Threaded Mode | Linear Mode

nex89 · 02-19-2010 12:28 AM

Hallo,

es lag wohl daran, dass ich nur die minimal.conf im config Verzeichnis hatte und diese den Aufruf nicht blockt. Habe nun einmal alle modsecurity*.conf in mein config Verzeichnis gepackt und Apache neugestartet.

Code:

-rw-r--r-- 1 root root   2133 18. Feb 15:18 modsecurity_35_bad_robots.data

-rw-r--r-- 1 root root    175 18. Feb 15:18 modsecurity_35_scanners.data

-rw-r--r-- 1 root root   2645 18. Feb 15:18 modsecurity_40_generic_attacks.data

-rw-r--r-- 1 root root   1328 18. Feb 15:18 modsecurity_41_sql_injection_attacks.data

-rw-r--r-- 1 root root    488 18. Feb 15:18 modsecurity_42_comment_spam.data

-rw-r--r-- 1 root root   6038 18. Feb 15:18 modsecurity_46_et_sql_injection.data

-rw-r--r-- 1 root root    917 18. Feb 15:18 modsecurity_46_et_web_rules.data

-rw-r--r-- 1 root root   2305 18. Feb 15:18 modsecurity_50_outbound.data

-rw-r--r-- 1 root root  56714 18. Feb 15:18 modsecurity_50_outbound_malware.data

-rw-r--r-- 1 root root  16786 18. Feb 15:17 modsecurity_crs_20_protocol_violations.conf

-rw-r--r-- 1 root root   7001 18. Feb 15:17 modsecurity_crs_21_protocol_anomalies.conf

-rw-r--r-- 1 root root   3509 18. Feb 15:17 modsecurity_crs_23_request_limits.conf

-rw-r--r-- 1 root root   6710 18. Feb 15:17 modsecurity_crs_30_http_policy.conf

-rw-r--r-- 1 root root   2884 18. Feb 15:17 modsecurity_crs_35_bad_robots.conf

-rw-r--r-- 1 root root 134391 18. Feb 15:17 modsecurity_crs_40_generic_attacks.conf

-rw-r--r-- 1 root root  11551 18. Feb 15:17 modsecurity_crs_41_phpids_converter.conf

-rw-r--r-- 1 root root  91728 18. Feb 15:17 modsecurity_crs_41_phpids_filters.conf

-rw-r--r-- 1 root root  74868 18. Feb 15:17 modsecurity_crs_41_sql_injection_attacks.conf

-rw-r--r-- 1 root root 113795 18. Feb 15:17 modsecurity_crs_41_xss_attacks.conf

-rw-r--r-- 1 root root   1467 18. Feb 15:17 modsecurity_crs_42_tight_security.conf

-rw-r--r-- 1 root root   3219 18. Feb 15:17 modsecurity_crs_45_trojans.conf

-rw-r--r-- 1 root root   1501 18. Feb 15:17 modsecurity_crs_47_common_exceptions.conf

-rw-r--r-- 1 root root   2763 18. Feb 15:17 modsecurity_crs_48_local_exceptions.conf

-rw-r--r-- 1 root root   1985 18. Feb 15:17 modsecurity_crs_49_enforcement.conf

-rw-r--r-- 1 root root   1187 18. Feb 15:17 modsecurity_crs_49_inbound_blocking.conf

-rw-r--r-- 1 root root  59859 18. Feb 15:17 modsecurity_crs_50_outbound.conf

-rw-r--r-- 1 root root   1278 18. Feb 15:17 modsecurity_crs_59_outbound_blocking.conf

-rw-r--r-- 1 root root   2553 18. Feb 15:17 modsecurity_crs_60_correlation.conf

-rw-r----- 1 root root   2512 18. Feb 15:21 modsecurity-minimal.conf

Nun verstößt z.B. der Aufruf von index.php?page=/etc/passwd gegen mehrere Regeln. Ich frage mich nur ob nun wirklich alles läuft wenn ihr die Logs so seht? Müsste er den Besucher nicht normal auf eine Fehlerseite oder so umleiten? Ich meine als Besucher öffnet er ganz normal die index.php bei dem Aufruf von index.php?page=/etc/passwd

