mod_security rules?

[panaman]

what mod_security rules are you guys using.
I am using gotroot.com's rules but sometimes I get errors with Horde

[Tue Sep 26 05:00:30 2006] [error] [client 208.102.26.238] mod_security: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "webmail.domaname.com"] [uri "/services/prefs.php?nocache=47zqr67v6o2s"]

 

[Hal9000]

i am having the same problem and would be interested in a solution as well...

 

[knocx]

gotroot has too many rules ,
when we had first implemented mod_security on a server with 900 domais server crashed in 1-2 minutes since mod_security wiped out all free mem and swap space,

%80 of the gotroot rules are extreemely redundant it is better to try to deploy your own rules instead

 

[Griffith]

You can make a exclude rule similar to this:

<LocationMatch "/imp/compose.php">
SecFilterRemove 300015
</LocationMatch>

I guess you understand the rest?

 

[Hal9000]

what i got is this:

<LocationMatch "/horde/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>

but since the recent plesk upgrade to horde 3.1.3, i get this error in the logs, which happens right after you login to the webmail:

[Fri Oct 27 09:27:45 2006] [error] [client 129.132.210.142] mod_security: Access denied with code 500. Pattern match "(ht|f)tps?:/" at QUERY_STRING [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"] [hostname "webmail.domain.tld"] [uri "/index.php?url=http%3A%2F%2Fwebmail.domain.tld%2F"]

so i tried adding this

<LocationMatch "/index.php?url=http.*">
SecFilterRemove 300018
</LocationMatch>

but it doesnt seem to work...
any ideas?

 

[knocx]

place a .htaccess file root of IMP

it should include

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

by this you can skip mod_security control for webmail

 

[Hal9000]

thank you!
it works fine now

 

[knocx]

keep in mind that anyone in your server can bypass mod_sec rules by this simple .htaccess

 

[faris]

OK....what might I be doing wrong?

I'm having the same issue.

Putting

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

in a file called .htaccess in /usr/share/psa-horde/imp

then restarting the apache process still gives me the mod_sec-generated error page.

Incidentally if I click on the link on the error page (error 500 in my case because this is what we have it set to display) I get right in to webmail with no issue (same as without the .htaccess).

Faris.

 

[Hal9000]

/usr/share/psa-horde/.htaccess

 

[Griffith]

I've tried both:
/usr/share/psa-horde/.htaccess
/usr/share/psa-horde/imp/.htaccess

none of them worked..

 

[Xtreme-IT]

You should really look at the rules you have implemented and finetune them so you get a working set of mod_sec rules. Disabling mod_sec for parts like Horde/IMP is like disabling the newly installed airbags in your car.

Mod_sec is built to prevent attacks with common patterns. Especially for known php products like Horde, IMP, Joomla, several forum applications, and so on. Mod_sec is also very good in handling attacks on such products that haven't been updated yet.

Take a good look at your errors, take even a better look in modsec_audit.log, try to find the it matches to in your mod_sec config. Looking at the used url in modsec_audit.log you can arrange the modsec rules so it doesn't match the url. If you can't make the specific rule work, as a last resort you could remove only that rule. But atleast the other rules then still work.