mod_security causes default apache page to come up

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
jpkelly

I installed mod_security via yum and installed the delayed rules, but any access to the web server turns up a default Apache page. Adding my IP address to /etc/asl/whitelist allows me to access pages normally.

mikeshinn

What do you see in your audit logs? Our modsecurity rules will log anything disruptive they do.

jpkelly

Found this in the error_log:

[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]

From the audit_log:

www.smallgod.net 76.14.57.52 - - [16/Mar/2011:14:30:12 --0700] "GET /favicon.ico HTTP/1.1" 403 957 "-" "-" P-yL2UgKIkkAAGxAYPMAAAAA "-" /20110316/20110316-1430/20110316-143012-P-yL2UgKIkkAAGxAYPMAAAAA 0 1667 md5:a20ed30954bd825b674e73fbacfc46f3 
webmail.polygonfx.com 76.126.180.209 - - [16/Mar/2011:14:30:12 --0700] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 300 "-" "-" P-6W6kgKIkkAAGxBausAAAAB "-" /20110316/20110316-1430/20110316-143012-P-6W6kgKIkkAAGxBausAAAAB 0 1726 md5:84a33b8e468b127f8d3a1d4915c90453 
smallgod.net 206.176.237.2 - - [16/Mar/2011:14:30:20 --0700] "GET /secure/roundcube/?_task=mail&_remote=1&_action=check-recent&_t=1300311019978&_mbox=INBOX&_list=1&_quota=1&_=1300311019979&_unlock=0 HTTP/1.1" 403 957 "-" "-" QHf-0UgKIkkAAG4hdkAAAAAC "-" /20110316/20110316-1430/20110316-143020-QHf-0UgKIkkAAG4hdkAAAAAC 0 1873 md5:1587b42110e80bfc1ea42f745ef5da34 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:21 --0700] "GET / HTTP/1.1" 403 5043 "-" "-" QIg0okgKIkkAAGxAYPQAAAAA "-" /20110316/20110316-1430/20110316-143021-QIg0okgKIkkAAGxAYPQAAAAA 0 1386 md5:f0a27628bb36b3cf896700360742c21b 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/apache_pb.gif HTTP/1.1" 403 957 "-" "-" QJDxwkgKIkkAAGxBauwAAAAB "-" /20110316/20110316-1430/20110316-143022-QJDxwkgKIkkAAGxBauwAAAAB 0 1139 md5:6e5efb92e7f3458b531390310c103022 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/powered_by_rh.png HTTP/1.1" 403 957 "-" "-" QJD0vUgKIkkAAG4hdkEAAAAC "-" /20110316/20110316-1430/20110316-143022-QJD0vUgKIkkAAG4hdkEAAAAC 0 1145 md5:ac0c4d717a7e764efb33826d1f671cc8 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:26 --0700] "GET /instructors/ HTTP/1.1" 403 957 "-" "-" QNl5zUgKIkkAAGxAYPUAAAAA "-" /20110316/20110316-1430/20110316-143026-QNl5zUgKIkkAAGxAYPUAAAAA 0 1473 md5:456d888b8d84772df9521e67f09c6849 
www.dnaebeats.com 220.181.18.13 - - [16/Mar/2011:14:30:27 --0700] "GET /music/beat05.mp3 HTTP/1.0" 403 958 "-" "-" QNvvoEgKIkkAAGxBau0AAAAB "-" /20110316/20110316-1430/20110316-143027-QNvvoEgKIkkAAGxBau0AAAAB 0 934 md5:64e9022afcb4cfa833cede20e894ac89 
www.kittyfeet.com 186.42.77.137 - - [16/Mar/2011:14:30:27 --0700] "GET /30music/storm.jpg HTTP/1.1" 403 958 "-" "-" QN7JqkgKIkkAAG4hdkIAAAAC "-" /20110316/20110316-1430/20110316-143027-QN7JqkgKIkkAAG4hdkIAAAAC 0 1264 md5:db512a0afdea2095263a3c64dd63c080 
kittyfeet.com 220.181.27.12 - - [16/Mar/2011:14:30:29 --0700] "GET /smelly.mp3 HTTP/1.0" 403 958 "-" "-" QPprR0gKIkkAAGxAYPYAAAAA "-" /20110316/20110316-1430/20110316-143029-QPprR0gKIkkAAGxAYPYAAAAA 0 926 md5:e626d9c14b759579ae8df1d80a10c598 

mikeshinn

[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]
That means you have the RBL rules activated, and that IP is on the spamhaus blacklist. You may want to contact spamhaus to let them know if you believe that's in error.

Or disable the RBL rules.
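
Added example, not part of the original thread: the Python below parses error_log entries like the one quoted above to show which rule id and rule file are issuing the 403s, and recovers the DNSBL zone from the reversed-octet lookup name. The function names are hypothetical, and the second sample line is constructed.

```python
import re

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # e.g. [id "350000"]
CLIENT_RE = re.compile(r'\[client (\d+\.\d+\.\d+\.\d+)')
RBL_RE = re.compile(r'RBL lookup of (\S+) succeeded')

# The first entry is the error_log line quoted in the thread; the second is a
# constructed, unrelated Apache error to show that other entries are skipped.
SAMPLE_LOG = [
    '[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: '
    'Access denied with code 403 (phase 2). RBL lookup of '
    '209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. '
    '[file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] '
    '[id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the '
    'xbl.spamhaus.org Blacklist"] [severity "ERROR"] '
    '[hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] '
    '[unique_id "P-6W6kgKIkkAAGxBausAAAAB"]',
    '[Wed Mar 16 14:30:13 2011] [error] [client 192.0.2.10] '
    'File does not exist: /var/www/html/robots.txt',
]

def parse_denial(line):
    """Return the fields of a ModSecurity 'Access denied' entry, else None."""
    if "ModSecurity: Access denied" not in line:
        return None
    event = dict(TAG_RE.findall(line))
    client = CLIENT_RE.search(line)
    event["client"] = client.group(1) if client else None
    event["rbl_zone"] = None
    rbl = RBL_RE.search(line)
    if rbl and event["client"]:
        # A DNSBL query is the client's IPv4 octets reversed, then the zone:
        # 76.126.180.209 is looked up as 209.180.126.76.<zone>.
        prefix = ".".join(reversed(event["client"].split("."))) + "."
        if rbl.group(1).startswith(prefix):
            event["rbl_zone"] = rbl.group(1)[len(prefix):]
    return event

def blocking_rules(lines):
    """Map (rule id, rule file) -> set of blocked clients, for triage."""
    rules = {}
    for event in filter(None, map(parse_denial, lines)):
        key = (event.get("id"), event.get("file"))
        rules.setdefault(key, set()).add(event["client"])
    return rules

if __name__ == "__main__":
    for (rule_id, rule_file), clients in blocking_rules(SAMPLE_LOG).items():
        print(rule_id, rule_file, sorted(clients))
```

Grouping by rule file makes it obvious when a single optional file, here 00_asl_rbl.conf, accounts for the denials.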

jpkelly

Thanks. I disabled the RBL rules. Is it me or are they a little harsh? (RBL rules)

faris

By default, with the delayed rules, I think everything is enabled by default. The idea is that you then disable anything you don't want. The XBL rules are very aggressive and do cause problems and personally I don't use them. They are not enabled by default in the standard rules.

Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?

Also this issue with the apache default page instead of a "denied" page coming up when *certain* rules trigger - that can be very confusing for new customers and old hands alike. Maybe it would be sensible to change this so that all triggered rules result in a "denied"?

Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

mikeshinn

Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?
Thanks for the suggestion Faris, we don't enable or disable anything with the free/unsupported/delayed rules. That's all up to the user. Unlike with ASL, users of the free/unsupported/delayed rules just download whatever conf files they want and configure Apache themselves, we don't enable, configure or install anything, the user does. So if it's enabled, they enabled it, which is why we provide instructions about the optimal configuration of our rules (which includes not enabling the RBL rules). So, if the RBL rules are enabled, it's because the user enabled them, per the wiki:

https://www.atomicorp.com/wiki/index.ph ... rity_2.5.x
The recommended ruleset to load is:

Include /full/path/to/your/rules/modsecurity.d/05_asl_exclude.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf
So, if you have the RBL rules enabled, go back and make sure you followed our instructions about setting up modsecurity and not someone else's.

For ASL users, this is moot since the RBL rules are disabled by default, plus you can control that from the GUI. In ASL 3.0 this all changes, as RBLs will be something the user defines and it will be generated.

For users that don't use ASL, they will have to do what they do now, manually configure things for their needs and read the documentation online.
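
Added example, not part of the original thread: one way to check an Apache configuration against the recommended Include list above, expanding wildcard Includes against a directory listing so that extra files such as 00_asl_rbl.conf are reported. The function names, the wildcard configuration and the directory listing are constructed assumptions, not the original poster's actual setup.

```python
import fnmatch
import posixpath
import re

# File names from the recommended Include list in the post above.
RECOMMENDED = {
    "05_asl_exclude.conf", "10_asl_antimalware.conf", "10_asl_rules.conf",
    "20_asl_useragents.conf", "30_asl_antispam.conf", "50_asl_rootkits.conf",
    "60_asl_recons.conf", "61_asl_recons_dlp.conf", "99_asl_jitp.conf",
}
RULES_DIR = "/etc/httpd/modsecurity.d/"  # directory seen in the thread's error_log
INCLUDE_RE = re.compile(r'^\s*Include(?:Optional)?\s+"?([^"\s#]+)', re.IGNORECASE)

# Constructed inputs: a directory listing that also holds the RBL rules file,
# one config that loads everything by wildcard, one that lists files explicitly.
FILES_ON_DISK = [RULES_DIR + n for n in sorted(RECOMMENDED | {"00_asl_rbl.conf"})]
WILDCARD_CONF = "Include " + RULES_DIR + "*.conf\n"
EXPLICIT_CONF = (
    "".join("Include %s%s\n" % (RULES_DIR, n) for n in sorted(RECOMMENDED))
    + "# Include " + RULES_DIR + "00_asl_rbl.conf\n"
)

def loaded_rule_files(conf_text, files_on_disk):
    """Expand Include directives, wildcards included, against a file listing."""
    loaded = set()
    for line in conf_text.splitlines():
        match = INCLUDE_RE.match(line)  # commented-out directives do not match
        if match:
            loaded.update(fnmatch.filter(files_on_disk, match.group(1)))
    return loaded

def audit(conf_text, files_on_disk):
    """Report rule files loaded beyond, or missing from, the recommended set."""
    names = {posixpath.basename(p)
             for p in loaded_rule_files(conf_text, files_on_disk)}
    return {"extra": sorted(names - RECOMMENDED),
            "missing": sorted(RECOMMENDED - names)}

if __name__ == "__main__":
    print("wildcard:", audit(WILDCARD_CONF, FILES_ON_DISK))
    print("explicit:", audit(EXPLICIT_CONF, FILES_ON_DISK))
```

A wildcard Include loads every matching file in the directory, so the RBL rules become active as soon as the file is present, while the explicit list loads only what is named.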

faris

Ah. Right. Didn't know that. Thanks.