LinuxQuestions.org

ridertech 08-18-2004 05:19 PM

mod_security
 
I'm having issues with Apache's mod_security and I can't find the cause. First of all, I've been unable to find a URL on my site that causes one of the filters to block it and second, nothing is getting logged. I've confirmed that /var/log/httpd/modsec_log exists and its permissions are set to 644. Can someone please help? I've been troubleshooting this for days now.

Code:

# Server directory for config, error and log files
ServerRoot "/usr/local/apache"

# Server Options
Timeout 120
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# Prefork Server
StartServers        5
MinSpareServers      5
MaxSpareServers    10
MaxClients        150
MaxRequestsPerChild  0

# Ports Available
Listen 80
Listen 443

# Dynamic Shared Object (DSO) Support
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule security_module modules/mod_security.so
LoadModule php5_module modules/libphp5.so

# User/Group
User apache
Group apache

# Server Info
ServerAdmin root@localhost
ServerName 192.168.1.3

UseCanonicalName Off

<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 1 255
    SecFilterScanPOST On
    SecFilterDefaultAction "deny,log,status:403"

    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_log

#    SecFilterDebugLog /var/log/httpd/modsec_debug_log
#    SecFilterDebugLevel 4
   
    # Prevent OS-specific keywords
    SecFilter /etc/passwd

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Prevent XSS attacks (HTML/Javascript)
    SecFilter "<(.|\n)+>"

    # Prevent Nmap version scan
    SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\:)$"
</IfModule>

# Minimal permissions for any directory
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

DirectoryIndex index.html index.php

# Prevent files from being viewed
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

# Mime types information
TypesConfig conf/mime.types
DefaultType text/plain

AddType application/x-httpd-php .php
AddType application/x-httpd-php .inc
AddType application/x-httpd-php .class

#########################################
# Logging
#########################################
HostnameLookups Off

# Move ErrorLog every 24 hours
ErrorLog /var/log/httpd/error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/httpd/access_log common

LogFormat "%{Referer}i -> %U" referer
CustomLog /var/log/httpd/referer_log referer

# IP and user-agent for tracking purposes
LogFormat "%h \"%{User-agent}i\"" agent
CustomLog /var/log/httpd/agent_log agent

# Combined log that is rolled every 24 hours
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/httpd/combined_log combined

# Info given out should be minimal
ServerTokens Minimal
ServerSignature Off

# Disable the method TRACE
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# Default charset, prevents XSS
AddDefaultCharset ISO-8859-1

# Ugly but important hacks
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully

#######################
### VIRTUAL HOSTING ###
#######################

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.mysite.net
    ServerAlias mysite.net *.mysite.net
    DocumentRoot /web/mysitenet
   
    <Directory "/web/mysitenet">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mysite.com
    ServerAlias mysite.com *.mysite.com
    DocumentRoot /web/mysitecom

    <Directory "/web/mysitecom">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>


unSpawn 09-01-2004 05:16 PM

Quote:
I'm having issues with Apache's mod_security and I can't find the cause.

Please first set the proper logging options like "On" instead of RelevantOnly.

Quote:
First of all, I've been unable to find a URL on my site that causes one of the filters to block it

What exactly do you mean? You mean you weren't able to request a dir traversal?
Maybe you wanna try some basic rule from the examples/FAQ to verify it's in working order.

Quote:
and second, nothing is getting logged.

See above. If you need more logging then enable debug logging.
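
To go with the suggestion above to verify the filters with a known request, here is an added example (not part of the thread and not mod_security code) that works out offline which of the posted checks each test request should trip. It assumes Python's `re` is a close enough stand-in for mod_security's regex matching (case-sensitive here); the check names, `expected_hits` and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Patterns copied from the posted <IfModule mod_security.c> block.
# scope "any": SecFilter (request line, plus body since SecFilterScanPOST is On)
# scope "request": SecFilterSelective THE_REQUEST
FILTERS = [
    ("os-keyword", "any", r"/etc/passwd"),
    ("path-traversal", "any", r"\.\./"),
    ("html-tag", "any", r"<(.|\n)+>"),
    ("nmap-probe", "request", r"^(HELP|default|\||TNMP|DmdT|\:)$"),
]

def decode(raw):
    """URL-decode to one character per byte (form '+' becomes a space)."""
    return unquote_to_bytes(raw.replace("+", " ")).decode("latin-1")

def expected_hits(request_line, body=""):
    """Names of the checks that should reject this request, in config order."""
    hits = []
    raw = request_line + body
    # SecFilterCheckURLEncoding On: a '%' must be followed by two hex digits
    if re.search(r"%(?![0-9A-Fa-f]{2})", raw):
        hits.append("url-encoding")
    req, post = decode(request_line), decode(body)
    # SecFilterForceByteRange 1 255: a decoded NUL byte is out of range
    if any(not 1 <= ord(ch) <= 255 for ch in req + post):
        hits.append("byte-range")
    for name, scope, pattern in FILTERS:
        targets = [req] if scope == "request" else [req, post]
        if any(re.search(pattern, t) for t in targets):
            hits.append(name)
    return hits

# Constructed sample requests: (request line, POST body)
SAMPLES = [
    ("GET /index.php?page=news HTTP/1.1", ""),
    ("GET /index.php?file=../../etc/passwd HTTP/1.1", ""),
    ("POST /comment.php HTTP/1.1", "text=%3Cb%3Ehi%3C%2Fb%3E"),
    ("GET /a%zz HTTP/1.1", ""),
    ("GET /a%00b HTTP/1.1", ""),
    ("HELP", ""),
]

if __name__ == "__main__":
    for line, body in SAMPLES:
        print(f"{line!r:55} -> {expected_hits(line, body) or 'allowed'}")
```

Any request listed with a hit should come back as 403 from the server and leave an entry in /var/log/httpd/modsec_log; if it is served normally instead, the filter block is not being applied to that request.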

