Thread: [mod-security-users] Filter Rules by IP Address
From: Naveen A. <na...@gm...> - 2005-10-25 04:33:54
Hi All,

Newbie to ModSecurity. I was wondering, is there a way to open up rules for certain IP addresses?

Thanks a gazillion!
Naveen
From: Ryan B. <rcb...@gm...> - 2005-10-25 11:38:16
Naveen,

Think of the mod_security directives (SecFilter|SecFilterSelective) as you would firewall rules, in that the order in which they are specified in the httpd.conf file does matter. Again, like firewall rules, once a filter matches the incoming HTTP request it will trigger the actions specified. With this being said, if you want to "whitelist" an IP address to allow this client access, then add in a rule like this near the top of your Mod_Security directives:

SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass

Add this just below the mod_security general directives (such as SecFilterEngine, etc.). That should do it.

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
From: Jeffrey K. <jef...@gm...> - 2005-10-25 13:02:41
Ryan:

Just to follow up on your comment about firewall rules: in the case of a high-volume/high-traffic site, would rules for specific IP addresses -- say, a couple of particularly bad spammers -- be better handled at the iptables level, so that the hits don't even get far enough to cause load on Apache (and mod_security)?

-Jeff

Jeffrey Knight
Oceansuit Information Systems, LLC
www.oceansuit.com
From: Naveen A. <na...@gm...> - 2005-10-25 16:47:09
Hi Ryan,

I appreciate your quick response and help. I am still not able to configure it properly. Just like you said, I added

SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass

I tried putting it right below the SecFilterEngine and other places too. And I am getting this error in the log file. Maybe I am missing something.

UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
Request: 196.168.0.94 - - [25/Oct/2005:11:39:02 --0500] "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
Handler: server-parsed
----------------------------------------
GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
User-Agent: Contribute
Host: www.outreach.olemiss.edu
Cookie: phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D; PHPSESSID=59ded4be35990378545d942f2a11c0f9
mod_security-message: Access denied with code 403. Pattern match "/tmp" at THE_REQUEST
mod_security-action: 403

HTTP/1.1 403 Forbidden
Content-Length: 232

Could you help me? And just for info, I am trying to configure Macromedia Contribute.

Thanks a lot,

naveen
From: Christopher M. <mu...@to...> - 2005-10-25 16:53:53
Hi Naveen, your problem isn't with the IP rule you created. Your error was:

mod_security-message: Access denied with code 403. Pattern match "/tmp" at THE_REQUEST

The request you sent:

GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232

has /TMP (lowercased, /tmp) in it. You must have another rule higher in your chain that's disallowing URLs referencing /tmp.

--
Regards,

-Chris

_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576
From: Naveen A. <na...@gm...> - 2005-10-25 17:02:32
Chris,

I have attached my conf file. Would you please look at it? I have placed the rule right below the SecFilterEngine. In that case, won't that rule be higher than the other ones? Maybe I am sounding dumb. I am trying to read the book and understand slowly. I would appreciate it if you can look at the conf file. Everyone on this list is so active and helpful.

Thanks a lot,
naveen
From: Naveen A. <na...@gm...> - 2005-10-25 17:03:01
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
SecFilterEngine DynamicOnly

# Naveen
SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"

SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"
# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"
# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"
# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"
# WEB-ATTACKS chown command attempt
SecFilter "/chown"
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"
# WEB-ATTACKS netcat command attempt
#SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
#SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass
# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass
# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC http directory traversal
SecFilter "\.\.\\"
# WEB-MISC http directory traversal
SecFilter "\.\./"
# WEB-MISC ls%20-l
SecFilter "ls\x20-l"
# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC /.... access
SecFilter "/\.\.\.\."
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass
# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass
# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"
# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"
# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass
# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"
# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass
# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass
# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass
# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass
# WEB-PHP phpBB viewtopic.php
SecFilterSelective THE_REQUEST "viewtopic.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log

# EXTRAS
SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<( |\n)*script"
#SecFilter "<(.|\n)+>"
#SecFilter "delete[[:space:]]+from"
#SecFilter "insert[[:space:]]+into"
#SecFilter "select.+from"
</IfModule>
From: Christopher M. <mu...@to...> - 2005-10-25 17:14:16
Move your IP rule down under:

SecFilterDebugLog logs/modsec_debug_log

At the very bottom of the module you have:

SecFilter "/tmp"

That looks to be getting you. Try moving your code down first.

--
Regards,

-Chris

_______________________________________________
Christopher Murley
Network Administrator
TownNews.Com
800.293.9576

Naveen Amradi said:
> Forgot to attach file in the previous reply.
> Thanks,
> naveen
From: Ryan B. <rcb...@gm...> - 2005-10-25 17:14:44
Sorry about that - I used the wrong env token. Use this instead:

SecFilterSelective REMOTE_ADDR "^192\.168\.0\.94$" allow

Also, just use "allow" at the end. This should tell mod_security to allow the request and to not apply any other filters.

If it is still getting blocked by another filter, check the debug log file. Looking at your conf file, you need to turn this on (0 does no logging). Set this log level to 9 if you want the most verbose info:

# You normally won't need debug logging
SecFilterDebugLevel 9
SecFilterDebugLog logs/modsec_debug_log

--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
From: Naveen A. <na...@gm...> - 2005-10-25 17:56:59
SecFilterSelective REMOTE_ADDR ^196.168.0.94$ allow

worked. I tried that before Ryan replied, but with allow,pass. So I guess with pass in it, it was allowing the IP address but still applying the other rules.

I really appreciate your help, guys.

Thanks a lot,
Naveen
From: Naveen A. <na...@gm...> - 2005-10-25 17:59:30
|
Just curious, Can I allow a full subnet like this
SecFilterSelective REMOTE_ADDR ^196.168.0.*$ allow. I will give it a try.

Thanks,
naveen

On 10/25/05, Naveen Amradi <na...@gm...> wrote:
> SecFilterSelective REMOTE_ADDR ^196.168.0.94$ allow
> worked. I tried that before Ryan replied but with allow,pass.
> So I guess with pass in it, it was allowing the IP address but still
> applying the other rules.
>
> I really appreciate your help guys.
>
> Thanks a lot,
> Naveen
>
> On 10/25/05, Ryan Barnett <rcb...@gm...> wrote:
> > Sorry about that - I used the wrong env token. Use this instead -
> >
> > SecFilterSelective REMOTE_ADDR "^192\.168\.0\.94$" allow
> >
> > Also, just use "allow" at the end. This should tell mod_security to allow
> > the request and to not apply any other filters.
> >
> > If it is still getting blocked by another filter, check the debug log file.
> > Looking at your conf file, you need to turn this on (0 does no logging).
> > Set this log level to 9 if you want the most verbose info. -
> >
> > # You normally won't need debug logging
> > SecFilterDebugLevel 9
> > SecFilterDebugLog logs/modsec_debug_log
> >
> > --
> > Ryan C. Barnett
> > Web Application Security Consortium (WASC) Member
> > CIS Apache Benchmark Project Lead
> > SANS Instructor: Securing Apache
> > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> >
> > Author: Preventing Web Attacks with Apache
> >
> > On 10/25/05, Naveen Amradi <na...@gm...> wrote:
> > >
> > > HI Ryan,
> > >
> > > I appreciate your quick response and help.
> > > I am still not able to configure it properly.
> > > Just like you said I added
> > >
> > > SecFilterSelective REMOTE_HOST "^192\.168\.0\.94$" allow,pass
> > >
> > > I tried putting it right below the SecFilterEngine and other places too.
> > And I am getting this error in the log file. Maybe I am missing something.
> > >
> > > UNIQUE_ID: xv7hbIJKVE8AAFQjVXYAAAAE
> > > Request: 196.168.0.94 - - [25/Oct/2005:11:39:02 --0500] "GET
> > /study_abroad/TMPzad38oxcyx.htm HTTP/1.1" 403 232
> > > Handler: server-parsed
> > > ----------------------------------------
> > > GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1
> > > User-Agent: Contribute
> > > Host: www.outreach.olemiss.edu
> > > Cookie:
> > phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D;
> > PHPSESSID=59ded4be35990378545d942f2a11c0f9
> > > mod_security-message: Access denied with code 403. Pattern match "/tmp" at
> > THE_REQUEST
> > > mod_security-action: 403
> > >
> > > HTTP/1.1 403 Forbidden
> > > Content-Length: 232
> > >
> > > Could you help me? And just for info I am trying to configure Macromedia
> > Contribute.
> > >
> > > Thanks a lot,
> > >
> > > naveen
> > >
> > > On 10/25/05, Ryan Barnett <rcb...@gm... > wrote:
> > > >
> > > > Naveen,
> > > > Think of the mod_security directives (SecFilter|SecFilterSelective) as
> > you would firewall rules in that the order in which they are specified in
> > the httpd.conf file does matter. Again, like firewall rules, once a filter
> > matches the incoming HTTP request it will trigger the actions specified.
> > With this being said, if you want to "whitelist" an IP address to allow this
> > client access, then add in a rule like this near the top of your
> > Mod_Security directives -
> > > >
> > > > SecFilterSelective REMOTE_HOST "^192\.168\.1\.100$" allow,pass
> > > >
> > > > Add this just below the mod_security general directives (such as
> > SecFilterEngine, etc....).
> > > >
> > > > That should do it.
> > > >
> > > > --
> > > > Ryan C. Barnett
> > > > Web Application Security Consortium (WASC) Member
> > > > CIS Apache Benchmark Project Lead
> > > > SANS Instructor: Securing Apache
> > > > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> > > > Author: Preventing Web Attacks with Apache
> > > >
> > > > On 10/25/05, Naveen Amradi <na...@gm... > wrote:
> > > > > HI All,
> > > > >
> > > > > Newbie of ModSecurity. I was wondering is there a way to
> > > > > open up rules for certain ip addresses.
> > > > >
> > > > > Thanks a gazillion!
> > > > > Naveen
> > > > >
> > > >
|
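The two things this exchange turns on, as an added example in Python (it is not code from the thread or from the ModSecurity project): building a REMOTE_ADDR regex for a whole subnet that escapes the dots and bounds the last octet, unlike the loose `^196.168.0.*$` proposed above, and a small model of the ordered, first-match rule walk Ryan describes, which reproduces why `allow,pass` still let the `/tmp` filter return a 403 while a plain `allow` does not. `evaluate()` is a simplified model of that description, not the module's real engine; the addresses are the ones used in the thread, and the `203.0.113.7` client and the request dictionaries are constructed sample input.

```python
"""Whitelisting a client subnet with ModSecurity 1.x SecFilterSelective.

Added example; not code from this thread or from the ModSecurity project.
It covers the two points the replies turn on:

  1. a REMOTE_ADDR regex for a subnet should escape the dots and bound the
     free octets, unlike the loose "^196.168.0.*$" proposed in the thread;
  2. a plain "allow" stops filter processing, while "allow,pass" lets later
     filters (the "/tmp" one in Naveen's log) still fire.

evaluate() is a small model of the first-match rule walk Ryan describes,
not the real module's engine.  Addresses are the ones used in the thread.
"""
import ipaddress
import re


def subnet_regex(cidr: str) -> str:
    """Anchored regex for an octet-aligned IPv4 subnet (/8, /16, /24, /32).

    Fixed octets are written literally with escaped dots; free octets are
    limited to 1-3 digits, so the pattern only matches a dotted quad that
    lies inside the subnet.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen % 8:
        raise ValueError("only octet-aligned prefixes are handled here")
    fixed = net.prefixlen // 8
    octets = str(net.network_address).split(".")
    parts = octets[:fixed] + [r"\d{1,3}"] * (4 - fixed)
    return "^" + r"\.".join(parts) + "$"


def whitelist_rule(cidr: str) -> str:
    """Render the ModSecurity 1.x directive with a plain "allow" action."""
    return f'SecFilterSelective REMOTE_ADDR "{subnet_regex(cidr)}" allow'


def matches(pattern: str, value: str) -> bool:
    return re.search(pattern, value) is not None


LOOSE = r"^196.168.0.*$"   # the thread's proposal: unescaped dots, unbounded tail


def evaluate(rules, request):
    """Walk (variable, regex, actions) rules in order and return the verdict.

    "deny" blocks; "allow" without "pass" short-circuits with an allow; a
    match carrying "pass" is only recorded and evaluation continues.  When
    no rule decides, the request proceeds ("pass").  THE_REQUEST is matched
    case-insensitively because the thread's log shows the lowercase "/tmp"
    filter hitting "/TMPzad38oxcyx.htm".
    """
    for variable, pattern, actions in rules:
        flags = re.IGNORECASE if variable == "THE_REQUEST" else 0
        if not re.search(pattern, request.get(variable, ""), flags):
            continue
        acts = set(actions.split(","))
        if "deny" in acts:
            return "deny"
        if "allow" in acts and "pass" not in acts:
            return "allow"
    return "pass"


# Constructed requests modelled on the log excerpt in the thread; 203.0.113.7
# is a documentation address standing in for an outside client.
TMP_RULE = ("THE_REQUEST", r"/tmp", "deny,status:403")
INSIDE = {"REMOTE_ADDR": "196.168.0.94",
          "THE_REQUEST": "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1"}
OUTSIDE = {"REMOTE_ADDR": "203.0.113.7",
           "THE_REQUEST": "GET /study_abroad/TMPzad38oxcyx.htm HTTP/1.1"}


def verdicts(cidr: str) -> dict:
    """Show why "allow,pass" still produced a 403 and plain "allow" does not."""
    tight = subnet_regex(cidr)
    return {
        "allow": evaluate([("REMOTE_ADDR", tight, "allow"), TMP_RULE], INSIDE),
        "allow,pass": evaluate([("REMOTE_ADDR", tight, "allow,pass"), TMP_RULE], INSIDE),
        "outside": evaluate([("REMOTE_ADDR", tight, "allow"), TMP_RULE], OUTSIDE),
    }


if __name__ == "__main__":
    print(whitelist_rule("196.168.0.0/24"))
    for sample in ("196.168.0.94", "196.168.1.94", "196.168.0.1.99"):
        print(f"{sample:16} loose={matches(LOOSE, sample)} "
              f"tight={matches(subnet_regex('196.168.0.0/24'), sample)}")
    print(verdicts("196.168.0.0/24"))
```

Running the script prints the directive for the /24, the loose-versus-tight match table, and the three verdicts. Two caveats worth keeping in mind when pasting the rendered directive into httpd.conf: REMOTE_ADDR is the address of the TCP peer, so behind a reverse proxy or load balancer every request would carry the proxy's address and the whitelist would apply to all of them, and a whitelist placed near the top of the filter list, as Ryan recommends, skips every later filter for that client, so the subnet should be no wider than the hosts that actually need the exemption.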
