EzDevInfo.com

mod-security interview questions

Top mod-security frequently asked interview questions

Mod Security response/request body size?

How do I get the size of the response/request body in Mod Security?

I keep getting this error for example:

[Mon Sep 17 23:34:38 2012] [error] [client 192.168.1.1] ModSecurity: Output filter: Response body too large (over limit of 1000, total not specified). [hostname "example.com"] [uri "/index.php"] [unique_id "asdf"]

It's not telling me the total; how can I figure the total out?


Source: (StackOverflow)

How to check if mod_security is activated with PHP (without curl)

Is there a way to know if mod_security is activated on an apache server using PHP? (without curl)


Source: (StackOverflow)


This error was generated by Mod_Security

Hi guys, I am running an mp3 song download website; when I try to download a song I get this error.

Not Acceptable!

An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

My website is http://www.playlist.pk/; you can see it by trying to download any song. Kindly inform me how I can solve this error.


Source: (StackOverflow)

What does ARGS , ARGS_NAMES actually mean in mod_security crs?

What does ARGS , ARGS_NAMES actually mean in mod_security core rule sets?

I have already referred to the ModSecurity 2 Apache Reference but I didn't get any clear idea.

Can someone give me a specific idea, preferably with an explanation, of what it actually is and how something actually triggers a rule positive like the one below?

The rule below is triggered positive for cases like "x and 6" etc., in general any "and" followed by a digit. I understand what the request filename is in this case. What I don't understand is what ARGS and ARGS_NAMES are. I need a specific example with reference to the rule below.

SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
    "phase:2,rev:'2.2.5',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"

Source: (StackOverflow)
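As an added example, not part of the question and not code from the CRS project: a small Python model of the three target collections the rule names (REQUEST_FILENAME, ARGS_NAMES and ARGS), with the rule's own regex from the question run over each of them on constructed requests. The helper names parse_args and evaluate_rule are mine; the XML:/* target is left out because the model has no XML body.

```python
import re
from urllib.parse import parse_qsl, unquote

# The regex of CRS rule 959072, copied from the rule quoted in the question.
SQLI_AND_RE = re.compile(
    r"(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=]"
    r"|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[<>]"
    r"|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+"
    r"|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')"
)


def parse_args(query_string, body=""):
    """Model of how ModSecurity fills ARGS: every (name, value) pair from the
    query string and from a urlencoded body, decoded once (assumed model)."""
    return (parse_qsl(query_string, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True))


def evaluate_rule(request_filename, pairs):
    """Run the regex over every variable the rule's target list names.
    REQUEST_FILENAME is the path, ARGS_NAMES are the parameter names and
    ARGS are the parameter values. Returns (matched_var_name, matched_text)
    for each variable that would make the rule fire."""
    checks = [("REQUEST_FILENAME", request_filename)]
    checks += [("ARGS_NAMES:" + name, name) for name, _ in pairs]
    checks += [("ARGS:" + name, value) for name, value in pairs]
    hits = []
    for var_name, raw in checks:
        # t:urlDecodeUni approximated: one more decoding pass over the value
        text = unquote(raw)
        m = SQLI_AND_RE.search(text)
        if m:
            hits.append((var_name, m.group(0)))
    return hits


if __name__ == "__main__":
    # Constructed request: only the value of q holds "and <digit>";
    # "brand new" does not fire because \band\b needs a word boundary.
    print(evaluate_rule("/index.php", parse_args("q=x+and+6&brand=brand+new")))
    # Constructed request: the text sits in a parameter *name*, so the
    # match is reported against ARGS_NAMES rather than ARGS.
    print(evaluate_rule("/index.php", parse_args("", body="user%20and%201=x")))
```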

How do I use Apache mod_rewrite rewritecond with POST parameters?

I know I can inspect GET query string parameters in rewritecond as follows:

RewriteCond %{REQUEST_URI} ^/somepath/somepath
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} try=3
RewriteCond %{QUERY_STRING} name=([^&]*)
RewriteRule ^/somepath/somepath(.*) /otherpath/otherpath?name=%1 [R]

How do I inspect POST parameters that are in the request body? I hear mod_security can do it, but I'm not finding any examples of how I'd use mod_security in conjunction with mod_rewrite like the above example.

I intend to use something like this to handle POSTs:

RewriteCond %{REQUEST_URI} ^/somepath/somepath
RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^/somepath/somepath(.*) /otherpath/otherpath [PT]

...except that I need a RewriteCond that inspects the POST parameters to see if "try=3".

Can modsecurity inspect the request body and load the result of that inspection in an environment variable? that would work...


Source: (StackOverflow)

web application firewall development

I have an assignment to develop a web application firewall. I have been researching source code for that. My main source was ModSecurity.

Main question is that:

- Which framework or programming language can I use to develop a web application firewall? Which one would be the most useful?

- Can I use Django & Python?

It would be a starting point for the project research.


Source: (StackOverflow)

Facebook links to my site resolve as 403 forbidden

Hi, I'm experiencing a super weird problem.
Whenever I post links to my website on Facebook, they come up as Forbidden.
The site itself works great and I have not seen this when linking on other sites.
Could this be a server misconfiguration? Any thoughts on where to look?

Here's some info:
I have a dedicated server running WHM 11.25.0
I have 2 sites hosted here using cPanel 11.25.0

the error msg:

Forbidden

You don't have permission to access /blog/deepwater-horizon-11/ on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.offshoreinjuries.com Port 80

UPDATE:
Here is a sample link if it helps. (notice going the linked page directly works fine)
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.offshoreinjuries.com%2Fblog%2Fdeepwater-horizon-11%2F&h=834ea

UPDATE and ANSWER:
Found the issue and added a complete answer below.


Source: (StackOverflow)

How to disable mod_security and mod_security2 in .htaccess

I've created a WordPress plugin which became popular, but I'm getting lots of complaints that it's not working. After logging in to many users' WP websites (after asking for the admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests, or .htaccess causing a 500 error on some configurations.

So first of all, why is this piece of code causing some servers to return a 500 error?

<IfModule mod_security2.c>
  SecRuleRemoveById 300015
  SecRuleRemoveById 300016
  SecRuleRemoveById 300017
  SecRuleRemoveById 950907
  SecRuleRemoveById 950005
  SecRuleRemoveById 950006
  SecRuleRemoveById 960008
  SecRuleRemoveById 960011
  SecRuleRemoveById 960904
  SecRuleRemoveById phpids-17
  SecRuleRemoveById phpids-20
  SecRuleRemoveById phpids-21
  SecRuleRemoveById phpids-30
  SecRuleRemoveById phpids-61
</IfModule>

On other servers, removing rules by ID this way is causing a 500 error:

<IfModule mod_security.c>
  SecRuleRemoveById 300015
  ...
  SecRuleRemoveById phpids-61
</IfModule>

So for now the only working thing that is not causing any server to crash is

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

But it's not enough for servers with mod_security2!

How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations?

Edit: Not only in Apache. Anywhere where .htaccess is used.


Source: (StackOverflow)

Installing ModSecurity with OWASP for Windows

I am trying to install ModSecurity in Windows to help protect my Coldfusion/Railo websites. I downloaded the MSI and installed it but it does not seem to block SQL injection when I tested to make sure it was working.

My question is, does anybody know of a step-by-step way of installing it in Windows? I cannot find much information with details but have found numerous sources on how to install it in Linux.

I even looked at the ModSecurity Handbook by Ivan Ristic under the Windows installation page and it does not give very much detail.

Thanks in advance.


Source: (StackOverflow)

ModSecurity maximum post limits (PCRE limit errors)

I've been having tonnes of issues with Mod Security. I am busy writing a CMS for a project at work and while developing a page to edit a certain database record I kept getting 403 errors. After hours of banging my head against my desk, adjusting bits of code, I finally just changed the script to which my form was being posted to contain a simple echo "test";. Even submitting to this simple page was kicking up a 403 error. I messed about with my form and I eventually found that if I reduced the amount of data I was posting the form submitted fine (in particular I reduced the amount of text within a textarea).

After checking the logs (Yep, this wasn't the first thing I did - sigh) I noticed that I was getting numerous errors from ModSecurity, such as:

[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//global": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]

I've been messing around, Googling and changing rules for days to no avail. The only thing I seem to be able to do is turn ModSecurity off for this vhost. This is fine by me while I'm developing the CMS, but in production this isn't really something I want to do. Does anyone have any ideas on what is causing this issue and how to sort it? The logs seem to point at some kind of rules to do with regular expression limits, but since changing my post-receiving script to just print out the word test I'm not doing anything with them (though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion). It seems rather that there's something wrong with the amount of data I am sending through.


Source: (StackOverflow)

ModSecurity: Output filter: Failed to read bucket (rc 104): Connection reset by peer

I'm doing a POST request to a REST service made with Django and Piston, uploading a file, but when I do the request I get this (strange?) error:

[Sun Jul 04 16:12:38 2010] [error] [client 79.39.191.166] ModSecurity: Output filter: Failed to read bucket (rc 104): Connection reset by peer [hostname "url"] [uri "/api/odl/"] [unique_id "TDEVZEPNBIMAAGLwU9AAAAAG"]

What does it mean? And how can I debug it?


Source: (StackOverflow)

How to use mod_security as standalone?

I've seen the module named standalone in the package of Mod_Security, but I'm not sure how to use it after making and installing it! Are there any good resources for getting started?


Source: (StackOverflow)

mod_security false positives

I'm getting lots of false positives after just setting up mod_security. I'm running it in detection only, so no issues yet, but these filters will start blocking requests once I need it to go live.

I'm afraid I don't 100% understand what the significance of these filters is; I get hundreds of them on nearly every domain and all the requests look legitimate.

Request Missing a User Agent Header
Request Missing an Accept Header

What is the best thing to do here? Should I disable these filters? Can I set the severity lower so that requests won't be blocked?

Here is a complete entry:

[22/Nov/2011:21:32:37 --0500] u6t6IX8AAAEAAHSiwYMAAAAG 72.47.232.216 38543 72.47.232.216 80
--5fcb9215-B--
GET /Assets/XHTML/mainMenu.html HTTP/1.0
Host: www.domain.com
Content-type: text/html
Cookie: pdgcomm-babble=413300:451807c5d49b8f61024afdd94e57bdc3; __utma=100306584.1343043347.1321115981.1321478968.1321851203.4; __utmz=100306584.1321115981.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=XXXXXXXX%20clip%20ons

--5fcb9215-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 23 Nov 2011 02:01:02 GMT
ETag: "21e2a7a-816d"
Accept-Ranges: bytes
Content-Length: 33133
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

--5fcb9215-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.1"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "2.2.1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=5, XSS=): Request Missing a User Agent Header"]
Stopwatch: 1322015557122593 24656 (- - -)
Stopwatch2: 1322015557122593 24656; combined=23703, p1=214, p2=23251, p3=2, p4=67, p5=168, sr=88, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.1.
Server: Apache/2.2.3 (CentOS)

Source: (StackOverflow)

Detect if Mod_Security Is Installed With PHP?

Is there any simple way to detect if mod_security is installed & enabled using just PHP? Ideally without any exec() terminal type commands to be executed.

Some people have recommended using apache_get_modules() but this specific web-host does not allow it to show. This is also mentioned by other users here: http://www.devcomments.com/apache_get_modules-solution-to130703.htm


Source: (StackOverflow)

Sites up and down Intermittently with 'No data received' Error code: ERR_EMPTY_RESPONSE

I'm not very technical so apologies up front! Unfortunately, I've been left to figure this out though as the company who deal with my dedicated server are being less than helpful.

Really hoping someone can shed some light on this. We host around 100 websites and currently all sites on our server are up and down like yoyos. There doesn't seem to be a pattern; it's very sporadic and intermittent. Usually, you can just click around one of the sites, for example www.innivo.com, for a few minutes and you'll see the site drop out, and then after a few refreshes it will come back, then go back down. You get the idea.

In Chrome, I get: No data received

Unable to load the web page because the server sent no data.

Error code: ERR_EMPTY_RESPONSE


In Firefox I get: The connection was reset

The connection to the server was reset while the page was loading.

The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.


The server doesn’t go down completely, it just doesn’t seem to serve the page. This also agrees with the firewall theory I mentioned on the call.

We have paid a lot of money to a security company who have removed a few bits of malware in the hope that it would fix the problem, but they now say that the server is completely clean and exploit free. My service provider is saying they won't help until I upgrade PHP on the server but although I'm going to do this, I'm pretty sure that this won't fix the sites dropping out all the time.

I found this post which describes EXACTLY what is happening, but he doesn't really say how to fix it, or even if his ever got fixed, but it's the closest thing I've found! http://progblog10.blogspot.co.uk/2013/09/modsecurity-causes-sporadic-no-data.html

I looked for this on the server but mod_security didn't seem to exist; otherwise I would have tried to disable it to see if it made a difference. I think, though, that this firewall theory sounds plausible. I wonder if we have some other type of firewall which was maybe activated or updated when we updated cPanel last week.

I'm running WHM / cPanel / Apache.

Any help would be massively appreciated. Hoping that this has happened to someone else!


Source: (StackOverflow)