\.0\.94$" allow

Also, just use "allow" at the end. This should tell mod_security to allow the request and to not apply any other filters.

If it is still getting blocked by another filter, check the debug log file. Looking at your conf file, you need to turn this on (0 does no logging). Set this log level to 9 if you want the most verbose info:

# You normally won't need debug logging
SecFilterDebugLevel 9
SecFilterDebugLog logs/modsec_debug_log

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
From: Naveen A. <na...@gm...> - 2005-10-25 17:56:59

SecFilterSelective REMOTE_ADDR ^196.168.0.94$ allow

worked. I tried that before Ryan replied, but with allow,pass. So I guess with pass in it, it was allowing the IP address but still applying the other rules.

I really appreciate your help, guys.

Thanks a lot,
Naveen
From: Naveen A. <na...@gm...> - 2005-10-25 17:59:30
|
Just curious, can I allow a full subnet like this?

SecFilterSelective REMOTE_ADDR ^196.168.0.*$ allow

I will give it a try.

Thanks,
naveen

On 10/25/05, Naveen Amradi <na...@gm...> wrote:
> SecFilterSelective REMOTE_ADDR ^196.168.0.94$ allow
> worked. I tried that before Ryan replied but with allow,pass.
> So I guess with pass in it, it was allowing the IP address but still
> applying the other rules.
>
> I really appreciate your help guys.
>
> Thanks a lot,
> Naveen
>
> On 10/25/05, Ryan Barnett <rcb...@gm...> wrote:
> > Sorry about that - I used the wrong env token. Use this instead -
> >
> > SecFilterSelective REMOTE_ADDR "^192\.168\.0\.94$" allow
> >
> > Also, just use "allow" at the end. This should tell mod_security to allow
> > the request and to not apply any other filters.
> >
> > If it is still getting blocked by another filter, check the debug log file.
> > Looking at your conf file, you need to turn this on (0 does no logging).
> > Set this log level to 9 if you want the most verbose info. -
> >
> > # You normally won't need debug logging
> > SecFilterDebugLevel 9
> > SecFilterDebugLog logs/modsec_debug_log
> >
> > --
> > Ryan C. Barnett
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor: Securing Apache
> > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > Author: Preventing Web Attacks with Apache
> >
> > On 10/25/05, Naveen Amradi <na...@gm...> wrote:
> > > HI Ryan,
> > >
> > > I appreciate your quick response and help.
> > > I am still not able to configure it properly.
> > > Just like you said I added
> > >
> > > SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass
> > >
> > > I tried putting it right below the SecFilterEngine and other places too.
> > > And I am getting this error in the log file. Maybe I am missing something.
> > >
> > > UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
> > > Request: 196.168.0.94 - - [25/Oct/2005:11:39:02 --0500] "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
> > > Handler: server-parsed
> > > ----------------------------------------
> > > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
> > > User-Agent: Contribute
> > > Host: www.outreach.olemiss.edu
> > > Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D; PHPSESSID=59ded4be35990378545d942f2a11c0f9
> > > mod_security-message: Access denied with code 403. Pattern match "/tmp" at THE_REQUEST
> > > mod_security-action: 403
> > >
> > > HTTP/1.1 403 Forbidden
> > > Content-Length: 232
> > >
> > > Could you help me? And just for info, I am trying to configure Macromedia Contribute.
> > >
> > > Thanks a lot,
> > >
> > > naveen
> > >
> > > On 10/25/05, Ryan Barnett <rcb...@gm...> wrote:
> > > > Naveen,
> > > > Think of the mod_security directives (SecFilter|SecFilterSelective) as
> > > > you would firewall rules in that the order in which they are specified in
> > > > the httpd.conf file does matter. Again, like firewall rules, once a filter
> > > > matches the incoming HTTP request it will trigger the actions specified.
> > > > With this being said, if you want to "whitelist" an IP address to allow this
> > > > client access, then add in a rule like this near the top of your
> > > > Mod_Security directives -
> > > >
> > > > SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass
> > > >
> > > > Add this just below the mod_security general directives (such as
> > > > SecFilterEngine, etc....).
> > > >
> > > > That should do it.
> > > >
> > > > --
> > > > Ryan C. Barnett
> > > > Web Application Security Consortium (WASC) Member
> > > > CIS Apache Benchmark Project Lead
> > > > SANS Instructor: Securing Apache
> > > > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > > > Author: Preventing Web Attacks with Apache
> > > >
> > > > On 10/25/05, Naveen Amradi <na...@gm...> wrote:
> > > > > HI All,
> > > > >
> > > > > Newbie of ModSecurity. I was wondering is there a way to
> > > > > open up rules for certain ip addresses.
> > > > >
> > > > > Thanks a gazillion!
> > > > > Naveen
|
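The subnet pattern asked about above (`^196.168.0.*$`) has unescaped dots and an unbounded tail, so it whitelists more than the intended /24. The following dry-run script is an added example, not code from the thread or from ModSecurity; it assumes Python's `re` module matches these simple patterns the same way the PCRE engine behind `SecFilterSelective REMOTE_ADDR` does, and uses constructed sample addresses.

```python
"""Dry-run an IP whitelist regex before putting it in a SecFilterSelective
REMOTE_ADDR rule.  Added example, not code from the thread or from
ModSecurity; assumes Python's re behaves like the PCRE matching used by
mod_security 1.x for these simple anchored patterns."""
import ipaddress
import re

# The pattern proposed in the thread, and a tightened form of it.
LOOSE_SUBNET = r"^196.168.0.*$"            # dots unescaped, tail unbounded
STRICT_SUBNET = r"^196\.168\.0\.\d{1,3}$"  # literal dots, exactly one last octet

# Constructed sample values: some inside 196.168.0.0/24, some outside,
# some not addresses at all (REMOTE_ADDR is set by Apache, but the regex
# itself does not know that).
SAMPLE_ADDRS = [
    "196.168.0.94",    # inside the intended /24
    "196.168.0.1",     # inside
    "196.168.01.5",    # outside: third octet is "01", not "0"
    "196.168.0.94.7",  # not an IPv4 address
    "196x168x0x94",    # not an IPv4 address; dots matched as wildcards
    "196.168.1.94",    # outside: neighbouring /24
    "10.0.0.1",        # outside
]


def whitelisted(pattern: str, addr: str) -> bool:
    """True if the REMOTE_ADDR regex would match this client address."""
    return re.search(pattern, addr) is not None


def in_intended_subnet(addr: str, subnet: str = "196.168.0.0/24") -> bool:
    """Ground truth: is addr a real IPv4 address inside the subnet?"""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(subnet)
    except ValueError:
        return False


def over_matches(pattern: str, addrs=SAMPLE_ADDRS) -> list:
    """Addresses the regex would allow although they are not in the subnet."""
    return [a for a in addrs if whitelisted(pattern, a) and not in_intended_subnet(a)]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_SUBNET), ("strict", STRICT_SUBNET)):
        print(f"{name:6} {pat!r:30} over-matches: {over_matches(pat)}")
```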
