Apache + Mod_Security Problem :(

nex89

New Member
Hello,

I have just installed mod_security on my vServer with Apache2 (or at least tried to...).

I followed this HowTo:
http://www.isp-control.net/documentation/doku.php?id=howto:security:mod_security_on_debian


I did everything as described in the HowTo up to step 10. In step 11 I am supposed to change SecDebugLog and SecAuditLog in the file "/etc/modsecurity2/modsecurity_crs_10_config.conf".
However, I cannot find either of these entries there?


But it should also work without those two settings, I think... somehow I believe something is missing from the HowTo?



(cat /var/log/apache2/error.log | grep ModSecurity also outputs nothing at all...)
 
Without an entry for SecAuditLog nothing can be logged; how is modsec supposed to know where to log? ;)

Code:
SecAuditLogType Serial
SecAuditLog /var/log/apache2/audit.log
SecAuditLogParts "ABIHZ"

SecDebugLog             /var/log/apache2/modsec_debug.log
SecDebugLogLevel        0


Adjust to taste... ;)
 

Thanks, but where does that go?
 
In modsecurity_crs_10_config.conf; in mine it is under "# Log files structure" and "# Whether to send ModSecurity messages to a separate debug log."

;)
 
Thanks! Mine looks like this:

Code:
server:/etc/modsecurity2# cat modsecurity_crs_10_config.conf
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


## -- Configuration ----------------------------------------------------------
#
# Specify CRS version in the audit logs.
#
SecComponentSignature "core ruleset/2.0.5"

#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"

# You most likely already have a base ModSecurity configuration.  The data
# presented in this file should work in conjunction with your configs.
# There are also some references to some directive settings that you will
# want to double check.

#
# -=[ Paranoid Mode ]=-
#
# There are many different transactional variables that can be inspected for
# attacks.  Some variables, such as ARGS, has the best false negative/false
# positive ratio where it will catch the vast majority of attack payloads and
# not have a high false positive rate.  This is also true for some security
# checks such as @validateByteRange checks where we are initially only inspecting
# for Nul Bytes.
#
# There are, however, some possibilities for false negative issues with inspecting
# parsed data and this could lead to missed attacks.  If you
# want to lessen the chances for false negatives, then you should enable 
# "Paranoid Mode" processing by setting the following line to 1.  This will process
# additional rules that are inspecting variables with a higher false positive rate.
#
SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"


#
# -=[ Anomaly Scoring Threshold Levels ]=-
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators.  If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score to the proper threshold you would prefer. If set to "5" 
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match.  If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "20".  This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"


# 
# -=[ Anomaly Scoring Severity Levels ]=-
#
# These are the default scoring points for each severity level.  You may 
# adjust these to you liking.  These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
#    - 2: Critical - Anomaly Score of 20.
#         Is the highest severity level possible without correlation.  It is
#         normally generated by the web attack rules (40 level files).
#    - 3: Error - Anomaly Score of 15.
#         Is generated mostly from outbound leakage rules (50 level files).
#    - 4: Warning - Anomaly Score of 10.
#         Is generated by malicious client rules (35 level files).
#    - 5: Notice - Anomaly Score of 5.
#         Is generated by the Protocol policy and anomaly files.
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:tx.critical_anomaly_score=20, \
setvar:tx.error_anomaly_score=15, \
setvar:tx.warning_anomaly_score=10, \
setvar:tx.notice_anomaly_score=5" 


#
# -=[ HTTP Policy Settings ]=-
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.  
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives.  Uncomment the items you wish to set.
# 
## Maximum number of arguments in request limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"

## Limit argument name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100"

## Limit value name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"

## Limit arguments total length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"

## Individual file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"

## Combined file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"


# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.  
# If you run into false positves, you can adjust the settings here.
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .htr .htw .ida .idc .idq .inc .ini .key .licx .lnk .log .mdb .old .pass .pdb .pol .printer .pwd .resources .resx .sql .sys .vb .vbs .vbproj .vsdisco .webinfo .xsd .xsx', \
setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"

# 
#
# -=[ Blocking Action ]=-
# What to do when the anomaly score threshold is exceeded. 
#
# The default is to log the error and let the request go through.
# This is a reasonable setting to start with because you do not
# want to reject legitimate requests with an untuned rule set.
#
# The following line's settings will be inherited by rules that
# do blocking in the 49 inbound and 59 outbound blocking files.
#
# Change to a disruptive action such as deny, drop or redirect if you
# want to block the transaction.
#
SecDefaultAction "phase:2,pass"


#
# Review your SecRuleEngine settings.  If you want to 
# allow blocking, then set it to On however check your SecDefaultAction setting
# to ensure that it is set appropriately.
#
SecRuleEngine On

server:/etc/modsecurity2#


I have now extended the file with the following:

SecDataDir /etc/modsecurity2/logs

SecDebugLog /etc/modsecurity2/logs/modsec_debug.log
SecDebugLogLevel 5

SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /etc/modsecurity2/logs/modsec_audit.log


modsec_debug.log now says this:
Code:
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising transaction (txid S3wot1jGtk0AAEjUCqkAAAAA).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Adding request argument (QUERY_STRING): name "page", value "/etc/passwd"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transaction context created (dcfg 16b8708).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_HEADERS.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] PdfProtect: Not enabled here.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Second phase starting (dcfg 16b8708).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Input filter: This request does not have a body.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #1: 393
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase REQUEST_BODY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e0090; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "45"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e0090: SecRule "REQBODY_PROCESSOR_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against REQBODY_PROCESSOR_ERROR.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 9 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17daac0; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "64"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17daac0: SecRule "MULTIPART_STRICT_ERROR" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart request body failed strict validation: PE %{REQBODY_PROCESSOR_ERROR}, BQ %{MULTIPART_BOUNDARY_QUOTED}, BW %{MULTIPART_BOUNDARY_WHITESPACE}, DB %{MULTIPART_DATA_BEFORE}, DA %{MULTIPART_DATA_AFTER}, HF %{MULTIPART_HEADER_FOLDING}, LF %{MULTIPART_LF_LINE}, SM %{MULTIPART_SEMICOLON_MISSING}, IQ %{MULTIPART_INVALID_QUOTING}, IH %{MULTIPART_INVALID_HEADER_FOLDING}, IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_STRICT_ERROR.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 1 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e2708; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "68"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e2708: SecRule "MULTIPART_UNMATCHED_BOUNDARY" "!@eq 0" "phase:2,auditlog,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Transformation completed in 0 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Executing operator "!eq" with param "0" against MULTIPART_UNMATCHED_BOUNDARY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Operator completed in 2 usec.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Recipe: Invoking rule 17e31b8; [file "/etc/modsecurity2/modsecurity-minimal.conf"] [line "76"].
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][5] Rule 17e31b8: SecRule "TX:/^MSC_/" "!@streq 0" "phase:2,log,auditlog,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Rule returned 0.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Time #2: 629
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding PDF XSS protection output filter (r 184d3f8).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Hook insert_filter: Adding output filter (r 184d3f8).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_HEADERS.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Response body buffering is not enabled.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Completed receiving response body (non-buffering).
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase RESPONSE_BODY.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Output filter: Output forwarding complete.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Initialising logging.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Starting phase LOGGING.
[17/Feb/2010:18:34:47 +0100] [meine-seite.de/sid#1826408][rid#184d3f8][/phpinfo.php][4] Audit log: Ignoring a non-relevant request.


Which leaves me wondering:

0) Is it really running correctly now? (I can hardly believe it)
1) Why were the settings missing from my file? It was downloaded directly from modsecurity.org. Did I do something wrong?
2) Why doesn't it output an error or anything? I called phpinfo like this: phpinfo.php?page=/etc/passwd


Many thanks!
 
Seems to be running. Have a look at the audit.log file; there you will find more detailed information about logged/blocked requests, including the IDs of the rules that were triggered. Whether there is an error message or not depends on the triggered rule; with the IDs you can find it and adjust it if needed, and of course you can also create your own rules.

All the information about the rules is in the (very good) documentation at http://www.modsecurity.org ; the mailing list ( https://lists.sourceforge.net/lists/listinfo/mod-security-users ) is also recommended.

Why that wasn't in the HowTo I can't tell you, I'm not the author...^^

;)
 
MOD: Full quote removed.

Hello, thanks a lot. I only had the minimal config file, and the audit log logged nothing there because a request such as index.php?page=/etc/passwd did not violate any rule. Now I have also put the CoreRules into the config directory, and the audit log now logs as well:
Code:
--22d16a0d-A--
[18/Feb/2010:15:21:31 +0100] S31M61jGtk0AADs7DCwAAAAA 79.196.44.234 57725 88.198.182.77 80
--22d16a0d-B--
GET /index.php?page=/etc/passwd HTTP/1.1
Host: meine-seite.de
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; de-de) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: de-de
Accept-Encoding: gzip, deflate
Connection: keep-alive
 
--22d16a0d-F--
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 567
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
 
--22d16a0d-E--
 
--22d16a0d-H--
Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity2/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/modsecurity2/modsecurity_crs_30_http_policy.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]
Message: Pattern match "\/etc\/" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "220"] [id "958700"] [rev "2.0.5"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
Message: Pattern match "\/etc\/" at REQUEST_URI. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "243"] [id "958710"] [rev "2.0.5"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]
Message: Pattern match "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "86"] [id "900011"] [msg "Detects specific directory and path traversal"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Pattern match "(?:etc\/\W*passwd)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "131"] [id "900012"] [msg "Detects etc/passwd inclusion attempts"] [data "etc/passwd"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]
Message: Operator GE matched 0 at TX:anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=, XSS=): 900012-Detects etc/passwd inclusion attempts"]
Message: Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10, SQLi=, XSS=): 900012-Detects etc/passwd inclusion attempts"]
Apache-Handler: fcgid-script
Stopwatch: 1266502891824070 26192 (853 7567 -)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g
 
--22d16a0d-Z--


However, I wonder: if calling index.php?page=/etc/passwd violates so many rules, why does it look to the user as if nothing happened? It simply opens index.php normally instead of returning an error page... is that normal?

But if you look at the audit log output, everything should be working, right? So can I just leave it like this?
 
Giving the user an error message is not always desirable (no message also gives an attacker no information from which he might draw conclusions), and whether there is such feedback to the user always depends, as I said, on the triggered rules. If you want such feedback, you have to change the corresponding rule or create a new one.
To be safe, check in modsecurity_crs_10_config.conf whether "SecRuleEngine" is set to "On" (and not "DetectionOnly"); if it is, Mod Security is fully active.

;)
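The audit log posted above and the scoring model described in the comments of the posted modsecurity_crs_10_config.conf, as an added example that is not part of the thread and not ModSecurity's or the Core Rule Set's own code: a small Python triage script that splits a serial audit log into transactions, pulls rule id, message and severity out of each part-H "Message:" line, adds up an anomaly score using the severity-to-score table from that config (CRITICAL 20, ERROR 15, WARNING 10, NOTICE 5, inbound threshold 20), and reports what the configured SecDefaultAction would do at that score. The sample log is constructed (placeholder IPs, hostname and transaction ids); the scoring is a reconstruction of the model from the config comments, not a replica of how the CRS rules themselves increment tx.anomaly_score, so its totals will not equal the "Total Score" the CRS reports.

```python
import re
from collections import defaultdict

# Severity-to-score table and inbound threshold as set in the posted
# modsecurity_crs_10_config.conf (tx.*_anomaly_score, tx.inbound_anomaly_score_level).
SEVERITY_SCORES = {"CRITICAL": 20, "ERROR": 15, "WARNING": 10, "NOTICE": 5}
INBOUND_THRESHOLD = 20

# Serial audit log: every part of a transaction starts with '--<txid>-<part>--'.
PART_MARKER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# '[key "value"]' fields of a part-H Message line, e.g. [id "958700"] [severity "CRITICAL"]
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample (placeholder IPs, hostname and transaction ids), shaped like
# the log posted in the thread: one transaction with two CRS matches, one with none.
SAMPLE_AUDIT_LOG = r"""--0a1b2c3d-A--
[18/Feb/2010:15:21:31 +0100] CONSTRUCTEDTXID0001 192.0.2.10 57725 198.51.100.7 80
--0a1b2c3d-B--
GET /index.php?page=/etc/passwd HTTP/1.1
Host: www.example.com

--0a1b2c3d-F--
HTTP/1.1 200 OK
Content-Type: text/html

--0a1b2c3d-H--
Message: Pattern match "\/etc\/" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "220"] [id "958700"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"]
Message: Pattern match "(?:etc\/\W*passwd)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "131"] [id "900012"] [msg "Detects etc/passwd inclusion attempts"] [data "etc/passwd"] [severity "CRITICAL"]
Message: Operator GE matched 0 at TX:anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded"]
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).

--0a1b2c3d-Z--
--0a1b2c3e-A--
[18/Feb/2010:15:22:02 +0100] CONSTRUCTEDTXID0002 192.0.2.11 57730 198.51.100.7 80
--0a1b2c3e-B--
GET /index.php?page=home HTTP/1.1
Host: www.example.com

--0a1b2c3e-H--
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).

--0a1b2c3e-Z--
"""


def split_transactions(text):
    """Group log lines into {txid: {part_letter: [lines]}}."""
    txs = defaultdict(lambda: defaultdict(list))
    current = None
    for line in text.splitlines():
        m = PART_MARKER.match(line.strip())
        if m:
            current = (m.group(1), m.group(2))
        elif current is not None:
            txs[current[0]][current[1]].append(line)
    return txs


def parse_matches(h_lines):
    """One dict per 'Message:' line of part H; the 49/60 blocking and correlation
    messages carry no id or severity and therefore contribute no score."""
    matches = []
    for line in h_lines:
        if line.startswith("Message:"):
            fields = dict(FIELD.findall(line))
            matches.append({k: fields.get(k) for k in ("id", "msg", "severity", "file", "data")})
    return matches


def score_transaction(matches):
    """Sum the per-severity scores the config assigns to matched rules."""
    return sum(SEVERITY_SCORES.get((m.get("severity") or "").upper(), 0) for m in matches)


def triage(text, threshold=INBOUND_THRESHOLD, default_action="pass"):
    """Per transaction: client IP (part A), request line (part B), matched rule
    ids, anomaly score, and the action the given SecDefaultAction would take."""
    report = {}
    for txid, parts in split_transactions(text).items():
        a_fields = next((l.split() for l in parts.get("A", []) if l.strip()), [])
        request = next((l for l in parts.get("B", []) if l.strip()), "")
        matches = parse_matches(parts.get("H", []))
        score = score_transaction(matches)
        exceeded = score >= threshold
        report[txid] = {
            "client_ip": a_fields[3] if len(a_fields) > 3 else None,
            "request": request,
            "rule_ids": [m["id"] for m in matches if m["id"]],
            "score": score,
            "threshold_exceeded": exceeded,
            # "pass" lets the request through even when the threshold is exceeded;
            # only a disruptive default (deny, drop, redirect) blocks it.
            "action": default_action if exceeded else "pass",
        }
    return report


if __name__ == "__main__":
    for txid, info in triage(SAMPLE_AUDIT_LOG).items():
        print(txid, info)
```

Run against a real serial audit log by passing its contents to triage(); the default_action argument mirrors the SecDefaultAction in the posted config ("phase:2,pass"), under which a request that exceeds the threshold is logged in the audit log but still served, which is exactly what the asker saw when index.php opened normally.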
 