Mod_security In Error_log
Jul 14, 2007
In /usr/local/apache/logs/error_log there are hundreds of these lines:
Quote:
mod_security: Filtering against POST payload requested but payload is not available [hostname "www.somedomain.com"]
This is a result of:
Code:
SecFilterScanPOST Off
Is there a way to exclude that line being logged in error_log file? If I turn it ON, those errors won't show up in error_log anymore, however, it'll break some scripts on my server. I prefer to leave it OFF.
View 9 Replies
ADVERTISEMENT
Nov 30, 2007
We used to be on a reseller acct (RedHat Enterprise, Apache 1.x, PHP4, cPanel 10) that would generate error_log files under the directory of the error(s). This was done without any special scripts under those directories or anything, it just did it.
Googling it, it appears that Apache did this by default but apparently it doesn't anymore.
With CentOS 5, Apache 2.2.x, PHP5 and cPanel 11 I can't figure out how to enable these error logs. I've Googled my brains out, been through the php.ini and httpd.conf and nada, nothing. The errors show up in the cPanel error logs but it's much easier and quicker when it generates the log file in the offending directory.
I rely heavily on these log files.
View 3 Replies
View Related
Nov 22, 2008
I've just had my server transfered and many files were missing. So, now I have a 100 Mb error_log file...
What should I do ?
If I rename it, I suppose the server will create a new one and it will be ok ?
How can I fix a size limit to the error_log files ?
I'm using Centos 5 + CPanel.
View 4 Replies
View Related
Jan 18, 2008
i have error show always in the apache error_log
[Fri Jan 18 07:17:06 2008] [notice] cannot use a full URL in a 401 ErrorDocument directive --- ignoring! ...
View 2 Replies
View Related
Jul 4, 2007
The filesize is almost 200MB, how can I set log rotator to rotate them every 2 weeks?
I typed touch error_log in ssh but the filesize didn't change to 0
View 5 Replies
View Related
Sep 3, 2009
When I was a customer at hostgator, whenever a terminating error within php was displayed it would log in the parent directory in a file called "error_log".
I want this to happen now on our dedicated server. I've looked at my local apache error log and it doesn't appear to show the same info as hostgator's setup showed.
Can anyone tell me how to set that up?
View 2 Replies
View Related
Nov 4, 2009
All accounst in my dedicated server start to show a very strange error_log with the following entries:
====
[04-Nov-2009 21:28:51] PHP Warning: PHP Startup: Unable to load dynamic library '/usr/local/lib/php/extensions/no-debug-non-zts-20060613/php_interbase.dll' - /usr/local/lib/php/extensions/no-debug-non-zts-20060613/php_interbase.dll: cannot open shared object file: No such file or directory in Unknown on line 0 .....
====
Always when a php script is accessed, new entrie with this error above is created.
I dont understand because php script have not any relation with intebase or pgsql and my server have not this e db installed.
View 5 Replies
View Related
Nov 5, 2009
I want to provide access to the last 50 entries of my error_log to my programmer. I do not want to provide him ssh access to my server for this.
I am on a Virtuozzo VPS with Plesk as my Control Panel.
View 8 Replies
View Related
Mar 5, 2008
Lately our VPS has needed to be restarted frequently (1-2x daily for the past 5 or so days).
I have pulled our eror_log file and pasted below the last several days. I am hoping someone can take a look at it and point me in the right direction.
Because of limitations, I cannot post anything with urls, but the two errors that have been occuring most frequently are below
Code:
[Mon Mar 3 07:37:22 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:37:32 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:37:42 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:37:52 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:38:02 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Mon Mar 3 07:38:12 2008] [error] (12)Cannot allocate memory: fork: Unable to fork new process
[Wed Mar 5 07:44:02 2008] [error] Bad pid (15524) in scoreboard slot 44
[Wed Mar 5 07:44:02 2008] [error] Bad pid (3750) in scoreboard slot 46
[Wed Mar 5 07:44:02 2008] [error] Bad pid (3751) in scoreboard slot 47
View 7 Replies
View Related
Feb 9, 2008
My error logs say the following:
[Wed Jan 30 22:31:33 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:31:33 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:29:36 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:29:36 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:27:18 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:27:18 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:26:48 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:26:48 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:26:47 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/500.shtml
[Wed Jan 30 22:26:47 2008] [alert] [client 150.101.99.206] /home/soupnazi/public_html/Dolphin/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration
[Wed Jan 30 22:20:21 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/404.shtml
[Wed Jan 30 22:20:21 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/favicon.ico
[Wed Jan 30 22:20:19 2008] [error] [client 150.101.99.206] File does not exist: /home/soupnazi/public_html/500.shtml
Apache/1.3.41 (Unix) PHP/4.4.7 mod_log_bytes/1.2 mod_bwlimited/1.4 mod_auth_passthrough/1.8 FrontPage/5.0.2.2635 mod_ssl/2.8.30 OpenSSL/0.9.7a
I need to delete that file its huge.
View 4 Replies
View Related
Aug 3, 2008
Is there a way to view the error_log starting from the bottom? My error_log is HUGE.
View 4 Replies
View Related
Apr 21, 2008
I have been using mod_security 1.9.x since it first release on apache 1.3 and apache 2.0.x, rules are great and they work perfect with no issues at all with any php-mysql website. Do you recommend using mod_security 2.0 or 2.5 ? (I do know that 2.5 does not work with apache 1.3).
View 2 Replies
View Related
Apr 19, 2008
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1.1.3.4$" auditlog,phase:1,allow
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
View 3 Replies
View Related
Dec 1, 2007
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code:
Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree ) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest to put the following in my .htacess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaacess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
View 0 Replies
View Related
Jul 27, 2008
I want to add some more rules to to mod_security, however I am unsure if some of them are already being used.
So would it cause any problems if there are duplicate rules for the time being till I can check through all the rules?
View 2 Replies
View Related
Jul 23, 2007
I am having lots of problems installing mod_security on RH5 64 w/ Plesk.
mainly related to apr0, subversion, and the headers.
Any reason why everyone recommends to use version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?
View 3 Replies
View Related
Oct 2, 2007
I've got this:
mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]
how to disable/exclude this uri in mentioned host from being catched by mod_security?
View 4 Replies
View Related
Mar 29, 2007
how many people are actually using mod_security 2 instead of 1?
And why did you choose the version you did?
View 4 Replies
View Related
Jun 5, 2007
I installed modsecurity from Addone module in Cpanel
When I try to apply phpshell woork good without a mistakes and I can do anything despite of the presence of protection modsecurity and disable_functions in php.ini.
Is there a particular settings add to the httpd.conf to prevent application phpshell or prevent upload it to the site?
View 14 Replies
View Related
May 11, 2009
I tried using mod_security and mod_filter together. However, when I try to filter js files, I noticed that certain pages stop working, especially those using ajax.
View 2 Replies
View Related
Jul 24, 2009
I installed Mod_Security on my Cent OS server today and having some problem in configurating it.
Problem -
I have added this module in 'httpd.conf' file
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
SecFilter "viewtopic.php?" chain
SecFilter "chr(([0-9]{1,3}))" "deny,log"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|n)+>"
</IfModule>
But my website is multi forum hosting and requires 'index.php' file to pass parameter to make it work.
Example -
[url]
[url]
[url]
So i had to delete below mention code from above module.
Code:
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
View 0 Replies
View Related
May 25, 2009
Is it possible to disable a particular mod_security rule for particular directory or the rules are global?
View 4 Replies
View Related
Aug 15, 2008
I just installed mod_security via WHM, and want to know what rule should I enter to prevent some URLs from being opened.
For example, if URL contains word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
View 4 Replies
View Related
May 20, 2009
I have installed a new server with debian lenny 5, ISPConfig 3.0.1.1 and the newest mod_security and implemented the default rules.
I deactivated the rule detecting IP in pageheaders.
Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection" data "/etc/"
detected by rule file crs_40 line 114, id 950005
question: how do I authorize ISPConfig and only ISPConfig to perform such requests on the server?
View 4 Replies
View Related
Jun 4, 2008
how to set the rules of MOD_Security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate if you managed to attach these rules to your replies. // FYI, I host VBulletin portals.
View 3 Replies
View Related
Dec 24, 2008
Trying to use an RBL with ModSecurity but this matches everything whether listed or not.
SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org" "log,deny,msg:'POST RBL Comment Spammer'"
What I would like to do is do an RBL lookup and any POST operations.
View 2 Replies
View Related
Feb 25, 2008
make this rules work on apache 2 mod_security 2?
View 4 Replies
View Related
Dec 17, 2008
Any good secure rules for mod_security 2 that work well for shared servers?
Can someone share what rules you are using to secure your shared servers. Have tried a few different sets of rules, but a few customers always end up with errors and disabling it for their domain name doesn't sound like a safer option for them or the server.
Share your mod_sec 2 rules.
View 2 Replies
View Related
May 7, 2008
How can i disable some words from the contain of the page by Mod_Security2?
View 6 Replies
View Related
Jun 29, 2008
I've been having the hardest time getting mod_security on my new CentOS 5.2 64-bit box.
Everything is a straight, simple, standard install - nothing special or custom. Plesk and all the apps that come with it installed fine, everything was going great. Then I tried to compile mod_sec, and things have been nothing but problems. I think I've finally sorted out the problems with the compiler, but now I get this error:
/usr/bin/ld: warning: i386 architecture of input file `.libs/msc_lua.o' is incompatible with i386:x86-64 output
Repeated, for every file it tries to link.
View 3 Replies
View Related
Jun 17, 2008
I installed new cPanel server and enabled modsecurity inside
WHM > Manage Plugins > modsecurity
When I create a phpinfo() file, it doesn't showup. Are they any configuration that I should do? How about adding the rules?
View 6 Replies
View Related
