ASL mod_sec rules install question

Posted: Tue Apr 01, 2014 10:07 am
by webjive
Was digging through the WIKI to figure out how to stop these errors:

collections_remove_stale: Failed to access DBM file "/usr/local/apache/conf/modsec/data/msa/user": Permission denied
collection_store: Failed to access DBM file "/usr/local/apache/conf/modsec/data/msa/ip": Permission denied

Then I found this in the WIKI
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*

Do the above permissions apply to a cPanel system running suPHP? nobody didn't seem correct for that setup and the WIKI didn't address that.

Thanks

Re: ASL mod_sec rules install question

Posted: Tue Apr 01, 2014 10:08 am
by mikeshinn
We don't use collections, so this is being caused by some rules you have installed. Are you using some third-party rules?

Re: ASL mod_sec rules install question

Posted: Tue Apr 01, 2014 10:30 am
by webjive
Maybe, I put this rule in since the Joomla rule you have wasn't stopping the brute force attempts. Thought it might be related to ASL.

Code:

<Location /administrator/index.php>
        # Setup brute force detection.
        # The ip and user collections used below must already be initialised (e.g. via initcol) elsewhere in the configuration.

        # React if block flag has been set.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

        # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
        SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</Location>
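
An added example, not part of the original post or of the ASL rule set: a simplified Python model of the counter and block logic in rules 10011-10013 above, replayed over a constructed request sequence for one client. It assumes the ip and user collections are keyed by the same client and models deprecatevar as one unit of decay per full 180 seconds since the counter was last written; all function and field names are hypothetical.

```python
"""Simplified model of the brute-force rules (ids 10011-10013) for one client key."""
from dataclasses import dataclass
from typing import Optional

LIMIT = 15          # "@gt 15" in the chained rule
DECAY_PERIOD = 180  # deprecatevar:ip.bf_counter=1/180
BLOCK_TTL = 300     # expirevar:user.bf_block=300


@dataclass
class ClientState:
    bf_counter: int = 0
    counter_written_at: Optional[float] = None  # None until first write
    block_expires_at: float = -1.0              # bf_block is set while now < this


def handle(state, now, backend_status):
    """Apply the rules to one request; return the status the client sees."""
    # id 10011 (request phase): deny while bf_block is set and unexpired.
    if now < state.block_expires_at:
        return 401  # neither phase:5 rule matches a 401, so the counter is untouched
    if str(backend_status).startswith("302"):
        # id 10012: a successful login resets the counter.
        state.bf_counter, state.counter_written_at = 0, now
    elif str(backend_status).startswith("200"):
        # id 10013: count the failure, then decay 1 per full 180 s elapsed.
        last = now if state.counter_written_at is None else state.counter_written_at
        decay = int((now - last) // DECAY_PERIOD)
        state.bf_counter = max(0, state.bf_counter + 1 - decay)
        state.counter_written_at = now
        # Chained rule: over the limit -> set bf_block for 300 s, reset the counter.
        if state.bf_counter > LIMIT:
            state.block_expires_at = now + BLOCK_TTL
            state.bf_counter = 0
    return backend_status


def replay(events):
    """events: iterable of (epoch_seconds, backend_status) for one client."""
    state = ClientState()
    return [handle(state, t, s) for t, s in events]


# Constructed sample: 20 failed logins 2 s apart, then retries at t=1140 and t=1440.
SAMPLE = [(1000 + 2 * i, 200) for i in range(20)] + [(1140, 200), (1440, 200)]

if __name__ == "__main__":
    for (t, _), seen in zip(SAMPLE, replay(SAMPLE)):
        print(t, seen)
```

Because the counting rules run in phase 5, the 16th failed request still receives its 200 and the 401 only applies from the next request until the 300-second flag expires.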

Re: ASL mod_sec rules install question

Posted: Tue Apr 01, 2014 11:24 am
by mikeshinn
That's not one of our rules.