I installed mod_security a little while ago and guess what: nothing works anymore.
I mean god, are you guys really that stupid not to test against the major scripts out there? wordpress, joomla !!!! gallery, phpbb, etc, nothing works.
Jesus Christ, what kind of a stupid shit is this? It reminds me of the days I tested various firewalls for Windows and got into core force.
I’m gonna google for a bit to see if there is any good resolution for this but if not, go screw you guys.
I mean I added like over 10 rules to the exception list according to various findings and nothing, I can't even post a damn shit.
Maybe this will help somebody.
I tried to figure out the ids to exclude by checking the modsec_audit.log file. You have the request and the ids that made it be rejected or whatever.
Seems some new ids appeared, mainly phpids-xx; added them too, but I still get (in the H section):
Message: Operator GT matched 1 at TX:arg_name__ajax_nonce. [file "/etc/httpd/conf/mod_security/rules/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "28"] [msg "Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/conf/mod_security/rules/base_rules/modsecurity_crs_60_correlation.conf"] [line "41"] [msg "Transactional Anomaly Score (score 20): Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name."]
and (in the K section):
SecAction "phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule "REQUEST_METHOD" "@rx ^POST$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'POST request must have a Content-Length header',id:960012,tag:PROTOCOL_VIOLATION/EVASION,severity:4"
SecRule "REQUEST_HEADERS:Content-Type" "@rx ^application\\/x-www-form-urlencoded(?:;(?:\\s?charset\\s?=\\s?[\\w\\d\\-]{1,18})?)??$" "phase:2,chain,t:none,block,nolog,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',id:950108,tag:PROTOCOL_VIOLATION/EVASION,severity:5"
SecRule "REQUEST_METHOD" "!@rx ^(?:GET|HEAD|PROPFIND|OPTIONS)$" "phase:2,chain,t:none,block,nolog,auditlog,status:501,msg:'Request content type is not allowed by policy',id:960010,tag:POLICY/ENCODING_NOT_ALLOWED,severity:4"
SecRule "ARGS_NAMES" "@rx .*" "phase:2,chain,t:none,nolog,auditlog,pass,capture,setvar:tx.arg_name_%{tx.0}=+1,msg:'Possible HTTP Parameter Pollution Attack: Multiple Parameters with the same Name.'"
[...] the last one repeated like 100 times
SecRule "TX:/ARG_NAME_*/" "@gt 1" "t:none,setvar:tx.msg=%{rule.msg},setvar:tx.anomaly_score=+20,setvar:tx.web_attack_score=+1,setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "REQUEST_URI|REQUEST_BODY|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer" "@pmFromFile modsecurity_40_generic_attacks.data" "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,nolog,pass,setvar:tx.pm_score=+1,setvar:tx.pm_data_%{matched_var_name}=%{matched_var}"
SecRule "&TX:/SQL_INJECTION/" "@eq 0" "phase:2,t:none,nolog,skipAfter:END_SQL_INJECTION_WEAK"
SecRule "RESPONSE_BODY" "!@pmFromFile modsecurity_50_outbound.data" "phase:4,t:none,t:urlDecodeUni,t:htmlEntityDecode,nolog,allow"
SecRule "TX:ANOMALY_SCORE" "@ge 5" "phase:5,t:none,log,noauditlog,pass,msg:'Transactional Anomaly Score (score %{TX.ANOMALY_SCORE}): %{tx.msg}'"
I grepped the ruleset for 300015, 300016, 300017; they are not there. The rest appear to be there, plus the ones I added with phpids, but I don't know if they suffice since it's still not working right as some GETs are still killed (one of them's log entries are the ones up there).
The stupid thing is that in order to get mod_security working right I should watch each request and note the IDs that fail and for those specific files add the exclusion. considering that I am running like 13 sites on my server all with different scripts and some running different scripts internally (my main domain for example is written in html+C as CGI and SSI, also having a bugzilla (perl) and a hidden forum (ipb-php) not to mention half of the site rewritten in joomla (php again)) and that mod_security should be configured for all of them separately, this looks like a very painful job.
In the end I am just not going to use mod_security at all. This was a rather negative experience for me.
This might be an old post, but mod_security2 is actually worse. I created an advanced system that is a CMS for travel, and I tell you this much: mod security sucks! It's no use for it... just use SSL, or sanitize your site! I will create a script to bypass this because there's no need.