Thread: [mod-security-users] Why doesn't my mod_security catch / log anything?
From: Emre S. <emr...@gm...> - 2011-03-16 12:13:22
Hello,
I installed mod_security on my Ubuntu GNU/Linux server but when I send
some simple requests to the web server that should match even the
simplest rules, I fail to see any alerts or any log files that were
supposed to exist in /var/log/apache2. What am I missing?
Before proceeding further, here are my system details:
$ apache2ctl -t -D DUMP_MODULES | grep secu
Syntax OK
security2_module (shared)
$ sudo lsof | grep mod_security
apache2 12773 root     mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
apache2 15287 www-data mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
apache2 15288 www-data mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
...
I also checked for libxml2 and liblua5.1 and lsof reports that they
are opened by apache2 user.
And here is the relevant part from my /etc/apache2/apache2.conf:
<IfModule mod_security2.c>
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
# Debug log
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 3
# Serial audit log
#SecAuditEngine RelevantOnly
SecAuditEngine On
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to 512 KB in length
SecResponseBodyLimit 524288
# Configure default blocking policy
# see ModSecurity Handbook, p. 175
#
#SecDefaultAction "phase:1,log,auditlog,pass"
Include /etc/apache2/modsecurity-crs_2.0.6/*.conf
Include /etc/apache2/modsecurity-crs_2.0.6/base_rules/*.conf
SecFilter "/bin/"
SecFilter "/cgi-bin" "deny,log,status:500"
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
</IfModule>
So I expect that if I try to visit my web site and send a request that
matches one of the filters I declared above using SecFilter or
anything that matches the base rules, etc. then I should see something
in those files:
/var/log/apache2/modsec_debug.log
/var/log/apache2/modsec_audit.log
right?
For example I try to visit my site using the following requests:
http://www.myserver.com/cgi-bin
http://www.myserver.com/index.html?q=/cgi-bin
http://www.myserver.com/bin
http://www.myserver.com/index.html?q=/bin
http://www.myserver.com/index.html?q=/bin/
But I don't see anything in the relevant files, they are still empty:
$ ls -lh /var/log/apache2/modsec_*
-rw-r--r-- 1 www-data www-data 0 2011-03-16 10:31 /var/log/apache2/modsec_audit.log
-rw-r--r-- 1 www-data www-data 0 2011-03-16 10:30 /var/log/apache2/modsec_debug.log
And in the /var/log/apache2/error.log I only see the usual 'File does
not exist' entries, no alerts related to mod_security.
What am I missing?
--
Emre Sevinc
From: Josh Amishav-Z. <ja...@gm...> - 2011-03-16 12:29:16
Not directly related, but it looks like you installed a really old
version of modsecurity. The most recent version is 2.5.13. Lots has
changed, for example the SecFilter directive you use is no longer
supported.

--
- Josh

On Wed, Mar 16, 2011 at 2:13 PM, Emre Sevinc <emr...@gm...> wrote:
> Hello,
>
> I installed mod_security on my Ubuntu GNU/Linux server but when I send
> some simple requests to the web server that should match even the
> simplest rules, I fail to see any alerts or any log files that were
> supposed to exist in /var/log/apache2. What am I missing?
> [...]
> And in the /var/log/apache2/error.log I only see the usual 'File does
> not exist' entries, no alerts related to mod_security.
>
> What am I missing?
>
> --
> Emre Sevinc
From: Emre S. <emr...@gm...> - 2011-03-16 12:48:26
On Wed, Mar 16, 2011 at 1:28 PM, Josh Amishav-Zlatin <ja...@gm...> wrote:
> Not directly related, but it looks like you installed a really old
> version of modsecurity.

My operating system is Ubuntu (Lucid) 10.04.2 LTS and according to
package information the installed mod-security version and
libapache-mod-security packages are:

http://packages.ubuntu.com/lucid/mod-security-common
http://packages.ubuntu.com/lucid/libapache-mod-security

That is version 2.5.11-1 for both of them. I installed modsecurity
from the Ubuntu repositories. Can this really be a problem?

> The most recent version is 2.5.13. Lots has
> changed, for example the SecFilter directive you use is no longer
> supported.

Oh, I didn't know that! Thank you. How should I change it to test if
mod_security catches some requests, denies them and logs this into the
relevant file?

--
Emre
From: Josh Amishav-Z. <ja...@gm...> - 2011-03-16 13:06:37
On Wed, Mar 16, 2011 at 2:48 PM, Emre Sevinc <emr...@gm...> wrote:
> On Wed, Mar 16, 2011 at 1:28 PM, Josh Amishav-Zlatin <ja...@gm...> wrote:
>> Not directly related, but it looks like you installed a really old
>> version of modsecurity.
>
> My operating system is Ubuntu (Lucid) 10.04.2 LTS and according to
> package information the installed mod-security version and
> libapache-mod-security packages are:
>
> http://packages.ubuntu.com/lucid/mod-security-common
> http://packages.ubuntu.com/lucid/libapache-mod-security
>
> That is version 2.5.11-1 for both of them. I installed modsecurity
> from the Ubuntu repositories. Can this really be a problem?

Hi Emre,

2.5.11 is fine, I misread your config snippet.

>> The most recent version is 2.5.13. Lots has
>> changed, for example the SecFilter directive you use is no longer
>> supported.
>
> Oh, I didn't know that! Thank you. How should I change it to test if
> mod_security catches some requests, denies them and log this into the
> relevant file?

Try:

SecRule REQUEST_URI "cgi-bin" deny,log,auditlog,status:500

--
- Josh
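An added example, not part of Josh's reply and not code from the ModSecurity project: the three 1.x directives in the original config (SecFilterDefaultAction and the two SecFilter lines) rewritten in the 2.x rule language that Josh's SecRule uses. The rule ids are arbitrary local numbers chosen for this example; 2.5.11 does not require them, but 2.7.0 and later refuse rules without one. Two things worth knowing while testing: a plain deny answers 403 unless a status action says otherwise, and with SecAuditEngine On every transaction is written to the audit log whether or not a rule matched (SecAuditLogRelevantStatus only applies under RelevantOnly), so an audit log that stays empty means the engine never ran, not that nothing matched.

```apache
# Added example, not from the thread: the ModSecurity 1.x directives from the
# original apache2.conf rewritten for the 2.x rule language.
# Rule ids are arbitrary local numbers (optional in 2.5.x, mandatory from 2.7.0).

# 1.x:  SecFilterDefaultAction "deny,log,status:500"
# Rules that carry no disruptive action of their own inherit this one.
SecDefaultAction "phase:2,deny,log,auditlog,status:500"

# 1.x:  SecFilter "/cgi-bin" "deny,log,status:500"
# The request line is known in phase 1, so this can block before the body is read.
SecRule REQUEST_URI "/cgi-bin" "phase:1,id:10001,deny,log,auditlog,status:500"

# 1.x:  SecFilter "/bin/"           (inherited the default action)
# SecFilter matched against the request as a whole; the closest 2.x equivalent
# is the URI plus every argument, which needs phase 2 for arguments sent in a body.
SecRule REQUEST_URI|ARGS "/bin/" "phase:2,id:10002,deny,log,auditlog,status:500"
```

With these in place, http://www.myserver.com/cgi-bin should answer 500 and the transaction should appear in modsec_audit.log with a Message: line naming id 10001; if neither happens, the block holding the rules is not being parsed at all, which is the problem this thread ends up finding.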
From: Ryan B. <RBa...@tr...> - 2011-03-16 13:07:26
On 3/16/11 8:48 AM, "Emre Sevinc" <emr...@gm...> wrote:
> On Wed, Mar 16, 2011 at 1:28 PM, Josh Amishav-Zlatin <ja...@gm...>
> wrote:
>> Not directly related, but it looks like you installed a really old
>> version of modsecurity.
>
> My operating system is Ubuntu (Lucid) 10.04.2 LTS and according to
> package information the installed mod-security version and
> libapache-mod-security packages are:
>
> http://packages.ubuntu.com/lucid/mod-security-common
> http://packages.ubuntu.com/lucid/libapache-mod-security
>
> That is version 2.5.11-1 for both of them. I installed modsecurity
> from the Ubuntu repositories. Can this really be a problem?
>
>> The most recent version is 2.5.13. Lots has
>> changed, for example the SecFilter directive you use is no longer
>> supported.
>
> Oh, I didn't know that!

https://sourceforge.net/apps/mediawiki/mod-security/index.php?title=FAQ#How_do_I_migrate_my_rules_from_the_ModSecurity_1.x_format_into_the_2.x_format.3F

> Thank you. How should I change it to test if
> mod_security catches some requests, denies them and log this into the
> relevant file?

Here is an example attack request sent to the CRS demo page that
triggers a bunch of alerts -

http://www.modsecurity.org/demo/phpids?test=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

You can send this same URL to your host and it should generate some
alerts.

-Ryan
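An added example, not from Ryan's reply and not from the ModSecurity project: when a request like the one above produces alerts, they land in part H of the serial audit log as Message: lines, and the file also records transactions that matched nothing. The shell functions below summarise such a log (transactions seen, transactions intercepted, alerts per rule id) so that "the engine never ran" (empty file) can be told apart from "it ran and nothing matched" (transactions present, no Message: lines). The sample log is constructed for this example: the boundary ids, addresses, unique ids, rule ids and messages are placeholders laid out in the serial part format the original config selects with SecAuditLogParts ABIFHZ (parts I and F left out for brevity).

```shell
#!/bin/sh
# Added example (editor's, not from the thread): summarise a ModSecurity 2.x
# serial audit log. The sample below is constructed; ids, addresses and rule
# messages are placeholders in the shape of parts A, B, H and Z.

# Write the constructed sample log to the file named in $1.
write_sample_audit_log() {
    cat > "$1" <<'EOF'
--5d1c3a9e-A--
[16/Mar/2011:10:32:01 +0200] TWCRAQoAAQEAAGKRB6cAAAAA 192.0.2.10 51234 192.0.2.1 80
--5d1c3a9e-B--
GET /index.html HTTP/1.1
Host: www.myserver.com

--5d1c3a9e-H--
Stopwatch: 1300264321000000 812 (-  - -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.6.
Server: Apache/2.2.14 (Ubuntu)

--5d1c3a9e-Z--

--7e02bb41-A--
[16/Mar/2011:10:32:05 +0200] TWCRBQoAAQEAAGKSB7IAAAAB 192.0.2.10 51235 192.0.2.1 80
--7e02bb41-B--
GET /phpids?test=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1
Host: www.myserver.com

--7e02bb41-H--
Message: Warning. Pattern match "(?:<script)" at ARGS:test. [id "973335"] [msg "XSS Attack Detected"] [severity "CRITICAL"]
Message: Warning. Pattern match "alert\(" at ARGS:test. [id "973335"] [msg "XSS Attack Detected"] [severity "CRITICAL"]
Message: Access denied with code 500 (phase 2). Pattern match "\(\)" at ARGS:test. [id "950901"] [msg "Placeholder rule"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1300264325000000 2141 (-  - -)
Producer: ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/); core ruleset/2.0.6.
Server: Apache/2.2.14 (Ubuntu)

--7e02bb41-Z--
EOF
}

# Number of transactions in the log: one part A boundary per transaction.
audit_transactions() {
    awk '/^--[0-9A-Za-z]+-A--$/ { n++ } END { print n + 0 }' "$1"
}

# Number of transactions ModSecurity blocked (part H carries "Action: Intercepted").
audit_intercepted() {
    awk '/^Action: Intercepted/ { n++ } END { print n + 0 }' "$1"
}

# Alert count per rule id, read from the Message: lines inside part H only.
audit_alerts_by_rule() {
    awk '
        /^--[0-9A-Za-z]+-H--$/        { in_h = 1; next }   # part H begins
        /^--[0-9A-Za-z]+-[A-GI-Z]--$/ { in_h = 0 }         # any other boundary ends it
        in_h && /^Message: / && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)       # digits between [id " and "]
            count[id]++
        }
        END { for (id in count) printf "%s %d\n", id, count[id] }
    ' "$1" | sort
}

# Usage: sh audit_summary.sh /var/log/apache2/modsec_audit.log
if [ "$#" -gt 0 ]; then
    echo "transactions: $(audit_transactions "$1")"
    echo "intercepted:  $(audit_intercepted "$1")"
    echo "alerts by rule id:"
    audit_alerts_by_rule "$1"
fi
```

Run against the sample, the first transaction contributes to the transaction count only; the second contributes three alerts (two for one rule id, one for the other) and the single intercept. A real audit log written with SecAuditEngine On looks the same in structure, with one entry per request whether or not anything matched.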
From: Emre S. <emr...@gm...> - 2011-03-16 13:26:15
On Wed, Mar 16, 2011 at 2:07 PM, Ryan Barnett <RBa...@tr...> wrote:
>
> On 3/16/11 8:48 AM, "Emre Sevinc" <emr...@gm...> wrote:
>
>> On Wed, Mar 16, 2011 at 1:28 PM, Josh Amishav-Zlatin <ja...@gm...>
>> wrote:
>>> Not directly related, but it looks like you installed a really old
>>> version of modsecurity.

I found the culprit and it's me. I put the mod-security config
directives *before* (and not after) the:

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

so the mod-security module was not actually loaded!

Sorry for missing something so simple and taking your time. The
problem is solved now.

--
Emre
From: matthew s. <msp...@gm...> - 2011-03-16 12:54:54
On Wed, Mar 16, 2011 at 8:13 AM, Emre Sevinc <emr...@gm...> wrote:
> Hello,
>
> I installed mod_security on my Ubuntu GNU/Linux server but when I send
> some simple requests to the web server that should match even the
> simplest rules, I fail to see any alerts or any log files that were
> supposed to exist in /var/log/apache2. What am I missing?
> [...]
> And in the /var/log/apache2/error.log I only see the usual 'File does
> not exist' entries, no alerts related to mod_security.
>
> What am I missing?
>

Remove the <IfModule mod_security2.c> </IfModule> and see if it's
actually loading the module.