LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 01-14-2008, 10:54 PM   #1
jrtayloriv
Member
 
Registered: Jun 2004
Location: Inland NW, US
Distribution: Ubuntu
Posts: 366
Blog Entries: 1

Rep: Reputation: 44
apache / mod_security: fixing false positives


I am using Apache with mod_security and I got the following error today when I was trying to edit my wiki:

Quote:
[Mon Jan 14 22:30:03 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\ \\\b|\\\\/etc\\\\/)" at ARGS:wpTextbox1. [id "950005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "localhost"] [uri "/mediawiki/index.php?title=Linux_Random_Number_Generator&action=submit"] [unique_id "PhhjkkClkldfnG4B11x3AdAAC"]
This is because I was trying to post text that contained a description of how to access something in /etc on the wiki page (hence the Remote file Access Attempt. Matched signature: </etc/>

I looked through the mod_security rules and found that this was the culprit:

Quote:
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \"capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',,id:'950005',severity:'2'"
I don't want to turn mod_security off, but i couldn't figure out how to go about fixing this from the documentation. I don't understand which part of this rule to modify to tell it to not apply it to anything mediawiki/*

Does anyone know how to turn this specific rule off just for the mediawiki portion of my site? That is, I want this rule to apply to every other portion of the site (where there will be no POST requests), except for on the wiki part.

Last edited by jrtayloriv; 01-14-2008 at 11:06 PM. Reason: clarification
 
Old 01-15-2008, 07:56 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Something like this:
Code:
<LocationMatch "/mediawiki/index.php.*">
SecFilterRemove 950005
</LocationMatch>
 
Old 01-26-2008, 10:51 PM   #3
jrtayloriv
Member
 
Registered: Jun 2004
Location: Inland NW, US
Distribution: Ubuntu
Posts: 366

Original Poster
Blog Entries: 1

Rep: Reputation: 44
Sorry I took so long to respond. I recently just moved into a new home, and have been dealing with all of that.

Thank you very much for your response. I was reading some other documents and they said to create a separate rules file in the mod_security rules folder called 15_custom_rules.conf. Is this correct? Should I put what you suggested into that file, or into one of the already existing files?

Thanks,
jrtayloriv
 
Old 03-01-2008, 04:03 PM   #4
diogot
LQ Newbie
 
Registered: Feb 2008
Distribution: Gentoo
Posts: 1

Rep: Reputation: 0
I am using mod_security 2.1.2 with modsecurity-core-rules_2.1-1.5.1.tar.gz.

I create a modsecurity_crs_99_custom_rules.conf file with this content:

Code:
 <LocationMatch "/mediawiki/index.php.*">
 SecRuleRemoveById 950005
 SecRuleRemoveById 950006
 </LocationMatch>
And the problem is solved!
 
  


Reply

Tags
apache, mediawiki, modsecurity


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache mod_security Setup Help? helptonewbie Linux - Security 9 12-20-2007 08:46 AM
apache mod_security module sachin1361 Linux - Enterprise 2 03-17-2007 04:51 PM
mod_security for apache zsoltrenyi Linux - Security 0 02-08-2005 06:36 AM
Apache mod_security logging everything? ridertech Linux - Security 2 08-13-2004 01:10 PM
Chkrootkit False Positives Sabicas Linux - Software 0 08-03-2004 12:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 08:18 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration