mod_security rules make all request end in "Access forbiden 403" error

Discussion in 'Server Operation' started by Berry, Nov 23, 2006.

  1. Berry

    Berry New Member

    Hi to all,

    I have maybe stupid question, but I'm a little bit confused and would like to hear your suggestions. I've installed mod_security following HowTo http://www.howtoforge.com/apache_mod_security, and the entries I choose are here:
    Code:
    <IfModule mod_security.c>
        # Turn the filtering engine On or Off
        SecFilterEngine On
    
        # Make sure that URL encoding is valid
        SecFilterCheckURLEncoding On
    
        # Unicode encoding check
        SecFilterCheckUnicodeEncoding Off
    
        # Only allow bytes from this range
        SecFilterForceByteRange 0 255
    
        # Only log suspicious requests
        SecAuditEngine RelevantOnly
    
        # The name of the audit log file
        SecAuditLog /var/log/apache2/audit_log
        # Debug level set to a minimum
        SecFilterDebugLog /var/log/apache2/modsec_debug_log
        SecFilterDebugLevel 0
    
        # Should mod_security inspect POST payloads
        SecFilterScanPOST On
    
        # Reject requests with status 403
        SecFilterDefaultAction "deny,log,status:403"
    
        #To prevent more SQL injection attacks, we can add a few other rules
        SecFilter "delete[[:space:]]+from"
        SecFilter "insert[[:space:]]+into"
        SecFilter "select.+from"
        SecFilter "drop[[:space:]]table"
    
        #The following directives help to prevent cross-site scripting attacks:
        SecFilter "<script"
        SecFilter "<.+>"
    
        #This one is for preventing path traversal attacks:
        SecFilter "../"
        SecFilter /bin/sh
    
        #This rule requires HTTP_USER_AGENT and HTTP_HOST headers in every request:
        SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
    
        #mod_security also allows your Apache to pretend it's another web server
        SecServerSignature "Microsoft-IIS/5.0"
    
        SecUploadDir /tmp
        SecUploadKeepFiles Off
    
        # Only accept request encodings we know how to handle
        # we exclude GET requests from this because some (automated)
        # clients supply "text/html" as Content-Type
        SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
        SecFilterSelective HTTP_Content-Type \
        "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
        
        # Do not accept GET or HEAD requests with bodies
        SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
        SecFilterSelective HTTP_Content-Length "!^$"
    
        # Require Content-Length to be provided with
        # every POST request
        SecFilterSelective REQUEST_METHOD "^POST$" chain
        SecFilterSelective HTTP_Content-Length "^$"
    
        # Don't accept transfer encodings we know we don't handle
        SecFilterSelective HTTP_Transfer-Encoding "!^$"
    </IfModule>
    
    And now all the URL's without explicit link to some file (for example www.domain.com) end with Error 403, as this is default action I've selected. But which rule does trigger this action? I'm suspicious at :
    SecFilter "../"?? And if yes, what is the alternative?

    Thanks for your toughts!
     
    Last edited: Nov 23, 2006
  2. Berry

    Berry New Member

    Yes, I've commented this rule out and now everything is OK. Any suggestions about correcting this rule?
     
  3. falko

    falko Super Moderator ISPConfig Developer

    Do you find any errors in /var/log/apache2/modsec_debug_log and Apache's error log?
     
  4. Berry

    Berry New Member

    Log from /var/www/web5/log/
    Code:
    ...
    mod_security: Access denied with code 403. Pattern match "../" at THE_REQUEST [hostname "www.domain.net"] [uri "/test/phpinfo.php"]
    ...
    apache2 log or modsec_debug_log - nothing smart !
     
  5. falko

    falko Super Moderator ISPConfig Developer

  6. Berry

    Berry New Member

    For the both questions the answer is = Yes.

    The Vhost for this site is listed in my other post about PHP/suPHP problem here http://www.howtoforge.com/forums/showpost.php?p=49623&postcount=7 ..

    I can't see which mods are activated and if the mod_dir is one of them in PHP_Info because of above mentioned problem with PHP resulting in Error 500.
     
    Last edited: Nov 27, 2006
  7. falko

    falko Super Moderator ISPConfig Developer

    You can see it in your Apache configuration.
     
  8. Berry

    Berry New Member

    Yes, thanks, now I know! :)

    And this problem with wrong triggering of pattern "../" is still on, but I've just commented it out and now everything works fine.
     

Share This Page