logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: Mod_Security configuration
Author
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Fri 26 Sep '08 13:01    Post subject: Mod_Security configuration Reply with quote

Please i have apache installed is working fine, but it seems the Mod_Security Configuration is not working. Below is the information I get in the error log

[Fri Sep 26 00:44:37 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 00:44:38 2008] [notice] Apache/2.2.9 (Win32) configured -- resuming normal operations
[Fri Sep 26 00:44:38 2008] [notice] Server built: Jun 13 2008 04:04:59
[Fri Sep 26 00:44:38 2008] [notice] Parent: Created child process 540
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 00:44:39 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Child process is running
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Acquired the start mutex.
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Starting 64 worker threads.
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Starting thread to listen on port 8000.
[Fri Sep 26 00:58:04 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 00:58:24 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 00:59:03 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 01:01:19 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/account.php
[Fri Sep 26 01:02:22 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/account.php
[Fri Sep 26 01:02:32 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 01:03:03 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/safebrowsing
[Fri Sep 26 08:01:57 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 08:01:57 2008] [warn] pid file C:/Program Files/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Fri Sep 26 08:01:59 2008] [notice] Apache/2.2.9 (Win32) configured -- resuming normal operations
[Fri Sep 26 08:01:59 2008] [notice] Server built: Jun 13 2008 04:04:59
[Fri Sep 26 08:01:59 2008] [notice] Parent: Created child process 456
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 08:02:00 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Child process is running
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Acquired the start mutex.
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Starting 64 worker threads.
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Starting thread to listen on port 8000.

Any advise to help to sort out the problem will be appreciated

Thanks

Selecta
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Fri 26 Sep '08 17:42    Post subject: Reply with quote

I cant't see there anything that don't work. What do you accepted to see?
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Fri 26 Sep '08 18:24    Post subject: Reply with quote

I see this, but im not sure mod_sec is getting in the way.


[Fri Sep 26 00:58:04 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php

a few different varieties. What I notice is that it looks like your scripts are calling flowershop as a directory (which it is) and not a file, like http://localhost:90/flowershop

Is this an aliased directory?

/flowershop obviously exists cause the scripts (referers) are in that directory.
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Fri 26 Sep '08 20:41    Post subject: Reply with quote

Well I expected that when I perform SQL attack an error message must be generated actually I am doing this for my MSc project work. The flowershop is a web site that has security design flaws, the idea is that I scanned the flowershop site expose the vulnerabilities, then use Mod_Security to remedy the SQL attacks. Are you saying that the mod_security configuration is working fine if that is so then how can I generate an error message to indicate that for example accessed is denied or attack stopped
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Fri 26 Sep '08 20:48    Post subject: Reply with quote

James,

The fact is I am learning to configure Mod_Security for my MSc project, what I am expecting to see is that if I perform SQL injection attack mod_security should generate some message to indicate attack not successful. I am new to the whole mod_security and apache configuration.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Fri 26 Sep '08 22:46    Post subject: Reply with quote

no .. Aliased directories have a placed where it easy to get tripped up. I'm actually just seeing if this could be a problem with an aliased directory due to the 404 file not found errors. I have no clue just where at and in which instance it comes into the picture from the request for, to completion of the requested content, that mod_sec jumps in the path. these errors could be links on the pages themselves the your scan is hammering on and simple may be noise as a result of the vulnerabilities in the site itself.

Using mod_sec's core rules, you would know it was interfering.
[Fri Sep 26 06:24:08 2008] [error] [client 212.235.92.153] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^0?$" against "REQUEST_HEADERS:Content-Length" required. [file "X:/Apache2/core_rules/modsecurity_crs_20_protocol_violations.conf"] [line "44"] -snip-

If you are writing your own, then it is up to you to decide how to deny and what to log.
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Sat 27 Sep '08 1:54    Post subject: Reply with quote

Let me post my mod_security configuration so you look at and see what could be the reason why am not getting the expected results.

<IfModule mod_security.c>

#Turn Mod_Security Filtering Engine ON
SecFilterEnginee On

#SecFilterScanPOST ON
SecFilterScanPost On

SecFilterScanOutput Off
SecFilterOutputMimeTypes "(null) text/html text/plain"

#### Validation ####

SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding off

SecFilterForceByteRange 1 255

#Reject Requests With Status 500
SecFilterDefaultAction "deny,log,status:500"

#### Logging ####

SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modesc_log

#### Do Not Accept GET or Head Requests With Bodies ####

SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_CONTENT-LENGTH "!^$"

#### Require Content-Length to Be Provided With Every POST Request ####

SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

#### SQL Injection Protection ####

SecFilterSignatureAction "log,deny,msg:'SQL Injection Attack'"

SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')"
"id:300014,rev:1,severity:2,msg:'Generic SQL Protection'"
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
"id:300015,rev:1,severity:2,msg:'General SQL Protection'"

Any thoughts on how I could improve this to get required results will be appreciated.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sat 27 Sep '08 2:29    Post subject: Reply with quote

yes

<IfModule mod_security.c>
should be
<IfModule mod_security2.c>

It's generally better however to use the module as defined in the LoadModule.

