mod-security interview questions
Top mod-security frequently asked interview questions
How do I get the size of the response/request body in Mod Security?
I keep getting this error for example:
[Mon Sep 17 23:34:38 2012] [error] [client 192.168.1.1] ModSecurity: Output filter: Response body too large (over limit of 1000, total not specified). [hostname "example.com"] [uri "/index.php"] [unique_id "asdf"]
It's not telling me the total; how can I figure the total out?
Source: (StackOverflow)
Is there a way to know if mod_security is activated on an apache server using PHP? (without curl)
Source: (StackOverflow)
Hi guys, I am running an mp3 song download website; when I try to download a song I get this error.
Not Acceptable!
An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
My website is http://www.playlist.pk/; you can see for yourself by trying to download any song. Kindly inform me how I can solve this error.
Source: (StackOverflow)
What do ARGS and ARGS_NAMES actually mean in mod_security core rule sets?
I have already referred to the ModSecurity 2 Apache Reference but I didn't get any clear idea.
Can someone give me a specific idea, preferably with an explanation, of what it actually is and how something actually triggers a rule positive like the one below?
The rule below is triggered positive for cases like "x and 6" etc., in general any "and" followed by a digit. I understand what the request filename is, in this case. What I don't understand is what ARGS and ARGS_NAMES are. I need a specific example with reference to the rule below.
SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
"phase:2,rev:'2.2.5',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
Source: (StackOverflow)
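As an added illustration (not part of the question above and not ModSecurity's own code), the following Python script models how ModSecurity builds the variable collections that rule 959072 targets and then runs the rule's regular expression, copied verbatim from the question, over each variable. ARGS holds every request parameter value (query string, and for form-encoded POSTs the body as well), ARGS_NAMES holds the parameter names, and REQUEST_FILENAME is the path without the query string; the regex is applied to each variable separately, and the name of the variable that matched is what the rule's logdata/matched_var_name reports. The request lines used as input are constructed samples; the `t:urlDecodeUni` transformation is approximated by the URL decoding that `parse_qsl` performs.

```python
import re
from urllib.parse import parse_qsl

# The regular expression quoted in the question (CRS rule id 959072), copied verbatim.
RULE_959072 = re.compile(
    r"(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=]"
    r"|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[<>]"
    r"|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+"
    r"|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')"
)


def build_collections(method, uri, body=""):
    """Model the ModSecurity collections the rule inspects (simplified; XML:/* is omitted).

    REQUEST_FILENAME: the request path with the query string removed.
    ARGS_NAMES:       one entry per parameter, holding the parameter *name*.
    ARGS:             one entry per parameter, holding the parameter *value*.
    ModSecurity reports individual entries as ARGS:name and ARGS_NAMES:name.
    parse_qsl URL-decodes for us, which stands in for t:urlDecodeUni here.
    """
    path, _, query = uri.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    if method.upper() == "POST":  # form-encoded body parameters join the same collections
        params += parse_qsl(body, keep_blank_values=True)
    return {
        "REQUEST_FILENAME": [("REQUEST_FILENAME", path)],
        "ARGS_NAMES": [(f"ARGS_NAMES:{name}", name) for name, _ in params],
        "ARGS": [(f"ARGS:{name}", value) for name, value in params],
    }


def evaluate_rule(collections):
    """Run the regex over every targeted variable, one variable at a time.

    Returns (matched_var_name, captured text) pairs, i.e. what the rule's
    %{matched_var_name} and %{TX.0} (logdata) would contain. An empty list means
    the rule did not fire for this request.
    """
    hits = []
    for target in ("REQUEST_FILENAME", "ARGS_NAMES", "ARGS"):
        for var_name, value in collections[target]:
            match = RULE_959072.search(value)
            if match:
                hits.append((var_name, match.group(0)))
    return hits


if __name__ == "__main__":
    # Constructed requests: a value hit, a parameter *name* hit (the "x and 6" case
    # from the question), a benign request, and a POST body hit.
    samples = [
        ("GET", "/index.php?id=1+and+6%3D6&name=bob", ""),
        ("GET", "/index.php?x+and+6=1", ""),
        ("GET", "/search.php?q=cats+and+dogs", ""),
        ("POST", "/login.php", "user=admin&pass=a%27+and+%271%27%3D%271"),
    ]
    for method, uri, body in samples:
        hits = evaluate_rule(build_collections(method, uri, body))
        print(f"{method} {uri} {body!r}: {hits or 'no match'}")
```

The second sample is the case the question asks about: the parameter is *named* "x and 6", so the match is reported against ARGS_NAMES:x and 6 even though its value ("1") is harmless; a parameter value of "cats and dogs" does not fire because the regex requires a digit or a quoted string after "and".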
I know I can inspect GET query string parameters in rewritecond as follows:
RewriteCond %{REQUEST_URI} ^/somepath/somepath
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} try=3
RewriteCond %{QUERY_STRING} name=([^&]*)
RewriteRule ^/somepath/somepath(.*) /otherpath/otherpath?name=%1 [R]
How do I inspect POST parameters that are in the request body? I hear mod_security can do it, but I'm not finding any examples of how I'd use mod_security in conjunction with mod_rewrite like the above example.
I intend to use something like this to handle POSTs:
RewriteCond %{REQUEST_URI} ^/somepath/somepath
RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^/somepath/somepath(.*) /otherpath/otherpath [PT]
...except that I need a RewriteCond that inspects the POST parameters to see if "try=3".
Can modsecurity inspect the request body and load the result of that inspection into an environment variable? That would work...
Source: (StackOverflow)
I have an assignment to develop a web application firewall. I have been researching for some source code about that. My main source was ModSecurity.
Main question is that:
-Which framework or programming language I can use, to develop a web application firewall? Which one would be the most useful?
-Can I use Django & Python?
It would be a starting point for the project research.
Source: (StackOverflow)
Hi I'm experiencing a super weird problem.
Whenever I post links to my website on Facebook, they come up as Forbidden.
The site itself works great and I have not seen this when linking on other sites.
Could this be a server misconfiguration? Any thoughts on where to look?
Here's some info:
I have a dedicated server running WHM 11.25.0
I have 2 sites hosted here using cPanel 11.25.0
The error msg:
Forbidden
You don't have permission to access /blog/deepwater-horizon-11/ on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.offshoreinjuries.com Port 80
UPDATE:
Here is a sample link if it helps. (Notice that going to the linked page directly works fine.)
http://www.facebook.com/l.php?u=http%3A%2F%2Fwww.offshoreinjuries.com%2Fblog%2Fdeepwater-horizon-11%2F&h=834ea
UPDATE and ANSWER:
Found the issue and added a complete answer below.
Source: (StackOverflow)
I've created a WordPress plugin which became popular, but I'm getting lots of complaints that it's not working. After logging in to many users' WP websites (after asking for the admin password) I noticed that the last problem I can't easily solve is mod_security and mod_security2 blocking some AJAX requests, or .htaccess causing a 500 error on some configurations.
So first of all, why is this piece of code causing some servers to return a 500 error?
<IfModule mod_security2.c>
SecRuleRemoveById 300015
SecRuleRemoveById 300016
SecRuleRemoveById 300017
SecRuleRemoveById 950907
SecRuleRemoveById 950005
SecRuleRemoveById 950006
SecRuleRemoveById 960008
SecRuleRemoveById 960011
SecRuleRemoveById 960904
SecRuleRemoveById phpids-17
SecRuleRemoveById phpids-20
SecRuleRemoveById phpids-21
SecRuleRemoveById phpids-30
SecRuleRemoveById phpids-61
</IfModule>
On other servers, removing rules by id this way is causing a 500 error:
<IfModule mod_security.c>
SecRuleRemoveById 300015
...
SecRuleRemoveById phpids-61
</IfModule>
So for now the only working thing that does not cause any server to crash is:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
But it's not enough for servers with mod_security2!
How to write a cross-server .htaccess file, and what IF conditions should I add to disable mod_security and mod_security2 anywhere where it applies and not cause 500 errors on other configurations?
Edit:
Not only in Apache. Anywhere where .htaccess is used.
Source: (StackOverflow)
I am trying to install ModSecurity in Windows to help protect my Coldfusion/Railo websites. I downloaded the MSI and installed it but it does not seem to block SQL injection when I tested to make sure it was working.
My question is, does anybody know of a step-by-step way of installing it in Windows? I cannot find much information with details but have found numerous sources on how to install it in Linux.
I even looked at the ModSecurity Handbook by Ivan Ristic under the Windows installation page and it does not give very much detail.
Thanks in advance.
Source: (StackOverflow)
I've been having tonnes of issues with Mod Security. I am busy writing a CMS for a project at work and, while developing a page to edit a certain database record, I kept getting 403 errors. After hours of banging my head against my desk and adjusting bits of code, I finally just changed the script to which my form was being posted to contain a simple echo "test";. Even submitting to this simple page was kicking up a 403 error. I messed about with my form and I eventually found that if I reduced the amount of data I was posting, the form submitted fine (in particular, I reduced the amount of text within a textarea).
After checking the logs (Yep, this wasn't the first thing I did - sigh) I noticed that I was getting numerous errors from ModSecurity, such as:
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//global": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 16:34:45 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Failed to access DBM file "/etc/httpd/logs//ip": Permission denied [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkAlW1shFcAAHTMK80AAAAF"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
[Mon Aug 12 17:11:33 2013] [error] [client XX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "93"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "XXXXXXX.XXX"] [uri "/admin/index.php"] [unique_id "UgkJNW1shFcAAHXUMHkAAAAH"]
I've been messing around, Googling and changing rules for days to no avail. The only thing I seem to be able to do is turn ModSecurity off for this vhost. This is fine by me while I'm developing the CMS, but in production this isn't really something I want to do. Does anyone have any ideas on what is causing this issue and how to sort it? The logs seem to point at some kind of rules to do with regular expression limits, but since changing my post-receiving script to just print out the word test I'm not doing anything with them (though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion). It seems rather that there's something wrong with the amount of data I am sending through.
Source: (StackOverflow)
I'm doing a POST request to a REST service made with Django and Piston, uploading a file, but when I do the request I get this (strange?) error:
[Sun Jul 04 16:12:38 2010] [error] [client 79.39.191.166] ModSecurity: Output filter: Failed to read bucket (rc 104): Connection reset by peer [hostname "url"] [uri "/api/odl/"] [unique_id "TDEVZEPNBIMAAGLwU9AAAAAG"]
What does it mean? And how can I debug it?
Source: (StackOverflow)
I've seen the module named standalone in the package of Mod_Security; but I'm not sure how to use it after making and installing it!
Is there any good resources for the start up?
Source: (StackOverflow)
I'm getting lots of false positives after just setting up mod_security. I'm running it in detection only so no issues yet, but these filters will start blocking requests once I need it to go live.
Afraid I don't 100% understand what the significance of these filters are, I get 100s of them on nearly every domain & all the requests look legitimate.
Request Missing a User Agent Header
Request Missing an Accept Header
What is the best thing to do here? Should I disable these filters? Can I set the severity lower so that requests won't be blocked?
Here is a complete entry:
[22/Nov/2011:21:32:37 --0500] u6t6IX8AAAEAAHSiwYMAAAAG 72.47.232.216 38543 72.47.232.216 80
--5fcb9215-B--
GET /Assets/XHTML/mainMenu.html HTTP/1.0
Host: www.domain.com
Content-type: text/html
Cookie: pdgcomm-babble=413300:451807c5d49b8f61024afdd94e57bdc3; __utma=100306584.1343043347.1321115981.1321478968.1321851203.4; __utmz=100306584.1321115981.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=XXXXXXXX%20clip%20ons
--5fcb9215-F--
HTTP/1.1 200 OK
Last-Modified: Wed, 23 Nov 2011 02:01:02 GMT
ETag: "21e2a7a-816d"
Accept-Ranges: bytes
Content-Length: 33133
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
--5fcb9215-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.1"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "2.2.1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=5, XSS=): Request Missing a User Agent Header"]
Stopwatch: 1322015557122593 24656 (- - -)
Stopwatch2: 1322015557122593 24656; combined=23703, p1=214, p2=23251, p3=2, p4=67, p5=168, sr=88, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.1.
Server: Apache/2.2.3 (CentOS)
Source: (StackOverflow)
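As an added example (not part of the question above and not a ModSecurity tool), the following Python script parses the native audit-log format quoted in the question: entries are delimited by "--<id>-<letter>--" part markers, and part H carries one "Message:" line per rule that fired, with its fields in [key "value"] brackets. Pulling those fields out and counting hits per rule id is the usual first step when deciding, in DetectionOnly mode, which rules fire on legitimate traffic often enough to need tuning. The embedded log is a constructed sample modelled on the entry in the question, with the A and Z part markers added and parts B and F shortened.

```python
import re
from collections import Counter

# Constructed sample, modelled on the audit-log entry quoted in the question
# (part markers A and Z added, parts B and F abbreviated).
SAMPLE_AUDIT_LOG = """--5fcb9215-A--
[22/Nov/2011:21:32:37 --0500] u6t6IX8AAAEAAHSiwYMAAAAG 72.47.232.216 38543 72.47.232.216 80
--5fcb9215-B--
GET /Assets/XHTML/mainMenu.html HTTP/1.0
Host: www.domain.com
Content-type: text/html
--5fcb9215-F--
HTTP/1.1 200 OK
Content-Length: 33133
--5fcb9215-H--
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.1"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "66"] [id "960009"] [rev "2.2.1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/httpd/modsecurity_crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 4, SQLi=5, XSS=): Request Missing a User Agent Header"]
Stopwatch: 1322015557122593 24656 (- - -)
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.1.
Server: Apache/2.2.3 (CentOS)
--5fcb9215-Z--
"""

# "--<hex entry id>-<part letter>--" lines separate the parts of an entry.
PART_MARKER = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# One [key "value"] field; values may contain backslash-escaped characters.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_parts(text):
    """Split audit-log text into {entry_id: {part_letter: part_body}}."""
    entries = {}
    current_id = current_part = None
    for line in text.splitlines():
        marker = PART_MARKER.match(line)
        if marker:
            current_id, current_part = marker.group(1), marker.group(2)
            entries.setdefault(current_id, {}).setdefault(current_part, [])
            continue
        if current_id is not None:  # text before the first marker is ignored
            entries[current_id][current_part].append(line)
    return {eid: {p: "\n".join(lines) for p, lines in parts.items()}
            for eid, parts in entries.items()}


def parse_messages(h_part):
    """Turn each 'Message:' line of part H into a dict of its bracketed fields.

    Repeated [tag "..."] fields are collected into a list; the free text before
    the first field is kept under "text". Rules without a severity (such as the
    correlation rule 981203) simply have no "severity" key.
    """
    messages = []
    for line in h_part.splitlines():
        if not line.startswith("Message: "):
            continue
        record = {"text": line[len("Message: "):].split(" [", 1)[0], "tags": []}
        for key, value in FIELD.findall(line):
            if key == "tag":
                record["tags"].append(value)
            else:
                record[key] = value
        messages.append(record)
    return messages


def request_line(parts):
    """First line of part B, i.e. the request line of the audited transaction."""
    return parts["B"].splitlines()[0] if parts.get("B") else ""


def rule_hit_summary(text):
    """Count rule hits across all entries, keyed by (rule id, msg, severity)."""
    counter = Counter()
    for parts in split_parts(text).values():
        for msg in parse_messages(parts.get("H", "")):
            if "id" in msg:
                counter[(msg["id"], msg.get("msg", ""), msg.get("severity", ""))] += 1
    return counter


if __name__ == "__main__":
    for eid, parts in split_parts(SAMPLE_AUDIT_LOG).items():
        print(eid, request_line(parts))
        for msg in parse_messages(parts.get("H", "")):
            print("  ", msg.get("id"), msg.get("severity", "-"), msg.get("msg", msg["text"]))
    for (rule_id, msg, severity), count in rule_hit_summary(SAMPLE_AUDIT_LOG).most_common():
        print(f"{count:4d}  {rule_id}  {severity or '-':8s}  {msg}")
```

Run over a whole audit log rather than the single constructed entry, the summary shows which rule ids dominate the alerts and with what severity, which is the information needed to decide whether a rule should be kept, have its action adjusted, or be excluded for a specific location.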
I'm not very technical so apologies up front! Unfortunately, I've been left to figure this out though as the company who deal with my dedicated server are being less than helpful.
Really hoping someone can shed some light on this. We host around 100 websites and currently, all sites on our server are up and down like yoyos. There doesn't seem to be a pattern - it's very sporadic and intermittent. Usually, you can just click around one of the sites, for example www.innivo.com for a few mins and you’ll see the site drop out, and then after a few refreshes, it will come back, then back down – you get the idea.
In Chrome, I get: No data received
Unable to load the web page because the server sent no data.
Error code: ERR_EMPTY_RESPONSE
In Firefox I get:
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
The server doesn’t go down completely, it just doesn’t seem to serve the page. This also agrees with the firewall theory I mentioned on the call.
We have paid a lot of money to a security company who have removed a few bits of malware in the hope that it would fix the problem, but they now say that the server is completely clean and exploit free. My service provider is saying they won't help until I upgrade PHP on the server but although I'm going to do this, I'm pretty sure that this won't fix the sites dropping out all the time.
I found this post which describes EXACTLY what is happening, but he doesn’t really say how to fix it, or even if his ever got fixed but it’s the closest thing I’ve found!
http://progblog10.blogspot.co.uk/2013/09/modsecurity-causes-sporadic-no-data.html
I looked for this on the server but mod_security didn’t seem to exist otherwise I would have tried to disable it to see if it made a difference. I think though, that this firewall theory sounds plausible. I wonder if we have some other type of firewall which was maybe activated or updated when we updated CPanel last week.
I'm running WHM / CPanel / Apache
Any help would be massively appreciated. Hoping that this has happened to someone else!
Source: (StackOverflow)