Hier die modsec_audit.log:

Code:

--22d16a0d-A--

[18/Feb/2010:15:21:31 +0100] S31M61jGtk0AADs7DCwAAAAA 79.196.44.234 57725 88.198.182.77 80

--22d16a0d-B--

GET /index.php?page=/etc/passwd HTTP/1.1

Host: meine-seite.de

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; de-de) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10

Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Language: de-de

Accept-Encoding: gzip, deflate

Connection: keep-alive

--22d16a0d-F--

HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 567

Keep-Alive: timeout=15, max=100

Connection: Keep-Alive

Content-Type: text/html

--22d16a0d-E--

--22d16a0d-H--

Message: Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity2/modsecurity_crs_30_http_policy.conf"] [line "30"] [id "960032"] [msg "Method is not allowed by policy"] [data "GET"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]

Message: Match of "within %{tx.allowed_http_versions}" against "REQUEST_PROTOCOL" required. [file "/etc/modsecurity2/modsecurity_crs_30_http_policy.conf"] [line "77"] [id "960034"] [msg "HTTP protocol version is not allowed by policy"] [data "HTTP/1.1"] [severity "CRITICAL"] [tag "POLICY/PROTOCOL_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.10"]

Message: Pattern match "\/etc\/" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "220"] [id "958700"] [rev "2.0.5"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]

Message: Pattern match "\/etc\/" at REQUEST_URI. [file "/etc/modsecurity2/modsecurity_crs_40_generic_attacks.conf"] [line "243"] [id "958710"] [rev "2.0.5"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"]

Message: Pattern match "(?:%c0%ae\/)|(?:(?:\/|\\)(home|conf|usr|etc|proc|opt|s?bin|local|dev|tmp|kern|[br]oot|sys|system|windows|winnt|program|%[a-z_-]{3,}%)(?:\/|\\))|(?:(?:\/|\\)inetpub|localstart\.asp|boot\.ini)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "86"] [id "900011"] [msg "Detects specific directory and path traversal"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

Message: Pattern match "(?:etc\/\W*passwd)" at ARGS:page. [file "/etc/modsecurity2/modsecurity_crs_41_phpids_filters.conf"] [line "131"] [id "900012"] [msg "Detects etc/passwd inclusion attempts"] [data "etc/passwd"] [severity "CRITICAL"] [tag "WEB_ATTACK/DT"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

Message: Operator GE matched 0 at TX:anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_49_inbound_blocking.conf"] [line "18"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10, SQLi=, XSS=): 900012-Detects etc/passwd inclusion attempts"]

Message: Warning. Operator GE matched 0 at TX:inbound_anomaly_score. [file "/etc/modsecurity2/modsecurity_crs_60_correlation.conf"] [line "35"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10, SQLi=, XSS=): 900012-Detects etc/passwd inclusion attempts"]

Apache-Handler: fcgid-script

Stopwatch: 1266502891824070 26192 (853 7567 -)

Response-Body-Transformed: Dechunked

Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).

Server: Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g

--22d16a0d-Z--

Vielen Dank für euere Hilfe!

------------- EDIT ---------------
Die modsecurity_crs_10_config.conf war wohl doch wichtig, die musste auch in dem Ordner liegen, wo alle anderen configs liegen Wink

Habe jetzt die minimal.conf, die modsecurity_crs_10_config.conf und alle basic rules geladen. Nun läuft es wunderbar, nur bei ispcp hat es direkt in der auditlog fehler gegeben....
Habe dann in der 00_master.conf modsecurity für ispcp deaktiviert, dann hat er auch keine Fehler mehr in der auditlog ausgegeben!

So, dann müsste doch jetzt alles gut sein oder? Muss ich halt nur -wenn ich was neues installiere- die Auditlog checken, ob es mit anderen Sachen auch Probleme gibt, oder?

Vielen Dank an alle für ihre Hilfe!

Threaded Mode \| Linear Mode Installation mod_security
Author	Message