Webalizer and Apache mod_security

Discussion in 'Server Operation' started by atjensen11, Mar 21, 2009.

  1. atjensen11

    atjensen11 New Member

    I have an Ubuntu 8.04 LTS server that was configured using the HowTo on this site. I also set up and configured Apache mod_security to further protect the webserver.

    As part of the HowTo, I installed Webalizer for site statistics. Furthermore, I use basic authentication on the webalizer stats directory.

    When users browse to the webalizer domain (http://stats.example.com), they are prompted with the authentication dialog box. The credentials appear to be accepted, but then a 404 error is returned.

    So it would appear that DNS is working correctly, the Apache virtual host is working correctly, and the htaccess file is working correctly.

    I checked the error logs and saw that mod_security is blocking access and generating the 404 error. The message from mod_security in the log is "Statistics Information Leakage". In this case, though, I have provided what I feel is enough security on the directory and don't necessarily need mod_security to provide further access.

    Does anyone have a suggestion on how to modify this mod_security rule to allow access to this directory while still protecting others?

    Thanks.
     
  2. falko

    falko Super Moderator ISPConfig Developer

    Can you post your mod_security rules?
     
  3. wladek

    wladek New Member

    If anyone has similar problems...

    See the debug log of mod_security:
    "[/stats/index.html][1] Access denied with code 404 (phase 4). Pattern match "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by. ..." at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "19"] [id "970002"] [msg "Statistics Information Leakage"] [severity "WARNING"]"

    (or similar)

    Possible solution:

    Comment out the following lines in: /path/to/modsecurity_crs_50_outbound.conf

    #SecRule RESPONSE_BODY "\b(?:Th(?:is (?:summary was generated by.{0,100}?(?:w(?:ebcruncher|wwstat)|analog|Jware)|analysis was produced by.{0,100}?(?:calamaris|EasyStat|analog)|report was generated by WebLog)|ese statistics were produced by (?:getstats|PeLAB))|[gG]enerated by.{0,100}?[Ww]ebalizer)\b" \
    # "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:404,msg:'Statistics Information Leakage',id:'970002',severity:'4

    Then reload Apache.

    (Sorry for my bad English... :))

    Regards:
    //:wladek
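
A narrower alternative to commenting the rule out for the whole server, given here as an added example that is not part of the original thread: remove rule 970002 only for the statistics virtual host, so the outbound rule keeps inspecting responses everywhere else. The host name and rule id come from the posts above; ModSecurity 2.x, the port and the document root are assumptions.

```apache
# Added example: assumed vhost layout, adjust to your installation.
<VirtualHost *:80>
    ServerName stats.example.com
    # Hypothetical path to the Webalizer output directory
    DocumentRoot /var/www/stats

    <IfModule mod_security2.c>
        # Removes only "Statistics Information Leakage" (id 970002)
        # for this virtual host; every other rule stays active here,
        # and 970002 itself stays active for all other hosts.
        # This directive must be read after the file that defines the
        # rule (modsecurity_crs_50_outbound.conf), so keep the vhost
        # include later in the configuration than the rule set.
        SecRuleRemoveById 970002
    </IfModule>
</VirtualHost>
```

If the statistics are served from a path such as /stats on a shared host instead, the same directive can be placed inside a `<Location /stats>` block. Run `apache2ctl configtest` before reloading Apache.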
     
