From fbsd at 1command.com Sun Jul 2 20:22:26 2006
From: fbsd at 1command.com (Chris H.)
Date: Sun, 02 Jul 2006 17:22:26 -0700
Subject: [Modsecurity] (GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH) - How to prevent?
Message-ID: <20060702172226.48mmtjkb48s04ows@webmail.1command.com>

Greetings,

I'm attempting to prevent the following request methods by selected IPs:

GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH

How can this be done?

I already have the following for matching the IPs:

SecFilterSelective REMOTE_ADDR "^(nnn.nn.nnn.nnn|nnn.nn.nn.nn|nn.nnn.mmm.nnn)$" \
    "action(s)"

Thank you for all your time and consideration.

--
panic: kernel trap (ignored)
-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////

From: mike at gotroot.com (Michael Shinn)
Date: Mon, 03 Jul 2006 09:23:44 -0400
Subject: [Modsecurity] (GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH) - How to prevent?
In-Reply-To: <20060702172226.48mmtjkb48s04ows@webmail.1command.com>
References: <20060702172226.48mmtjkb48s04ows@webmail.1command.com>
Message-ID: <1151933024.3419.3.camel@localhost.localdomain>

On Sun, 2006-07-02 at 17:22 -0700, Chris H. wrote:
> Greetings,
> I'm attempting to prevent the following request methods by selected IPs
> GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH
>
> How can this be done?
>
> I already have the following for matching the IPs:
> SecFilterSelective REMOTE_ADDR
> "^(nnn.nn.nnn.nnn|nnn.nn.nn.nn|nn.nnn.mmm.nnn)$" \
> "action(s)"

It sounds like what you might want is a chain. You can link rules
together by adding chain as the action for the rule. Example:

SecFilter foo chain
SecFilter bar

So in your case, something like this should work (YMMV, please test first):

SecFilterSelective REMOTE_ADDR "^(nnn.nn.nnn.nnn|nnn.nn.nn.nn|nn.nnn.mmm.nnn)$" chain
SecFilterSelective REQUEST_METHOD "(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH)" "actions"

> Thank you for all your time and consideration.
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity

--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

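Michael's answer above relies on the ModSecurity 1.x chain mechanism. The following Python is an added illustration by the editor, not code from the thread or from ModSecurity: it simulates how a chained pair of SecFilterSelective rules is evaluated (the rule flagged "chain" gates the rule after it, and the final rule's action fires only when every link matched) over a few constructed requests. It uses REQUEST_METHOD, the 1.x name for the request-method variable, documentation IP addresses, and a plain "deny"/"allow" decision standing in for whatever actions a real rule carries. What it adds beyond the thread is the effect of anchoring the REMOTE_ADDR pattern: left unanchored, a listed address also matches any longer address that begins with it.

```python
import re
from dataclasses import dataclass

# Simulation of ModSecurity 1.x SecFilterSelective chain evaluation.
# Constructed example; not ModSecurity's own code. Variable names follow
# the 1.x directive (REMOTE_ADDR, REQUEST_METHOD); IPs are RFC 5737 addresses.

@dataclass
class Rule:
    variable: str         # REMOTE_ADDR or REQUEST_METHOD
    pattern: str          # the quoted regex from the directive
    actions: tuple = ()   # e.g. ("chain",) or ("deny", "log", "status:403")

@dataclass
class Request:
    remote_addr: str
    method: str

VARIABLES = {
    "REMOTE_ADDR": lambda r: r.remote_addr,
    "REQUEST_METHOD": lambda r: r.method,
}

def rule_matches(rule: Rule, req: Request) -> bool:
    # The regex is applied to the selected variable as a search, so it only
    # constrains the whole value when the pattern itself is anchored.
    value = VARIABLES[rule.variable](req)
    return re.search(rule.pattern, value) is not None

def evaluate(rules: list, req: Request) -> str:
    """Return 'deny' or 'allow' for req.

    Chain semantics as described in the thread: a rule whose actions include
    "chain" contributes no action of its own; it merely gates the rule that
    follows. The last rule's action fires only when every link matched, and a
    non-matching link skips the rest of that chain.
    """
    i = 0
    while i < len(rules):
        j = i
        while j < len(rules) - 1 and "chain" in rules[j].actions:
            j += 1                      # extend the chain to the next rule
        chain = rules[i:j + 1]
        if all(rule_matches(r, req) for r in chain) and "deny" in chain[-1].actions:
            return "deny"
        i = j + 1
    return "allow"

METHODS = r"^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH)$"

# Unanchored address list with unescaped dots, as a first attempt often looks.
LOOSE = [
    Rule("REMOTE_ADDR", r"(192.0.2.10|198.51.100.7)", ("chain",)),
    Rule("REQUEST_METHOD", METHODS, ("deny", "log", "status:403")),
]
# Anchored and dot-escaped: matches exactly the listed addresses.
STRICT = [
    Rule("REMOTE_ADDR", r"^(192\.0\.2\.10|198\.51\.100\.7)$", ("chain",)),
    Rule("REQUEST_METHOD", METHODS, ("deny", "log", "status:403")),
]

# Constructed requests.
SAMPLE = [
    Request("192.0.2.10", "GET"),     # listed address, listed method
    Request("192.0.2.10", "TRACE"),   # listed address, method not in the list
    Request("203.0.113.5", "POST"),   # address not listed
    Request("192.0.2.100", "GET"),    # longer address sharing the listed prefix
]

def decisions(rules: list) -> list:
    return [evaluate(rules, r) for r in SAMPLE]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("strict", STRICT)):
        print(name, decisions(rules))
```

Only the fourth request separates the two rulesets: the unanchored pattern denies 192.0.2.100 because it contains 192.0.2.10, while the anchored one lets it through. The same anchoring applies to any single-address REMOTE_ADDR filter.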
From: jknight at oceansuit.com (Jeffrey Knight)
Date: Tue, 04 Jul 2006 01:09:06 -0400
Subject: [Modsecurity] ModSecurity 2.0: First Build
Message-ID: <44A9F7F2.3070803@oceansuit.com>

I'm installing ModSecurity 2.0 from source for the first time. An
out-of-the-box "make" failed for me in a couple of places: I first had to
get pcre-devel (pcre.h was missing; I got it with an up2date pcre-devel),
then I had to change the default Makefile to:

-------Makefile--------------
....
top_dir = /usr/lib/httpd
...
INCLUDES = -I . -I /usr/include/pcre
....
---------------------------------

I see that the pcre dependency is hinted at in
modsecurity-apache-reference_2.0.0-rc-2.rtf page 5, but I'd hate to see
new 2.0 users be turned off by a couple of errors on the make.

Thanks for all the hard work on 2.0.

-Jeff

--
Jeffrey Knight
www.oceansuit.com
Phone: 646-236-3051
Toll Free: 877-623-2678

From: admin at refugeez.net (Janak)
Date: Tue, 4 Jul 2006 19:24:09 -0400
Subject: [Modsecurity] TorrentFlux and Mod_Security ..
Message-ID: <2ef337100607041624u71b604eqf34a9372aa704a37@mail.gmail.com>

Anyone using TorrentFlux (http://www.torrentflux.com/) and mod_security
know how to add an exception in mod_security for TorrentFlux? I am using
these rules for mod_security:
http://www.gotroot.com/tiki-index.php?page=mod_security+rules
Right now with these rules it just says connecting to peers; it sees the
tracker but does not download anything. If I turn off mod_security
everything works fine. But I'd like to have mod_security on for security
purposes.

thnx

From: mike at gotroot.com (Michael Shinn)
Date: Tue, 04 Jul 2006 21:25:32 -0400
Subject: [Modsecurity] TorrentFlux and Mod_Security ..
In-Reply-To: <2ef337100607041624u71b604eqf34a9372aa704a37@mail.gmail.com>
References: <2ef337100607041624u71b604eqf34a9372aa704a37@mail.gmail.com>
Message-ID: <1152062732.3503.0.camel@localhost.localdomain>

What do you see in your audit_log file?

On Tue, 2006-07-04 at 19:24 -0400, Janak wrote:
> Anyone using TorrentFlux (http://www.torrentflux.com/) and mod_security
> know how to add an exception in mod_security for TorrentFlux?
> I am using these rules for mod_security:
> http://www.gotroot.com/tiki-index.php?page=mod_security+rules
> Right now with these rules it just says connecting to peers; it sees the
> tracker but does not download anything. If I turn off mod_security
> everything works fine. But I'd like to have mod_security on for security
> purposes.
>
> thnx

--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86

Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com

From: fbsd at 1command.com (Chris H.)
Date: Wed, 05 Jul 2006 03:11:58 -0700
Subject: [Modsecurity] (GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH) - How to prevent?
In-Reply-To: <1151933024.3419.3.camel@localhost.localdomain>
References: <20060702172226.48mmtjkb48s04ows@webmail.1command.com>
 <1151933024.3419.3.camel@localhost.localdomain>
Message-ID: <20060705031158.6iptg6y2lcocw4ck@webmail.1command.com>

Hello, and thank you for your response...

Quoting Michael Shinn:

> On Sun, 2006-07-02 at 17:22 -0700, Chris H. wrote:
>> Greetings,
>> I'm attempting to prevent the following request methods by selected IPs
>> GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH
>>
>> How can this be done?
>>
>> I already have the following for matching the IPs:
>> SecFilterSelective REMOTE_ADDR
>> "^(nnn.nn.nnn.nnn|nnn.nn.nn.nn|nn.nnn.mmm.nnn)$" \
>> "action(s)"
>
> It sounds like what you might want is a chain.

Indeed. I was sure of that but wasn't sure of how to best implement it.

> You can link rules
> together by adding chain as the action for the rule. Example:
>
> SecFilter foo chain
> SecFilter bar
>
> So in your case, something like this should work (YMMV, please test
> first):
>
> SecFilterSelective REMOTE_ADDR "^(nnn.nn.nnn.nnn|nnn.nn.nn.nn|nn.nnn.mmm.nnn)$" chain
> SecFilterSelective REQUEST_METHOD "(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH)" "actions"

Thanks. I'll try it.

I felt the immediate need to try something and ended up doing this:

SecFilterSelective REQUEST_METHOD \
    "^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS|SEARCH)$" \
    chain
SecFilterSelective REMOTE_ADDR "^(list|of|bad|ips|here)$" \
    "deny,log,exec:/bin/echo Sorry this method is not permitted by your host"

Which returns the following in the log:

========================================
UNIQUE_ID: RKtFjNix8yIAAKYSFEU
Request: bad.ip.number.here - - [04/Jul/2006:21:52:29 -0700] "HEAD / HTTP/1.1" 403 0
Handler: server-parsed
----------------------------------------
HEAD / HTTP/1.1
Connection: close
Host: my.domain.here
Referer: http://www.offending.domain/
User-Agent: Mozilla/4.0 (compatible; blah blah blah)
mod_security-executed: /bin/echo Sorry this method is not permitted by your host
mod_security-message: Access denied with code 403. Pattern match "^(long|list|of|naughty|ips|here)$" at REMOTE_ADDR.
mod_security-action: 403

So it at least takes action. But what I _really_ hope to achieve here is
to _completely_ block their request, and _only_ return the message. In
other words, _prevent_ the server from returning _anything_ but the message
supplied by /bin/echo. Will your suggestion achieve this for me?

Thanks again for your response.

--Chris

--
panic: kernel trap (ignored)
-----------------------------------------------------------------
FreeBSD 5.4-RELEASE-p12 (SMP - 900x2) Tue Mar 7 19:37:23 PST 2006
/////////////////////////////////////////////////////////////////

From: lerra82 at gmail.com (Lezgin Bakircioglu)
Date: Mon, 10 Jul 2006 20:55:34 +0200
Subject: [Modsecurity] Problem with robots.txt with header pattern matching "^$"
Message-ID: <44B2A2A6.90105@gmail.com>

Hi everybody, I have a problem with a rule that's denying webcrawlers from
indexing my pages.
I am using Debian 3.1 stable with apache2 and the modsecurity package from
the Debian repository with the gotroot rules.
Now, I have used modsecurity for 6 months now, so I am still kind of new
to it.
I can't find the rule that is blocking the header pattern matching "^$".
Anybody that can help me? I have my mailbox in the modsecurity list from
2006-02 but nothing.

Anyway, how is it going with the 2.0 version? :)

========================================
Request: 209.237.238.224 - - [13/Apr/2006:17:37:08 +0200] "GET /robots.txt HTTP/1.0" 500 68
Handler: (null)
----------------------------------------
GET /robots.txt HTTP/1.0
Connection: close
Host: www.xxx.com
User-Agent: 
From: 
mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER
mod_security-action: 500

HTTP/1.0 500 Internal Server Error
Last-Modified: Wed, 05 Apr 2006 23:13:03 GMT
ETag: "1a8cc78-44-410b72a627dc0"
Accept-Ranges: bytes
Content-Length: 68
Connection: close
Content-Type: text/html

From: bernd at ak-47.at (Bernd Essl)
Date: Mon, 10 Jul 2006 21:12:42 +0200
Subject: [Modsecurity] Problem with robots.txt with header pattern matching "^$"
In-Reply-To: <44B2A2A6.90105@gmail.com>
References: <44B2A2A6.90105@gmail.com>
Message-ID: <1152558762.5354.7.camel@kungfoo>

On Mon, 2006-07-10 at 20:55 +0200, Lezgin Bakircioglu wrote:
> Hi everybody, I have a problem with a rule that's denying webcrawlers from
> indexing my pages.
> I am using Debian 3.1 stable with apache2 and the modsecurity package from
> the Debian repository with the gotroot rules.
> Now, I have used modsecurity for 6 months now, so I am still kind of new
> to it.
> I can't find the rule that is blocking the header pattern matching "^$".
> Anybody that can help me? I have my mailbox in the modsecurity list from
> 2006-02 but nothing.

I'm searching for rules like this:

# rgrep '\^\$' /etc/modsec/*

(you should use your ruleset-folder path).

I think the rule is to block proxy servers, but not sure.

regards
bernd

> Anyway, how is it going with the 2.0 version? :)
>
> ========================================
> Request: 209.237.238.224 - - [13/Apr/2006:17:37:08 +0200] "GET /robots.txt HTTP/1.0" 500 68
> Handler: (null)
> ----------------------------------------
> GET /robots.txt HTTP/1.0
> Connection: close
> Host: www.xxx.com
> User-Agent: 
> From: 
> mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER
> mod_security-action: 500
>
> HTTP/1.0 500 Internal Server Error
> Last-Modified: Wed, 05 Apr 2006 23:13:03 GMT
> ETag: "1a8cc78-44-410b72a627dc0"
> Accept-Ranges: bytes
> Content-Length: 68
> Connection: close
> Content-Type: text/html

--
Bernd Essl
Key ID: 0x6867B899
Fingerprint: DAF6 DC26 6FE3 E29D 765B 5CDC ED99 FF68 6867 B899
lynx -source http://ak-47.at/files/pgp/bernd.asc | gpg --import

From: wk at diskspace4you.com (Blackstorm)
Date: Wed, 12 Jul 2006 14:51:03 +0200
Subject: [Modsecurity] Problem Joomla mod_security
Message-ID: <000501c6a5b1$d79505a0$e1c80a0a@network>

Hello, I am a newbie in mod_security and have the following problem.

I have installed a CentOS 4.3 box with Mod Security version 1.9.4 and all
rules from Gotroot.com. When I log in to the Joomla admin, click on Global
Configuration and save the changes, the following error occurs:

Forbidden - You do not have permission to access this document.

When I look in the audit.log file, the following entry is shown. I have
changed the domain and IP in the following entry.

==b46a2106==============================
Request: www.domain.com 80.30.172.10 - - [12/Jul/2006:14:19:48 +0200] "POST /administrator/index2.php HTTP/1.1" 403 962 "https://www.domain.com/administrator/index2.php?option=com_config&hidemainmenu=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4" - "-"
----------------------------------------
POST /administrator/index2.php HTTP/1.1
Host: www.domain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://www.domain.com/administrator/index2.php?option=com_config&hidemainmenu=1
Cookie: 0bf476054166d391db703895d14a54fd=28a7189c5b880b4ca60093d4405d953f; virtuemart=cc0f88d9888d0caed5969b8c9b2d767b; __utma=213567489.108317749.1152681911.1152681911.1152681911.1; __utmc=213567489; __utmz=213567489.1152681911.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); dced49c144572773182058bbee80370c=f0e383bbea97449d128adf8237d345fc; PHPSESSID=b2c1200b3e049f8f86454841ffd94794; locale=de-DE; psaContext=server
Authorization: Basic aGR3b2w6QmxhU2Noa2U=
Content-Type: application/x-www-form-urlencoded
Content-Length: 2718
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"]

2718
config_offline=0&config_offline_message=Diese+Seite+ist+wegen+eines+Updates+kurzzeitig+nicht+erreichbar.%3Cbr+%2F%3E+Bitte+probieren+sie+in+k%FCrze+noch+einmal.+&config_error_message=This+site+is+temporarily+unavailable.%3Cbr+%2F%3E+Please+notify+the+System+Administrator+admin%40domain.com&config_sitename=Domains+und+Webspace+um+nur+3%2C99+Euro%2FMonat%2C+Webhosting%2C+Webspace%2C+Domains%2C+Domainregistrierungen%2C+Speicherplatz%2C+Gratis+Gaestebuch&config_shownoauth=0&config_allowUserRegistration=1&config_useractivation=0&config_uniquemail=1&config_frontend_login=1&config_frontend_userparams=1&config_debug=0&config_editor=htmlarea3_xtd-c&config_list_limit=10&config_favicon=&config_lang=germani&config_offset_user=1&config_locale=germani&config_link_titles=0&config_readmore=0&config_vote=0&config_hideAuthor=1&config_hideCreateDate=1&config_hideModifyDate=1&config_hits=1&config_hidePdf=1&config_hidePrint=1&config_hideEmail=1&config_icons=1&config_multipage_toc=1&config_back_button=0&config_item_navigation=1&config_ml_support=0&config_host=localhost&config_user=domain&config_db=domain&config_dbprefix=mos_&config_gzip=0&config_lifetime=900&config_session_life_admin=1800&config_admin_expired=1&config_session_type=0&config_error_reporting=-1&config_helpurl=&filePermsMode=1&config_fileperms=0644&filePermsUserRead=1&filePermsUserWrite=1&filePermsGroupRead=1&filePermsWorldRead=1&dirPermsMode=1&config_dirperms=0755&dirPermsUserRead=1&dirPermsUserWrite=1&dirPermsUserSearch=1&dirPermsGroupRead=1&dirPermsGroupSearch=1&dirPermsWorldRead=1&dirPermsWorldSearch=1&config_MetaDesc=Domains+und+Webspace+um+nur+3%2C99+Euro%2FMonat%2C+Domain%2C+Domains%2C+Domainregistrierung%2C+Webhosting%2C+Domainregistrierungen%2C+Webspace%2C+Speicherplatz%2C+Provider%2C+Domainpaket%2C+Gratis+Counter%2C+Gratis+Gaestebuch&config_MetaKeys=domains%2C+domain%2C+domainregistrierung%2C+webhosting%2C+domainregistrierungen%2C+speicherplatz%2C+webspace%2C+webhosting%2C+provider%2C+domainpaket%2C+webseiten%2C+programmierung%2C+design%2C+webdesign&config_MetaTitle=1&config_MetaAuthor=1&config_mailer=mail&config_mailfrom=office%40domain.com&config_fromname=Domain&config_sendmail=%2Fusr%2Fsbin%2Fsendmail&config_smtpauth=0&config_smtpuser=&config_smtppass=&config_smtphost=localhost&config_caching=0&config_cachepath=%2Fvar%2Fwww%2Fvhosts%2Fdomain.com%2Fhttpdocs%2Fcache&config_cachetime=900&config_enable_stats=0&config_enable_log_items=0&config_enable_log_searches=0&config_sef=1&config_pagetitles=1&option=com_config&config_absolute_path=%2Fvar%2Fwww%2Fvhosts%2Fdomain.com%2Fhttpdocs&config_live_site=http%3A%2F%2Fwww.domain.com&config_secret=TYteIbPtQ78ejtYX&task=apply

HTTP/1.1 403 Forbidden
Last-Modified: Mon, 20 Mar 2006 20:21:14 GMT
ETag: "44d041-3c2-e675a280"
Accept-Ranges: bytes
Content-Length: 962
Connection: close
Content-Type: text/html
--b46a2106--

Best Regards
Blackstorm

From: etharp at earthlink.net (ET)
Date: Mon, 17 Jul 2006 18:23:21 -0400
Subject: [Modsecurity] do you know why I get this hit?
Message-ID: <44BC0DD9.4080601@earthlink.net>

Do you know why I get this hit? From IP 200.208.159.132 and
http://europa-eu-un.org:80/articles/el/article_2128_el.htm?

A computer at IP 200.208.159.132 (of course I 'whois' it) is hitting my
home (personal) webserver, and leaves a log entry;

200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST /javascript:void();? HTTP/1.1" 500 2668

The "POST /javascript:void();?" caught my attention, and the fact it gets
caught by modsecurity for "^$". Then I got to noticing I have had an
unusual number of hits where newlang=greek shows up just lately. As I read
further up in the logs I notice this page as a referer:
http://europa-eu-un.org:80/articles/el/article_2128_el.htm?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is from my access log;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
host156-94-static.34-85-b.business.telecomitalia.it - - [17/Jul/2006:10:12:34 -0400] "GET /index.php?newlang=greek HTTP/1.0" 200 30998
host156-94-static.34-85-b.business.telecomitalia.it - - [17/Jul/2006:10:12:34 -0400] "GET /index.php?newlang=greek HTTP/1.0" 200 30998 "http://europa-eu-un.org:80/articles/el/article_2128_el.htm?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
host156-94-static.34-85-b.business.telecomitalia.it - - [17/Jul/2006:10:12:34 -0400] "GET /index.php?newlang=greek HTTP/1.0" 200 30998 "http://europa-eu-un.org:80/articles/el/article_2128_el.htm?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is also from my access log;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST /javascript:void();? HTTP/1.1" 500 2668
200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST /javascript:void();? HTTP/1.1" 500 2668 "http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
200.208.159.132 - - [17/Jul/2006:10:14:00 -0400] "POST /javascript:void();? HTTP/1.1" 500 2668 "http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
200.208.159.132 - - [17/Jul/2006:10:14:10 -0400] "GET /index.php?newlang=greek HTTP/1.1" 200 30998
200.208.159.132 - - [17/Jul/2006:10:14:10 -0400] "GET /index.php?newlang=greek HTTP/1.1" 200 30998 "http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
200.208.159.132 - - [17/Jul/2006:10:14:10 -0400] "GET /index.php?newlang=greek HTTP/1.1" 200 30998 "http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
200.208.159.132 - - [17/Jul/2006:10:14:28 -0400] "POST /javascript:void();? HTTP/1.1" 506 2668
200.208.159.132 - - [17/Jul/2006:10:14:28 -0400] "POST /javascript:void();? HTTP/1.1" 506 2668 "http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
200.208.159.132 - - [17/Jul/2006:10:14:28 -0400] "POST /javascript:void();? HTTP/1.1" 506 2668 "http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
this is from the mod security log (audit_log)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
========================================
Request: 200.208.159.132 - - [17/Jul/2006:10:14:01 --0400] "POST /javascript:void();? HTTP/1.1" 500 2668
Handler: type-map
----------------------------------------
POST /javascript:void();? HTTP/1.1
Via: 1.0 BRMAO2SRVISA02
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: ed-tharp.is-a-geek.org:80
Referer: http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek
Connection: Keep-Alive
mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER
mod_security-action: 506

28
[POST payload not available]

HTTP/1.1 500 Internal Server Error
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Vary: accept-language, accept-charset

========================================
Request: 200.208.159.132 - - [17/Jul/2006:10:14:28 --0400] "POST /javascript:void();? HTTP/1.1" 500 2668
Handler: type-map
----------------------------------------
POST /javascript:void();? HTTP/1.1
Via: 1.0 BRMAO2SRVISA02
Content-type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: ed-tharp.is-a-geek.org:80
Referer: http://ed-tharp.is-a-geek.org:80/index.php?newlang=greek
Connection: Keep-Alive
mod_security-message: Access denied with code 500. Pattern match "^$" at HEADER
mod_security-action: 506

28
[POST payload not available]

HTTP/1.1 500 Internal Server Error
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Vary: accept-language, accept-charset
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
reg. Linux User 167806
webhome http://ed-tharp.is-a-geek.org

From: etharp at earthlink.net (ET)
Date: Mon, 17 Jul 2006 18:38:27 -0400
Subject: [Modsecurity] relay of question from Mandriva lists...
Message-ID: <44BC1163.4060006@earthlink.net>

Using ML 2006.0 Community. I've got apache-mod_security installed, and have
just installed apache-tools, which includes the blacklist tool. I know
there's supposed to be a way to get mod_security to use the blacklist tool,
so that when someone triggers one of its rules you can have it pass a
command to that, which will in turn stick the IP address into iptables for
a time. I can't seem to find the right bit of documentation to show me how
to configure mod_security to use it. Anyone know?

############

after further discussion about the security risks of having the user Apache
runs as having access to root functions... like writing to the firewall...

Noticed SecFilterDefaultAction. Looks like I can edit that....

# Action to take by default
SecFilterDefaultAction "deny,log,status:500,exec:'/var/www/cgi-bin/blacklist.cgi REMOTE_ADDR 3600'"

I'll give that a try and see if it works. According to the documentation on
the modsecurity.org website:

"You can have one binary executed per filter match. Execution will add the
header mod_security-executed to the list of request headers."

So I guess the next time someone hits my server with one of the things which
trigger a rule hit, I'll look for that entry and check to see if the IP
address in question got itself blocked. Maybe this will work yet.

############

any further thoughts?

--
reg. Linux User 167806
webhome http://ed-tharp.is-a-geek.org

From: quien-sabe at metaorg.com (Who Knows)
Date: Wed, 19 Jul 2006 07:30:30 -0700
Subject: [Modsecurity] PNphpBB2 rule fix
Message-ID: <44BE4206.5030108@metaorg.com>

Attempting to email a link to a friend in PNphpBB2, the following error is
generated:

==4ef6f40a==============================
Request: www.aidant.net 67.135.233.237 - - [19/Jul/2006:07:09:43 --0700] "GET /index.php?name=PNphpBB2&file=http://www.aidant.net/index&name=PNphpBB2&file=viewtopic&t=4 HTTP/1.1" 406 382 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060614 Fedora/1.5.0.4-1.2.fc5 Firefox/1.5.0.4 pango-text" - "-"
----------------------------------------
GET /index.php?name=PNphpBB2&file=http://www.aidant.net/index&name=PNphpBB2&file=viewtopic&t=4 HTTP/1.1
Host: www.aidant.net
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060614 Fedora/1.5.0.4-1.2.fc5 Firefox/1.5.0.4 pango-text
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: pnphpbb2mysql_data=a%3A1%3A%7Bs%3A6%3A%22userid%22%3Bs%3A1%3A%224%22%3B%7D; POSTNUKESID=0012264c999d035237289bec299e408e; pnphpbb2mysql_sid=e75f1de11e611e1360f393782a00fa94; pnphpbb2mysql_t=a%3A1%3A%7Bi%3A4%3Bi%3A1153316928%3B%7D
mod_security-action: 406
mod_security-message: Access denied with code 406. Pattern match "\\.php(3|4|5)?(\\?|&).*=(ht|f)tps?:/.*(\\?|&)" at REQUEST_URI [id "300018"] [rev "1"] [msg "Generic PHP code injection protection"] [severity "CRITICAL"]

HTTP/1.1 406 Not Acceptable
Content-Length: 382
Connection: close
Content-Type: text/html; charset=iso-8859-1
--4ef6f40a--

I was unable to create a local exclusion that would work, but the following
patch to rules.conf did the trick.

--- rules.orig 2006-07-19 07:21:46.000000000 -0700
+++ rules.conf 2006-07-19 07:25:35.000000000 -0700
@@ -176,7 +176,7 @@
 #really broad furl_fopen attack sig
 #tune this for your system
 #MTS
-SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-server/adjs)" "chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection protection'"
+SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/gallery/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-server/adjs|PNphpBB2&file=http)" "chain,id:300018,rev:1,severity:2,msg:'Generic PHP code injection protection'"
 SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)"
 #Genenric PHP body attack

From: etharp at earthlink.net (ET)
Date: Thu, 27 Jul 2006 06:43:22 -0400
Subject: [Modsecurity] Please more N00B advice
Message-ID: <44C898CA.1070603@earthlink.net>

I want to block IP from "50.68.232.72.reverse.layeredtech.com"

I would be happy with

SecFilterSelective REMOTE_ADDR 50\.68\.232\.72

in badips.conf if it worked. I would also be happy blocking layeredtech.com.

Where should I put it, what should it say, and where should I have looked to
find the answer?

--
reg. Linux User 167806
webhome http://ed-tharp.is-a-geek.org
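Review bot: In the rules.conf hunk above, the added exclusion "PNphpBB2&file=http" is an unanchored substring inside the negated first rule of chain 300018, so any request whose URI contains it skips the chain entirely, whatever host follows "http"; that includes a "file=" value pointing somewhere other than www.aidant.net, which is exactly the remote-URL case the second rule of the chain ("\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/.*(\?|&)") exists to catch. The audit record shows the legitimate request carries the site's own URL ("file=http://www.aidant.net/index"), so the exclusion can be narrowed to that value, for instance "PNphpBB2&file=http://www\.aidant\.net/", which keeps rule 300018 active for every other "file=http" value on this path. Separately, the change is made in the shared rules.conf rather than a local file, so it will be overwritten by the next ruleset update; a comment line above the modified rule noting the local edit would at least make that visible.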