
modifying mod_security

Discussion in 'Plesk for Linux - 8.x and Older' started by shoggy24, Apr 19, 2007.

  1. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    I recently implemented mod_security on my server, and ever since I have been having problems with the Horde mail calendar.
    Whenever a user tries to make an entry in the calendar, the page generates an error message. I was able to trace the error to the audit_log file, where this line is always generated:
    mod_security-message: Access denied with code 500. Pattern match "!/imp/login\\.php" at HEADER("Referer") [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"]

    I am guessing I have to define some exclusions in the mod_security conf files, but I don't know which.

    I also noticed this entry in my audit_log; it seems like an attempt to use my server as an open proxy:
    Request: umsky.com 58.62.26.19 - - [19/Apr/2007:18:00:44 --0700] "GET http://umsky.com/sproxy.php HTTP/1.0" 500 603 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" - "-"
    Handler: php5-script
    ----------------------------------------
    GET http://umsky.com/sproxy.php HTTP/1.0
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: umsky.com
    Connection: Keep-Alive
    mod_security-action: 500
    mod_security-message: Access denied with code 500. Pattern match "^GET (http|https|ftp)\\:/" at THE_REQUEST [severity "EMERGENCY"]

    I saw that access was denied, but is there something I need to do?

    Hope someone can help me out.
     
  2. DerFalk

    DerFalk Guest

    0
     
    What rules do you use?
     
  3. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    Thanks DerFalk, for taking the time. Pasted below is my mod_security rule set. I sometimes wonder if I really need all those rules.

    <IfModule mod_security.c>

    # Only inspect dynamic requests
    # (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
    #SecFilterEngine DynamicOnly

    SecFilterEngine On

    # Reject requests with status 500
    SecFilterDefaultAction "deny,log,status:500"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off
    SecFilterNormalizeCookies On
    # enable version 1 (RFC 2965) cookies
    SecFilterCookieFormat 1

    SecServerResponseToken Off

    #If you want to scan the output, uncomment these
    #SecFilterScanOutput On
    #SecFilterOutputMimeTypes "(null) text/html text/plain"

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    #fake server banner - NOYB used - no one needs to know what we are using
    SecServerSignature "NOYB"

    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/modsecurity/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog /var/log/modsecurity/modsec_debug_log


    #And now, the rules
    #Remove any of these Include lines you do not use or have rules for.

    #First, add in your exclusion rules:
    #These MUST come first!
    Include /etc/modsecurity/exclude.conf

    #Application protection rules
    Include /etc/modsecurity/rules.conf

    #Comment spam rules
    Include /etc/modsecurity/blacklist.conf

    #Bad hosts, bad proxies and other bad players
    Include /etc/modsecurity/blacklist2.conf

    #Bad clients, known bogus useragents and other signs of malware
    Include /etc/modsecurity/useragents.conf

    #Known bad software, rootkits and other malware
    Include /etc/modsecurity/rootkits.conf

    #Signatures to prevent proxying through your server
    #only use these rules if your server is NOT a proxy
    Include /etc/modsecurity/proxy.conf

    #Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
    Include /etc/modsecurity/apache2-rules.conf
    </IfModule>
     
  4. DerFalk

    DerFalk Guest

    0
     
    Are these rulesets the latest from gotroot.com?
    The exclude.conf must be from N-20060928-01.

    If there are older versions, you must update them first!
     
  5. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    The rules are the latest from gotroot.com: 20061013.
     
  6. DerFalk

    DerFalk Guest

    0
     
    OK, add this to your exclude.conf:

    #Squirrel mail and Horde postings
    <LocationMatch "/imp/compose.php">
    SecFilterRemove 300013
    SecFilterRemove 300015
    SecFilterRemove 300016
    </LocationMatch>
    </LocationMatch>
    <LocationMatch "/index.php?url=http://webmail.*">
    SecFilterRemove 300018
    </LocationMatch>
    <LocationMatch "/index.php?url=http%3A%2F%2Fwebmail.*">
    SecFilterRemove 300018
    </LocationMatch>

    and restart your Apache.
     
  7. pdreissen

    pdreissen Guest

    0
     
    This will fail; watch the double </LocationMatch>, remove one!

    so:

    #Squirrel mail and Horde postings
    <LocationMatch "/imp/compose.php">
    SecFilterRemove 300013
    SecFilterRemove 300015
    SecFilterRemove 300016
    </LocationMatch>
    <LocationMatch "/index.php?url=http://webmail.*">
    SecFilterRemove 300018
    </LocationMatch>
    <LocationMatch "/index.php?url=http%3A%2F%2Fwebmail.*">
    SecFilterRemove 300018
    </LocationMatch>
     
  8. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    This is what I had in my exclude.conf:

    #Squirrel mail and Horde postings
    <LocationMatch "/imp/compose.php">
    SecFilterRemove 300013
    SecFilterRemove 300015
    SecFilterRemove 300016
    SecFilterRemove 300018
    </LocationMatch>

    I went ahead and added the last two of your exclusions:
    <LocationMatch "/index.php?url=http://webmail.*">
    SecFilterRemove 300018
    </LocationMatch>
    <LocationMatch "/index.php?url=http%3A%2F%2Fwebmail.*">
    SecFilterRemove 300018
    </LocationMatch>

    and restarted Apache, but I still get the same error when I click an entry in the calendar. I did notice that I can create a new calendar entry from the menu, but I cannot create one by clicking on the date in a calendar, and I still cannot read entries in the calendar by clicking on them.
     
  9. pdreissen

    pdreissen Guest

    0
     
    Check your error_log and make the corresponding entry in the exclude.conf, or post the log here so we can help!
     
  10. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    [Sun Apr 22 14:44:05 2007] [error] [client 10.*.*.*] mod_security: Access denied with code 500. Pattern match "!/imp/login\\\\.php" at HEADER("Referer") [id "300018"] [rev "3"] [msg "Generic PHP code injection protection via ARGS"] [severity "CRITICAL"] [hostname "webmail.domain.com"] [uri "/kronolith/addevent.php?timestamp=1176033600&url=http%3A%2F%2Fwebmail.domain.com%2Fkronolith%2Findex.php"]

    That is the error.log for Apache. Hope this gives you an idea of what I need to exclude.

    Thanks
     
  11. pdreissen

    pdreissen Guest

    0
     
    Try to add this:

    <LocationMatch "/kronolith/addevent.php?timestamp=*">
    SecFilterRemove 300018
    </LocationMatch>

    into your exclude.conf.

    Please restart Apache after adding it!
     
  12. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    I added it, but it didn't fix it. I'm tempted, but I don't want to comment out my rules.conf, as I would rather live with a buggy Horde calendar than an exploitable server.
     
  13. pdreissen

    pdreissen Guest

    0
     
    I think there is something seriously wrong with your mod_sec install. This should work, as should all the rules above.

    Please make sure that the exclude config is in the modsecurity config (included from httpd.conf) and that the exclude.conf is loaded first in the modsec hierarchy (this is important)!
     
  14. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Yep, order matters! I'd also avoid the generic rules distributed by Breach. AFAIK, those are not Horde or SquirrelMail friendly.

    Once we finish up some interface work on ASL 2.0 we'll probably stick out a new batch of rules in line with mod_sec 2.1.0.
     
  15. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    I posted my mod_security config earlier in this thread, and as you can see, exclude.conf precedes all other rules. I know that when I remove the filter rules below from my rules.conf it works just fine:

    #really broad furl_fopen attack sig
    #tune this for your system
    SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
    SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
    SecFilterSelective ARGS "(ht|f)tps?:/" chain
    SecFilterSelective HTTP_Referer "!/imp/login\.php"
    SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
    SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" chain
    SecFilterSelective HTTP_Referer "!/imp/login\.php"



    but I don't want to remove them because I am too paranoid it will open my server to exploits.
    I am also using mod_sec 1.9 from gotroot.com; do you think I should use mod_sec 2?

    Thank you guys for your help.
     
  16. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Not yet, there's nothing in 2.1.0 that you'd really use right now anyway. The rule format changed, so it doesn't perform anything like 1.9 or 1.8.
     
  17. shoggy24

    shoggy24 Regular Pleskian

    25
    57%
    Joined:
    Apr 5, 2007
    Messages:
    198
    Likes Received:
    0
    Just in case anyone has this problem, I was able to resolve it by adding these lines to my exclude.conf:

    <Directory /usr/share/psa-horde>
    SecFilterRemove 300013
    SecFilterRemove 300015
    SecFilterRemove 300016
    SecFilterRemove 300018
    SecFilterRemove 300040
    </Directory>
     
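The model below is added here to illustrate the thread; it is not code from the thread, from gotroot.com or from mod_security itself. It replays the chained rule 300018 quoted from rules.conf above against the exact request from the posted error_log, showing why every link of the chain matches (the PHP script is called with an argument whose decoded value starts with http://, and the Referer is not the IMP login page), and why the `<LocationMatch>` exclusions suggested earlier could never take effect: Apache tests a LocationMatch regex against the URL path only, never the query string, which is why the `<Directory>` approach in the last post worked. Assumptions: the Referer value is constructed (the log line does not record it), ARGS is simplified to the URL-decoded query values (the real engine also inspects POST bodies and argument names), and `TUNED_EXCLUSIONS`, which adds `/kronolith/` to the rule's own "tune this for your system" alternation, is a suggested narrower tune of my own, not part of the gotroot file.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# --- Rule 300018 as it appears in the gotroot rules.conf quoted in the thread ---
# mod_security 1.9 evaluates a "chain" as a logical AND: the request is denied only
# when every link matches. A leading "!" negates that link.
URI_EXCLUSIONS = re.compile(
    r"(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click"
    r"|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto"
    r"|gallery2?/main|ad-?server/adjs)"
)
PHP_WITH_ARGS = re.compile(r"\.php(3|4|5)?(\?|&)")   # link 2: a PHP script called with arguments
URL_IN_ARGS = re.compile(r"(ht|f)tps?:/")            # link 3: an argument value carries a URL scheme
IMP_LOGIN_REFERER = re.compile(r"/imp/login\.php")   # link 4 (negated): Referer is not the IMP login page

# Suggested tune (my addition, not in the gotroot file): the same alternation with the
# Horde calendar application (kronolith) added, so only that path is exempted.
TUNED_EXCLUSIONS = re.compile(URI_EXCLUSIONS.pattern[:-1] + r"|/kronolith/)")


def rule_300018_matches(request_uri, referer, uri_exclusions=URI_EXCLUSIONS):
    """Return True when every link of the 300018 chain matches, i.e. the request is denied.

    Simplification: the ARGS collection is modelled as the URL-decoded query values only.
    """
    # link 1 (negated): REQUEST_URI must NOT hit the exclusion list
    if uri_exclusions.search(request_uri):
        return False
    # link 2: REQUEST_URI looks like name.php?... or name.php&...
    if not PHP_WITH_ARGS.search(request_uri):
        return False
    # link 3: some decoded argument value contains http:/, https:/, ftp:/ or ftps:/
    args = parse_qsl(urlsplit(request_uri).query, keep_blank_values=True)
    if not any(URL_IN_ARGS.search(value) for _, value in args):
        return False
    # link 4 (negated): HTTP_Referer must NOT contain /imp/login.php
    if IMP_LOGIN_REFERER.search(referer or ""):
        return False
    return True


def location_match(pattern, request_uri):
    """Model Apache's <LocationMatch>: the regex is tested against the URL path only.

    The query string is never part of that path, so a pattern that tries to match
    "?timestamp=" or "?url=http..." cannot match any request.
    """
    return re.search(pattern, urlsplit(request_uri).path) is not None


# Request taken from the error_log posted in the thread. The Referer is a constructed
# value: the log line does not include it, and this is where the calendar view links from.
KRONOLITH_URI = ("/kronolith/addevent.php?timestamp=1176033600"
                 "&url=http%3A%2F%2Fwebmail.domain.com%2Fkronolith%2Findex.php")
KRONOLITH_REFERER = "http://webmail.domain.com/kronolith/index.php"


if __name__ == "__main__":
    print("denied by stock 300018:",
          rule_300018_matches(KRONOLITH_URI, KRONOLITH_REFERER))
    print("denied with /kronolith/ in the exclusion list:",
          rule_300018_matches(KRONOLITH_URI, KRONOLITH_REFERER, TUNED_EXCLUSIONS))
    print("query-string LocationMatch ever matches:",
          location_match(r"/kronolith/addevent.php?timestamp=*", KRONOLITH_URI))
    print("path-only LocationMatch matches:",
          location_match(r"^/kronolith/addevent\.php", KRONOLITH_URI))
```

Running it shows the stock rule denying the calendar request, the query-string LocationMatch patterns matching nothing, and two narrower alternatives to removing the rule for the whole psa-horde directory: a path-only LocationMatch such as `<LocationMatch "^/kronolith/addevent\.php">` around `SecFilterRemove 300018`, or adding `/kronolith/` to the rule's exclusion alternation so the rest of the site keeps the protection.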