Re: New installation woes
Dimitri Yioulos <dyioulos <at> firstbhph.com>
2009-07-02 15:38:16 GMT
On Thursday 02 July 2009 11:14:39 am you wrote:
> On Thu, Jul 2, 2009 at 11:02 AM, Dimitri Yioulos <dyioulos <at> firstbhph.com> wrote:
> > LoadModule security2_module modules/mod_security2.so
> > LoadFile /usr/lib/libxml2.so
> > LoadFile /usr/lib/liblua.so.5.0
> >
> > The LoadModule directive is all on one line.
>
> Do you have an include statement, as in
> "include conf/modsecurity/*.conf" ?
>
> --
> Walt Williams, CISSP, SSCP
> Ergo inimicus vobis factus sum, verum dicens vobis?

Ah, some light! Just before your reply arrived, I saw a post that referred to "include conf/modsecurity/*.conf". My httpd.conf still had the old "Include conf.d/*.conf" (conf.d is where the old "modsecurity.conf" lived. I incorrectly thought that copying "modsecurity_example.conf" to "conf.d/modsecurity.conf", with appropriate changes, would work). When I changed the httpd.conf directive to "Include conf.d/modsecurity/*.conf", I got the following in /var/log/httpd/error_log:

[Thu Jul 02 11:17:59 2009] [error] [client 192.168.101.55] ModSecurity: Access denied with code 404 (phase 2). Pattern match "(?: \\b(?:m(?:ozilla\\/4\\.0 \\(compatible\\)|etis)| webtrends security analyzer|pmafind)\\b| n(?:-stealth|sauditor|essus|ikto)| b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s| webinspect|\\.nasl)" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_35_bad_robots.conf"] [line "19"] [id "990002"] [msg "Request Indicates a Security Scanner Scanned the Site"] [severity "CRITICAL"] [tag "AUTOMATION/SECURITY_SCANNER"] [hostname "www.firstbhph.com"] [uri "/robots.txt"] [unique_id "i5OTBMCoAQMAAFn8lyMAAAAC"]

Excellent! Thank you for pointing that out, nonetheless.

It gets better. As well, I changed ownership on /var/log/mlogc to apache, and now all logging is working, as is modsecurity console.

I do have another question that I hope you'll be kind enough to help me with. I'd like to whitelist my own network, as I'm getting the following:

[Thu Jul 02 11:30:13 2009] [error] [client 192.168.100.74] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.1.3"] [uri "/rci/rci_command_7288.txt"] [unique_id "t0keNMCoAQMAAFn7leIAAAAB"]
[Thu Jul 02 11:30:13 2009] [error] [client 192.168.100.74] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.1.3"] [uri "/rci/rci_command_7288.txt"] [unique_id "t0keNMCoAQMAAFn7leIAAAAB"]

It's obviously important that our own requests not be blocked.

Dimitri

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
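One way to answer the whitelisting question in the post above, as an added example that is not part of this thread and not shipped ModSecurity or Core Rule Set configuration. It assumes ModSecurity 2.x rule syntax, that the internal clients live in 192.168.100.0/24 and 192.168.101.0/24 (the client addresses visible in the log lines), and that the snippet is saved in a file of your choosing under the directory matched by "Include conf.d/modsecurity/*.conf"; the rule ids and the file name are placeholders chosen for the example.

```apache
# Added example (not from the thread). Assumed local file, e.g.
# /etc/httpd/conf.d/modsecurity/modsecurity_crs_00_local_whitelist.conf,
# named so that the Include glob loads it before the CRS files.
# The address ranges below are assumptions taken from the log lines in the
# post; replace them with your own internal networks.

# Option 1 (preferred): keep inspecting internal traffic, but stop the one
# rule that is firing here, id 960017 ("Host header is a numeric IP address"),
# from applying to requests that come from the internal ranges.
# phase:1 runs before the CRS phase:2 rule, so the ctl action takes effect
# for this transaction before 960017 is evaluated. id 1000001 is a
# placeholder local rule id.
SecRule REMOTE_ADDR "^192\.168\.(100|101)\.\d{1,3}$" \
    "phase:1,pass,nolog,id:1000001,ctl:ruleRemoveById=960017"

# Option 2 (broad): disable the rule engine entirely for the internal ranges.
# Requests from these hosts are then neither blocked nor audit-logged, so a
# compromised internal machine becomes invisible to ModSecurity; use this
# only if Option 1 is not enough. id 1000002 is a placeholder local rule id.
#SecRule REMOTE_ADDR "^192\.168\.(100|101)\.\d{1,3}$" \
#    "phase:1,allow,nolog,id:1000002,ctl:ruleEngine=Off"
```

Rule 960017 fires because the clients send a bare IP address (192.168.1.3 in the log) in the Host header; pointing the internal clients at the server's hostname instead removes the trigger without any ModSecurity change, and after either edit a `service httpd configtest` (or `apachectl -t`) catches syntax errors before the restart.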