Old 03-15-2014, 04:59 AM   #1
Highjo

modsecurity seems to have broken apache2 reverse proxy ubuntu server 12.04

This is the first time I have run into an issue like this one. I have a Java application sitting behind Apache2 using `mod_ajp on 8009`. I noticed that I could not get the client's IP, so I created another virtual host file and switched to `mod_jk`. I then disabled the virtual host using `mod_ajp`. So my `mod_jk` had been working fine until I started the security hardening from thefanclub; I applied the method shown on notpad2.blogpost.com and I was still fine. This morning I saw these entries in the modsecu_audit.log file:

Code:
    Action: Intercepted (phase 1)
    Stopwatch: 1394809780952048 3090 (- - -)
    Stopwatch2: 1394809780952048 3090; combined=812, p1=492, p2=0, p3=0, p4=0, p5=253, sr=143, sw=67, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
    Server: Apache
    WebApp-Info: "default" "C35A8A3AB916218E923E5A8E6A73595B" ""

    --81b0e75f-Z--

In the virtual host error.log I have the errors below:

Code:
    [Thu Mar 13 11:18:43 2014] [error] [client xxx.xxx.xxx.xxx] client denied by server configuration: 
    [Thu Mar 13 11:18:44 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "220"] [id "960020"] [rev "2.2.5"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "RULE_MATURITY/5"] [tag "RULE_ACCURACY/7"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960020"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"] [hostname "mysite.com"] [uri "/"] [unique_id "UyGUFAqzjt0AADfWBbEAAAAA"]
    [Thu Mar 13 11:23:52 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mysite.com"] [uri "/"] [unique_id "UyGVSAqzjt0AADfWBbIAAAAH"]

In the main Apache error.log I have:

Code:
    [Fri Mar 14 15:07:11 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "mysite.com"] [uri "/"] [unique_id "UyMbH8QokBEAAH5mFvgAAAAB"]
    [Fri Mar 14 15:09:35 2014] [notice] SIGUSR1 received.  Doing graceful restart
    [Fri Mar 14 15:09:36 2014] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 mod_jk/1.2.32 configured -- resuming normal operations
    [Fri Mar 14 15:09:40 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "mysite.com"] [uri "/"] [unique_id "UyMbtMQokBEAAH7dJ3sAAACB"]

I have disabled modsecurity, but it now shows the default index page "It works". I have even reactivated the known working virtual host using `mod_ajp`, and none of them seem to be working anymore.

I understand that the page is blocked, etc., but I can't figure out why the reverse proxy would stop working.

  • Question 1: is this a known issue or a misconfiguration?
  • Question 2: how do I get the virtual host back up? A quick fix would be removing modsecurity (even though I do not see the correlation).

All suggestions are welcome. Thanks
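The three ModSecurity denials quoted in this post all use the same `[key "value"]` tag format, so the rule IDs can be pulled out of an Apache error.log and counted before deciding whether a rule is a false positive for a proxied Java application. This is an added example, not code from the thread; its sample lines are constructed to match the post's log entries (client IPs masked).

```python
"""Parse ModSecurity 2.x 'Access denied' entries out of an Apache error.log
and tally them by rule ID, so you can see which CRS rules are blocking a
reverse-proxied application before deciding how to tune them."""
import re
from collections import Counter

# Constructed sample, modelled on the entries quoted in the post (client IPs masked).
SAMPLE_LOG = """\
[Thu Mar 13 11:18:43 2014] [error] [client xxx.xxx.xxx.xxx] client denied by server configuration:
[Thu Mar 13 11:18:44 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "220"] [id "960020"] [rev "2.2.5"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [hostname "mysite.com"] [uri "/"] [unique_id "UyGUFAqzjt0AADfWBbEAAAAA"]
[Thu Mar 13 11:23:52 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [hostname "mysite.com"] [uri "/"] [unique_id "UyGVSAqzjt0AADfWBbIAAAAH"]
[Fri Mar 14 15:07:11 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "mysite.com"] [uri "/"] [unique_id "UyMbH8QokBEAAH5mFvgAAAAB"]
[Fri Mar 14 15:09:40 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash" required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data Changed - IP Address Mismatch."] [hostname "mysite.com"] [uri "/"] [unique_id "UyMbtMQokBEAAH7dJ3sAAACB"]
"""

# The denial prefix carries the HTTP status, the phase and the operator that fired.
DENIED_RE = re.compile(r"ModSecurity: Access denied with code (\d+) \(phase (\d+)\)\. (.*?) \[file ")
# Every remaining detail is a bracketed [key "value"] tag (file, line, id, msg, uri, ...).
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_modsec_line(line):
    """Return a dict for a ModSecurity denial, or None for any other log line."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    entry = {"code": int(m.group(1)), "phase": int(m.group(2)), "reason": m.group(3)}
    for key, value in TAG_RE.findall(line):
        entry.setdefault(key, value)  # keep the first of repeated keys such as "tag"
    return entry

def tally_by_rule(log_text):
    """Count denials per rule ID and remember file, phase and msg for each rule."""
    counts, details = Counter(), {}
    for line in log_text.splitlines():
        e = parse_modsec_line(line)
        if e and "id" in e:
            counts[e["id"]] += 1
            details.setdefault(e["id"], (e.get("file"), e["phase"], e.get("msg")))
    return counts, details

if __name__ == "__main__":
    counts, details = tally_by_rule(SAMPLE_LOG)
    for rule_id, n in counts.most_common():
        path, phase, msg = details[rule_id]
        print(f"{n:3d}x rule {rule_id} (phase {phase}) {msg}\n     in {path}")
```

Pointing `tally_by_rule` at a real error.log gives the rule IDs and CRS files to look at; a rule that fires on every legitimate request from the proxied application is a tuning candidate, while one that fires rarely may be a real anomaly worth keeping.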
 
Old 04-06-2014, 10:43 PM   #2
sag47
Like any kind of security firewall, it will only allow what you tell it to. I think your first destination should be the modsecurity reference manual to learn how to configure it.
 
Old 04-12-2014, 05:29 AM   #3
Highjo
Original Poster
Hello, thanks.

It's definitely a mod_security issue. I will have a look at the reference.