Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: mod_security block Apache totally !!!! |
|
Author |
|
underxp
Joined: 16 Jan 2006 Posts: 34
|
Posted: Mon 29 May '06 5:08 Post subject: mod_security block Apache totally !!!! |
|
|
Hello, I want to use mod_status with Apache 2.0.x, I download from here and install it, copy and paste rules from here as:
Code: |
<IfModule mod_security.c>
SecFilterEngine On
#SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 10 128
# Server masking is optional
SecServerSignature "Microsoft-IIS/4.0"
#SecUploadDir logs
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/security.log
## -- Common attacks --------------------
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "
# Only accept request encodings we know how to handle.
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
## -- PHP attacks --------------------
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"
#phpBB attack
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
## -- Awstats-------------------------
SecFilterSignatureAction "log,deny,msg:'Awstats Attack'"
SecFilterSelective ARGS_NAMES "configdir"
## -- SQL Injection Attacks --------------------
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[::space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data
SecFilterSelective ARGS "/\*.+\*/"
## -- Command execution --------------------
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
</IfModule>
|
When i activated this module, NONE page is accesible now, security.log says:
Code: |
==29000000==============================
Request: Ap2058 127.0.0.1 - - [28/May/2006:23:22:05 --0400] "GET / HTTP/1.1" 403 179 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" - "-"
----------------------------------------
GET / HTTP/1.1
Accept: */*
Accept-Language: es-ve
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 20 Nov 2004 18:16:24 GMT
If-None-Match: "2233-2c-9efc6e00"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: localhost
Connection: Keep-Alive
mod_security-message: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type") [msg "Common attacks"] [severity "EMERGENCY"]
mod_security-action: 403
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--29000000--
|
I can't open any page. I think that is a problem with mod_deflate and the rule:
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
I disabled this rule and Apache serves page fine. Can anyone tell me why mod_security block any request ? |
|
Back to top |
|
underxp
Joined: 16 Jan 2006 Posts: 34
|
Posted: Mon 29 May '06 5:10 Post subject: |
|
|
Btw, i have this directives for mod_deflate:
Code: |
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
DeflateCompressionLevel 9
DeflateMemLevel 9
DeflateWindowSize 15
DeflateBufferSize 8096
DeflateFilterNote deflate_ratio
LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct." vhost_with_deflate_info
CustomLog logs/deflate.log vhost_with_deflate_info
</IfModule>
|
|
|
Back to top |
|
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3094 Location: Hilversum, NL, EU
|
Posted: Mon 29 May '06 17:36 Post subject: |
|
|
Nothing to do with deflate.
Looks like you removed the line with "chain" at the end:
You have:
# Only accept request encodings we know how to handle.
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
It must be:
# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
Steffen |
|
Back to top |
|
underxp
Joined: 16 Jan 2006 Posts: 34
|
Posted: Tue 30 May '06 2:37 Post subject: |
|
|
Thanks Stefen I'll try and post results laters |
|
Back to top |
|
underxp
Joined: 16 Jan 2006 Posts: 34
|
Posted: Tue 30 May '06 2:39 Post subject: |
|
|
I catch the error:
Code: |
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
|
REQUEST_METHOD is duplicated and the last don't have chain |
|
Back to top |
|
|
|
|
|
|