LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-12-2004, 01:36 PM   #1
ridertech
Member
 
Registered: Dec 2003
Location: Seattle, Washington
Distribution: Debian 'Sarge'
Posts: 85

Rep: Reputation: 15
Apache mod_security logging everything?


I copied the following portion of my httpd.conf from one server (which is logging just fine) to my new server. The problem is that mod_security seems to be logging every request rather than only the filtered errors.

I noticed that on my "old" server, every log entry contains a mod_security-message that explains the error. On the "new" server, there are entries for every request and only seven have that mod_security-message. Any ideas why the same config would log differently?


<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 32 126
SecFilterScanPOST On
SecFilterDefaultAction "deny,status:406"

SecAuditEngine On
SecAuditLog /var/log/httpd/modsec_log

# Prevent OS-specific keywords
SecFilter /etc/passwd

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Prevent XSS attacks (HTML/Javascript)
SecFilter "<(.|\n)+>"

# Prevent Nmap version scan
SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\$"
</IfModule>
 
Old 08-12-2004, 01:40 PM   #2
ridertech
Member
 
Registered: Dec 2003
Location: Seattle, Washington
Distribution: Debian 'Sarge'
Posts: 85

Original Poster
Rep: Reputation: 15
Sorry, I found the issue...

SecAuditEngine RelevantOnly (rather than "SecAuditEngine On")
 
Old 08-13-2004, 01:10 PM   #3
ridertech
Member
 
Registered: Dec 2003
Location: Seattle, Washington
Distribution: Debian 'Sarge'
Posts: 85

Original Poster
Rep: Reputation: 15
Something very odd is happening (or not happening) with Apache mod_security...

With "SecAuditEngine On", I'm able to use phpMyAdmin with now errors and mod_security logs everything.

With "SecAuditEngine RelevantOnly", I'm getting denied and redirected to a 406 error for some of the phpMyAdmin links and nothing is getting logged.

I'm not concerned about phpMyAdmin but rather the issue between everything/nothing getting logged. Does anyone see a problem in the settings above? These settings were copied from a server that is working just fine. Needless to say, I'm confused.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Disable logging RH 7.3 qmail-apache etc DropHit Red Hat 3 04-13-2005 04:44 AM
mod_security for apache zsoltrenyi Linux - Security 0 02-08-2005 06:36 AM
Disable all Apache 2.x logging hakcenter Linux - Networking 2 12-05-2003 12:34 AM
Apache logging WiWa Linux - Software 2 08-13-2003 02:33 AM
apache logging chege question santellij Linux - Software 5 11-18-2002 09:20 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration