Error Emails From Mod_Security

Nov 28, 2008

I got quite a lot of these e-mails from my mod_security:

Quote:

[Thu Nov 27 23:36:44 2008] [error] [client 75.165.229.140] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(ht|f)tps?:/" at ARGS:loc. [file "/usr/local/apache/conf/modsec2/rules.conf"] [line "155"] [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"] [hostname "www.domain"] [uri "/ads/www/delivery/lg.php"] [unique_id "SS@DbEo-wEIAABlHa1YAAAAX"]


Mod_security Rules & 500 Error

Nov 4, 2009

I have ModSec 2.5.9 and am using the default rules provided by cPanel. When I try to update the rules along with the default rules given by cPanel, I get an internal server error (500 Error).

The rules I tried to implement are from

Quote:

[url]


Mod_security 2.5 Install Error

Feb 29, 2008

Trying to install mod_security 2.5 on Red Hat box with Apache 2.0.52 per ModSecurity.org installation instructions.

Getting no errors when running:
./configure --with-apxs=/usr/sbin/apxs
or
make

But, when I run 'make test' I get the following:

# make test
/bin/sh /usr/lib/apr/build/libtool --silent --mode=compile gcc -O2 -g -pipe -m32 -march=i386 -mtune=pentium4 -pthread -O2 -g -Wall -Werror -I/usr/include/pcre -I/usr/include/libxml2 -I/usr/include/apr-0 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apr-0 -o msc_test.lo -c msc_test.c
In file included from re.h:36,
from modsecurity.h:46,
from msc_test.c:13:
apache2.h:14:23: http_core.h: No such file or directory
apache2.h:15:26: http_request.h: No such file or directory
apache2.h:16:19: httpd.h: No such file or directory
apache2.h:17:24: ap_release.h: No such file or directory
In file included from re.h:36,
from modsecurity.h:46,
from msc_test.c:13:
apache2.h:60: error: syntax error before '*' token
apache2.h:63: error: syntax error before '*' token
apache2.h:72: error: syntax error before "ap_filter_t"
apache2.h:80: error: syntax error before '*' token
apache2.h:82: error: syntax error before '*' token
apache2.h:89: error: syntax error before '*' token
In file included from msc_test.c:13:
modsecurity.h:48:23: ap_config.h: No such file or directory
modsecurity.h:53:25: http_config.h: No such file or directory
modsecurity.h:54:22: http_log.h: No such file or directory
modsecurity.h:55:27: http_protocol.h: No such file or directory
modsecurity.h:123:19: unixd.h: No such file or directory
In file included from msc_test.c:13:
modsecurity.h:145: error: syntax error before "AP_MODULE_DECLARE_DATA"
modsecurity.h:145: warning: type defaults to `int' in declaration of `security2_module'
modsecurity.h:145: warning: data definition has no type or storage class
modsecurity.h:147: error: syntax error before "module_directives"
modsecurity.h:147: warning: type defaults to `int' in declaration of `module_directives'
modsecurity.h:147: warning: data definition has no type or storage class
modsecurity.h:209: error: syntax error before "request_rec"
modsecurity.h:209: warning: no semicolon at end of struct or union
modsecurity.h:210: warning: type defaults to `int' in declaration of `r'
modsecurity.h:210: warning: data definition has no type or storage class
modsecurity.h:223: error: syntax error before '*' token
modsecurity.h:223: warning: type defaults to `int' in declaration of `if_brigade'
modsecurity.h:223: warning: data definition has no type or storage class
modsecurity.h:229: error: syntax error before '*' token
modsecurity.h:229: warning: type defaults to `int' in declaration of `of_brigade'
modsecurity.h:229: warning: data definition has no type or storage class
modsecurity.h:376: error: syntax error before '}' token
modsecurity.h:496: error: syntax error before "apr_global_mutex_t"
modsecurity.h:496: warning: no semicolon at end of struct or union
modsecurity.h:499: error: syntax error before '}' token
In file included from msc_test.c:15:
pdf_protect.h:18: error: syntax error before '*' token
msc_test.c:39: error: syntax error before "ap_filter_t"
msc_test.c: In function `msr_log':
msc_test.c:56: error: dereferencing pointer to incomplete type
msc_test.c:59: error: dereferencing pointer to incomplete type
msc_test.c:60: error: dereferencing pointer to incomplete type
msc_test.c:60: error: dereferencing pointer to incomplete type
msc_test.c:61: error: dereferencing pointer to incomplete type
msc_test.c:62: error: dereferencing pointer to incomplete type
msc_test.c:67: error: dereferencing pointer to incomplete type
msc_test.c:72: error: dereferencing pointer to incomplete type
msc_test.c: At top level:
msc_test.c:77: error: syntax error before '*' token
msc_test.c:81: error: syntax error before '*' token
msc_test.c:85: error: syntax error before '*' token
msc_test.c:89: error: syntax error before '*' token
msc_test.c: In function `test_tfn':
msc_test.c:156: error: dereferencing pointer to incomplete type
msc_test.c: In function `test_op':
msc_test.c:190: error: dereferencing pointer to incomplete type
msc_test.c:201: error: dereferencing pointer to incomplete type
msc_test.c:208: error: dereferencing pointer to incomplete type
msc_test.c:224: error: dereferencing pointer to incomplete type
msc_test.c: In function `init_msr':
msc_test.c:254: error: `request_rec' undeclared (first use in this function)
msc_test.c:254: error: (Each undeclared identifier is reported only once
msc_test.c:254: error: for each function it appears in.)
msc_test.c:255: error: syntax error before ')' token
msc_test.c:300: error: invalid application of `sizeof' to incomplete type `modsecurity.h'
msc_test.c:300: error: invalid application of `sizeof' to incomplete type `modsecurity.h'
msc_test.c:301: error: dereferencing pointer to incomplete type
msc_test.c:302: error: dereferencing pointer to incomplete type
msc_test.c:303: error: dereferencing pointer to incomplete type
msc_test.c:304: error: dereferencing pointer to incomplete type
msc_test.c:305: error: dereferencing pointer to incomplete type
msc_test.c:306: error: dereferencing pointer to incomplete type
msc_test.c:307: error: dereferencing pointer to incomplete type
msc_test.c:308: error: dereferencing pointer to incomplete type
msc_test.c:309: error: dereferencing pointer to incomplete type
msc_test.c:310: error: dereferencing pointer to incomplete type
msc_test.c:311: error: dereferencing pointer to incomplete type
msc_test.c:312: error: dereferencing pointer to incomplete type
msc_test.c:313: error: dereferencing pointer to incomplete type
msc_test.c:314: error: dereferencing pointer to incomplete type
msc_test.c:315: error: dereferencing pointer to incomplete type
msc_test.c:316: error: dereferencing pointer to incomplete type
msc_test.c:317: error: dereferencing pointer to incomplete type
msc_test.c:318: error: dereferencing pointer to incomplete type
msc_test.c:319: error: dereferencing pointer to incomplete type
msc_test.c:320: error: dereferencing pointer to incomplete type
msc_test.c:321: error: dereferencing pointer to incomplete type
msc_test.c:322: error: dereferencing pointer to incomplete type
msc_test.c:323: error: dereferencing pointer to incomplete type
msc_test.c:324: error: dereferencing pointer to incomplete type
msc_test.c:325: error: dereferencing pointer to incomplete type
msc_test.c: At top level:
modsecurity.h:147: warning: array 'module_directives' assumed to have one element
make: *** [msc_test.lo] Error 1

All of the 'No such file or directory' files are located in /usr/include/httpd/

Why am I getting this error?


Having 406 Error In Wordpress Blog : Mod_security Prb

May 6, 2009

I'm getting this 406 error in my blog. I read about this and learned that this error is related to an Apache module called "mod_security".

I tried to turn it off for my site using the .htaccess file with:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

But it didn't work. So how do I sort this out?

Asking the hosting provider to turn it off is out of the question. I already asked, but they don't want to (can't blame them).


Mod_security Internal Server Error

Jan 2, 2008

I installed a new Apache (2.2.6) and mod_security 2. I wish to block some file globally with:

SecRule REQUEST_URI ".*(some_file).php?.*"

But how do I NOT BLOCK it for some folder / account? I tried adding to .htaccess:

<Files some_file.php>SecFilterInheritance Off</Files> 

or

<Files some_file.php>SecRule Off</Files> 

or

<IfModule mod_security2.c>SecRule Off</IfModule> 

or

<IfModule mod_security2.c>    SecRuleEngine Off</IfModule> 

but I always get an Internal Server Error.


ATT Block 553 Error On Phplist Emails

Nov 8, 2009

We have several clients who use phplist for their opt-in lists. ATT and a few others are blocking emails. The main reason is because the email from the list (email@client.com) originates from comcast.net. ATT and others appear to block based upon that discrepancy.

Questions for anyone who works with phplist:

1) If the client simply sends from the comcast.net email (and not from email@client.com) and we allow this as a valid sending source in phplist, will this solve our problem?

2) We attempted to send via webmail, which would have trumped all issues, however because the clients are sending email which incorporates graphics in a template, webmail is a poor choice.

3) Is there another workaround that we are not seeing?


Helo Error - Not Accepting Remote Emails

Jul 5, 2008

domain1.com has two servers:

#Server PHP - hosts php and handles apache/mysql requests.
#Server 2 - handles mail and dns requests.

Yesterday we moved mail from #Server 2 to a new mail server, a cPanel one. All mailboxes are created, and users can send and receive email using webmail, mail clients, etc.

But while trying to send mails using PHP authenticated from the #Server PHP/Apache/MySQL, we got this error from the mail servers:

Code:
We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. SMTP -> FROM SERVER: SMTP -> FROM SERVER: SMTP -> ERROR: HELO not accepted from server: SMTP -> get_lines(): $data was "" SMTP -> get_lines(): $str is "220-srv247.serverhost.com

This was working when mails were received/sent in Sendmail (an Ensim box); now with Exim 4.x on a cPanel box we got this issue.

I already added the IP address from #Server PHP to all Exim whitelists, and also added the IP to /etc/alwaysrely, but it didn't help.

I'm using RHE 5.2 on the mail server and the latest Release build.


Sending/receiving Emails :: Requested Action Aborted: Error In Processing

Jul 11, 2008

I am having a problem sending/receiving emails.

When I try to send email from cPanel through SquirrelMail, I get this error message:

ERROR:
Message not sent. Server replied:
Requested action aborted: error in processing
451 Temporary local problem - please try later

Another thing also happens when I type /scripts/fixcommonproblems from SSH:

Fixing permissions on cgi scripts.....Scanning suexec_log...Done
Done
Shutting down Mailman's master qrunner
Processing cools4u2
/bin/pwd: failed to stat `.': Permission denied
Processing videoco .....


Thousands Of Emails Being Sent Via Sendmail To Ne.jp Emails

Sep 4, 2007

Since Jan 07, one of our servers has been sending thousands of emails to ne.jp hosts.

Eg from logs:

Code:
Sep 4 19:11:11 debian sm-mta[25383]: l84FY9ME016602: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FYB7d016734: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FY9A4016629: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FY9la016616: to=, ctladdr= (2001/2001), delay=01:37:02, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FYCkO016807: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FYB7B016730: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FYCO0016757: to=, ctladdr= (2001/2001), delay=01:36:59, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FYDjq016819: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FYBhL016751: to=, ctladdr= (2001/2001), delay=01:37:00, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

Sep 4 19:11:11 debian sm-mta[25383]: l84FYDPw016811: to=, ctladdr= (2001/2001), delay=01:36:58, xdelay=00:00:00, mailer=esmtp, pri=930403, relay=lsean.ezweb.ne.jp., dsn=4.0.0, stat=Deferred: Connection timed out with lsean.ezweb.ne.jp.

We're absolutely unable to track or find out who is sending it or how to stop this.

So I'm wondering if it is possible to prevent sendmail from sending to:

lsean.ezweb.ne.jp, OR
docomo.ne.jp, OR
softbank.ne.jp

/var/mail/vhostswww logs are not showing helpful info at all. Eg:

Code:
--l84GRnX5029819.1188924137/debian--

Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-2022-JP
Mime-Version: 1.0
From: hanako.@docomo.ne.jp
Subject:
To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
Message-Id: <200709041410.l84EA0Fh007971@debian>
Date: Tue, 4 Sep 2007 16:10:00 +0200
Tue, 4 Sep 2007 16:10:00 +0200
by debian (8.13.4/8.13.4/Submit) id l84EA0Fh007971;
Received: (from vhostswww@localhost)
for ; Tue, 4 Sep 2007 16:10:00 +0200
by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EA0jk007973
Received: from debian (localhost [127.0.0.1])
Return-Path:

Content-Type: text/rfc822-headers
--l84GRnX5029819.1188924137/debian

Last-Attempt-Date: Tue, 4 Sep 2007 18:42:16 +0200
Diagnostic-Code: SMTP; 550 Invalid recipient:
Remote-MTA: DNS; mx.softbank.ne.jp
Status: 5.1.1
Action: failed
Final-Recipient: RFC822; a_j.n-y_bluespider-tattoo@softbank.ne.jp

Arrival-Date: Tue, 4 Sep 2007 16:10:00 +0200
Reporting-MTA: dns; debian

Content-Type: message/delivery-status
--l84GRnX5029819.1188924137/debian

<<< 503 No recipients specified
550 5.1.1 ... User unknown
<<< 550 Invalid recipient:
>>> DATA
... while talking to mx.softbank.ne.jp.:
----- Transcript of session follows -----

(reason: 550 Invalid recipient: )

----- The following addresses had permanent fatal errors -----

from localhost [127.0.0.1]
The original message was received at Tue, 4 Sep 2007 16:10:00 +0200

--l84GRnX5029819.1188924137/debian

This is a MIME-encapsulated message

Auto-Submitted: auto-generated (failure)
Subject: Returned mail: see transcript for details
boundary="l84GRnX5029819.1188924137/debian"
Content-Type: multipart/report; report-type=delivery-status;
MIME-Version: 1.0
To:
Message-Id: <200709041642.l84GRnX5029819@debian>
From: Mail Delivery Subsystem
Date: Tue, 4 Sep 2007 18:42:17 +0200
Tue, 4 Sep 2007 18:42:17 +0200
by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX5029819;
Received: from localhost (localhost)
Return-Path:
From MAILER-DAEMON Tue Sep 4 18:42:17 2007

--l84GRnX4029819.1188924135/debian--

Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=ISO-2022-JP
Mime-Version: 1.0
From: hanako.@docomo.ne.jp
Subject:
To: a_j.n-y_bluespider-tattoo@softbank.ne.jp
Message-Id: <200709041411.l84EB8CS011861@debian>
Date: Tue, 4 Sep 2007 16:11:08 +0200
Tue, 4 Sep 2007 16:11:08 +0200
by debian (8.13.4/8.13.4/Submit) id l84EB8CS011861;
Received: (from vhostswww@localhost)
for ; Tue, 4 Sep 2007 16:11:09 +0200
by debian (8.13.4/8.13.4/Debian-3sarge3) with ESMTP id l84EB8f6011862
Received: from debian (localhost [127.0.0.1])
Return-Path:

Content-Type: text/rfc822-headers
--l84GRnX4029819.1188924135/debian

Last-Attempt-Date: Tue, 4 Sep 2007 18:42:15 +0200
Diagnostic-Code: SMTP; 550 Invalid recipient:
Remote-MTA: DNS; mx.softbank.ne.jp
Status: 5.1.1
Action: failed
Final-Recipient: RFC822; a_j.n-y_bluespider-tattoo@softbank.ne.jp

Arrival-Date: Tue, 4 Sep 2007 16:11:09 +0200
Reporting-MTA: dns; debian

Content-Type: message/delivery-status
--l84GRnX4029819.1188924135/debian

<<< 503 No recipients specified
550 5.1.1 ... User unknown
<<< 550 Invalid recipient:
>>> DATA
... while talking to mx.softbank.ne.jp.:
----- Transcript of session follows -----

(reason: 550 Invalid recipient: )

----- The following addresses had permanent fatal errors -----

from localhost [127.0.0.1]
The original message was received at Tue, 4 Sep 2007 16:11:09 +0200

--l84GRnX4029819.1188924135/debian

This is a MIME-encapsulated message

Auto-Submitted: auto-generated (failure)
Subject: Returned mail: see transcript for details
boundary="l84GRnX4029819.1188924135/debian"
Content-Type: multipart/report; report-type=delivery-status;
MIME-Version: 1.0
To:
Message-Id: <200709041642.l84GRnX4029819@debian>
From: Mail Delivery Subsystem
Date: Tue, 4 Sep 2007 18:42:15 +0200
Tue, 4 Sep 2007 18:42:15 +0200
by debian (8.13.4/8.13.4/Debian-3sarge3) id l84GRnX4029819;
Received: from localhost (localhost)
Return-Path:
From MAILER-DAEMON Tue Sep 4 18:42:15 2007

--l84GRnX3029819.1188924134/debian--

How would I solve this problem, as it's making our server load sky-high 24/7?

Additional info about system:
> Debian Linux, latest kernel
> Sendmail (we've tried postfix, exim, with same results)
> Non cPanel system.


Mod_Security 2.5, Or 2.0?

Apr 21, 2008

I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x. The rules are great and they work perfectly, with no issues at all with any php-mysql website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)


Mod_security Won't Log Anything

Apr 19, 2008

using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.

I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:

LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf

I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:

modsecurity_crs_10_config.conf

Here are the relevant lines from the config file:

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3

I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.

Here are a couple of rules I created in an attempt to generate log entries:

SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1.1.3.4$" auditlog,phase:1,allow

I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.

The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.


Mod_security

Dec 1, 2007

I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.

I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:

Code:
Not Acceptable

An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.

Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:

Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.

So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.


Mod_security

Jul 27, 2008

I want to add some more rules to mod_security; however, I am unsure if some of them are already being used.

So would it cause any problems if there are duplicate rules for the time being, until I can check through all the rules?


Mod_security On RH 5 64

Jul 23, 2007

I am having lots of problems installing mod_security on RH5 64 w/ Plesk, mainly related to apr0, subversion, and the headers.

Any reason why everyone recommends to use version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?


Mod_security

Oct 2, 2007

I've got this:

mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]

How do I disable/exclude this URI on the mentioned host from being caught by mod_security?


Mod_security 1 Or 2 - What Do You Use?

Mar 29, 2007

How many people are actually using mod_security 2 instead of 1?

And why did you choose the version you did?


Mod_security & C99shell Anyone Help Please ?

Jun 5, 2007

I installed modsecurity from the add-on module in cPanel.

When I try to run a phpshell, it works fine without any errors, and I can do anything despite the presence of modsecurity protection and disable_functions in php.ini.

Is there a particular setting to add to httpd.conf to prevent phpshell from running or to prevent it from being uploaded to the site?


Mod_security And Mod_filter

May 11, 2009

I tried using mod_security and mod_filter together. However, when I try to filter js files, I noticed that certain pages stop working, especially those using ajax.


Mod_Security Configuration

Jul 24, 2009

I installed Mod_Security on my CentOS server today and am having some problems configuring it.

Problem -

I have added this module in the 'httpd.conf' file:

Code:
<IfModule mod_security.c>
SecFilterEngine On

SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On

SecFilterDefaultAction "deny,log,status:403"

SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

SecFilterSelective HTTP_Transfer-Encoding "!^$"

SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "\.\./"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
</IfModule>

But my website is multi-forum hosting and requires the 'index.php' file to pass parameters to make it work.

Example -

[url]
[url]
[url]

So I had to delete the below-mentioned code from the above module.

Code:
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

SecFilterSelective HTTP_Transfer-Encoding "!^$"

SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "\.\./"


Mod_security Rules

May 25, 2009

Is it possible to disable a particular mod_security rule for a particular directory, or are the rules global?


Mod_security Rules In WHM

Aug 15, 2008

I just installed mod_security via WHM, and want to know what rule I should enter to prevent some URLs from being opened.

For example, if the URL contains the word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.


Mod_security And ISPConfig3

May 20, 2009

I have installed a new server with Debian Lenny 5, ISPConfig 3.0.1.1 and the newest mod_security, and implemented the default rules.

I deactivated the rule detecting IP in page headers.

Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection", data "/etc/", detected by rule file crs_40 line 114, id 950005.

Question: how do I authorize ISPConfig and only ISPConfig to perform such requests on the server?


How To Set The Rules Of MOD_Security

Jun 4, 2008

how to set the rules of MOD_Security.

Another question for professionals:

Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.


Mod_Security - Using RBLs

Dec 24, 2008

Trying to use an RBL with ModSecurity but this matches everything whether listed or not.
SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org" "log,deny,msg:'POST RBL Comment Spammer'"

What I would like to do is do an RBL lookup and any POST operations.


Mod_security 2 Rules

Feb 25, 2008

make this rules work on apache 2 mod_security 2?


Mod_security 2 Rules

Dec 17, 2008

Any good secure rules for mod_security 2 that work well for shared servers?

Can someone share what rules you are using to secure your shared servers? I have tried a few different sets of rules, but a few customers always end up with errors, and disabling it for their domain name doesn't sound like a safer option for them or the server.

Share your mod_sec 2 rules.


How To Disable A Contain With Mod_security

May 7, 2008

How can I disable some words from the content of the page with Mod_Security2?


Mod_security On CentOS 64

Jun 29, 2008

I've been having the hardest time getting mod_security onto my new CentOS 5.2 64-bit box.

Everything is a straight, simple, standard install - nothing special or custom. Plesk and all the apps that come with it installed fine, everything was going great. Then I tried to compile mod_sec, and things have been nothing but problems. I think I've finally sorted out the problems with the compiler, but now I get this error:

/usr/bin/ld: warning: i386 architecture of input file `.libs/msc_lua.o' is incompatible with i386:x86-64 output

Repeated, for every file it tries to link.


Cpanel Mod_security

Jun 17, 2008

I installed a new cPanel server and enabled modsecurity inside
WHM > Manage Plugins > modsecurity

When I create a phpinfo() file, it doesn't show up. Is there any configuration that I should do? How about adding the rules?








Copyrights 2005-15 www.BigResource.com, All rights reserved