Fail2ban mod_security testen
- Thread starter Karl34
- Start date
Also fail2ban habe ich grade mal ausprobiert, funktioniert nicht.
Ich sehe den fehlerhaften login im acces.log
Ich kann mich aber trotzdem mit dem passwort einloggen.
Hier mal meine fail2ban config:
jail.conf
Muss ich fail2ban noch scharfschalten???
Ich sehe den fehlerhaften login im acces.log
Ich kann mich aber trotzdem mit dem passwort einloggen.
Hier mal meine fail2ban config:
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 629 $
#
[Definition]
# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 4
# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sockjail.conf
Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision: 281 $
#
# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 217.150.244.116
bantime = 6000
maxretry = 4
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Choose default action. To change, just override value of 'action' with the
# JAILS
#
# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
[ssh]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 1
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
[xinetd-fail]
enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2
[ssh-ddos]
enabled = true
port = 22
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
#
# HTTP servers
#
[apache]
enabled = true
port = http,https
# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2
#
# FTP servers
#
[vsftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6
[proftpd]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[wuftpd]
enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6
#
# Mail servers
#
[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
[couriersmtp]
enabled = true
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courierauth]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log
[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
logpath = /var/log/mail.log
# DNS Servers
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# }
#
# in your named.conf to provide proper logging
# Word of Caution:
# Given filter can lead to DoS attack against your DNS server
# since there is no way to assure that UDP packets come from the
# real source IP
[named-refused-udp]
enabled = false
port = domain,953
protocol = udp
filter = named-refused
logpath = /var/log/named/security.log
[named-refused-tcp]
enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
Also das es wegen mit Plesk nicht klappen könnte ist mir nicht bekannt. 
gib mal in ssh " iptables -L " ein das ist mein Auszug
Das zeigt dir halt an was momentan überwacht wird durch fail2ban.
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-named-refused-tcp tcp -- anywhere anywhere multiport dports domain,953
fail2ban-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-courierauth tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-apache tcp -- anywhere anywhere multiport dports www,https
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-wuftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-couriersmtp tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports www,https
fail2ban-apache-multiport tcp -- anywhere anywhere multiport dports www,https
fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh
fail2ban-named-refused-udp udp -- anywhere anywhere multiport dports domain,953
fail2ban-vsftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-pam-generic tcp -- anywhere anywhere
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports www,https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-multiport (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-courierauth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-couriersmtp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-named-refused-tcp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-named-refused-udp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-pam-generic (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-postfix (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-proftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh-ddos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-vsftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-wuftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-xinetd-fail (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-xinetd-fail-log (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 6/min burst 2 LOG level warning prefix `fail2ban-xinetd-failROP '
DROP all -- anywhere anywhere
gib mal in ssh " iptables -L " ein das ist mein Auszug
Das zeigt dir halt an was momentan überwacht wird durch fail2ban.
Last edited by a moderator:
iptables -L
Ich deinstalliere es jetzt mal, und installiere es neu.
Modescurity läuft einwandfrei, habe es nochmal neu installiert.
Habe fail2ban jetzt nochmal neuinstalliert und es funktioniert.
iptables -L
Schaut das gut aus so????
Wo speichert fail2ban die geblockten ip´s???
Muss meine löschen, bin noch per ssh drauf.
Danke
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destinationModescurity läuft einwandfrei, habe es nochmal neu installiert.
Habe fail2ban jetzt nochmal neuinstalliert und es funktioniert.
iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-named-refused-tcp tcp -- anywhere anywhere multiport dports domain,953
fail2ban-proftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-apache tcp -- anywhere anywhere multiport dports www,https
fail2ban-courierauth tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
fail2ban-wuftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-couriersmtp tcp -- anywhere anywhere multiport dports smtp,ssmtp
fail2ban-apache-overflows tcp -- anywhere anywhere multiport dports www,https
fail2ban-apache-multiport tcp -- anywhere anywhere multiport dports www,https
fail2ban-ssh-ddos tcp -- anywhere anywhere multiport dports ssh
fail2ban-named-refused-udp udp -- anywhere anywhere multiport dports domain,953
fail2ban-vsftpd tcp -- anywhere anywhere multiport dports ftp,ftp-data,ftps,ftps-data
fail2ban-pam-generic tcp -- anywhere anywhere
fail2ban-apache-noscript tcp -- anywhere anywhere multiport dports www,https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-apache (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-multiport (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-noscript (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-apache-overflows (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-courierauth (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-couriersmtp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-named-refused-tcp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-named-refused-udp (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-pam-generic (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-postfix (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-proftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-sasl (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-ssh-ddos (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-vsftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-wuftpd (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-xinetd-fail (0 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain fail2ban-xinetd-fail-log (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 6/min burst 2 LOG level warning prefix `fail2ban-xinetd-fail:DROP '
DROP all -- anywhere anywhereWo speichert fail2ban die geblockten ip´s???
Muss meine löschen, bin noch per ssh drauf.
Danke
Last edited by a moderator:
Huschi
Moderator
Hust hust!!!
Seinen aktuellen Status "speichert" fail2ban lediglich im Speicher. (Konkret: ein Array von Objekten (intern "Ticket" genannt).)
