selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Fri 26 Sep '08 13:01 Post subject: Mod_Security configuration
Please, I have Apache installed and it is working fine, but it seems the Mod_Security configuration is not working. Below is the information I get in the error log:
[Fri Sep 26 00:44:37 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 00:44:38 2008] [notice] Apache/2.2.9 (Win32) configured -- resuming normal operations
[Fri Sep 26 00:44:38 2008] [notice] Server built: Jun 13 2008 04:04:59
[Fri Sep 26 00:44:38 2008] [notice] Parent: Created child process 540
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 00:44:39 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Child process is running
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Acquired the start mutex.
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Starting 64 worker threads.
[Fri Sep 26 00:44:40 2008] [notice] Child 540: Starting thread to listen on port 8000.
[Fri Sep 26 00:58:04 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 00:58:24 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 00:59:03 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 01:01:19 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/account.php
[Fri Sep 26 01:02:22 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/account.php
[Fri Sep 26 01:02:32 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
[Fri Sep 26 01:03:03 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/safebrowsing
[Fri Sep 26 08:01:57 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 08:01:57 2008] [warn] pid file C:/Program Files/Apache Software Foundation/Apache2.2/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Fri Sep 26 08:01:59 2008] [notice] Apache/2.2.9 (Win32) configured -- resuming normal operations
[Fri Sep 26 08:01:59 2008] [notice] Server built: Jun 13 2008 04:04:59
[Fri Sep 26 08:01:59 2008] [notice] Parent: Created child process 456
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 08:02:00 2008] [notice] ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/) configured.
httpd.exe: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Child process is running
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Acquired the start mutex.
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Starting 64 worker threads.
[Fri Sep 26 08:02:01 2008] [notice] Child 456: Starting thread to listen on port 8000.
Any advice to help sort out the problem will be appreciated.
Thanks
Selecta
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Fri 26 Sep '08 17:42
I can't see anything there that doesn't work. What did you expect to see?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 26 Sep '08 18:24
I see this, but I'm not sure mod_sec is getting in the way.
[Fri Sep 26 00:58:04 2008] [error] [client 127.0.0.1] File does not exist: C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/flowershop, referer: http://localhost:90/flowershop/selectarrangements.php
a few different varieties. What I notice is that it looks like your scripts are calling flowershop as a directory (which it is) and not a file, like http://localhost:90/flowershop
Is this an aliased directory?
/flowershop obviously exists because the scripts (referers) are in that directory.
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Fri 26 Sep '08 20:41
Well, I expected that when I perform an SQL attack an error message would be generated. Actually I am doing this for my MSc project work. The flowershop is a web site that has security design flaws; the idea is that I scanned the flowershop site to expose the vulnerabilities, then use Mod_Security to remedy the SQL attacks. Are you saying that the mod_security configuration is working fine? If so, then how can I generate an error message to indicate that, for example, access is denied or the attack was stopped?
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Fri 26 Sep '08 20:48
James,
The fact is I am learning to configure Mod_Security for my MSc project. What I am expecting to see is that if I perform an SQL injection attack, mod_security should generate some message to indicate the attack was not successful. I am new to the whole mod_security and Apache configuration.
|
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 26 Sep '08 22:46
No .. aliased directories have a place where it's easy to get tripped up. I'm actually just seeing if this could be a problem with an aliased directory due to the 404 file not found errors. I have no clue just where at, and in which instance, mod_sec jumps in the path between the request for, and completion of, the requested content. These errors could be links on the pages themselves that your scan is hammering on and simply may be noise as a result of the vulnerabilities in the site itself.
Using mod_sec's core rules, you would know it was interfering.
[Fri Sep 26 06:24:08 2008] [error] [client 212.235.92.153] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^0?$" against "REQUEST_HEADERS:Content-Length" required. [file "X:/Apache2/core_rules/modsecurity_crs_20_protocol_violations.conf"] [line "44"] -snip-
If you are writing your own, then it is up to you to decide how to deny and what to log.
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Sat 27 Sep '08 1:54
Let me post my mod_security configuration so you can look at it and see what could be the reason why I am not getting the expected results.
<IfModule mod_security.c>
#Turn Mod_Security Filtering Engine ON
SecFilterEnginee On
#SecFilterScanPOST ON
SecFilterScanPost On
SecFilterScanOutput Off
SecFilterOutputMimeTypes "(null) text/html text/plain"
#### Validation ####
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding off
SecFilterForceByteRange 1 255
#Reject Requests With Status 500
SecFilterDefaultAction "deny,log,status:500"
#### Logging ####
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modesc_log
#### Do Not Accept GET or Head Requests With Bodies ####
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_CONTENT-LENGTH "!^$"
#### Require Content-Length to Be Provided With Every POST Request ####
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
#### SQL Injection Protection ####
SecFilterSignatureAction "log,deny,msg:'SQL Injection Attack'"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilterSelective ARGS "(or.+1[[:space:]]*=[[:space:]]1|(or 1=1|'.+)--')"
"id:300014,rev:1,severity:2,msg:'Generic SQL Protection'"
SecFilterSelective ARGS "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)"
"id:300015,rev:1,severity:2,msg:'General SQL Protection'"
Any thoughts on how I could improve this to get the required results will be appreciated.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 27 Sep '08 2:29
Yes.
<IfModule mod_security.c>
should be
<IfModule mod_security2.c>
It's generally better, however, to use the module as defined in the LoadModule.
LoadModule security2_module modules/mod_security2.so
then
<IfModule security2_module>
This would save the problem of not always knowing what the actual .c file is named, which is where you've gone astray.
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Sat 27 Sep '08 3:43
Glsmith,
Yes, I have done the correction, but the error message I get is "The Requested Operation Has Failed". Any ideas why that error?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 27 Sep '08 3:49
That is the browser telling you this, yes?
Apache is not starting because of a syntax error in the mod_sec section. See the error log for info .. it should tell you the line # the problem is on.
If not, check both the Application & System sections in the event log; there should be something there as well. Sometimes there's a double: one says nothing useful and the one right below has the beef.
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Sat 27 Sep '08 4:00
Syntax error on line 411 of C:/Program Files/Apache Software Foundation/Apache2.2/conf/httpd.conf:
This is the error displayed.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 27 Sep '08 4:05
What is on line 411? Does your editor show line numbers?
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Sat 27 Sep '08 4:13
This is what you find on line 411:
Invalid command 'SecFilterEngine', perhaps misspelled or defined by a module not included in the server configuration.
#LoadModule filter_module modules/mod_filter.so
Also, this is commented out; do I have to uncomment it?
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 27 Sep '08 4:15
I see it:
#Turn Mod_Security Filtering Engine ON
SecFilterEnginee On <<- extra 'e' on the end of engine
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Sat 27 Sep '08 4:21
Yes, I have seen that and already corrected it, yet I keep getting this error: the requested operation has failed.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Sat 27 Sep '08 4:26
Error log?
Basically .. error log .. fix .. error log .. fix .. till all errors in syntax are gone.
Some are in the event log if Apache crashes before the logging pipe is opened.
I do not load mod_filter.
Edit:
And in the example .. I do not see </IfModule> .. just wanting to make sure it is there.
Researching SecFilterEngine.
Edit2:
I guess SecFilterEngine is not in mod_security 2.5.x .. I know it was in 1.x, don't remember much of 2.1.x.
Try
SecRuleEngine On
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Sat 27 Sep '08 4:45
Yes, just tried SecRuleEngine On.
No errors reported. I will try adding rules. Does that mean I now have to use SecRule for my configuration? Please let me know.
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Sat 27 Sep '08 4:59
Ok, I will go ahead and configure the rules; whatever the situation, I shall duly inform you.
selecta
Joined: 02 Sep 2008 Posts: 16
Posted: Fri 03 Oct '08 17:42 Post subject: Help with Mod_Security2 Configuration
I have mod_security2 configured in Apache2, but whenever I perform an attack I do not get any error message in the error log. Could anybody have a look at this and suggest how I can improve it and get the expected results? The whole idea is to perform simple SQL injection and XSS attacks and see how mod_security detects and blocks them and reports errors.
<IfModule security2_module>
#### Initial Configuration ####
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/xml text/plain text/html
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:htmlEntityDecode,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
#### Enforce Proper Requests ####
SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "id:340000,severity:1,msg:'Bad HTTP Protocol'"
#### General Rules ####
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin
#### PHPBB Attack ####
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
#### Regrex For Detection of SQL Metacharacters ####
SecRule ARGS "/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|()/i" "id:380015,rev:1,severity:2,msg:'Generic Meta-character URI Injection Protection'"
#### Regrex For Typical SQL Injection Attack ####
SecRule ARGS "/\w*((%27)|(\'))((\%6F)|0|(\%4F))((\%72)|r|(\%52))/ix" "id:300014,rev:1,severity:2,msg:'Generic SQL Injection Protection'"
#### Regrex For Detecting SQL Injection With The UNION Keyword ####
SecRule ARGS /((\%27)|(\'))union/ix
SecRule ARGS /exec(\s|\+)+(s|x)p\w+/ix
#### Regrex For XSS Attack ####
SecRule ARGs /((\%3)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix
SecRule ARGS /((\%3C)|<)((\%69)|i||(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[\%47]+((\%3E)|>)/I
</IfModule>
I will very much appreciate all the help I can get to achieve this goal.
Selecta
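The SQL injection and XSS rules in this last configuration carry their regexes in Snort style, wrapped in `/.../ix`. ModSecurity 2 hands the `@rx` argument to PCRE unchanged, so the slashes and the flag letters become literal characters that no real request argument contains, and those rules can never match; that would explain a silent error log even while the engine is on. The script below is an added example, not anything posted in the thread or shipped with ModSecurity: Python's `re` module stands in for PCRE, the `to_pcre` helper and the sample argument values are constructed for this illustration, and it checks three of the posted signatures as written against their repaired form.

```python
import re

# Signatures copied verbatim from the final configuration posted in the thread.
SNORT_STYLE = {
    "sqli_union": r"/((\%27)|(\'))union/ix",
    "mssql_exec": r"/exec(\s|\+)+(s|x)p\w+/ix",
    # "(\%3)" is kept as posted; it is a truncated "%3C" and is repaired in evaluate().
    "xss_tag":    r"/((\%3)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix",
}

_DELIMITED = re.compile(r"^/(.*)/([a-zA-Z]*)$", re.S)

def to_pcre(snort_pattern: str) -> str:
    """Strip the /.../flags wrapper and express i and x as inline PCRE options.

    ModSecurity 2 passes the @rx argument to PCRE unchanged, so a pattern left
    in Snort form would require a literal '/' to be present in the argument.
    """
    m = _DELIMITED.match(snort_pattern)
    if not m:
        return snort_pattern  # already a bare PCRE pattern, nothing to do
    body, flags = m.groups()
    inline = "".join(f for f in flags.lower() if f in "ix")
    return f"(?{inline}){body}" if inline else body

def matches(pattern: str, arg_value: str) -> bool:
    """Emulate @rx on one already URL-decoded ARGS value; the posted
    SecDefaultAction applies t:lowercase first, so the value is lowered here."""
    return re.search(pattern, arg_value.lower()) is not None

# Constructed argument values of the kind a scanner sends (not from the thread).
SAMPLES = {
    "sqli_union": "'UNION SELECT 1,2--",
    "mssql_exec": "EXEC sp_who",
    "xss_tag":    "<script>alert(1)</script>",
}

def evaluate() -> dict:
    """Return {rule: (fires_as_posted, fires_after_fix)} for each sample."""
    results = {}
    for name, raw in SNORT_STYLE.items():
        fixed = to_pcre(raw).replace(r"(\%3)", r"(\%3C)")  # repair the typo
        results[name] = (matches(raw, SAMPLES[name]), matches(fixed, SAMPLES[name]))
    return results

if __name__ == "__main__":
    for rule, (before, after) in evaluate().items():
        print(f"{rule:11} as posted: {before!s:5}  after fix: {after}")
```

Every rule reports False as posted and True once the delimiters are removed, which is the difference between an empty error log and a "ModSecurity: Access denied" entry like the one glsmith quoted from the core rules.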