Old 01-14-2008, 10:54 PM   #1
apache / mod_security: fixing false positives

I am using Apache with mod_security and I got the following error today when I was trying to edit my wiki:

[Mon Jan 14 22:30:03 2008] [error] [client] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\ \\\b|\\\\/etc\\\\/)" at ARGS:wpTextbox1. [id "950005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "localhost"] [uri "/mediawiki/index.php?title=Linux_Random_Number_Generator&action=submit"] [unique_id "PhhjkkClkldfnG4B11x3AdAAC"]
This is because I was trying to post text that contained a description of how to access something in /etc on the wiki page (hence the Remote File Access Attempt. Matched signature: </etc/>).

I looked through the mod_security rules and found that this was the culprit:

# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
        "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',,id:'950005',severity:'2'"
I don't want to turn mod_security off, but I couldn't figure out how to go about fixing this from the documentation. I don't understand which part of this rule to modify to tell it to not apply it to anything mediawiki/*

Does anyone know how to turn this specific rule off just for the mediawiki portion of my site? That is, I want this rule to apply to every other portion of the site (where there will be no POST requests), except for on the wiki part.

Last edited by jrtayloriv; 01-14-2008 at 11:06 PM. Reason: clarification
Old 01-15-2008, 07:56 AM   #2
Something like this:
<LocationMatch "/mediawiki/index.php.*">
SecFilterRemove 950005
</LocationMatch>
Old 01-26-2008, 10:51 PM   #3
Sorry I took so long to respond. I recently just moved into a new home, and have been dealing with all of that.

Thank you very much for your response. I was reading some other documents and they said to create a separate rules file in the mod_security rules folder called 15_custom_rules.conf. Is this correct? Should I put what you suggested into that file, or into one of the already existing files?

Old 03-01-2008, 04:03 PM   #4
I am using mod_security 2.1.2 with modsecurity-core-rules_2.1-1.5.1.tar.gz.

I created a modsecurity_crs_99_custom_rules.conf file with this content:

<LocationMatch "/mediawiki/index.php.*">
SecRuleRemoveById 950005
SecRuleRemoveById 950006
</LocationMatch>
And the problem is solved!
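
Before scoping an exclusion like the one in posts #2 and #4, it helps to tally denials by rule id, URI path and matched variable to see how narrow the exclusion can be. The script below is an added example, not part of the thread: the log lines are constructed after the entry in the first post, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines modelled on the error-log entry in the first post
# (pattern text shortened, hostname and unique_id fields omitted).
_DENY = ('[Mon Jan 14 22:30:03 2008] [error] [client] ModSecurity: Access denied '
         'with code 501 (phase 2). Pattern match "\\/etc\\/" at %s. [id "%s"] '
         '[msg "Remote File Access Attempt. Matched signature </etc/>"] '
         '[severity "CRITICAL"] [uri "%s"]')
SAMPLE_LOG = [
    _DENY % ("ARGS:wpTextbox1", "950005",
             "/mediawiki/index.php?title=Linux_Random_Number_Generator&action=submit"),
    _DENY % ("ARGS:wpTextbox1", "950005", "/mediawiki/index.php?title=Sandbox&action=submit"),
    _DENY % ("ARGS:file", "950005", "/download.php?file=notes"),
    "[Mon Jan 14 22:31:10 2008] [error] [client] File does not exist: /var/www/favicon.ico",
]

VAR_RE = re.compile(r'" at ([A-Z_]+(?::\S+?)?)\. \[')   # e.g. ARGS:wpTextbox1
ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')


def parse_denial(line):
    """Return (rule_id, path, variable) for a ModSecurity denial, else None."""
    if "ModSecurity: Access denied" not in line:
        return None
    var, rid, uri = VAR_RE.search(line), ID_RE.search(line), URI_RE.search(line)
    if not (var and rid and uri):
        return None
    # Drop the query string: exclusions are scoped by path, not by page title.
    return rid.group(1), urlsplit(uri.group(1)).path, var.group(1)


def summarize(lines):
    """Count denials per (rule_id, path, variable)."""
    return Counter(hit for hit in map(parse_denial, lines) if hit)


if __name__ == "__main__":
    for (rid, path, var), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  rule {rid}  {path}  {var}")
```

In the constructed sample both wiki hits fall on one path and one argument, which is the scope the LocationMatch exclusion covers, while the third hit shows the rule still firing on another path.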

