Troubleshooting mod_security windows

 
pipedevil
Joined: 01 Aug 2011
Posts: 9

Posted: Mon 01 Aug '11 8:34    Post subject: Troubleshooting mod_security windows

Hi everybody!

I have installed mod_security2 on xampp/windows and set it up following the README instructions.

It seems that module starts properly:

Code:
[Mon Aug 01 09:09:19 2011] [notice] Server built: Oct 18 2010 01:58:12
[Mon Aug 01 09:09:19 2011] [notice] Parent: Created child process 2140
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.2"
[Mon Aug 01 09:09:21 2011] [warn] ModSecurity: Loaded APR do not match with compiled!
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="7.9 2009-04-11"
[Mon Aug 01 09:09:21 2011] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: LIBXML compiled version="2.7.7"


But neither Readme nor SQLinjectme ff plugin tests show me results.

I have been searching for an answer for more than a week, please help with the solution.

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 5109
Location: Germany, Next to Hamburg

Posted: Mon 01 Aug '11 10:41

That means that mod_sec is compiled with a newer version of APR than your apache is.
And mod_sec is compiled with PCRE 8.12 but your apache with 7.9.

Is mod_sec now available for xampp or did you download it here?
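
The compiled-versus-loaded comparison described in the reply above, as an added example that is not part of the original thread: it reads the ModSecurity startup lines from an Apache error log and reports, per library, whether the loaded version is older than the one the module was built against. The log lines are the ones from the first post; the function names are illustrative.

```python
import re

# Startup lines as posted in the first message of this thread.
SAMPLE_LOG = """\
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.2"
[Mon Aug 01 09:09:21 2011] [warn] ModSecurity: Loaded APR do not match with compiled!
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: PCRE compiled version="8.12"; loaded version="7.9 2009-04-11"
[Mon Aug 01 09:09:21 2011] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Aug 01 09:09:21 2011] [notice] ModSecurity: LIBXML compiled version="2.7.7"
"""

# One line per library; the "loaded version" part is optional (LUA, LIBXML).
VERSION_LINE = re.compile(
    r'ModSecurity: (?P<lib>[A-Z0-9]+) compiled version="(?P<compiled>[^"]*)"'
    r'(?:; loaded version="(?P<loaded>[^"]*)")?'
)

def numeric(version):
    """Extract the first dotted number: '7.9 2009-04-11' -> (7, 9)."""
    m = re.search(r'\d+(?:\.\d+)*', version)
    return tuple(int(p) for p in m.group().split('.')) if m else ()

def library_versions(log_text):
    """Return {library: (compiled, loaded, status)} for each version line."""
    report = {}
    for m in VERSION_LINE.finditer(log_text):
        compiled, loaded = m.group('compiled'), m.group('loaded')
        if loaded is None:
            status = 'no-loaded-version'
        elif numeric(loaded) == numeric(compiled):
            status = 'match'
        elif numeric(loaded) < numeric(compiled):
            status = 'loaded-older'
        else:
            status = 'loaded-newer'
        report[m.group('lib')] = (compiled, loaded, status)
    return report
```
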

pipedevil
Joined: 01 Aug 2011
Posts: 9

Posted: Mon 01 Aug '11 11:39    Post subject: Troubleshooting mod_security windows

I've downloaded it from Apache Lounge.

admin
Site Admin
Joined: 15 Oct 2005
Posts: 399

Posted: Mon 01 Aug '11 12:08

Did you follow the instructions in the readme, create a folder in modules and copy the two DLLs?

And did you test it with the example in the readme?
With only the rules mentioned there.

APR is built against 2.2.19 and you are running an older version.

The warnings should not be a problem, it should work.


Steffen

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 5109
Location: Germany, Next to Hamburg

Posted: Mon 01 Aug '11 12:19

It would be easy to download the apache zip from this place and override the bin, include, lib and modules folders.
Ya, I know the include folder and the lib folder are not really necessary, but since xampp has a lot of scripts / tools to compile stuff against the includes and libs it is safer that way.

pipedevil
Joined: 01 Aug 2011
Posts: 9

Posted: Mon 01 Aug '11 12:48

I have the same suggestion about warnings.

I strictly followed the instructions from the Readme file: created the "mod_security2" directory, copied the DLLs and .so file there, and the "modsecurity_crs_10_config.conf" file and rules directories (including "base_rules").

Then I edited "modsecurity_crs_10_config.conf" and added the following string at the end of the file:

Code:
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin


Then I performed the tests listed in the Readme, and have no messages in the log.


Here is the httpd.conf mod_sec section:

Code:
LoadFile bin/libxml2.dll

<IfModule security2_module>
   Include "modules/mod_security2/*.conf"
   Include "modules/mod_security2/base_rules/*.conf"
   SecAuditEngine RelevantOnly
   SecAuditLog logs/audit_log
   SecRuleEngine On
   SecDebugLog "logs/modsec_debug"
   SecRequestBodyAccess On
   SecResponseBodyAccess On
   SecRequestBodyInMemoryLimit 131072
   SecRequestBodyLimit 10485760
   SecResponseBodyMimeTypesClear
   SecResponseBodyMimeType (null) text/plain text/html text/css text/xml

</IfModule>

Steffen
Moderator
Joined: 15 Oct 2005
Posts: 2163
Location: Hilversum, NL, EU

Posted: Mon 01 Aug '11 13:10

You did not follow the readme, e.g. LoadFile bin/libxml2.dll: when you do this, it is not picking up the one in the created folder in modules. Do you also have a LoadFile PCRE directive?

I asked you to test only with the mentioned rules in the readme. Not merging with other rules.

And test only with the simple config mentioned in the readme and not what you show above:

SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log


## -- General rules --------------------

SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin

## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

Steffen

pipedevil
Joined: 01 Aug 2011
Posts: 9

Posted: Tue 02 Aug '11 9:40

Steffen wrote:
Do you also have a LoadFile PCRE directive?

Steffen


I don't have a PCRE directive.

I've corrected it; now my new httpd.conf mod_sec section looks like:

Code:
<IfModule security2_module>

# A very quick start:

SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log


## -- General rules --------------------

SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin

## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

</IfModule>



I tried:
Code:
http://<my_site>/?abc=../../

The same thing: no 403 error, no log messages.

pipedevil
Joined: 01 Aug 2011
Posts: 9

Posted: Tue 02 Aug '11 10:02

I found the tail, mod sec works fine when I enter the following address:

Code:
http://<ServerName>/?abc=../../


but it doesn't when:
Code:
http://<ServerAlias>/?abc=../../
is entered in the address bar.

Where "ServerName" and "ServerAlias" are directives from <VirtualHost *:80> container. Which looks like:

Code:
<VirtualHost *:80>
    DocumentRoot "<path>"
    ServerName <ServerName>
    ServerAlias <www.ServerName>
    ServerAlias <www1.ServerName>
    ErrorLog "logs/site-error.log"
    CustomLog "logs/site-access.log" combined
</VirtualHost>


How can I make mod sec work with ServerAlias too??

Steffen
Moderator
Joined: 15 Oct 2005
Posts: 2163
Location: Hilversum, NL, EU

Posted: Tue 02 Aug '11 11:48

Works here.

The only thing you can try is to set SecRuleInheritance On in your vHost.

If it does not help, it is best to post your question on the mod_security list.

Steffen

pipedevil
Joined: 01 Aug 2011
Posts: 9

Posted: Tue 02 Aug '11 13:31

Steffen wrote:
Works here.

The only thing you can try is to set SecRuleInheritance On in your vHost.

If it does not help, it is best to post your question on the mod_security list.

Steffen


Solved (without SecRuleInheritance). There was no IP address entry for ServerAlias in the
Code:
%SystemRoot%\system32\drivers\etc\hosts
file, though I was able to open all alias pages.


Thanks Everybody for your consideration!

Sincerely,
pipedevil
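
The cause found in the last post, as an added check that is not part of the original thread: list every ServerName and ServerAlias of a virtual host and report the ones that have no entry in the hosts file. The configuration, the hosts content and the example.test names are constructed sample input; the function names are illustrative.

```python
import re

# Constructed sample input; names, path and addresses are placeholders.
VHOST_CONF = """\
<VirtualHost *:80>
    DocumentRoot "C:/site"
    ServerName example.test
    ServerAlias www.example.test
    ServerAlias www1.example.test
</VirtualHost>
"""

HOSTS_FILE = """\
# constructed hosts file
127.0.0.1   localhost
127.0.0.1   example.test   # main name only
"""

def vhost_names(conf_text):
    """Return every ServerName/ServerAlias value, lower-cased, in file order."""
    names = []
    for line in conf_text.splitlines():
        m = re.match(r'\s*Server(?:Name|Alias)\s+(.+)', line, re.IGNORECASE)
        if m:
            # ServerAlias may carry several names on one line.
            names += [n.lower() for n in m.group(1).split()]
    return names

def hosts_entries(hosts_text):
    """Map each hostname in a hosts file to its address, ignoring comments."""
    table = {}
    for line in hosts_text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                # The first entry for a name wins, as in hosts-file lookup.
                table.setdefault(name.lower(), fields[0])
    return table

def unmapped_names(conf_text, hosts_text):
    """Names served by the vhost that have no hosts-file entry."""
    table = hosts_entries(hosts_text)
    return [n for n in vhost_names(conf_text) if n not in table]
```
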