Er loggt zwar fleißig in sein Logfile, aber das ließt er nicht aus.
Möchte man eine IP manuell "entbannen" kann man entweder
a) fail2ban neu starten oder
b) den entsprechenden Drop aus der iptables löschen.
Die konkrete Befehlszeile für Unban findet man in /etc/fail2ban/action.d/iptables*.conf als "actionunban".
huschi.
Seinen aktuellen Status "speichert" fail2ban lediglich im Speicher. (Konkret: ein Array von Objekten (intern "Ticket" genannt).)
Er loggt zwar fleißig in sein Logfile, aber das ließt er nicht aus.
Möchte man eine IP manuell "entbannen" kann man entweder
a) fail2ban neu starten oder
b) den entsprechenden Drop aus der iptables löschen.
Die konkrete Befehlszeile für Unban findet man in /etc/fail2ban/action.d/iptables*.conf als "actionunban".
huschi.
Huschi
Moderator
Klar funktioniert das. Wenn man nur eine IP in dieser Chain hat. Sobald schon mehrere drin sind, entbannst Du damit IPs die aber fail2ban im Speicher noch als gebannt hat.
Oben schreibst Du nochwas mit Apache. Welche Logins möchtest Du denn mit fail2ban überwachen?
Aber ich melde jetzt schon Zweifel an, dass /var/log/apache*/*error.log die richtigen Logfiles sind.
huschi.
Oben schreibst Du nochwas mit Apache. Welche Logins möchtest Du denn mit fail2ban überwachen?
Aber ich melde jetzt schon Zweifel an, dass /var/log/apache*/*error.log die richtigen Logfiles sind.
huschi.
Hast recht Huschi, habs grade mal getestet.
ein:
und alle ip´s sind weg 
So ich habe jetzt ModSec in fail2ban eingebunden wie hier: http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_ModSecurity2.5
Funktioniert sehr gut, bis auf das wenn jemand einen 404 verursacht oder die Seite mit F5 10 mal hintereinander Refresht das die IP geblockt wird.
Hier mal meine modsec_audit.log:
Hier meine modsecurity_crs_10_config.conf
Welche regel greift bei einem 404 304?
bzw wie stelle ich das logging für die 404 304 ab?
Danke
ein:
Code:
/etc/init.d/fail2ban restartSo ich habe jetzt ModSec in fail2ban eingebunden wie hier: http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_ModSecurity2.5
Funktioniert sehr gut, bis auf das wenn jemand einen 404 verursacht oder die Seite mit F5 10 mal hintereinander Refresht das die IP geblockt wird.
Hier mal meine modsec_audit.log:
Code:
--dcfa4064-A--
[01/Jun/2010:13:20:27 +0200] TATs@1vSaTgAAARaIjYAAAAA 83.170.114.16 58705 91.21$
--dcfa4064-B--
GET /images/xxxxxx_logo.gif HTTP/1.1
Host: www.xxxxxxxx.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.3) Gecko/20100423 Ubu$
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.xxxxxxx.com/
Cookie: _fjvid1=fbd321ec7b3267bbeaf829ddd89da916e969a76370681ed9
If-Modified-Since: Mon, 31 May 2010 13:12:32 GMT
If-None-Match: "8e40a0-1643-487e39c08f000"
Cache-Control: max-age=0
--dcfa4064-F--
--dcfa4064-F--
HTTP/1.1 304 Not Modified
Last-Modified: Mon, 31 May 2010 13:12:32 GMT
ETag: "8e40a0-1643-487e39c08f000"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/gif
--dcfa4064-H--
Message: Unable to retrieve collection (name "global", key "global"). Use SecDa$
Message: Unable to retrieve collection (name "ip", key "83.170.114.16"). Use Se$
Stopwatch: 1275391227037337 3975 (730 3451 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core rul$
Server: Apache
--dcfa4064-Z--
--9284f03a-A--
[01/Jun/2010:13:20:27 +0200] TATs@1vSaTgAAAZpKvEAAAAH 83.170.114.16 58673 91.21$
--9284f03a-B--
GET /images/xxxxxxxx-$
Host: www.xxxxxxxxxxxx.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.3) Gecko/20100423 Ubu$
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.xxxxxx.com/
Cookie: _fjvid1=fbd321ec7b3267bbeaf829ddd89da916e969a76370681ed9
If-Modified-Since: Mon, 31 May 2010 12:51:51 GMT
If-None-Match: "8e409c-189c-487e35210c7c0"
Cache-Control: max-age=0
--9284f03a-F--
HTTP/1.1 304 Not Modified
Last-Modified: Mon, 31 May 2010 12:51:51 GMT
ETag: "8e409c-189c-487e35210c7c0"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Content-Type: image/jpeg
--9284f03a-H--
Message: Unable to retrieve collection (name "global", key "global"). Use SecDa$
Message: Unable to retrieve collection (name "ip", key "83.170.114.16"). Use Se$
Stopwatch: 1275391227930775 4762 (867 4265 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core rul$
Server: Apache
Content-Type: image/jpeg
--9284f03a-H--
Message: Unable to retrieve collection (name "global", key "global"). Use SecDa$
Message: Unable to retrieve collection (name "ip", key "83.170.114.16"). Use Se$
Stopwatch: 1275391227930775 4762 (867 4265 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core rul$
Server: Apache
--9284f03a-Z--Hier meine modsecurity_crs_10_config.conf
Code:
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.2.0.5
# Copyright (C) 2006-2010 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------
## -- Configuration ----------------------------------------------------------
#
# Specify CRS version in the audit logs.
#
SecComponentSignature "core ruleset/2.0.5"
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
# You most likely already have a base ModSecurity configuration. The data
# presented in this file should work in conjunction with your configs.
# There are also some references to some directive settings that you will
# want to double check.
#
# -=[ Paranoid Mode ]=-
#
# There are many different transactional variables that can be inspected for
# attacks. Some variables, such as ARGS, has the best false negative/false
# positive ratio where it will catch the vast majority of attack payloads and
# not have a high false positive rate. This is also true for some security
# checks such as @validateByteRange checks where we are initially only inspecting
# for Nul Bytes.
#
# There are, however, some possibilities for false negative issues with inspecting
# parsed data and this could lead to missed attacks. If you
# want to lessen the chances for false negatives, then you should enable
# "Paranoid Mode" processing by setting the following line to 1. This will process
# additional rules that are inspecting variables with a higher false positive rate.
#
SecAction "phase:1,t:none,nolog,pass,setvar:tx.paranoid_mode=0"
#
# -=[ Anomaly Scoring Threshold Levels ]=-
#
# These variables are used in macro expansion in the 49 inbound blocking and 59
# outbound blocking files.
#
# **MUST HAVE** ModSecurity v2.5.12 or higher to use macro expansion in numeric
# operators. If you have an earlier version, edit the 49/59 files directly to
# set the appropriate anomaly score levels.
#
# You should set the score to the proper threshold you would prefer. If set to "5"
# it will work similarly to previous Mod CRS rules and will create an event in the error_log
# file if there are any rules that match. If you would like to lessen the number of events
# generated in the error_log file, you should increase the anomaly score threshold to
# something like "20". This would only generate an event in the error_log file if
# there are multiple lower severity rule matches or if any 1 higher severity item matches.
#
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
SecAction "phase:1,t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=15"
#
# -=[ Anomaly Scoring Severity Levels ]=-
#
# These are the default scoring points for each severity level. You may
# adjust these to you liking. These settings will be used in macro expansion
# in the rules to increment the anomaly scores when rules match.
#
# These are the default Severity ratings (with anomaly scores) of the individual rules -
#
# - 2: Critical - Anomaly Score of 20.
# Is the highest severity level possible without correlation. It is
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:tx.critical_anomaly_score=20, \
setvar:tx.error_anomaly_score=15, \
setvar:tx.warning_anomaly_score=10, \
setvar:tx.notice_anomaly_score=5"
#
# -=[ HTTP Policy Settings ]=-
# Set the following policy settings here and they will be propagated to the 23 rules
# file (modsecurity_common_23_request_limits.conf) by using macro expansion.
# If you run into false positives, you can adjust the settings here.
#
# Only the max number of args is uncommented by default as there are a high rate
# of false positives. Uncomment the items you wish to set.
#
## Maximum number of arguments in request limited
SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_num_args=255"
## Limit argument name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_name_length=100"
## Limit value name length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.arg_length=400"
## Limit arguments total length
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.total_arg_length=64000"
## Individual file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.max_file_size=1048576"
## Combined file size is limited
#SecAction "phase:1,t:none,nolog,pass,setvar:tx.combined_file_sizes=1048576"
# Set the following policy settings here and they will be propagated to the 30 rules
# file (modsecurity_crs_30_http_policy.conf) by using macro expansion.
# If you run into false positves, you can adjust the settings here.
#
SecAction "phase:1,t:none,nolog,pass, \
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml', \
setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
setvar:'tx.restricted_extensions=.asa .asax .ascx .axd .backup .bak .bat .cdx .cer .cfg .cmd .com .config .conf .cs .csproj .csr .dat .db .dbf .dll .dos .ht$
setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"
#
#
# -=[ Blocking Action ]=-
# What to do when the anomaly score threshold is exceeded.
#
# The default is to log the error and let the request go through.
# This is a reasonable setting to start with because you do not
# want to reject legitimate requests with an untuned rule set.
#
# The following line's settings will be inherited by rules that
# do blocking in the 49 inbound and 59 outbound blocking files.
#
# Change to a disruptive action such as deny, drop or redirect if you
# want to block the transaction.
SecDefaultAction "phase:2,pass"
#
# Review your SecRuleEngine settings. If you want to
# allow blocking, then set it to On however check your SecDefaultAction setting
# to ensure that it is set appropriately.
#
SecRuleEngine On
SecFilterDebugLevel 0
SecDebugLog /etc/modsecurity2/logs/modsec_debug.log
SecAuditLog /etc/modsecurity2/logs/modsec_audit.log
SecAuditEngine RelevantOnly
#SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIFHZbzw wie stelle ich das logging für die 404 304 ab?
Danke