mod-security-users

[mod-security-users] Chroot + Frontpage

[Domenico \DoM\ De M. <do...@mi...>]

Hi,
Before all greets for your mod really helpful :)
Great job!

And now my question :P
I have apache 1.3.33 + frontpage extension.
Chroot works great for all but not for frontpage.
On error_log i receive this at apache start:

Apache/1.3.33 (Unix) mod_throttle/3.1.2 PHP/4.3.10 FrontPage/5.0.2.2635 
configured -- resuming normal operations

And when i try to login with frontpage, prompt login doesnt appear and 
fp_client just tell me that no windows sharepoints are presente on that 
server.
No error anymore not in error_log neither in audit_log or modsec_debug.

If i stop Chroot enviroment everything works fine but i wanna chroot :!

THx & Byez DoM

Re: [mod-security-users] Chroot + Frontpage

[Ivan R. <iv...@we...>]

Domenico "DoM" De Monte wrote:
> Hi,
> Before all greets for your mod really helpful :)
> Great job!
> 
> And now my question :P
> I have apache 1.3.33 + frontpage extension.
> Chroot works great for all but not for frontpage.
> On error_log i receive this at apache start:
> 
> Apache/1.3.33 (Unix) mod_throttle/3.1.2 PHP/4.3.10 FrontPage/5.0.2.2635 
> configured -- resuming normal operations
> 
> And when i try to login with frontpage, prompt login doesnt appear and 
> fp_client just tell me that no windows sharepoints are presente on that 
> server.
> No error anymore not in error_log neither in audit_log or modsec_debug.
> 
> If i stop Chroot enviroment everything works fine but i wanna chroot :!

   :)

   You should try running Apache as a single process (-X) in order to
   attach strace to it to observe what FrontPage is trying to do. For
   example:

   # cd /usr/local/apache
   # strace ./bin/httpd -X -f ./conf/httpd.conf

   Now try to connect. Hopefully you will get something meaningful.

-- 
Ivan Ristic (http://www.modsecurity.org)

[mod-security-users] mod_security throttling?

[Scot H. <sh...@bi...>]

Hi -

I'm trying to find a way to block the bulk of Movable Type  comment spam at
the apache level, rather than at the weblog level. Is mod_security capable
of any kind of throttling, i.e. more than a given number of requests on a
single script per  time interval get dropped? Or is this a job for
mod_dosevasive?

I know that mod_security can be made to integrate with MT Blacklist, but
that approach will not catch the bulk of requests that can  cripple a server
with a lot  of MT blogs, since most server-crippling comment spam sessions
include strings that are not yet  blacklisted;  hence I'd like to try
another approach --  blocking any too-frequent CGI requests.

Thanks,
Scot

Re: [mod-security-users] mod_security throttling?

[Ivan R. <iv...@we...>]

> I'm trying to find a way to block the bulk of Movable Type  comment spam at
> the apache level, rather than at the weblog level. Is mod_security capable
> of any kind of throttling, i.e. more than a given number of requests on a
> single script per  time interval get dropped? Or is this a job for
> mod_dosevasive?

   mod_dosevasive can do it but it works on per-process level. There's
   no security-aware throttling module available for Apache that I'm
   aware. ModSecurity 2.x will be.

   What rate of comment spam are you getting? There's a script called
   apache-protect (http://www.apachesecurity.net), which monitors
   mod_status output to detect too many requests for the same URL. It
   then uses iptables to ban the offending IP address.

-- 
Ivan Ristic (http://www.modsecurity.org)

RE: [mod-security-users] mod_security throttling?

[Eli <eli...@ex...>]

>> I'm trying to find a way to block the bulk of Movable Type  comment 
>> spam at the apache level, rather than at the weblog level. Is 
>> mod_security capable of any kind of throttling, i.e. more than a given 
>> number of requests on a single script per  time interval get dropped? 
>> Or is this a job for mod_dosevasive?

>   mod_dosevasive can do it but it works on per-process level. There's
>   no security-aware throttling module available for Apache that I'm
>   aware. ModSecurity 2.x will be.

>   What rate of comment spam are you getting? There's a script called
>   apache-protect (http://www.apachesecurity.net), which monitors
>   mod_status output to detect too many requests for the same URL. It
>   then uses iptables to ban the offending IP address.


This is only for Apache 1.3.x but does what you want:

http://www.snert.com/Software/mod_throttle/

However, no compatibility for Apache 2.x.  Also be cautious as there is an
apparent root exploit possible for the current version - version 4 which is
not yet released is supposed to fix this bug.

I found this for Apache 2.x:

http://www.topology.org/src/bwshare/README.html

Let me know if you test bwshare in Apache 2.x - I'd be interested to know if
it works well or not.

Eli.