LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-18-2004, 05:19 PM   #1
ridertech
Member
 
Registered: Dec 2003
Location: Seattle, Washington
Distribution: Debian 'Sarge'
Posts: 85

Rep: Reputation: 15
mod_security


I'm having issues with Apache's mod_security and I can't find the cause. First of all, I've been unable to find a url on my site that causes one of the filters to block it and second, nothing is getting logged. I've confirmed that /var/log/httpd/modsec_log exists and its permissons are set to 644. Can someone please help? I've been troubleshooting this for days now.

Code:
# Server directory for config, error and log files
ServerRoot "/usr/local/apache"

# Server Options
Timeout 120
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# Prefork Server
StartServers         5
MinSpareServers      5
MaxSpareServers     10
MaxClients         150
MaxRequestsPerChild  0

# Ports Available
Listen 80
Listen 443

# Dynamic Shared Object (DSO) Support
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule security_module modules/mod_security.so
LoadModule php5_module modules/libphp5.so

# User/Group
User apache
Group apache

# Server Info
ServerAdmin root@localhost
ServerName 192.168.1.3

UseCanonicalName Off

<IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 1 255
    SecFilterScanPOST On
    SecFilterDefaultAction "deny,log,status:403"

    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_log

#    SecFilterDebugLog /var/log/httpd/modsec_debug_log
#    SecFilterDebugLevel 4
    
    # Prevent OS-specific keywords
    SecFilter /etc/passwd

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Prevent XSS attacks (HTML/Javascript)
    SecFilter "<(.|\n)+>"

    # Prevent Nmap version scan
    SecFilterSelective THE_REQUEST "^(HELP|default|\||TNMP|DmdT|\:)$"
</IfModule>

# Minimal permissions for any directory
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

DirectoryIndex index.html index.php

# Prevent files from being viewed
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

<Files ~ "\.inc$">
    Order allow,deny
    Deny from all
</Files>

# Mime types information
TypesConfig conf/mime.types
DefaultType text/plain

AddType application/x-httpd-php .php
AddType application/x-httpd-php .inc
AddType application/x-httpd-php .class

#########################################
# Logging
#########################################
HostnameLookups Off

# Move ErrorLog every 24 hours
ErrorLog /var/log/httpd//error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /var/log/httpd/access_log common

LogFormat "%{Referer}i -> %U" referer
CustomLog /var/log/httpd/referer_log referer

# IP and user-agent for tracking purposes
LogFormat "%h \"%{User-agent}i\"" agent
CustomLog /var/log/httpd/agent_log agent

# Combined log that is rolled every 24 hours
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
CustomLog /var/log/httpd/combined_log combined

# Info given out should be minimal
ServerTokens Minimal
ServerSignature Off

# Disable the method TRACE
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* [F]

# Default charset, prevents XSS
AddDefaultCharset ISO-8859-1

# Ugly but important hacks
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully

#######################
### VIRTUAL HOSTING ###
#######################

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.mysite.net
    ServerAlias mysite.net *.mysite.net
    DocumentRoot /web/mysitenet
    
    <Directory "/web/mysitenet">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mysite.com
    ServerAlias mysite.com *.mysite.com
    DocumentRoot /web/mysitecom

    <Directory "/web/mysitecom">
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
 
Old 09-01-2004, 05:16 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
I'm having issues with Apache's mod_security and I can't find the cause.
Please first set the proper logging options like "On" instead of RelevantOnly.

First of all, I've been unable to find a url on my site that causes one of the filters to block it
What do you exactly mean? You mean you werent able to request a dir traversal?
Maybe you wanna try some basic rule from the examples/FAQ to verify it's in working order.

and second, nothing is getting logged.
See above. If you need more logging then enable debug logging.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
mod_security kingtas Linux - Security 4 01-20-2008 04:53 PM
mod_security and fedora linchat Fedora 0 09-30-2005 09:34 PM
mod_security for apache zsoltrenyi Linux - Security 0 02-08-2005 06:36 AM
mod_security running? kingtas Linux - Newbie 0 01-23-2005 10:56 AM
Apache mod_security logging everything? ridertech Linux - Security 2 08-13-2004 01:10 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:20 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration