logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: mod_security and apache 2.2.4
Author
chuck1rar



Joined: 07 Feb 2006
Posts: 13

PostPosted: Mon 12 Mar '07 7:43    Post subject: mod_security and apache 2.2.4 Reply with quote

Just upgraded to apache 2.2.4 and also latest build of mod_security.

But cant get them both working together now..

Below have included the script for mod_security but this has not changed since the last version so was trying to work out why apache will not start with mod_security... Any help would be appreciated.

Thanks


<IfModule mod_security.c>

# Turn ModSecurity On
SecFilterEngine On

#SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
SecServerSignature "NOYB"

#SecUploadDir logs
#SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/sec.log

## -- Common attacks --------------------

SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"

#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "

# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
#SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"

# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"

# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"

# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"

## -- PHP attacks --------------------

SecFilterSignatureAction "log,deny,msg:'PHP attack'"

# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"

#phpBB attack
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

## -- Awstats-------------------------

SecFilterSignatureAction "log,deny,msg:'Awstats Attack'"
SecFilterSelective ARGS_NAMES "configdir"

## -- SQL Injection Attacks --------------------

SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"

# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[::space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"

# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data
SecFilterSelective ARGS "/\*.+\*/"


## -- Command execution --------------------

SecFilterSignatureAction "log,deny,msg:'Command execution attack'"

#SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
#SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
#SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"

</IfModule>
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Mon 12 Mar '07 8:05    Post subject: Reply with quote

The latest is ModSecurity 2 which is not backward compatible with ModSecurity 1.x rules. See the readme in the .zip.
Back to top
chuck1rar



Joined: 07 Feb 2006
Posts: 13

PostPosted: Mon 12 Mar '07 8:08    Post subject: security Reply with quote

Yeah I know but was not using version 1.x before was on version 2....
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU

PostPosted: Mon 12 Mar '07 22:46    Post subject: Reply with quote

But above rules are 1.x rules.

Example of 2 rules:
Code:

SecRuleEngine On

SecDefaultAction "deny,phase:1,status:403"

SecRule REQUEST_URI ^http:/ "id:60014,severity:2,msg:'http Proxy access attempt'"

# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,id:60011,severity:2,msg:'GET or HEAD requests with bodies'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"

# Restrict which request methods can be used
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|HEAD))$" "phase:1,id:60032,severity:2,msg:'Method is not allowed by policy'"

# Restrict protocol versions.
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:60034,severity:2,msg:'HTTP protocol version is not allowed by policy'"

# Don't accept transfer encodings we know we don't know how to handle
SecRule HTTP_Transfer-Encoding "!^$" "id:60013,severity:1,msg:'ModSecurity does not support transfer encodings'"

SecDefaultAction "deny,phase:2,status:403,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase"

SecRule ARGS:page "^http" "id:90000,severity:4,msg:'Arg_page with http'"
SecRule ARGS_NAMES "configdir" "id:90001,severity:4,msg:'Awstats attack'"
SecRule ARGS_NAMES "^php:/" "id:90002,severity:4,msg:'php attack'"
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)" "id:90003,severity:4,msg:'phpBB attack'"
SecRule ARGS:phpbb_root_path "http" "id:90003,severity:4,msg:'phpBB rootpath attack'"
SecRule ARGS:mosConfig_absolute_path "http" "id:90004,severity:4,msg:'Joomla'"
SecRule ARGS:sbp "http" "id:90004,severity:4,msg:'Joomla'"
SecRule ARGS:task "vote" "id:90004,severity:4,msg:'Joomla'"

SecRule ARGS "c:/" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"
SecRule ARGS "\.\./" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"
SecRule ARGS "f:/" "t:normalisePathWin,id:50904,severity:4,msg:'Drive Access'"


## -- SQL Injection Attacks --------------------------------------------------

# Generic
SecRule ARGS "delete[[:space:]]+from"
SecRule ARGS "drop[[:space:]]+database"
SecRule ARGS "drop[[:space:]]+table"
SecRule ARGS "drop[[:space:]]+column"
SecRule ARGS "truncate[[:space:]]+table"
SecRule ARGS "create[[::space:]]+table"
SecRule ARGS "update.+set.+="
SecRule ARGS "insert[[:space:]]+into.+values"
SecRule ARGS "select.+from"
SecRule ARGS "bulk[[:space:]]+insert"
SecRule ARGS "union.+select"
SecRule ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecRule ARGS "alter[[:space:]]+table"
SecRule ARGS "or 1=1--'"
SecRule ARGS "'.+--"

# MySQL
SecRule ARGS "into[[:space:]]+outfile"
SecRule ARGS "load[[:space:]]+data
SecRule ARGS "/\*.+\*/"

Back to top
chuck1rar



Joined: 07 Feb 2006
Posts: 13

PostPosted: Tue 13 Mar '07 6:35    Post subject: mod_security and apache 2.2.4 Reply with quote

Yeah sorry realised that later but removed all the rules and just tried starting apache with the modules enabled but when mod_security is enabled then apache will not start..

Any tips on how to debug this..
Nothing relevenat is in any of the logs..

Thanks
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

PostPosted: Tue 13 Mar '07 9:57    Post subject: Reply with quote

What does the error.log tell about that error?
Did you download the right version for your apache?
Back to top
chuck1rar



Joined: 07 Feb 2006
Posts: 13

PostPosted: Tue 13 Mar '07 14:04    Post subject: error Reply with quote

nothing in the error log at all cause apache fails to start...

Am using Apache 2.2.4 Win32 mod_ssl 2.2.4 OpenSSL 0.9.8e and JRUN4 CFMX7..

The version of mod_security I downloaded was 2.1.0...

Was working fine till I moved from apache 2.2.3...

Thanks
Back to top
rebelo



Joined: 06 May 2007
Posts: 6

PostPosted: Sun 06 May '07 18:02    Post subject: Re: error Reply with quote

chuck1rar wrote:
nothing in the error log at all cause apache fails to start...

Am using Apache 2.2.4 Win32 mod_ssl 2.2.4 OpenSSL 0.9.8e and JRUN4 CFMX7..

The version of mod_security I downloaded was 2.1.0...

Was working fine till I moved from apache 2.2.3...

Thanks


Hi.
chuck1rar, how did You fix this matter ?
Having the same issue myself.
Back to top


Reply to topic   Topic: mod_security and apache 2.2.4 View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules