Mod_security Won't Log Anything
Apr 19, 2008
using mod_security, but I believe that I have it installed correctly with some rules that should be generating entries in the security audit log. No matter what I do, I can't seem to get mod_security to generate any sort of log entries.
I am using version 2.1.7. I compiled it with no problems. In my httpd.conf file, I have the following relevant lines:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
I don't think there are any problems here, as I know it is running directives from the configuration file I edited. This is the file I'm working with:
modsecurity_crs_10_config.conf
Here are the relevant lines from the config file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288
SecDefaultAction "phase:2,auditlog,log,pass,status:500"
SecAuditEngine On
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
SecAuditLogParts "ABIFHZ"
SecRequestBodyInMemoryLimit 131072
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 3
I know that the config file is being read because when I start apache, the log files (modsec_audit.log and modsec_debug.log) are created. The problem is that the files are empty and remain empty no matter what I do. I have even tried setting permissions on the files to 777.
Here are a couple of rules I created in an attempt to generate log entries:
SecRule REQUEST_BODY "viagra"
SecRule REMOTE_ADDR "^1\.2\.3\.4$" "phase:1,auditlog,allow"
I put these in the same config file mentioned above. As far as I understand, the first rule should examine the request body (which would include data in POST requests) for the word, "viagra". Since my default action is phase:2,auditlog,log,pass,status:500, such requests should end up in the audit log. However, when I use a form on my site to post the word "viagra", nothing is generated in the log file.
The second rule, as far as I understand, should generate a log entry any time the IP address 1.2.3.4 is sent in the request headers. Instead of 1.2.3.4, of course, I have put in my real IP address. However, when I visit my server and browse pages, nothing is logged. I assume that my requests should generate log entries since I match the IP address.
View 3 Replies
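An added example, not from the post and not ModSecurity's own code: a parser for the serial audit log that the configuration above (SecAuditLogType Serial, SecAuditLogParts "ABIFHZ") writes. With SecAuditEngine On every transaction is recorded whether or not a rule matched, so a log that stays empty while the server answers requests means the engine is not seeing them at all; once entries do appear, part H carries one "Message:" line per rule that fired, and that is what the parser reports. The sample log is constructed for this example: boundary ids, unique ids, addresses, hostnames and the rule file line number are invented.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a ModSecurity 2.x serial audit log written with
# SecAuditLogParts "ABIFHZ": a POST whose body matched a rule, then a clean GET.
# Boundary ids, unique ids, addresses and the rule file line are invented.
SAMPLE_AUDIT_LOG = """\
--4a1f9c3b-A--
[19/Apr/2008:14:02:11 --0500] SAn0GcCoAIQAAAbKA4oAAAAA 192.0.2.10 51234 192.0.2.1 80
--4a1f9c3b-B--
POST /contact.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

--4a1f9c3b-I--
subject=hello&body=buy+viagra

--4a1f9c3b-F--
HTTP/1.1 500 Internal Server Error
Content-Type: text/html

--4a1f9c3b-H--
Message: Pattern match "viagra" at REQUEST_BODY. [file "/usr/local/apache/conf/modsecurity/modsecurity_crs_10_config.conf"] [line "22"]
Producer: ModSecurity for Apache/2.1.7 (http://www.modsecurity.org/).

--4a1f9c3b-Z--

--4a1f9c3c-A--
[19/Apr/2008:14:02:15 --0500] SAn0G8CoAIQAAAbKA4sAAAAA 192.0.2.10 51235 192.0.2.1 80
--4a1f9c3c-B--
GET /index.html HTTP/1.1
Host: www.example.com

--4a1f9c3c-F--
HTTP/1.1 200 OK
Content-Type: text/html

--4a1f9c3c-H--
Producer: ModSecurity for Apache/2.1.7 (http://www.modsecurity.org/).

--4a1f9c3c-Z--
"""

# "--<boundary>-<letter>--" opens each part; Z closes the transaction.
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# Part A: [timestamp] unique_id source_ip source_port dest_ip dest_port
PART_A = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) "
                    r"(?P<dst>\S+) (?P<dport>\d+)$")


@dataclass
class Transaction:
    boundary: str
    parts: dict = field(default_factory=dict)  # part letter -> raw text of that part

    def summary(self):
        """The fields an analyst reads first: who, when, response status, which rules fired."""
        m = PART_A.match(self.parts.get("A", "").strip())
        if m is None:
            raise ValueError(f"transaction {self.boundary}: malformed or missing part A")
        status_line = self.parts.get("F", "").strip().split("\n", 1)[0].split()
        status = int(status_line[1]) if len(status_line) > 1 and status_line[1].isdigit() else None
        # Part H carries one "Message:" line per rule that matched and logged.
        messages = [l[9:] for l in self.parts.get("H", "").splitlines() if l.startswith("Message: ")]
        return {"timestamp": m.group("ts"), "unique_id": m.group("uid"),
                "client_ip": m.group("src"), "status": status, "messages": messages}


def parse_serial_audit_log(text):
    """Split a serial audit log into transactions; an unterminated trailing entry is dropped."""
    transactions, current, letter, buf = [], None, None, []
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m is None:
            buf.append(line)
            continue
        boundary, new_letter = m.group(1), m.group(2)
        if current is not None and letter is not None:
            current.parts[letter] = "\n".join(buf)  # close the part we were collecting
        buf = []
        if current is None or current.boundary != boundary:
            current = Transaction(boundary)
        letter = new_letter
        if new_letter == "Z":
            transactions.append(current)
            current, letter = None, None
    return transactions


def matched_transactions(transactions):
    """Only the entries in which a rule fired; with SecAuditEngine On the rest are logged too."""
    return [t for t in transactions if t.summary()["messages"]]
```

Run parse_serial_audit_log over the contents of logs/modsec_audit.log and compare len() of the result with the number of requests in access_log for the same window: if the audit log has fewer entries than the access log while SecAuditEngine is On, the module is loaded but not processing those requests, and that is where to look rather than at the rules.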
Oct 13, 2009
I am having an issue with my VPS. Recently my FTP went down and I can't restart it, and I'm not sure how I can get this fixed.
View 8 Replies
Nov 25, 2007
When I try to go to a site of mine with the www, like this one [url], it won't work, but if I take out the www, like this [url], it does work.
I'm not sure what could be causing this. As far as I'm aware everything is set up okay. I understand it's impossible for anyone who reads this to properly diagnose the issue without access to my server.
View 6 Replies
Jun 17, 2009
I've got the latest grsec stable, but I'm having a problem getting ip_conntrack working.
I did the following in make menuconfig after copying my default kernel's config file...
Networking -> Networking support -> Networking options -> Network packet filtering
framework (Netfilter) -> Core Netfilter -> Configuration -> Netfilter Xtables support
(required for ip_tables) -> "conntrack" connection tracking match support.
After a compile and reboot:
error: "net.ipv4.netfilter.ip_conntrack_generic_timeout" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_icmp_timeout" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_udp_timeout" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_udp_timeout_stream" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.ip_conntrack_max" is an unknown key
I did an ls on /lib/modules/2.6.27.10-grsec/kernel/net/ipv4/netfilter and don't see the modules that I see in the default kernels...
View 5 Replies
Jun 2, 2008
I'm having issues after changing my system time and rebooting. For whatever reason it didn't take effect, and now my VMware servers won't boot. I get this error when trying to run vmware-cmd:
[root@plexus ~]# /usr/bin/vmware-cmd -l
/usr/bin/vmware-cmd: Could not connect to vmware-authd
(VMControl error -14: Unexpected response from vmware-authd: 511 Error connecting to /usr/sbin/vmware-serverd process.)
[root@plexus ~]#
Also, when I try logging into the web interface, I get the same error.
View 5 Replies
Jun 27, 2009
I've got a small box running as a fileserver with CentOS 5. Sometimes life is a little easier using a GUI for jobs rather than SSH.
As this is not accessible externally, I've got it to autologin as a non-privileged user, and as part of that logon a VNC session is opened using the inbuilt remote desktop tool.
This was working perfectly, until I realised that if I cold boot the server without a monitor attached, X11 won't start at all unless I attach a monitor to it.
I know I can start a VNC session using vncserver, but this way allows me to log on to the server as if I was sat in front of it, rather than running an extra session.
Presumably I can add something to /etc/X11/xorg.conf so X11 will start without a monitor hooked up?
View 1 Replies
Jan 25, 2008
I keep trying to restart Apache but it won't restart... I run a command line to restart it, but nothing happens. Here is what I have tried:
Quote:
-bash-3.1# chroot /home/fatehost.net/runtime_layeredpanel/
fatehost:/# /etc/
bash: /etc/: is a directory
fatehost:/# /etc/init.d
bash: /etc/init.d: is a directory
fatehost:/# /etc/init.d/httpd-users
Usage: /etc/init.d/apache2 start|stop|restart|reload|force-reload
fatehost:/# /etc/init.d/httpd-users start
Starting web server: Apache2(98)Address already in use: make_sock: could not bind to address 205.209.135.132:80
no listening sockets available, shutting down
Unable to open logs
fatehost:/# /etc/init.d/httpd-users restart
Forcing reload of web server: Apache2httpd (pid 5955) already running
.
fatehost:/# /etc/init.d/httpd-users force-reload
Forcing reload of web server: Apache2.
fatehost:/# /etc/init.d/httpd force-reload
Forcing reload of web server: Apache2.
fatehost:/# /etc/init.d/httpd-users restart
Forcing reload of web server: Apache2httpd (pid 13475) already running
.
fatehost:/#
fatehost:/# /etc/init.d/httpd-users start
Starting web server: Apache2(98)Address already in use: make_sock: could not bind to address 205.209.135.132:80
no listening sockets available, shutting down
Unable to open logs
fatehost:/# /etc/init.d/httpd-users stop
Stopping web server: Apache2.
fatehost:/#
fatehost:/# /etc/init.d/httpd-users start
Starting web server: Apache2(98)Address already in use: make_sock: could not bind to address 205.209.135.132:80
no listening sockets available, shutting down
Unable to open logs
fatehost:/#
fatehost:/# sudo /etc/init.d/httpd-users stop
bash: sudo: command not found
fatehost:/# su root /etc/init.d/httpd-users restart
Forcing reload of web server: Apache2httpd (pid 20391) already running
.
fatehost:/# /etc/init.d/httpd-users reboot
Usage: /etc/init.d/apache2 start|stop|restart|reload|force-reload
fatehost:/# reboot
WARNING: could not determine runlevel - doing soft reboot
(it's better to use shutdown instead of reboot from the command line)
shutdown: timeout opening/writing control channel /dev/initctl
init: timeout opening/writing control channel /dev/initctl
fatehost:/# WARNING: could not determine runlevel - doing soft reboot
bash: WARNING:: command not found
fatehost:/# (it's better to use shutdown instead of reboot from the command line)
> shutdown: timeout opening/writing control channel /dev/initctl
> init: timeout opening/writing control channel /dev/initctl
>
fatehost:/# /home/fatehost.net/runtime_layeredpanel
bash: /home/fatehost.net/runtime_layeredpanel: No such file or directory
fatehost:/#
View 6 Replies
Mar 6, 2007
I have compiled exim version 4.66 from source; now I cannot seem to make it work.
I am getting the following error when I try to send mail:
$ exim xxx@xxxx.xxx
test
2007-03-06 12:36:44 1HOeWd-0000SH-EZ Cannot open main log file "/var/log/exim/mainlog": Permission denied: euid=8 egid=12
2007-03-06 12:36:44 1HOeWd-0000SH-EZ Failed to create spool file /var/spool/exim/input//1HOeWd-0000SH-EZ-D: Permission denied
2007-03-06 12:36:44 1HOeWd-0000SH-EZ Cannot open main log file "/var/log/exim/mainlog": Permission denied: euid=8 egid=12
exim: could not open panic log - aborting: see message(s) above
When I do $ service exim restart, the service fails to stop but starts OK.
there is no control panel installed on the box.
View 5 Replies
May 31, 2008
I'm running Plesk 8.4.0 and for whatever reason apparently IonCube didn't come pre-installed or wasn't working, so I tried installing it, which is just getting the .so files and adding them to php.ini. That didn't work, so I tried Zend; the installer said it was complete, but again no go. So I have this for an error:
[root@liquidwind ~]# php -v
Failed loading /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so: /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so: undefined symbol: zend_unmangle_property_name_ex
Failed loading /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so: /usr/lib/php/modules/php_ioncube_loader_lin_5.1.so: undefined symbol: zend_unmangle_property_name_ex
Failed loading /usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so: /usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so: cannot restore segment prot after reloc: Permission denied
PHP 5.2.5 (cli) (built: Jan 19 2008 10:30:38)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies
[root@liquidwind ~]#
View 14 Replies
Nov 15, 2007
to implement a chat, but I need it not to overwhelm the server; if it is easy to set up, that would be even better!
I am trying phpfreechat, which uses ajax files as a container. Is that method better than using mysql as a container?
View 3 Replies
Jun 27, 2009
I have this problem today after a fresh install...
I think maybe I haven't done it properly, I'm not sure...
But a client joined today, and I have new accounts created automatically after payment. WHMCS says the user has a login and password, but when I tried to log in with it, it said login failed.
Also, it tries to log in to WHM, not cPanel, with the account, even though it's set up as shared hosting in products...
The login link is: [url] (I removed the name for security)
View 4 Replies
Oct 10, 2009
So this is a new problem for me, and I have no idea what could be broken.
My server works, but none of the sites load.
Server ip is 69.162.121.170, one of the sites is bloghost.cl
Where should I start looking? When you try to visit the site it just tells you it can't establish a connection. All I did was restart the server today, and now nothing works.
View 3 Replies
Jan 23, 2009
We know the problem with geekstorage: their VPS nodes are oversold.
I asked for a refund for the months I haven't used yet, and they won't refund me; they just say that I will get credit. But I think it is not fair; he cannot hold my money for a service that has not been provided yet. I'm not asking for a full refund, just for the months I prepaid.
I have 268 dollars in my favor. I offered Jay a deal to just refund me 218 dollars instead of 268, and now he is not responding to my tickets; I have been waiting more than 24 hours for a response.
View 14 Replies
Jun 13, 2007
One of my customers has been having a problem with his index files not showing up. It'll display the parent directory, and you can clearly see the index.html file in there, but it won't show it as the index.
It happened in one directory, and I went into .htaccess and did DirectoryIndex index.php.... but now I'm wondering if it's part of a bigger problem, because it's happening to other folders now.
View 6 Replies
Apr 6, 2009
I built a web hosting server; the following is its state:
CentOS 5
AMP server loaded and updated (installed it as a complete suite during installation, so it was all set to go with PHP and MySQL modules loaded)
webmin
usermin, virtualmin
created 2 name-based hosts.
Now when I load up WordPress in a site and try to run install.php, the following pops up:
"Sorry, I can't write to the directory. You'll have to either change the permissions on your WordPress directory or create your wp-config.php manually."
I had this issue before and research said to redo the entire server (tried everything and was fed up; had Fedora then).
You can have a look at www.itgrunts.com: just click create config file and the error pops up.
PHP and the MySQL db work great on simple scripts, but I don't know why this happens.
I worked with assigning the users and the apache user to the directory and everything, no joy.
View 6 Replies
Apr 6, 2008
[root@server1 ~]# service httpd start
no listening sockets available, shutting down
Unable to open logs
CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0
apache 2.2
httpd.conf file was empty... I'm recompiling right now.
View 3 Replies
Jul 17, 2008
An automatic backup in Plesk has filled up the disk space in my VPS. It seemed to crash first of all (couldn't access my website), then I tried to restart it. It won't restart and comes up with the error below.
As I can't get into Plesk I don't know how to delete these old backup files; I seem to be in a catch-22. Help!
Jul 17, 2008 01:05:33 PM Start Process Completed
Jul 17, 2008 01:05:33 PM Click here to open/close operation details.Start VPS #48606643 Failed
Jul 17, 2008 01:05:33 PM Operation start with the VPS(s) VEID48606643 is started.
Jul 17, 2008 01:05:33 PM Starting VE ...
Jul 17, 2008 01:05:33 PM vzquota : (warning) block_soft_limit [10000100] < block_current_usage [10099244]
Jul 17, 2008 01:05:33 PM VE is mounted
Jul 17, 2008 01:05:33 PM Setting devperms 20002 dev 0x7f00
Jul 17, 2008 01:05:33 PM Setting devperms 20007 dev 0xac8
Jul 17, 2008 01:05:33 PM Adding port redirection to VE(1): 4643 8443
Jul 17, 2008 01:05:33 PM Adding IP address(es): 212.227.251.151
Jul 17, 2008 01:05:34 PM ERROR: Can't write to file /etc/sysconfig/network-scripts/ifcfg-venet0
Jul 17, 2008 01:05:34 PM bash: line 264: echo: write error: Disk quota exceeded
Jul 17, 2008 01:05:35 PM vzquota : (warning) block_soft_limit [10000100] < block_current_usage [10099244]
Jul 17, 2008 01:05:35 PM VE is unmounted
Jul 17, 2008 01:05:35 PM VE start failed
Jul 17, 2008 01:05:35 PM Operation start with the VPS(s) VEID48606643 is finished with errors: #1004 Error invoking vzctl utility: Starting VE ... vzquota : (warning) block_soft_limit [10000100] < block_current_usage [10099244] VE is mounted Setting devperms 20002 dev 0x7f00 Setting devperms 20007 dev 0xac8 Adding port redirection to VE(1): 4643 8443 Adding IP address(es): 212.227.251.151 ERROR: Can't write to file /etc/sysconfig/network-scripts/ifcfg-venet0 bash: line 264: echo: write error: Disk quota exceeded vzquota : (warning) block_soft_limit [10000100] < block_current_usage [10099244] VE is unmounted VE start failed . Failed
Jul 17, 2008 01:05:35 PM Complete Process Failed
View 4 Replies
Apr 21, 2008
I have been using mod_security 1.9.x since its first release on Apache 1.3 and Apache 2.0.x; the rules are great and they work perfectly with no issues at all with any PHP/MySQL website. Do you recommend using mod_security 2.0 or 2.5? (I do know that 2.5 does not work with Apache 1.3.)
View 2 Replies
Dec 1, 2007
I am currently running a few small websites that use a CMS. Two are Dragonfly and one is Joomla.
I am getting sporadic errors with both systems that, upon research, seem to be related to Apache and the mod_security module. I am getting the following error:
Code:
Not Acceptable
An appropriate representation of the requested resource /somefolder/index.php could not be found on this server.
Well, I'm no idiot (although some people may tend to disagree) and after some searching, I found that this most likely points to an Apache error. Most solutions suggest putting the following in my .htaccess file for the site:
Code:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
It was noted that "SecFilterScanPOST Off" may or may not be necessary. I have added the above to the .htaccess for each site (all 3 sites are subdomains) and have also added it to the .htaccess that is in the root folder for the site. Nothing has worked.
So my question is, is it possible that my webhost can override my .htaccess settings with their own? This is the only explanation that I can think of. But of course, I am no expert, which is why I turn to you good folks for help once again.
View 0 Replies
Jul 27, 2008
I want to add some more rules to mod_security; however, I am unsure if some of them are already being used.
So would it cause any problems if there are duplicate rules for the time being, till I can check through all the rules?
View 2 Replies
Jul 23, 2007
I am having lots of problems installing mod_security on RH5 64-bit w/ Plesk,
mainly related to apr0, subversion, and the headers.
Any reason why everyone recommends using version 1.94 of mod_security rather than the latest version available on www.modsecurity.org?
View 3 Replies
Oct 2, 2007
I've got this:
mod_security: Access denied with code 406. Error normalising REQUEST_URI: Invalid URL encoding detected: invalid characters used [hostname "www.mydomain.com"] [uri "/search/include/js_suggest/suggest.php?type=query&q=%u062E%u0636%u0631%u0627"]
How do I disable/exclude this URI on the mentioned host from being caught by mod_security?
View 4 Replies
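An added example, not from the post and not mod_security's own code: the normalisation step that produced this 406 rejects any "%" that is not followed by two hex digits, and "%u062E" is exactly that. The %uXXXX form is what JavaScript's escape() emits for characters outside Latin-1; it is not valid percent-encoding, so the suggest widget is most likely built on escape() rather than encodeURIComponent() (an inference from the URI, not something the post states). The code below implements the same check, decodes the %u sequences to show what the client was sending (the four escapes in the post spell an Arabic word), and re-encodes it the way a standards-compliant client would. In mod_security 1.9 this check is governed by SecFilterCheckURLEncoding, which can be switched off inside a <Location> for just that script; fixing the client-side encoding is the better option when the JavaScript is yours to change. The only input used is the query string quoted in the post.

```python
import re
from urllib.parse import quote

HEX = frozenset("0123456789abcdefABCDEF")
# JavaScript escape() output: %uXXXX for code points above U+00FF, %XX (Latin-1) below.
JS_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def check_url_encoding(s):
    """Mirror the URI normalisation check: every '%' must introduce exactly two hex digits.

    Returns (True, None) when the string is valid percent-encoding, otherwise
    (False, reason) with the offset of the first bad escape."""
    i = 0
    while i < len(s):
        if s[i] == "%":
            if i + 2 >= len(s):
                return False, f"truncated escape at offset {i}"
            if s[i + 1] not in HEX or s[i + 2] not in HEX:
                return False, f"invalid characters after '%' at offset {i}: {s[i:i + 3]!r}"
            i += 3
        else:
            i += 1
    return True, None


def decode_js_escape(s):
    """Undo escape()-style %uXXXX / %XX sequences to see what the client meant."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def reencode_as_utf8(value):
    """What the same parameter value looks like from encodeURIComponent():
    UTF-8 bytes, each as a valid %XX escape, which passes check_url_encoding."""
    return quote(decode_js_escape(value), safe="")


# The query string from the 406 message in the post.
DENIED_QUERY = "type=query&q=%u062E%u0636%u0631%u0627"
```

check_url_encoding(DENIED_QUERY) fails at the first "%u"; decode_js_escape of the q value gives the four Arabic letters, and reencode_as_utf8 turns them into "%D8%AE%D8%B6%D8%B1%D8%A7", which the same check accepts.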
Mar 29, 2007
how many people are actually using mod_security 2 instead of 1?
And why did you choose the version you did?
View 4 Replies
Jun 5, 2007
I installed modsecurity from the Addon Modules in cPanel.
When I try to run phpshell it works fine without any errors and I can do anything, despite the presence of modsecurity protection and disable_functions in php.ini.
Are there particular settings to add to httpd.conf to prevent running phpshell, or to prevent uploading it to the site?
View 14 Replies
May 11, 2009
I tried using mod_security and mod_filter together. However, when I try to filter js files, I noticed that certain pages stop working, especially those using ajax.
View 2 Replies
Jul 24, 2009
I installed Mod_Security on my CentOS server today and am having some problems configuring it.
Problem -
I have added this module in the 'httpd.conf' file:
Code:
<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"
# Require a Content-Length on every POST and reject any Transfer-Encoding header
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# PHP session ids (query string or cookie) must be plain alphanumerics
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# Directory traversal anywhere in the request
SecFilter "../"
# phpBB viewtopic.php highlight exploit: chr() inside a viewtopic request
SecFilter "viewtopic.php?" chain
SecFilter "chr(([0-9]{1,3}))" "deny,log"
# Command names typically injected by web shells and downloaders
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
# Known remote-include and traversal request shapes
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection): this blocks any HTML tag in any request
SecFilter "<(.|\n)+>"
</IfModule>
But my website is multi-forum hosting and requires the 'index.php' file to pass parameters to make it work.
Example -
[url]
[url]
[url]
So I had to delete the code below from the above module.
Code:
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"
View 0 Replies
May 25, 2009
Is it possible to disable a particular mod_security rule for a particular directory, or are the rules global?
View 4 Replies
Aug 15, 2008
I just installed mod_security via WHM, and want to know what rule should I enter to prevent some URLs from being opened.
For example, if URL contains word "abc" (like domain.com/some_folder/abc/file.php), it should not be opened.
View 4 Replies
May 20, 2009
I have installed a new server with Debian Lenny 5, ISPConfig 3.0.1.1 and the newest mod_security, and implemented the default rules.
I deactivated the rule detecting IPs in page headers.
Then I got another problem. Some actions of ISPConfig are detected as "remote file access attempt", severity "critical", tag "web attack/file injection", data "/etc/",
detected by rule file crs_40 line 114, id 950005.
Question: how do I authorize ISPConfig, and only ISPConfig, to perform such requests on the server?
View 4 Replies
Jun 4, 2008
how to set the rules of MOD_Security.
Another question for professionals:
Q: What are the best rules to secure my server? I'd appreciate it if you could attach these rules to your replies. // FYI, I host vBulletin portals.
View 3 Replies
Dec 24, 2008
Trying to use an RBL with ModSecurity, but this matches everything, whether listed or not.
SecRule REMOTE_ADDR "@rbl bb.barracudacentral.org" "log,deny,msg:'POST RBL Comment Spammer'"
What I would like to do is an RBL lookup on any POST operation.
View 2 Replies
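An added example, not from the post and not ModSecurity's own code: what a DNSBL check does underneath the @rbl operator, written so the "matches everything" symptom can be reproduced offline. The client address's octets are reversed and prefixed to the zone (192.0.2.10 becomes 10.2.0.192.bb.barracudacentral.org); an A record in 127.0.0.0/8 means listed, NXDOMAIN means not listed. One common reason every address looks listed is a resolver that never returns NXDOMAIN and hands back a real address instead (ISP "search assist" DNS), so the lookup below treats any answer outside 127.0.0.0/8 as an error rather than a hit; querying a name that cannot be listed with dig or host against the server's resolver is the check worth doing before trusting the rule. The POST-only policy the post asks for is what ModSecurity 2.x expresses by chaining a REQUEST_METHOD rule to the @rbl rule with the chain action; should_block_post mirrors it. The listing table and the two stand-in resolvers are constructed for this example; the zone is the one named in the post.

```python
import ipaddress
import socket

DNSBL_ZONE = "bb.barracudacentral.org"  # the zone named in the post
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here by convention


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this DNSBL lists IPv4 addresses only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_lookup(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Return the listing code (an address in 127.0.0.0/8) or None when not listed.

    NXDOMAIN means "not listed". An answer outside 127.0.0.0/8 is not a listing;
    it means the resolver rewrites NXDOMAIN, and a client that counted any answer
    as a hit would then block every address."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None
    if ipaddress.ip_address(answer) not in LISTING_RANGE:
        raise RuntimeError(f"{name} answered {answer}: resolver is not returning NXDOMAIN")
    return answer


def should_block_post(method, client_ip, resolve=socket.gethostbyname):
    """The policy the post asks for: only POST requests are checked against the RBL."""
    if method.upper() != "POST":
        return False
    return dnsbl_lookup(client_ip, resolve=resolve) is not None


# Constructed stand-ins for a real resolver so the example runs offline.
# Hypothetical listing: 192.0.2.10 is on the list with code 127.0.0.2.
LISTED = {dnsbl_query_name("192.0.2.10"): "127.0.0.2"}


def fake_resolver(name):
    """Behaves like a correct resolver: NXDOMAIN (gaierror) for unlisted names."""
    if name in LISTED:
        return LISTED[name]
    raise socket.gaierror(-2, "Name or service not known")


def wildcarding_resolver(name):
    """A resolver that never says NXDOMAIN: every name 'resolves' to some address."""
    return LISTED.get(name, "203.0.113.5")
```

Calling dnsbl_lookup with wildcarding_resolver for an unlisted address raises RuntimeError instead of returning a listing; with the default socket.gethostbyname the same function queries the real zone through the system resolver.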