
I have a similar problem to the question How do I enable mod_security in Ubuntu 10.04?, but I do not have the "minimal" file that I could drop in to make it work. My configuration is also different. Here is my /etc/modsecurity/modsecurity.conf:

 # /etc/modsecurity/modsecurity.conf: engine-level settings (body access, limits,
 # parser error handling, audit logging). Apache only reads this file if the
 # Apache-side modsecurity.conf Includes /etc/modsecurity/*.conf; in the
 # mods-enabled/modsecurity.conf shown in this question that Include line is
 # commented out, so none of the directives below are currently in effect.
SecRuleEngine On
# Inspect request bodies; without this, POST payloads are not seen by any rule.
SecRequestBodyAccess On
# Route text/xml bodies to the XML body processor.
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Body size limits (bytes); requests over SecRequestBodyLimit are rejected.
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
# Deny requests whose body could not be parsed (400).
SecRule REQBODY_ERROR "!@eq 0" \
    "phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# Deny multipart bodies that fail strict validation; the msg lists which
# individual check failed (status 44 is the non-standard code used here).
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
    failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_SEMICOLON_MISSING}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE backtracking limits; keeps pathological regex input from running away.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
# Deny when ModSecurity itself flags an internal error (any TX:MSC_* set).
SecRule TX:/^MSC_/ "!@streq 0" \
    "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# Inspect response bodies of the listed MIME types, up to 512 KiB.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
# NOTE(review): /tmp/ is a shared, world-writable directory. The Apache-side
# modsecurity.conf in this question sets SecDataDir /var/cache/modsecurity
# (the Debian default for persistent collections); which one wins depends on
# the Include order, so a dedicated, non-world-writable directory is preferable
# for both the temp and the persistent-data paths.
SecTmpDir /tmp/
SecDataDir /tmp/
# Uploaded files are kept only for transactions that are considered relevant,
# and stored with mode 0600.
SecUploadDir /opt/modsecurity/var/upload/
SecUploadKeepFiles RelevantOnly
SecUploadFileMode 0600
# Audit log: record only relevant transactions, i.e. responses matching the
# status regex below (5xx and 4xx other than 404) or those a rule marks as such.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHKZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogStorageDir /opt/modsecurity/var/audit/
SecArgumentSeparator &
SecCookieFormat 0

And my /etc/apache2/mods-enabled/modsecurity.conf is:

<IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity
    # NOTE(review): these two Includes look reversed relative to how the CRS
    # expects to be loaded. modsecurity_crs_10_config.conf declares
    # SecDefaultAction and the tx.* anomaly thresholds, and SecDefaultAction
    # only applies to rules declared after it, so the base rules included on
    # the first line would keep the built-in default disruptive action (pass).
    # Phase-1 base rules that compare against tx.allowed_methods /
    # tx.max_num_args would likewise run before the SecActions that set them.
    # That matches the symptom of critical alerts being logged without any
    # request being denied; swapping the two lines is the first thing to confirm.
    Include /usr/share/modsecurity-crs/base_rules/*conf
    Include /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf
    # Include all the *.conf files in /etc/modsecurity.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    # NOTE(review): while this Include stays commented out,
    # /etc/modsecurity/modsecurity.conf (request/response body access, body
    # limits, parser-error rules, audit log settings) is never read.
    #Include "/etc/modsecurity/*.conf"
</IfModule>

and /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf is:

# /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf: global CRS 2.2.0
# settings (default action, anomaly-score thresholds, allowed methods/types,
# and the per-IP collection setup used by the base rules).
SecComponentSignature "core ruleset/2.2.0"
SecRuleEngine On
# Default disruptive action for rules declared AFTER this line. Rules that are
# Included before this file (e.g. base_rules/*conf in the Apache-side config
# shown in this question) do not inherit "deny" from it.
SecDefaultAction "phase:2,deny,log"
# Per-severity scores that individual rules add to tx.anomaly_score.
SecAction "phase:1,id:'981207',t:none,nolog,pass, \
    setvar:tx.critical_anomaly_score=5, \
    setvar:tx.error_anomaly_score=4, \
    setvar:tx.warning_anomaly_score=3, \
    setvar:tx.notice_anomaly_score=2"
# Thresholds at which the inbound/outbound blocking rules act; 5 means a single
# critical-severity match is enough to reach the inbound threshold.
SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=0"
SecAction "phase:1,id:'981211',t:none,nolog,pass,setvar:tx.max_num_args=255"
# Protocol policy consumed by the base rules: allowed methods, request content
# types, HTTP versions, and the extension/header deny-lists.
SecAction "phase:1,id:'981212',t:none,nolog,pass, \
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \
    setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded multipart/form-data text/xml application/xml application/x-amf', \
    setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \
    setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
    setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
# Switch text/xml bodies to the XML processor unless already selected.
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "chain,phase:1,id:'981053',t:none,t:lowercase,pass,nolog"
SecRule REQBODY_PROCESSOR "!@streq XML" "ctl:requestBodyProcessor=XML"
# Hash the User-Agent (sha1, hex) into tx.ua_hash; used below as part of the
# ip collection key.
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"
# NOTE(review): X-Forwarded-For is a client-supplied header. Using it as the
# ip collection key is only meaningful when a trusted proxy in front of Apache
# sets/overwrites it; otherwise a client can pick its own collection key, which
# weakens any per-IP counters the base rules keep.
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"
# Initialise the global and ip collections, keyed on the forwarded IP when one
# was captured and on the connecting address otherwise.
SecRule &TX:REAL_IP "!@eq 0" "phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}"
SecRule &TX:REAL_IP "@eq 0" "phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"

No malicious access is being blocked: the log files report critical alerts, but the requests are not being blocked. I just want those requests to be blocked. What is wrong in the configuration?

1 Answer 1


I was able to tweak some settings, and using the conf files correctly made it work.
