WAF red dot but says is disabled but is enabled?
Posted: Thu Sep 26, 2013 8:00 am
by craigedmonds
This ASL software is driving me around the bend. I am seeing in the logs today the following entries:
[Thu Sep 26 12:51:30 2013] [error] [client 212.89.9.133] ModSecurity: [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "nacaloans.com"] [uri "/wp-login.php"] [unique_id "UkQfwW1Lp9kAADN9ZHAAAAAS"]
These are WordPress brute force attacks and I am getting hundreds of these a minute.
In the GUI it's saying that WAF is DISABLED.
In the configuration it's saying that WAF is enabled.
I thought ASL takes care of this?
I am shitting it at the moment as customers' WordPress sites are getting hacked left, right and centre with this annoying brute force attack.
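A defender-side way to make sense of a flood of entries like the one quoted above is to parse the bracketed ModSecurity fields and count hits of the login-failure rule (id 377360) per client and per hostname. This is an added example, not code from the thread or from ASL; the log lines, client addresses, hostnames and unique_ids below are constructed, and the threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample entries in the same format as the error_log line quoted
# above; client addresses, hostnames and unique_ids are made up.
SAMPLE_LOG = """\
[Thu Sep 26 12:51:30 2013] [error] [client 203.0.113.5] ModSecurity: [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "site-a.example"] [uri "/wp-login.php"] [unique_id "AAAA0001"]
[Thu Sep 26 12:51:31 2013] [error] [client 203.0.113.5] ModSecurity: [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "site-a.example"] [uri "/wp-login.php"] [unique_id "AAAA0002"]
[Thu Sep 26 12:51:31 2013] [error] [client 203.0.113.5] ModSecurity: [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "site-b.example"] [uri "/wp-login.php"] [unique_id "AAAA0003"]
[Thu Sep 26 12:51:32 2013] [error] [client 198.51.100.7] ModSecurity: [file "/usr/local/apache/modsecurity.d/12_asl_brute.conf"] [line "61"] [id "377360"] [rev "2"] [msg "Atomicorp.com WAF Rules - Login Failure Detection: Wordpress Login Attempt Failure "] [severity "WARNING"] [tag "no_ar"] Warning. Pattern match "200" at RESPONSE_STATUS. [hostname "site-a.example"] [uri "/wp-login.php"] [unique_id "AAAA0004"]
[Thu Sep 26 12:51:33 2013] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
"""

# ModSecurity writes each field as [key "value"]; only the client address is
# bracketed without quotes, so it gets its own pattern.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

def parse_entry(line):
    """Return the bracketed fields of a ModSecurity error_log line, else None."""
    if "ModSecurity:" not in line:
        return None
    client = CLIENT_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    fields["client"] = client.group(1) if client else None
    return fields

def login_failures(log_text, rule_id="377360"):
    """Count hits of the login-failure rule per (client, hostname) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry.get("id") == rule_id:
            counts[(entry["client"], entry.get("hostname"))] += 1
    return counts

def noisy_clients(log_text, threshold=2, rule_id="377360"):
    """Clients whose failures across all hosts reach the (assumed) threshold."""
    per_client = Counter()
    for (client, _host), n in login_failures(log_text, rule_id).items():
        per_client[client] += n
    return sorted(c for c, n in per_client.items() if n >= threshold)

if __name__ == "__main__":
    for (client, host), n in login_failures(SAMPLE_LOG).most_common():
        print(f"{client:15} {host:15} {n}")
    print("over threshold:", noisy_clients(SAMPLE_LOG))
```

Running it over a real /var/log/httpd/error_log shows at a glance which sources and which customer sites the rule is firing for, which is the first thing to check against what the WAF status page claims.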
Re: WAF red dot but says is disabled but is enabled?
Posted: Thu Sep 26, 2013 11:24 am
by mikeshinn
What's the output of this command:
asl -s -f
Re: WAF red dot but says is disabled but is enabled?
Posted: Thu Sep 26, 2013 11:26 am
by craigedmonds
mikeshinn wrote: What's the output of this command:
asl -s -f
Quite a bit of stuff.
[root@maggie ~]# asl -s -f
Starting Atomic Secured Linux scan, please be patient...
Checking Kernel security settings
ASL kernel: detected [OK]
KERNEXEC protections: detected [OK]
UDEREF protections: detected [OK]
Runtime module loading: disabled [OK]
GRsecurity administrative password: not set [INFO]
GRsecurity ACL database: not found [INFO]
Executable anonymous mapping: no [OK]
Executable bss: no [OK]
Executable data: no [OK]
Executable heap: no [OK]
Executable stack: no [OK]
Executable anonymous mapping (mprotect): no [OK]
Executable bss (mprotect): no [OK]
Executable data (mprotect): no [OK]
Executable heap (mprotect): no [OK]
Executable shared library bss (mprotect): no [OK]
Executable shared library data (mprotect): no [OK]
Executable stack (mprotect): no [OK]
Anonymous mapping randomisation test: no [OK]
Heap randomisation test (ET_EXEC): no [OK]
Heap randomisation test (ET_DYN): no [OK]
Main executable randomisation (ET_EXEC): no [OK]
Shared library randomisation test: no [OK]
Stack randomisation test (SEGMEXEC): no [OK]
Stack randomisation test (PAGEEXEC): no [OK]
Executable shared library bss: no [OK]
Executable shared library data: no [OK]
Writable text segments: no [OK]
Kernel Enforced Security Policies
Trusted Path Execution(TPE): enforced [OK]
TPE Mode: Unless Deny, Allow [INFO]
Disable Privileged I/O: enforced [OK]
Audit mount() events: not enforced [INFO]
Audit chdir() events: not enforced [INFO]
Audit ptrace() events: enforced [OK]
Audit text relocation events: not enforced [INFO]
Restrict chroot() capabilities: enforced [OK]
Chroot restrictions, deny chmod(): enforced [OK]
Chroot restrictions, deny chroot(): enforced [OK]
Chroot restrictions, deny fchdir(): enforced [OK]
Chroot restrictions, deny mknod(): enforced [OK]
Chroot restrictions, deny mount(): enforced [OK]
Chroot restrictions, deny pivot(): enforced [OK]
Chroot restrictions, deny external shmem access: enforced[OK]
Chroot restrictions, deny sysctl: enforced [OK]
Chroot restrictions, deny unix domain sockets: enforced [OK]
Chroot restrictions, set cwd to chroot dir: enforced [OK]
Chroot restrictions, process controls: enforced [OK]
Restrict dmesg: enforced [OK]
Enhanced FIFO restrictions: enforced [OK]
Fork() failure logging: enforced [OK]
Harden ptrace(): enforced [OK]
Network Stack, IP Blackhole policy: enforced [OK]
Linking Restrictions: enforced [OK]
Resource Logging: enforced [OK]
RWX map Logging: not enforced [INFO]
Signal Logging: enforced [OK]
Timechange Logging: enforced [OK]
Failed to set locale, defaulting to C
Checking General security settings
Checking for unnecessary services
Service FreeWnn: disabled [OK]
Service annacron: disabled [OK]
Service apmd: disabled [OK]
Service autofs: disabled [OK]
Service avahi-daemon: disabled [OK]
Service avahi-dnsconfd: disabled [OK]
Service bluetooth: disabled [OK]
Service canna: disabled [OK]
Service cups: disabled [OK]
Service cups-config-daemon: disabled [OK]
Service gpm: disabled [OK]
Service haldaemon: disabled [OK]
Service hidd: disabled [OK]
Service hplip: disabled [OK]
Service iiim: disabled [OK]
Service isdn: disabled [OK]
Service kdump: disabled [OK]
Service mDNSResponder: disabled [OK]
Service mcstrans: disabled [OK]
Service nfs: disabled [OK]
Service nfslock: disabled [OK]
Service nifd: disabled [OK]
Service pcscd: disabled [OK]
Service portmap: disabled [OK]
Service rpcidmapd: disabled [OK]
Service sbadm: disabled [OK]
Service xfs: disabled [OK]
Service X11: disabled [OK]
Checking for End of Life (EOL) operating systems
centos/6: Supported [OK]
Checking for POSIX ACL support: detected [OK]
Checking for updater: yum detected [OK]
Checking for updates: system is up to date [OK]
Checking for Superuser accounts (UID0)
Checking for Suspicious cron jobs
Checking for non-secure services
Telnet: not detected [OK]
Rlogin: not detected [OK]
Rsh: not detected [OK]
Checking system logging
Rsyslogd: detected [OK]
Rsyslog imklog module: detected [OK]
Checking mod_security settings
mod_security set to: enabled [OK]
Server signature set to: Apache [OK]
SecUploadDir set to: /var/asl/data/suspicious [OK]
SecUploadKeepFiles set to: off [OK]
Logfile set to: audit_log [OK]
Logging set to: Concurrent [OK]
Audit Logging to: /var/asl/data/audit [OK]
Logging elements set to: ABIFHZ [OK]
SecRequestBodyInMemoryLimit set to: 131072 [OK]
SecRequestBodyLimit set to: 134217728 [OK]
SecResponseBodyLimitAction set to: ProcessPartial [OK]
SecDataDir set to: /var/asl/data/msa [OK]
SecTmpDir set to: /tmp [OK]
Checking rule class settings
RBL Ruleset: off [LOW]
Bogus Search Engine Ruleset: off [HIGH]
Autowhitelist Search Engine Ruleset: off [LOW]
Antievasion Ruleset: on [OK]
Strict Multiform Ruleset: off [MODERATE]
Whitelist Ruleset: off [OK]
Advanced Antievasion Ruleset: off [HIGH]
Slow Denial of Service Protection: on [OK]
Exclude Ruleset: on [OK]
Anti-Malware Ruleset: on [OK]
Application Specific Rules: off [LOW]
Generic Attack Ruleset: on [OK]
Advanced Attack Ruleset: off [HIGH]
Data Loss Protection Ruleset: off [MODERATE]
Brute Force Protection Ruleset: on [OK]
Malicious Useragents Ruleset: on [OK]
Anti-Spam Ruleset: on [OK]
Anti-Spam URI RBL Ruleset: off [LOW]
Rootkit Detection Ruleset: on [OK]
Reconnaissance Attacks Ruleset: on [OK]
Data Leak Prevention Ruleset: on [OK]
Just In Time Patches: on [OK]
Malicious Output Removal Ruleset: on [OK]
Malicious Output Detector: on [OK]
Web Malware Upload Scanner: on [OK]
Checking for disabled rules
Error: does not exist.
Checking php settings
Checking for php installation: installed [OK]
Enforce safe_mode: enforced [OK]
Disable register_globals: enforced [OK]
Disable URL fopen: enforced [OK]
Disable expose_php: enforced [OK]
Disable display_errors: enforced [OK]
Checking for High-Risk functions
Function curl_exec: allowed [HIGH]
Function curl_multi_exec: allowed [HIGH]
Function dl: not allowed [OK]
Function exec: not allowed [OK]
Function fsockopen: allowed [HIGH]
Function passthru: not allowed [OK]
Function pcntl_exec: not allowed [OK]
Function pfsockopen: not allowed [OK]
Function popen: not allowed [OK]
Function posix_kill: not allowed [OK]
Function posix_mkfifo: not allowed [OK]
Function posix_setuid: not allowed [OK]
Function proc_close: not allowed [OK]
Function proc_open: not allowed [OK]
Function proc_terminate: not allowed [OK]
Function shell_exec: not allowed [OK]
Function system: not allowed [OK]
Checking for Moderate-Risk functions
Function ftp_exec: not allowed [OK]
Function leak: not allowed [OK]
Function posix_setpgid: not allowed [OK]
Function posix_setsid: not allowed [OK]
Function proc_get_status: not allowed [OK]
Function proc_nice: not allowed [OK]
Function show_source: not allowed [OK]
Checking for Low-Risk functions
Function escapeshellcmd: not allowed [OK]
Function phpinfo: allowed [LOW]
Checking executable stack flag on PHP extensions
/etc/init.d/ossec-hids: line 18: [: =: unary operator expected
Checking ossec-hids settings
Checking for ossec-hids installation: installed [OK]
ossec-hids set to: enabled [OK]
OSSEC is configured in server mode.
Checking for server installation: installed [OK]
Enable email notification: enabled [OK]
Notifications to address: servers@hsws.com [OK]
Notifications from address: asl@maggie.hsws.com [OK]
SMTP server: 127.0.0.1 [OK]
Max email per hour setting: 1 [OK]
Active Response: enabled [OK]
Active Response timeout: 600 [OK]
Verifying OSSEC whitelists
checking: 2.139.14.47 [OK]
checking: 61.17.231.6 [OK]
checking: 67.43.164.34 [OK]
checking: 77.206.98.122 [OK]
checking: 81.101.185.48 [OK]
checking: 82.152.125.29 [OK]
checking: 83.91.58.130 [OK]
checking: 85.13.231.163 [OK]
checking: 86.176.108.135 [OK]
checking: 88.48.243.18 [OK]
checking: 89.222.135.198 [OK]
checking: 89.234.7.214 [OK]
checking: 92.18.111.164 [OK]
checking: 92.23.32.41 [OK]
checking: 92.239.159.248 [OK]
checking: 94.194.44.251 [OK]
checking: 109.75.167.216 [OK]
checking: 109.75.167.217 [OK]
checking: 109.224.154.8 [OK]
checking: 117.218.70.51 [OK]
checking: 118.127.11.241 [OK]
checking: 122.166.240.148 [OK]
checking: 123.236.66.178 [OK]
checking: 127.0.0.1 [OK]
checking: 151.42.16.179 [OK]
checking: 151.42.49.185 [OK]
checking: 173.245.53.109 [OK]
checking: 182.188.206.44 [OK]
checking: 193.38.100.250 [OK]
checking: 195.195.237.10 [OK]
Excessive whitelists not detected: 30 [OK]
Checking for monitored log files
/var/log/messages: monitored [OK]
/var/log/secure: monitored [OK]
/var/log/maillog: monitored [OK]
/var/log/httpd/access_log: monitored [OK]
/var/log/httpd/audit_log: monitored [OK]
/var/log/tortixd/audit_log: monitored [OK]
/var/log/httpd/error_log: monitored [OK]
/var/log/httpd/suexec_log: monitored [OK]
/var/log/mysqld.log: monitored [OK]
Reloading ossec-hids: [ OK ]
Checking rkhunter settings
Checking for rkhunter installation: installed [OK]
rkhunter set to: enabled [OK]
Notifications sent to: servers@hsws.com [FIXED]
SSH root login check: enabled [FIXED]
Checking ssh settings
Enforce Protocol Version 2: enforced [OK]
SSH Port: 2633 [OK]
Strict modes enabled: enforced [OK]
Ignore .rhosts: enforced [OK]
Enforce Public Key authentication for users: enforced [OK]
Administrative users are: not defined [HIGH]
WARNING: SSH authentication will not be reconfigured at this time.
Disable Root Logins: no [HIGH]
Disable Password Authentication: no [HIGH]
Enable Privilege separation: enabled [OK]
Disallow GSSAPIAuthentication: enforced [OK]
Disallow GSSAPICleanupCredentials: enforced [OK]
SSH Banner: /etc/asl/banner [OK]
Enable UseDNS: enforced [OK]
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Checking httpd settings
Checking mod_evasive settings
Checking for mod_evasive installation: installed [OK]
mod_evasive set to: enabled [OK]
DOSHashTableSize set to: 4096 [OK]
DOSPageCount set to: 5 [OK]
DOSSiteCount set to: 200 [OK]
DOSPageInterval set to: 2 [OK]
DOSSiteInterval set to: 2 [OK]
DOSBlockingPeriod set to: 25 [OK]
checking: 2.139.14.47 [OK]
checking: 61.17.231.6 [OK]
checking: 67.43.164.34 [OK]
checking: 77.206.98.122 [OK]
checking: 81.101.185.48 [OK]
checking: 82.152.125.29 [OK]
checking: 83.91.58.130 [OK]
checking: 85.13.231.163 [OK]
checking: 86.176.108.135 [OK]
checking: 88.48.243.18 [OK]
checking: 89.222.135.198 [OK]
checking: 89.234.7.214 [OK]
checking: 92.18.111.164 [OK]
checking: 92.23.32.41 [OK]
checking: 92.239.159.248 [OK]
checking: 94.194.44.251 [OK]
checking: 109.75.167.216 [OK]
checking: 109.75.167.217 [OK]
checking: 109.224.154.8 [OK]
checking: 117.218.70.51 [OK]
checking: 118.127.11.241 [OK]
checking: 122.166.240.148 [OK]
checking: 123.236.66.178 [OK]
checking: 127.0.0.1 [OK]
checking: 151.42.16.179 [OK]
checking: 151.42.49.185 [OK]
checking: 173.245.53.109 [OK]
checking: 182.188.206.44 [OK]
checking: 193.38.100.250 [OK]
checking: 195.195.237.10 [OK]
Checking Mysql security settings
mysql security policy set to: enforced [OK]
Mysql Local LOAD DATA: disabled [OK]
Mysql Log Errors: enabled [OK]
Mysql Log authentication failures: enabled [OK]
Mysql symbolic links : disabled [OK]
Mysql query caching: enabled [OK]
Restarting clamav, this could take a moment...
Checking clamav settings
Checking for clamav installation: installed [OK]
ClamAV set to: enabled [OK]
Clamd listen address: 127.0.0.1 [OK]
Clamd log to syslog: yes [OK]
Clamav is in: application-only mode
Stopping Clam AntiVirus Daemon: [ OK ]
Starting Clam AntiVirus Daemon: [ OK ]
Checking psmon settings
Checking for psmon installation: not installed [FAILED]
Generating Report: Complete
Re: WAF red dot but says is disabled but is enabled?
Posted: Thu Sep 26, 2013 4:54 pm
by mikeshinn
So that means the WAF is working; it could just be a cache issue with your browser. At some point the WAF was disabled on your system. Have you made any changes or upgrades to your system recently?
Re: WAF red dot but says is disabled but is enabled?
Posted: Fri Sep 27, 2013 3:24 am
by craigedmonds
Last night I opened the GUI on all my machines and there was an update, so I updated all of them.
After that it was green across the board.
Re: WAF red dot but says is disabled but is enabled?
Posted: Fri Sep 27, 2013 12:51 pm
by mikeshinn
Any chance you can post /var/log/yum.log?