Topic: mod_security block Apache totally !!!!
Author
underxp



Joined: 16 Jan 2006
Posts: 34

Posted: Mon 29 May '06 5:08    Post subject: mod_security block Apache totally !!!!

Hello, I want to use mod_status with Apache 2.0.x. I downloaded it from here and installed it, then copied and pasted the rules from here as:
Code:

<IfModule mod_security.c>
SecFilterEngine On
 
#SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
 
# Accept almost all byte values
SecFilterForceByteRange 10 128
 
# Server masking is optional
SecServerSignature "Microsoft-IIS/4.0"
 
#SecUploadDir logs
#SecUploadKeepFiles Off
 
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/security.log
 
## -- Common attacks --------------------
 
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"

#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "
 
# Only accept request encodings we know how to handle.
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
 
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
 
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
 
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
 
# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
 
# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"

## -- PHP attacks --------------------
 
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
 
# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"
 
#phpBB attack
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"

## -- Awstats-------------------------

SecFilterSignatureAction "log,deny,msg:'Awstats Attack'"
SecFilterSelective ARGS_NAMES "configdir"

## -- SQL Injection Attacks --------------------
 
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
 
# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[:space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"

# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data"
SecFilterSelective ARGS "/\*.+\*/"

## -- Command execution --------------------
 
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
 
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
</IfModule>


When I activated this module, no page is accessible now; security.log says:
Code:

==29000000==============================
Request: Ap2058 127.0.0.1 - - [28/May/2006:23:22:05 --0400] "GET / HTTP/1.1" 403 179 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" - "-"
----------------------------------------
GET / HTTP/1.1
Accept: */*
Accept-Language: es-ve
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 20 Nov 2004 18:16:24 GMT
If-None-Match: "2233-2c-9efc6e00"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: localhost
Connection: Keep-Alive
mod_security-message: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type") [msg "Common attacks"] [severity "EMERGENCY"]
mod_security-action: 403

HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 179
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--29000000--


I can't open any page. I think that is a problem with mod_deflate and the rule:
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

I disabled this rule and Apache serves pages fine. Can anyone tell me why mod_security blocks any request?
underxp



Joined: 16 Jan 2006
Posts: 34

Posted: Mon 29 May '06 5:10

Btw, I have these directives for mod_deflate:
Code:

<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/xml
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
  DeflateCompressionLevel 9
  DeflateMemLevel 9
  DeflateWindowSize 15
  DeflateBufferSize 8096
  DeflateFilterNote deflate_ratio
  LogFormat "%v %h %l %u %t \"%r\" %>s %b mod_deflate: %{deflate_ratio}n pct." vhost_with_deflate_info
  CustomLog logs/deflate.log vhost_with_deflate_info
</IfModule>
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3049
Location: Hilversum, NL, EU

Posted: Mon 29 May '06 17:36

Nothing to do with deflate.

Looks like you removed the line with "chain" at the end:

You have:

# Only accept request encodings we know how to handle.
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

It must be:

# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"


Steffen
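
The rule behaviour discussed in this reply, modelled as an added example (not code from the thread or from mod_security itself): a simplified Python evaluator for the posted rule and the corrected rule pair, run against constructed requests, the first mirroring the logged `GET /`. The function names and the model of chain handling and absent headers are assumptions for illustration.

```python
import re

# Simplified model of mod_security 1.x SecFilterSelective (an assumption for
# illustration): an absent header is tested as "", a leading "!" negates the
# pattern, and "chain" makes the next rule run only if this one matched.
CONTENT_TYPE = "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
AS_POSTED = [("HTTP_Content-Type", CONTENT_TYPE, False)]
CORRECTED = [("REQUEST_METHOD", "!^(GET|HEAD)$", True),
             ("HTTP_Content-Type", CONTENT_TYPE, False)]

def lookup(request, variable):
    """Return the value a rule variable refers to, or "" when it is absent."""
    if variable == "REQUEST_METHOD":
        return request["method"]
    wanted = variable[len("HTTP_"):].lower()
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(wanted, "")

def rule_matches(request, variable, pattern):
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, lookup(request, variable))
    return (hit is None) if negate else (hit is not None)

def verdict(request, rules):
    """Return 403 if any rule (or complete chain) matches, otherwise 200."""
    skip = False  # True while inside a chain whose earlier link did not match
    for variable, pattern, chain in rules:
        matched = not skip and rule_matches(request, variable, pattern)
        if matched and not chain:
            return 403
        skip = chain and not matched
    return 200

def compare(request):
    """Verdicts for (rule as posted, corrected rule pair)."""
    return verdict(request, AS_POSTED), verdict(request, CORRECTED)

# Constructed sample requests; the first mirrors the GET / in security.log.
GET_ROOT = {"method": "GET", "headers": {"Host": "localhost", "Accept": "*/*"}}
POST_FORM = {"method": "POST", "headers": {
    "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "7"}}
POST_XML = {"method": "POST", "headers": {
    "Content-Type": "text/xml", "Content-Length": "12"}}

if __name__ == "__main__":
    for name, req in [("GET /", GET_ROOT), ("POST form", POST_FORM),
                      ("POST text/xml", POST_XML)]:
        print(name, compare(req))
```

Only the GET without a Content-Type header changes verdict between the two rule sets; the POST with an unexpected Content-Type is denied by both.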
underxp



Joined: 16 Jan 2006
Posts: 34

Posted: Tue 30 May '06 2:37

Thanks Steffen, I'll try and post results later.

underxp



Joined: 16 Jan 2006
Posts: 34

Posted: Tue 30 May '06 2:39

I caught the error:
Code:

# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
 
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"


REQUEST_METHOD is duplicated and the last one doesn't have chain