logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Third-party Modules View previous topic :: View next topic
Reply to topic   Topic: How to tune mod_security 2.6 error msg?
Author
maskego



Joined: 16 Apr 2010
Posts: 238

PostPosted: Thu 14 Jul '11 2:11    Post subject: How to tune mod_security 2.6 error msg? Reply with quote

After use mod_fcgid to run php scripts,the error msgs appear.Before,it works fine.My apache ver is 2.2.19.

The modsecurity logs show:

Code:
ModSecurity: Failed to write to DBM file "C:/Apache2.2/logs/data/tmp/resource": Invalid argument
 


I search from google,but can't find the solution...
Crying or Very sad

What is the right argument?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Thu 14 Jul '11 20:06    Post subject: Reply with quote

ModSecurity uses the SDBM library, which comes with the Apache Portable Runtime (APR). When using ModSecurity collections for anything beyond trivial use, you may quickly hit the arbitrary SDBM library limit of 1008 bytes. That limit is on the combined size of both the key and record length.

Solution: Use shorter keys, as they are stored in triplicate

--------------------------------
or (not recommended) Recompile APR to support a higher storage limit:
within apr-util --> sdbm_private.h

set the block sizes to something like the following
Code:

/* if the block/page size is increased, it breaks perl apr_sdbm_t
 * compatibility */
#define DBLKSIZ 16384
#define PBLKSIZ 8192
#define PAIRMAX 8008                    /* arbitrary on PBLKSIZ-N
*/
#else
#define DBLKSIZ 16384
#define PBLKSIZ 8192
#define PAIRMAX 10080                   /* arbitrary on PBLKSIZ-N
*/
#endif
#define SPLTMAX 10


You now increased the SDBM library limit to 10080 bytes.
Back to top
maskego



Joined: 16 Apr 2010
Posts: 238

PostPosted: Sat 16 Jul '11 8:02    Post subject: Reply with quote

Where can I increase the SDBM library limit?Or need to compile it again?Rolling Eyes


James Blond wrote:


You now increased the SDBM library limit to 10080 bytes.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Sat 16 Jul '11 19:35    Post subject: Reply with quote

You can't increase it in the config.

James Blond wrote:

Solution: Use shorter keys, as they are stored in triplicate


change the code and recompile can leet to unexcepted results with other stuff.

Can't you use shorter keys?
Back to top
maskego



Joined: 16 Apr 2010
Posts: 238

PostPosted: Sun 17 Jul '11 4:07    Post subject: Reply with quote

I am a newbie at mod_security.
Can you explain what is shorter key?And ,How to increase the limit?

regards.


James Blond wrote:
You can't increase it in the config.

James Blond wrote:

Solution: Use shorter keys, as they are stored in triplicate


change the code and recompile can leet to unexcepted results with other stuff.

Can't you use shorter keys?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Sun 17 Jul '11 21:11    Post subject: Reply with quote

There are some limitations on the size of the KEY used when creating collections. You should use %{remote_addr} with initcol instead of %{request_uri}. This will initiate/access a persistent collection and use the client’s IP address as the key. Since %{request_uri} is redirected with fcgid it is might longer than with the module with apache resolves it.
Back to top
maskego



Joined: 16 Apr 2010
Posts: 238

PostPosted: Fri 22 Jul '11 9:27    Post subject: Reply with quote

Can you give some files or examples?Such as file name...etc...
Rolling Eyes


James Blond wrote:
There are some limitations on the size of the KEY used when creating collections. You should use %{remote_addr} with initcol instead of %{request_uri}. This will initiate/access a persistent collection and use the client’s IP address as the key. Since %{request_uri} is redirected with fcgid it is might longer than with the module with apache resolves it.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

PostPosted: Fri 22 Jul '11 10:19    Post subject: Reply with quote

This is just an example. I'm not using mod sec myself Wink
Code:

SecRule REQUEST_URI "^/path/to/script.pl$" phase:1,log,pass,ctl:debugLogLevel=9


In this example REQUEST_URI is used. Depending on your urls REQUEST_URI can be very long. So it might blow the SDBM library limit. So it is might better to use REMOTE_ADDR for blocking someone. Or using SecRule ARGS:variablename "something" phase:1,pass,ctl:debugLogLevel=9

But as I wrote above I have only none to little experience using mod_security.

Do you know which rule creates that error message?
Back to top


Reply to topic   Topic: How to tune mod_security 2.6 error msg? View previous topic :: View next topic
Post new topic   Forum Index -> Third-party Modules