I installed mod_security via yum and installed the delayed rules, but any access to the web server turns up a default Apache page.
Adding my IP address to /etc/asl/whitelist allows me to access pages normally.
mod_security causes default apache page to come up
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: mod_security causes default apache page to come up
What do you see in your audit logs? Our modsecurity rules will log anything disruptive they do.
Michael Shinn
Atomicorp - Security For Everyone
Re: mod_security causes default apache page to come up
found this in the error_log:
[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]
from the audit_log:
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:14:30:12 --0700] "GET /favicon.ico HTTP/1.1" 403 957 "-" "-" P-yL2UgKIkkAAGxAYPMAAAAA "-" /20110316/20110316-1430/20110316-143012-P-yL2UgKIkkAAGxAYPMAAAAA 0 1667 md5:a20ed30954bd825b674e73fbacfc46f3
webmail.polygonfx.com 76.126.180.209 - - [16/Mar/2011:14:30:12 --0700] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 300 "-" "-" P-6W6kgKIkkAAGxBausAAAAB "-" /20110316/20110316-1430/20110316-143012-P-6W6kgKIkkAAGxBausAAAAB 0 1726 md5:84a33b8e468b127f8d3a1d4915c90453
smallgod.net 206.176.237.2 - - [16/Mar/2011:14:30:20 --0700] "GET /secure/roundcube/?_task=mail&_remote=1&_action=check-recent&_t=1300311019978&_mbox=INBOX&_list=1&_quota=1&_=1300311019979&_unlock=0 HTTP/1.1" 403 957 "-" "-" QHf-0UgKIkkAAG4hdkAAAAAC "-" /20110316/20110316-1430/20110316-143020-QHf-0UgKIkkAAG4hdkAAAAAC 0 1873 md5:1587b42110e80bfc1ea42f745ef5da34
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:21 --0700] "GET / HTTP/1.1" 403 5043 "-" "-" QIg0okgKIkkAAGxAYPQAAAAA "-" /20110316/20110316-1430/20110316-143021-QIg0okgKIkkAAGxAYPQAAAAA 0 1386 md5:f0a27628bb36b3cf896700360742c21b
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/apache_pb.gif HTTP/1.1" 403 957 "-" "-" QJDxwkgKIkkAAGxBauwAAAAB "-" /20110316/20110316-1430/20110316-143022-QJDxwkgKIkkAAGxBauwAAAAB 0 1139 md5:6e5efb92e7f3458b531390310c103022
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/powered_by_rh.png HTTP/1.1" 403 957 "-" "-" QJD0vUgKIkkAAG4hdkEAAAAC "-" /20110316/20110316-1430/20110316-143022-QJD0vUgKIkkAAG4hdkEAAAAC 0 1145 md5:ac0c4d717a7e764efb33826d1f671cc8
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:26 --0700] "GET /instructors/ HTTP/1.1" 403 957 "-" "-" QNl5zUgKIkkAAGxAYPUAAAAA "-" /20110316/20110316-1430/20110316-143026-QNl5zUgKIkkAAGxAYPUAAAAA 0 1473 md5:456d888b8d84772df9521e67f09c6849
www.dnaebeats.com 220.181.18.13 - - [16/Mar/2011:14:30:27 --0700] "GET /music/beat05.mp3 HTTP/1.0" 403 958 "-" "-" QNvvoEgKIkkAAGxBau0AAAAB "-" /20110316/20110316-1430/20110316-143027-QNvvoEgKIkkAAGxBau0AAAAB 0 934 md5:64e9022afcb4cfa833cede20e894ac89
www.kittyfeet.com 186.42.77.137 - - [16/Mar/2011:14:30:27 --0700] "GET /30music/storm.jpg HTTP/1.1" 403 958 "-" "-" QN7JqkgKIkkAAG4hdkIAAAAC "-" /20110316/20110316-1430/20110316-143027-QN7JqkgKIkkAAG4hdkIAAAAC 0 1264 md5:db512a0afdea2095263a3c64dd63c080
kittyfeet.com 220.181.27.12 - - [16/Mar/2011:14:30:29 --0700] "GET /smelly.mp3 HTTP/1.0" 403 958 "-" "-" QPprR0gKIkkAAGxAYPYAAAAA "-" /20110316/20110316-1430/20110316-143029-QPprR0gKIkkAAGxAYPYAAAAA 0 926 md5:e626d9c14b759579ae8df1d80a10c598
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: mod_security causes default apache page to come up
[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]
That means you have the RBL rules activated, and that IP is on the Spamhaus blacklist. You may want to contact Spamhaus to let them know if you believe that's in error.
Or disable the RBL rules.
Michael Shinn
Atomicorp - Security For Everyone
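The diagnosis above is read straight off the error_log line: rule 350000 reversed the client's octets, looked up 209.180.126.76.xbl.spamhaus.org, got an answer, and denied with 403. The script below is an added example (it is not code from this thread, from ASL, or from Atomicorp's rules) that automates that triage. It parses the error_log line and the audit_log index lines posted in this thread (embedded as constructed copies), joins them on unique_id so you can see which vhost and request each rule hit actually blocked, recomputes the DNSBL name from REMOTE_ADDR to confirm the lookup was for the right address, and re-checks an IP against a DNSBL through an injectable resolver so it runs offline. Treating only 127.0.0.0/8 answers as a listing, and excluding 127.255.255.0/24, is my assumption based on Spamhaus's documented error return codes for queries sent through open resolvers or over the volume limit; the rule in the log counts any successful lookup as a match, so that distinction is one you have to add yourself when you investigate a block.

```python
"""Triage helper for ModSecurity RBL denials (added example, not from the thread)."""
import ipaddress
import re
import socket

# Constructed sample lines, copied from the thread above.
ERROR_LOG = [
    '[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: '
    'Access denied with code 403 (phase 2). RBL lookup of '
    '209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. '
    '[file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] '
    '[rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] '
    '[severity "ERROR"] [hostname "webmail.polygonfx.com"] '
    '[uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]',
]
AUDIT_INDEX = [
    'webmail.polygonfx.com 76.126.180.209 - - [16/Mar/2011:14:30:12 --0700] '
    '"GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 300 "-" "-" '
    'P-6W6kgKIkkAAGxBausAAAAB "-" /20110316/20110316-1430/20110316-143012-'
    'P-6W6kgKIkkAAGxBausAAAAB 0 1726 md5:84a33b8e468b127f8d3a1d4915c90453',
    'basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:21 --0700] '
    '"GET / HTTP/1.1" 403 5043 "-" "-" QIg0okgKIkkAAGxAYPQAAAAA "-" '
    '/20110316/20110316-1430/20110316-143021-QIg0okgKIkkAAGxAYPQAAAAA 0 1386 '
    'md5:f0a27628bb36b3cf896700360742c21b',
]

CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [file "..."] [id "..."] ...
RBL_RE = re.compile(r'RBL lookup of (\S+) (succeeded|failed) at (\w+)')
AUDIT_RE = re.compile(                                # modsec audit index (concurrent) format
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<unique_id>\S+) ')


def rbl_query_name(ip, zone):
    """DNSBL name for an IPv4 address: octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)                  # rejects anything that is not IPv4
    return '.'.join(reversed(str(addr).split('.'))) + '.' + zone


def parse_error_line(line):
    """Fields of one ModSecurity error_log line as a dict, or None for other lines."""
    if 'ModSecurity:' not in line:
        return None
    rec = dict(TAG_RE.findall(line))
    m = CLIENT_RE.search(line)
    rec['client'] = m.group(1) if m else None
    m = RBL_RE.search(line)
    if m:
        rec['rbl_name'], rec['rbl_result'], rec['rbl_target'] = m.groups()
    return rec


def parse_audit_index_line(line):
    m = AUDIT_RE.match(line)
    return m.groupdict() if m else None


def correlate(error_lines, audit_lines):
    """Join rule hits to audit index entries on unique_id, and check that the RBL
    name ModSecurity logged is the one REMOTE_ADDR should have produced."""
    by_uid = {}
    for line in audit_lines:
        a = parse_audit_index_line(line)
        if a:
            by_uid[a['unique_id']] = a
    out = []
    for line in error_lines:
        e = parse_error_line(line)
        if not e or 'unique_id' not in e:
            continue
        a = by_uid.get(e['unique_id'], {})
        rec = {'unique_id': e['unique_id'], 'rule_id': e.get('id'), 'msg': e.get('msg'),
               'client': e['client'], 'vhost': a.get('vhost'),
               'request': a.get('request'), 'status': a.get('status')}
        if 'rbl_name' in e and e['client']:
            zone = e['rbl_name'].split('.', 4)[4]     # drop the four reversed octets
            rec['rbl_zone'] = zone
            rec['rbl_consistent'] = e['rbl_name'] == rbl_query_name(e['client'], zone)
        out.append(rec)
    return out


def _dns_resolve(name):
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rbl_listed(ip, zone, resolve=_dns_resolve):
    """Return the DNSBL answer if ip is listed in zone, else None.
    Only a 127.0.0.0/8 answer counts as a listing (DNSBLs encode the reason there);
    127.255.255.0/24 is excluded because Spamhaus uses it for query errors such as
    'queried via open resolver' (assumption from Spamhaus's published return codes)."""
    answer = resolve(rbl_query_name(ip, zone))
    if not answer:
        return None
    try:
        a = ipaddress.IPv4Address(answer)
    except ValueError:
        return None
    listed = a in ipaddress.IPv4Network('127.0.0.0/8')
    error_code = a in ipaddress.IPv4Network('127.255.255.0/24')
    return answer if listed and not error_code else None


def blocked_clients(audit_lines):
    """Count 403s per client IP in the audit index: who is actually being denied."""
    counts = {}
    for line in audit_lines:
        a = parse_audit_index_line(line)
        if a and a['status'] == '403':
            counts[a['ip']] = counts.get(a['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    for rec in correlate(ERROR_LOG, AUDIT_INDEX):
        print(rec)
    print(blocked_clients(AUDIT_INDEX))
```

Run it against your own logs by replacing the two constructed lists with the file contents; `blocked_clients` is the quick answer to "which addresses are hitting the default page", and `rbl_consistent` being False would mean the rule looked up something other than the connecting address, which is worth a closer look before blaming the blacklist.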
Re: mod_security causes default apache page to come up
Thanks. I disabled the RBL rules. Is it me, or are they a little harsh? (RBL rules)
Re: mod_security causes default apache page to come up
By default, with the delayed rules, I think everything is enabled by default. The idea is that you then disable anything you don't want. The XBL rules are very aggressive and do cause problems and personally I don't use them. They are not enabled by default in the standard rules.
Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?
Also this issue with the apache default page instead of a "denied" page coming up when *certain* rules trigger - that can be very confusing for new customers and old hands alike. Maybe it would be sensible to change this so that all triggered rules result in a "denied"?
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: mod_security causes default apache page to come up
Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?
Thanks for the suggestion Faris, we don't enable or disable anything with the free/unsupported/delayed rules. That's all up to the user. Unlike with ASL, users of the free/unsupported/delayed rules just download whatever conf files they want and configure Apache themselves; we don't enable, configure or install anything, the user does. So if it's enabled, they enabled it, which is why we provide instructions about the optimal configuration of our rules (which includes not enabling the RBL rules). So, if the RBL rules are enabled, it's because the user enabled them, per the wiki:
https://www.atomicorp.com/wiki/index.ph ... rity_2.5.x
So, if you have the RBL rules enabled, go back and make sure you followed our instructions about setting up modsecurity and not someone else's. The recommended ruleset to load is:
Include /full/path/to/your/rules/modsecurity.d/05_asl_exclude.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf
For ASL users, this is moot since the RBL rules are disabled by default, plus you can control that from the GUI. In ASL 3.0 this all changes, as RBLs will be something the user defines and it will be generated.
For users that don't use ASL, they will have to do what they do now: manually configure things for their needs and read the documentation online.
Michael Shinn
Atomicorp - Security For Everyone
Re: mod_security causes default apache page to come up
Ah. Right. Didn't know that. Thanks.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>