LoadModule security2_module modules/mod_security2.so

then

<IfModule security2_module>
this would save the problem of not always knwoing what the actuall .c file is named, which is where you've gone astray.
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Sat 27 Sep '08 3:43    Post subject: Reply with quote

Glsmith,

Yes have done the correction but the error message I get is The Requested Operation Has Failed, any ideas why that error
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sat 27 Sep '08 3:49    Post subject: Reply with quote

That is the browser telling you this yes?

Apache not starting cause of syntax error in the mod sec section. See error log for info .. should tell you the line # the problem is on.

If not, check both Application & System sections in event log, should be something there as well. Sometimes a double, one says nothing useful and the one right below has the beef.
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Sat 27 Sep '08 4:00    Post subject: Reply with quote

Syntax error on line 411 of C:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf:

This is error displayed
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sat 27 Sep '08 4:05    Post subject: Reply with quote

what is on line 411? Does your editor show line numbers?
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Sat 27 Sep '08 4:13    Post subject: Reply with quote

This is what you find on line 411

Invalid command 'SecFilterEngine', perhaps misspelled or defined by a module not included in the server configuration.

#LoadModule filter_module modules/mod_filter.so
Also this is commented do I have to uncomment it
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sat 27 Sep '08 4:15    Post subject: Reply with quote

I see it

#Turn Mod_Security Filtering Engine ON
SecFilterEnginee On <<- extra 'e' on the end of engine
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Sat 27 Sep '08 4:21    Post subject: Reply with quote

Yes have seen that already corrected it yet I keep this error the requested operation has failed
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sat 27 Sep '08 4:26    Post subject: Reply with quote

error log?

basically .. error log .. fix .. error log .. fix .. till all error in syntax are gone.
Some are in event log if apache crashes before logging pipe is opened.

I do not load mod_filter.

Edit:

And in example .. I do not see </IfModule> .. just wanting to make sure it is there.

researching SecFilterEngine

Edit2:

I guess SecFilterEngine is not in mod_security 2.5.x .. I know it was in 1.x, don't remember much of 2.1.x

try

SecRuleEngine On
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Sat 27 Sep '08 4:45    Post subject: Reply with quote

Yes just tried the SecRuleEngine On

No errors reported will try adding rules does that mean I now have use SecRule for my configuration, please let me know
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

PostPosted: Sat 27 Sep '08 4:55    Post subject: Reply with quote

Yes .. I believe so

SecDefaultAction
SecGeoLookupDb

nothing SecFilter*

http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/html-multipage/

Configuration Directives section shows a nice list of the available directives.
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Sat 27 Sep '08 4:59    Post subject: Reply with quote

Ok will go ahead and configure the rules whatever the situation I shall duly inform you
Back to top
selecta



Joined: 02 Sep 2008
Posts: 16

PostPosted: Fri 03 Oct '08 17:42    Post subject: Help with Mod_Security2 Configuration Reply with quote

I have mod_security2 configured in Apache2 but anything I perform an attack I do not get any error message in the error log. Could anybody have a look at this and suggest how I can improve this and get the expected results, the whole idea is to perform simple SQL injection, XSS attacks and see how mod_security will detect and block and reports errors
<IfModule security2_module>

#### Initial Configuration ####

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/xml text/plain text/html
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:htmlEntityDecode,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log

#### Enforce Proper Requests ####

SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"

#### General Rules ####

SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin

#### PHPBB Attack ####
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

#### Regrex For Detection of SQL Metacharacters ####
SecRule ARGS "/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(Wink)/i" "id:380015,rev:1,severity:2,msg:'Generic Meta-character URI Injection Protection'"

#### Regrex For Typical SQL Injection Attack ####
SecRule ARGS "/\w*((%27)|(\'))((\%6F)|0|(\%4F))((\%72)|r|(\%52))/ix" "id:300014,rev:1,severity:2,msg:'Generic SQL Injection Protection'"

#### Regrex For Detecting SQL Injection With The UNION Keyword ####
SecRule ARGS /((\%27)|(\'))union/ix
SecRule ARGS /exec(\s|\+)+(s|x)p\w+/ix

#### Regrex For XSS Attack ####
SecRule ARGs /((\%3)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
SecRule ARGS /((\%3C)|<)((\%69)|i||(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[\%47]+((\%3E)|>)/I

</IfModule>
Will very much appreciate all the help I can get to achieve this goal.
Selecta
Back to top


Reply to topic   Topic: Mod_Security configuration View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules