How to block and to test for unauthorized access

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
electronvolts
New Forum User
Posts: 2
Joined: Mon Apr 23, 2012 8:18 pm
Location: Canada

How to block and to test for unauthorized access

Unread post by electronvolts »

Hello everyone,

I've been using modsecurity with your delayed ruleset to help protect my apache2 web server for some time now. It's been working great until just recently. I was thumbing through my server's web access logs and found some entries that are worrying me. My question is how can I write a new rule for modsec that will block this unauthorized access and how can I test to ensure the new rule is working. I suppose I could write a mod_rewrite rule for this if I had to, but I would much rather write a modsec rule for this. Thanks for your time.

The unauthorized access:
120.38.196.182 - - [22/Apr/2012:17:17:06 -0600] "GET http://5566.net/ HTTP/1.1" 200 9101

Modsecurity Version:
ModSecurity for Apache/2.6.1

Modsecurity ruleset:
modsec-201202181610

Loaded Modules:
core_module (static)
authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
deflate_module (static)
log_config_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
dir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
unique_id_module (shared)
headers_module (shared)
php5_module (shared)
evasive20_module (shared)
security2_module (shared)
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: How to block and to test for unauthorized access

Unread post by mikeshinn »

Can you expand a little on what you want to do? For example, is that your domain? What do you want to block, just that specific request or something broader? And what happens when that request is made to your system?
electronvolts
New Forum User
Posts: 2
Joined: Mon Apr 23, 2012 8:18 pm
Location: Canada

Re: How to block and to test for unauthorized access

Unread post by electronvolts »

Hello again,

I will try to provide whatever details are required to the best of my ability.
5566.net is not my domain. It appears a clever hacker has found a way to use that request to open external domains through my server. When that request is made, my server seems to act like a type of proxy server. As you can see in my previous post I do not have any sort of proxy modules loaded on my server. Which leads me to believe I'm dealing with some sorta new exploit. I would like to block any requests that try to load external domains through my server. I'll provide a few examples of legit requests and abusive requests below.

example of legit request:
"GET /index.php HTTP/1.1"

examples of requests that I want to block:
"GET http://5566.net/ HTTP/1.1"
"GET http://www.5566.net/ HTTP/1.1"
"GET http://*.*.*/ HTTP/1.1"

Thanks in advance,
-Volts
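One way to express that block as a ModSecurity rule, as an added example that is not from this thread or the Atomicorp feed. It assumes the server's own hostnames are example.com and www.example.com (substitute yours) and that the rule is loaded before the feed's own rules; the curl lines in the comments are the suggested self-check against localhost.

```apache
# Added example, not part of the Atomicorp ruleset. Own hostnames are assumed
# to be example.com / www.example.com; edit the second regex to match yours.
#
# REQUEST_URI_RAW keeps the scheme and host from the request line, which plain
# REQUEST_URI strips. The chain fires only when BOTH rules match:
#   1. the request line carries an absolute URI (scheme://host/...), which a
#      browser only sends when it believes it is talking to a proxy, and
#   2. that URI is not for one of our own hostnames.
# A normal "GET /index.php HTTP/1.1" never matches rule 1 and is untouched.
SecRule REQUEST_URI_RAW "@rx ^[a-zA-Z][a-zA-Z0-9+.-]*://" \
    "phase:1,id:1000100,t:none,deny,status:403,log,auditlog,\
    msg:'Absolute URI for foreign host in request line (open-proxy probe)',\
    chain"
    SecRule REQUEST_URI_RAW "!@rx ^https?://(www\.)?example\.com(:[0-9]+)?(/|$)" \
        "t:none,t:lowercase"

# Self-check from a shell on the server after restarting Apache. The first
# request makes curl send "GET http://5566.net/ HTTP/1.1" to your own port 80
# (expect 403); the second is an ordinary request (expect 200). Then confirm
# id 1000100 appears in the ModSecurity audit log for the first one only.
#   curl -s -o /dev/null -w '%{http_code}\n' --proxy http://localhost:80 http://5566.net/
#   curl -s -o /dev/null -w '%{http_code}\n' http://localhost/index.php
```

If the second curl also returns 403, the own-host regex does not match the names your vhosts actually answer to; widen it before leaving the rule in deny mode.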
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: How to block and to test for unauthorized access

Unread post by mikeshinn »

That's interesting, so you don't have any proxy modules loaded and yet apache is proxying? Have you tested those URLs yourself to see if they are actually proxying? Or is the 200 error being returned from your domain because you have something else intercepting these requests?

And if it is proxying, what's your hostname as I'd love to see how apache is doing that.