Webalizer and Apache mod_security


atjensen11
21st March 2009, 17:46
I have an Ubuntu 8.04 LTS server that was configured using the HowTo on this site. I also set up and configured Apache mod_security to further protect the webserver.

As part of the HowTo, I installed Webalizer for site statistics. Furthermore, I use basic authentication on the webalizer stats directory.

When users browse to the webalizer domain (http://stats.example.com), they are prompted with the authentication dialog box. The credentials appear to be accepted, but then a 404 error is returned.

So it would appear that DNS is working correctly, the Apache virtual host is working correctly, and the htaccess file is working correctly.

I checked the error logs and saw that mod_security is blocking access and generating the 404 error. The message from mod_security in the log is "Statistics Information Leakage". In this case though, I have provided what I feel is enough security on the directory and don't necessarily need mod_security to provide further access control.

Does anyone have a suggestion on how to modify this mod_security rule to allow access to this directory while still protecting others?

Thanks.

falko
22nd March 2009, 15:59
Can you post your mod_security rules?

wladek
24th May 2009, 04:32
See the debug log of mod_security:
"[/stats/index.html][1] Access denied with code 404 (phase 4). Pattern match "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware) |analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by. ..." at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "19"] [id "970002"] [msg "Statistics Information Leakage"] [severity "WARNING"]"

(or similar)

Possible solution:

Comment out the following lines in: /path/to/modsecurity_crs_50_outbound.conf

#SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware) |analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
#        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',id:'970002',severity:'4'"

then reload Apache.

(Sorry for my bad English... :))

Regards:
//:wladek (http://wladek.hu)
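Commenting the rule out of modsecurity_crs_50_outbound.conf disables the "Statistics Information Leakage" check for every site on the server. A narrower way to get the same result for the question above is to keep the Core Rule Set loaded globally and drop rule 970002 only inside the Webalizer virtual host, which is already behind basic authentication. This is an added example, not configuration from the thread or from the CRS; the DocumentRoot, the htpasswd path and the vhost layout are assumptions, and the ServerName is the one used in the question.

```apache
# Added example (not from this thread). The Core Rule Set, including
# modsecurity_crs_50_outbound.conf, stays included in the main Apache
# config unchanged, so rule 970002 keeps protecting every other vhost.
# DocumentRoot and AuthUserFile paths are assumptions.
<VirtualHost *:80>
    ServerName stats.example.com
    DocumentRoot /var/www/webalizer

    <Location />
        # The directory is already protected by basic authentication
        # (the thread's original poster does this via .htaccess).
        AuthType Basic
        AuthName "Webalizer statistics"
        AuthUserFile /etc/apache2/webalizer.htpasswd
        Require valid-user

        # Remove only the Webalizer/analog/wwwstat response-body rule for
        # this location. Every other outbound rule (error leakage, source
        # code disclosure, ...) still runs here, and 970002 still runs on
        # all other vhosts. SecRuleRemoveById is a ModSecurity 2.x directive
        # and takes effect because per-location config is merged after the
        # globally included rule set.
        SecRuleRemoveById 970002
    </Location>
</VirtualHost>
```

Run apache2ctl configtest before reloading, then confirm in the error log that the 404 with id "970002" no longer appears for stats.example.com while requests to other vhosts are unaffected.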