I'm having issues with Apache's mod_security and I can't find the cause. First of all, I've been unable to find a url on my site that causes one of the filters to block it and second, nothing is getting logged. I've confirmed that /var/log/httpd/modsec_log exists and its permissions are set to 644. Can someone please help? I've been troubleshooting this for days now.
Code:
# Server directory for config, error and log files
ServerRoot "/usr/local/apache"
# Server Options
Timeout 120
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
# Prefork Server
StartServers 5
MinSpareServers 5
MaxSpareServers 10
MaxClients 150
MaxRequestsPerChild 0
# Ports Available
Listen 80
Listen 443
# Dynamic Shared Object (DSO) Support
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule security_module modules/mod_security.so
LoadModule php5_module modules/libphp5.so
# User/Group
User apache
Group apache
# Server Info
ServerAdmin root@localhost
ServerName 192.168.1.3
UseCanonicalName Off
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modsec_log
# SecFilterDebugLog /var/log/httpd/modsec_debug_log
# SecFilterDebugLevel 4
# Prevent OS-specific keywords
SecFilter /etc/passwd
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Prevent XSS attacks (HTML/Javascript)
SecFilter "<(.|\n)+>"
# Prevent Nmap version scan
SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\:)$"
</IfModule>
# Minimal permissions for any directory
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
DirectoryIndex index.html index.php
# Prevent files from being viewed
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
# Mime types information
TypesConfig conf/mime.types
DefaultType text/plain
AddType application/x-httpd-php .php
AddType application/x-httpd-php .inc
AddType application/x-httpd-php .class
#########################################
# Logging
#########################################
HostnameLookups Off
# Move ErrorLog every 24 hours
ErrorLog /var/log/httpd/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/httpd/access_log common
LogFormat "%{Referer}i -> %U" referer
CustomLog /var/log/httpd/referer_log referer
# IP and user-agent for tracking purposes
LogFormat "%h \"%{User-agent}i\"" agent
CustomLog /var/log/httpd/agent_log agent
# Combined log that is rolled every 24 hours
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/httpd/combined_log combined
# Info given out should be minimal
ServerTokens Minimal
ServerSignature Off
# Disable the method TRACE
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# Default charset, prevents XSS
AddDefaultCharset ISO-8859-1
# Ugly but important hacks
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
#######################
### VIRTUAL HOSTING ###
#######################
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.mysite.net
ServerAlias mysite.net *.mysite.net
DocumentRoot /web/mysitenet
<Directory "/web/mysitenet">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName www.mysite.com
ServerAlias mysite.com *.mysite.com
DocumentRoot /web/mysitecom
<Directory "/web/mysitecom">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Quote:
I'm having issues with Apache's mod_security and I can't find the cause.
Please first set the proper logging options like "On" instead of RelevantOnly.
Quote:
First of all, I've been unable to find a url on my site that causes one of the filters to block it
What exactly do you mean? You mean you weren't able to request a dir traversal?
Maybe you wanna try some basic rule from the examples/FAQ to verify it's in working order.
Quote:
and second, nothing is getting logged.
See above. If you need more logging then enable debug logging.
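One way to run the check suggested in the reply above, as an added example that is not part of the original thread: it sends one request per SecFilter in the posted config, reports whether each came back 403, and then looks at whether the audit log grew. The base URL argument, the probe strings and the function names are assumptions; the probes sit in the query string because browsers and curl collapse "../" in the path before the request is sent.

```shell
#!/usr/bin/env bash
# Added example: confirm each SecFilter from the posted config fires.
# Usage (assumed): ./modsec_check.sh http://192.168.1.3   (your own server only)

AUDIT_LOG=/var/log/httpd/modsec_log   # SecAuditLog path from the posted config

# HTTP status code for one URL; body discarded. "000" means no connection.
status_of() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Size of the audit log in bytes, 0 if it cannot be read.
log_size() {
    { wc -c < "$AUDIT_LOG"; } 2>/dev/null || echo 0
}

# label|path and query|expectation (block = 403, allow = anything but 403)
# Constructed probes, one per filter; %3C / %3E are URL-encoded < and >.
PROBES='baseline|/|allow
etc-passwd|/?file=/etc/passwd|block
traversal|/?file=../x|block
markup|/?q=%3Cb%3Ex%3C/b%3E|block'

# Run every probe against base URL $1; return the number of mismatches.
run_probes() {
    local base=$1 failures=0 label path want got
    while IFS='|' read -r label path want; do
        got=$(status_of "${base}${path}")
        if { [ "$want" = block ] && [ "$got" = 403 ]; } ||
           { [ "$want" = allow ] && [ "$got" != 403 ] && [ "$got" != 000 ]; }; then
            echo "ok    $label (status $got)"
        else
            echo "FAIL  $label: wanted $want, got status $got"
            failures=$((failures + 1))
        fi
    done <<EOF
$PROBES
EOF
    return "$failures"
}

if [ -n "${1:-}" ]; then
    before=$(log_size)
    run_probes "$1" || echo "some filters did not behave as expected"
    after=$(log_size)
    if [ "$after" -gt "$before" ]; then
        echo "audit log grew by $((after - before)) bytes"
    else
        echo "audit log unchanged: check SecAuditEngine and restart Apache"
    fi
fi
```

If every probe returns 200, the filters are not being applied to the virtual host at all, which is a different problem from the logging one.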