ASL mod_sec rules install question

webjive
Forum User
Posts: 22
Joined: Wed Nov 09, 2011 3:22 am
Location: US


Was digging through the WIKI to figure out how to stop these errors:

collections_remove_stale: Failed to access DBM file "/usr/local/apache/conf/modsec/data/msa/user": Permission denied
collection_store: Failed to access DBM file "/usr/local/apache/conf/modsec/data/msa/ip": Permission denied

Then I found this in the WIKI
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*

Do the above permissions apply to a cPanel system running suPHP? nobody didn't seem correct for that setup and the WIKI didn't address that.

Thanks
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL mod_sec rules install question


We don't use collections, so this is being caused by some rules you have installed. Are you using some third-party rules?
webjive
Forum User
Posts: 22
Joined: Wed Nov 09, 2011 3:22 am
Location: US

Re: ASL mod_sec rules install question


Maybe, I put this rule in since the Joomla rule you have wasn't stopping the brute force attempts. Thought it might be related to ASL.

Code:

<Location /administrator/index.php>
        # Setup brute force detection. 

        # React if block flag has been set.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>
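
The counting logic of rules 10011 to 10013 above, as an added example that is not part of the original post and not ModSecurity or ASL code. It is a simplified model: the `ip` and `user` collections are assumed to be keyed by the same client, and decay is assumed to be one unit per full 180 seconds since the counter was last updated. The names `ClientState`, `handle` and `replay` are hypothetical.

```python
# Added example: simplified model of rules 10011-10013 from the post above.
# Assumption: decay is one unit per full DECAY_PERIOD since the last update.
from dataclasses import dataclass

THRESHOLD = 15       # "@gt 15"
DECAY_PERIOD = 180   # deprecatevar:ip.bf_counter=1/180
BLOCK_SECONDS = 300  # expirevar:user.bf_block=300


@dataclass
class ClientState:
    counter: int = 0            # models ip.bf_counter
    last_update: float = 0.0    # when the counter was last written
    blocked_until: float = 0.0  # models user.bf_block and its expiry


def handle(state: ClientState, now: float, status: int) -> str:
    """Process one request to the login URL; return 'deny' or 'pass'."""
    # Rule 10011: the block flag is checked before the request is served.
    if now < state.blocked_until:
        return "deny"
    if status == 302:
        # Rule 10012: a redirect means the login succeeded; reset the counter.
        state.counter, state.last_update = 0, now
    elif status == 200:
        # Rule 10013: count this response, then apply the time-based decay
        # (same order as the setvar and deprecatevar actions in the rule).
        decayed = int((now - state.last_update) // DECAY_PERIOD)
        state.counter = max(0, state.counter + 1 - decayed)
        state.last_update = now
        # Chained rule: above the threshold, set the flag and reset the counter.
        if state.counter > THRESHOLD:
            state.blocked_until = now + BLOCK_SECONDS
            state.counter = 0
    return "pass"


def replay(events):
    """events: iterable of (seconds, status) pairs; returns the verdicts."""
    state = ClientState()
    return [handle(state, t, s) for t, s in events]
```

Under this model the counter only drops when 180 seconds or more pass between updates, so 16 responses with status 200 spaced one minute apart still set the block flag, although the rule's message says "in 3 minutes".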
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL mod_sec rules install question


That's not one of our rules.