|
From: Christopher P. <chr...@ve...> - 2005-11-17 08:31:00
|
Hello folks, Well I've been doing some tightening of security on my webserver but it seems that I've made things too tight. The problem is that I can't figure out how to best let PostNuke do what it needs to do. Right now several of my filters stop the execution of a large number of commands that I need to have available in postnuke. I'll start off by posting my current modsecurity.conf file: SecFilterEngine On SecFilterScanPOST On SecAuditEngine On SecAuditLog logs/audit_log SecFilterSelective HTTP_Transfer-Encoding "!^$" SecFilterDefaultAction "deny,log,status:500" SecFilter "<( |\n)*script*" SecFilterInheritance Off SecFilterCheckUnicodeEncoding On SecFilterCheckURLEncoding On SecServerResponseToken Off SecFilter /bin/sh SecFilter hidden SecServerSignature "Microsoft-IIS/5.0" SecFilter "\.\./" SecFilterSelective ARGS "bin/" And here's the audit log of one of several stops I get when I try and do something simple like update a block: ======================================== UNIQUE_ID: davA638AAAEAAGm3ay8AAAAB Request: 67.190.166.65 - - [16/Nov/2005:23:54:53 --0600] "POST /index.php?module=Blocks&type=admin&func=update HTTP/1.1" 500 623 Handler: (null) ---------------------------------------- POST /index.php?module=Blocks&type=admin&func=update HTTP/1.1 Host: www.venomstats.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q= 0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.venomstats.com/index.php?module=Blocks&type=admin&func=modify&bid =39 Content-Type: application/x-www-form-urlencoded Content-Length: 3382 mod_security-message: Access denied with code 500. Pattern match "bin/" at POST_PAYLOAD mod_security-action: 500 Thanks for the help. Christopher Patricca Server Administrator |
|
From: Ivan R. <iv...@we...> - 2005-11-18 09:57:32
|
Christopher Patricca wrote: > Hello folks, > > Well I’ve been doing some tightening of security on my webserver but it > seems that I’ve made things too tight. The problem is that I can’t > figure out how to best let PostNuke do what it needs to do. Right now > several of my filters stop the execution of a large number of commands > that I need to have available in postnuke. I’ll start off by posting my > current modsecurity.conf file: It's generally difficult to protect content management systems using generic negative signatures only. > SecAuditEngine On You do know this logs every request? Just checking :) > SecFilterCheckUnicodeEncoding On This should be enabled only if UTF-8 is used in the web site. > SecFilter /bin/sh > SecFilter hidden > SecFilter "\.\./" > SecFilterSelective ARGS "bin/" These are just too broad. It's what's causing your problems. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org |
|
From: Christopher P. <chr...@ve...> - 2005-11-18 16:40:33
|
Ivan, Thanks for the tips. Do you have any starting points on how I can be more specific with my filters? I've been reading through various HOWTOs & articles on mod_security but don't fully grasp it quite yet. If I can get one or more examples on the direction I should head (or a really good article I should look at) I would appreciate it. Thanks, Christopher Patricca Server Administrator -----Original Message----- From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic Sent: Friday, November 18, 2005 3:00 AM To: Christopher Patricca Cc: mod...@li... Subject: Re: [mod-security-users] Need some help with mod security and PostNuke .761 Christopher Patricca wrote: > Hello folks, > > Well I've been doing some tightening of security on my webserver but it > seems that I've made things too tight. The problem is that I can't > figure out how to best let PostNuke do what it needs to do. Right now > several of my filters stop the execution of a large number of commands > that I need to have available in postnuke. I'll start off by posting my > current modsecurity.conf file: It's generally difficult to protect content management systems using generic negative signatures only. > SecAuditEngine On You do know this logs every request? Just checking :) > SecFilterCheckUnicodeEncoding On This should be enabled only if UTF-8 is used in the web site. > SecFilter /bin/sh > SecFilter hidden > SecFilter "\.\./" > SecFilterSelective ARGS "bin/" These are just too broad. It's what's causing your problems. -- Ivan Ristic Apache Security (O'Reilly) - http://www.apachesecurity.net Open source web application firewall - http://www.modsecurity.org ------------------------------------------------------- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click _______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.362 / Virus Database: 267.13.4/175 - Release Date: 11/18/2005 |
