Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
SecRuleRemoveById 949110 into the modsecurity.conf file. But I think this is not a good solution.
No, that is probably not good. If I am reading that correctly, that rule calculates the total anomaly score generated by other rules, so that really disables your whole block by score setup.
You can look through the modsecurity debug logs (which must of course be enabled) to see every matched rule and try to identify the one that is triggering on the phpMyAdmin page. I think you can also set the anomaly threshold higher for specific contexts like phpMyAdmin, but I am not sure how that is done at the moment. Perhaps someone else can suggest a better method.
You are on the right track though - read the errors produced by modsecurity, compare the matched rules with the necessary request data, add/modify/delete as appropriate.
If debug logging is not enabled, enable it with the SecDebugLogLevel directive to see more messages for that request.
In the end, it really comes down to understanding your overall configuration and rules, then adjusting them to allow the desired access without opening additional holes. I know, that is obvious, but you will have to do it as no one else can see your environment.
Hi Astrogeek,
Yes, first this SecDebugLogLevel was commented out and is now enabled as SecDebugLogLevel 3. Next I removed the disabled rule and tried to capture more logs. Below is what I captured in the modsec folder for modsecurity.
Reading further into the logs, it says
Quote:
SQL Injection Attack Detected via libinjection"] [data "Matched Data: s1nc found within ARGS:token: vD8/#HM"1Dh#~C./"]
OK, so that lets you identify one (or more) rules which are contributing to the total score. Debug logging is always helpful.
Now you will need to decide for yourself how you want to adjust to allow phpMyAdmin (unfortunately there is no AllowPhpMyAdminToPass directive!).
Again, I think that you can change the score threshold per directory, which would be an easy method. Or you can enable/disable rules per directory.
I would suggest browsing the modsecurity and OWASP rules websites, and also use your search engine of choice to look for additional information.
I found this page, Apache 2.2 Disable modsecurity For a Specific Directory. Although it is focused on disabling modsecurity for a directory, it provides a quick overview of how to modify modsecurity behavior within Location and Directory contexts, which is the first part of what you want.
Hi Astrogeek,
I have been googling; mostly I found how to disable it per directory for Apache. I am looking for a solution for nginx and found this to be working now.
I should also mention that I am not very up to date on nginx, so my comments should be understood to have an apache bias where appropriate. Even so, I think modsecurity and directory/location syntax are very much similar - but adjust accordingly.
OK, I found this page, Anomaly Scoring Mode, on the Modsecurity website. Down page a little over half way...
Quote:
Now that we have the capability to do anomaly scoring, the next step is to set our thresholds. This is the score value at which, if the current transactional score is above, it will be denied. We have various different anomaly scoring thresholds to set for both specific vulnerability types and generic requests/response levels.
There is a lot to read there but I think this should include basically what you want.
Using a Location/Directory block as discussed in previous posts, you now need to set an appropriate, different threshold such as (not tested, just an example pulled from that page).
Code:
setvar:tx.sql_injection_score_threshold=25
So the idea would be that in the phpMyAdmin directory context you reset the threshold for sql injection rules higher than for default locations. I will have to again leave it to you to work out the exact syntax needed by your setup.
By the way, I agree with scasey - you need to make phpMyAdmin inaccessible to non-authorized users, by obscurity and by authentication other than just the phpMyAdmin login. It is a high value target for assorted spammer/scammers and other sub-human life forms.
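An added worked example (not from this thread, and not code from the ModSecurity or OWASP CRS projects) that ties astrogeek's two suggestions together: parse the `[id "..."] [msg "..."] [data "..."]` fields ModSecurity writes to its log lines, total the anomaly score per transaction to see which rules pushed it over the threshold, and then draft either a targeted exclusion scoped to the phpMyAdmin path or the per-path threshold change discussed above. It assumes CRS 3 naming (949110 as the blocking-evaluation rule, 942100 as the libinjection SQLi rule, `tx.inbound_anomaly_score_threshold` rather than the CRS 2 `tx.sql_injection_score_threshold` quoted from the older docs). The log lines, the rule ids 10000/10100 and the `/phpmyadmin/` prefix are constructed for the example, not taken from the OP's server.

```python
"""Triage ModSecurity log lines and draft a path-scoped CRS exclusion.

Added example for this thread, not code from ModSecurity or the OWASP CRS.
Assumes CRS 3 conventions: anomaly scoring, 949110 = blocking evaluation,
942100 = libinjection SQLi rule, severity scores CRITICAL=5 ERROR=4
WARNING=3 NOTICE=2. Log lines below are constructed (fingerprints and
unique_ids are placeholders), not the OP's real log.
"""
import re
from collections import defaultdict

SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
BLOCKING_EVAL_RULE = "949110"  # reports the total; adds no score of its own

SAMPLE_LOG = [
    # tx-a: phpMyAdmin login, the CSRF token tripped libinjection (false positive)
    'ModSecurity: Warning. detected SQLi using libinjection [id "942100"] '
    '[msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: s1nc found within ARGS:token: vD8/#HM"1Dh#~C./"] '
    '[severity "CRITICAL"] [uri "/phpmyadmin/index.php"] [unique_id "tx-a"]',
    'ModSecurity: Access denied with code 403 (phase 2). [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[severity "CRITICAL"] [uri "/phpmyadmin/index.php"] [unique_id "tx-a"]',
    # tx-b: a real injection attempt elsewhere; must stay blocked
    'ModSecurity: Warning. detected SQLi using libinjection [id "942100"] '
    '[msg "SQL Injection Attack Detected via libinjection"] '
    '[data "Matched Data: 1&1o1 found within ARGS:id: 1 OR 1=1"] '
    '[severity "CRITICAL"] [uri "/shop/item.php"] [unique_id "tx-b"]',
    'ModSecurity: Access denied with code 403 (phase 2). [id "949110"] '
    '[msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] '
    '[severity "CRITICAL"] [uri "/shop/item.php"] [unique_id "tx-b"]',
]

# [key "value"] fields; a value ends at '"]' followed by ' [' or end of line,
# so an unescaped quote inside [data "..."] does not cut the field short.
FIELD_RE = re.compile(r'\[(\w+) "(.*?)"\](?= \[|$)')
# CRS data fields read "Matched Data: <fp> found within ARGS:token: <value>"
VARIABLE_RE = re.compile(r"found within (\S+?): ")


def parse_line(line):
    """Return the bracketed fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def matched_variable(data):
    """Variable named in a data field, e.g. 'ARGS:token'; None if absent."""
    m = VARIABLE_RE.search(data or "")
    return m.group(1) if m else None


def score_transactions(lines):
    """Group rule hits by unique_id and total the anomaly score per transaction."""
    tx = defaultdict(lambda: {"uri": None, "hits": [], "total": 0, "blocked": False})
    for line in lines:
        f = parse_line(line)
        t = tx[f["unique_id"]]
        t["uri"] = f.get("uri")
        if f["id"] == BLOCKING_EVAL_RULE:
            t["blocked"] = True
            continue
        score = SEVERITY_SCORE.get(f.get("severity"), 0)
        t["total"] += score
        t["hits"].append({"id": f["id"], "score": score,
                          "variable": matched_variable(f.get("data"))})
    return dict(tx)


def exclusion_rule(uri_prefix, rule_id, variable, exclusion_id):
    """Exclude one variable from one rule, only under uri_prefix.

    Load it before the rule set (CRS 3: REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf).
    Unlike SecRuleRemoveById 949110 it leaves anomaly blocking intact.
    """
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,'
            f'ctl:ruleRemoveTargetById={rule_id};{variable}"')


def threshold_rule(uri_prefix, threshold, exclusion_id):
    """Alternative: raise the inbound threshold under uri_prefix only (CRS 3 name;
    CRS 2 used tx.sql_injection_score_threshold / tx.inbound_anomaly_score_level)."""
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" '
            f'"id:{exclusion_id},phase:1,pass,nolog,'
            f'setvar:tx.inbound_anomaly_score_threshold={threshold}"')


def propose_exclusions(lines, uri_prefix, first_id=10000):
    """Draft one targeted exclusion per hit in blocked transactions under uri_prefix."""
    rules = []
    for t in score_transactions(lines).values():
        if not t["blocked"] or not (t["uri"] or "").startswith(uri_prefix):
            continue
        for hit in t["hits"]:
            if hit["variable"]:
                rules.append(exclusion_rule(uri_prefix, hit["id"],
                                            hit["variable"], first_id + len(rules)))
    return rules


if __name__ == "__main__":
    for uid, t in score_transactions(SAMPLE_LOG).items():
        print(uid, t["uri"], "score", t["total"], "blocked" if t["blocked"] else "passed")
    for rule in propose_exclusions(SAMPLE_LOG, "/phpmyadmin/"):
        print(rule)
    print(threshold_rule("/phpmyadmin/", 25, 10100))
```

The targeted exclusion is the better of the two: it tells 942100 to ignore only the token field under /phpmyadmin/, while every other rule, and every other path (tx-b above stays blocked), keeps scoring as before. Raising the threshold for the whole directory lets any request there accumulate up to 24 points unblocked, which is a lot of room for a high-value target. Either way, put the rule in a file loaded before the CRS rules, reload nginx, and confirm in the log that the phpMyAdmin login now passes without a 949110 line.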
I don't know from nginx, but want to add these suggestions:
Don't name the phpmyadmin directory phpmyadmin -- use some other completely unrelated name
Require a web server login to access the directory.
Yes, has nothing to do with your question, but both will help prevent hacking until you figure out how to adjust the scores.
Hi Scasey,
1. Yes, I always rename it to something unrelated, but at times some directories inside still have names containing phpmyadmin. Normally I download and unzip and upload the folder to /var/www/html.
2. I have never tried your web server login before; I will try it and read about it.
Hi Astrogeek,
I am taking both your suggestion and scasey's, and I will go through the links and be back to update you guys soon on how to do it on nginx so that someone else could benefit too.
Hi Scasey,
I have already restricted the directory, but the weird part is that when I try to access http://myip/phpmyadmin it prompts for a user name and password, but when I type http://myip/phpmyadmin/index.php it goes in directly.
Once you’ve logged in you won’t need to log in again until you’ve closed all instances of your browser...assuming you didn’t save the login on your browser, of course.
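A second added example (not from the thread, and not nginx code). The behaviour in the post above, where /phpmyadmin prompts but /phpmyadmin/index.php does not, also appears whenever auth_basic sits on a plain prefix location while a separate `location ~ \.php$` block hands PHP files to PHP-FPM: nginx's regex locations take precedence over an unmodified prefix match, so the .php request never enters the block that carries the password. The Python model below reproduces nginx's location selection order (exact `=` first, then the longest matching prefix, which is final only with `^~`, then regex locations in config order, otherwise that prefix) and runs both URLs from the thread through a constructed config of that shape and through the fix. Whether the OP's config looks like this is an assumption; the cached browser credentials scasey describes are the other usual cause.

```python
"""Model nginx location selection to show where auth_basic does (not) apply.

Added example for this thread, not nginx code. The two configs are
constructed; the selection order follows the nginx "location" docs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    modifier: str     # "", "=", "^~", "~" (regex), "~*" (case-insensitive regex)
    pattern: str
    auth_basic: bool  # True if the block carries auth_basic/auth_basic_user_file


def select_location(locations, uri):
    """Return the location block nginx would serve uri from (None if no match)."""
    for loc in locations:                        # 1. exact "=" match wins outright
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    longest = None                               # 2. longest matching prefix
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if longest is None or len(loc.pattern) > len(longest.pattern):
                longest = loc
    if longest is not None and longest.modifier == "^~":
        return longest                           #    "^~" skips the regex search
    for loc in locations:                        # 3. first matching regex, in order
        if loc.modifier == "~" and re.search(loc.pattern, uri):
            return loc
        if loc.modifier == "~*" and re.search(loc.pattern, uri, re.IGNORECASE):
            return loc
    return longest                               # 4. otherwise the prefix match


def requires_auth(locations, uri):
    """True if the selected block (and so this request) is behind auth_basic."""
    loc = select_location(locations, uri)
    return loc is not None and loc.auth_basic


# Constructed "weak" config: password on the phpMyAdmin prefix, but every
# *.php is routed by a separate regex block that has no auth_basic.
WEAK = [
    Location("", "/", False),
    Location("", "/phpmyadmin", True),
    Location("~", r"\.php$", False),
]

# Fix: "^~" makes the prefix block final, so phpMyAdmin URLs never reach the
# regex block. The PHP handoff then has to be repeated inside that block
# (a nested "location ~ \.php$" with the same fastcgi_* lines); auth_basic
# is inherited by the nested location.
FIXED = [
    Location("", "/", False),
    Location("^~", "/phpmyadmin", True),
    Location("~", r"\.php$", False),
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        for uri in ("/phpmyadmin", "/phpmyadmin/index.php", "/index.php"):
            loc = select_location(cfg, uri)
            print(f"{name:5} {uri:25} -> {loc.modifier!r:5} {loc.pattern:12} "
                  f"auth={requires_auth(cfg, uri)}")
```

Check the live server the same way: `curl -I http://myip/phpmyadmin/index.php` from a shell (no cached credentials) should return 401 before any PHP runs; a 200 means the .php request is being served by a block without auth_basic.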