mod_security causes default apache page to come up

jpkelly · **Joined:** Sat Jan 20, 2007 6:57 pm **Posts:** 82

I installed mod_security via yum and installed the delayed rules.
but any access to the web server turns up a default apache page
adding my IP address to /etc/asl/whitelist allows me to access pages normally.

mikeshinn · **Posted:** Wed Mar 16, 2011 5:26 pm

What do you see in your audit logs? Our modsecurity rules will log anything disruptive they do.

jpkelly · **Joined:** Sat Jan 20, 2007 6:57 pm **Posts:** 82

found this in the error_log

Code:

[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]

from the audit_log

Code:

www.smallgod.net 76.14.57.52 - - [16/Mar/2011:14:30:12 --0700] "GET /favicon.ico HTTP/1.1" 403 957 "-" "-" P-yL2UgKIkkAAGxAYPMAAAAA "-" /20110316/20110316-1430/20110316-143012-P-yL2UgKIkkAAGxAYPMAAAAA 0 1667 md5:a20ed30954bd825b674e73fbacfc46f3 
webmail.polygonfx.com 76.126.180.209 - - [16/Mar/2011:14:30:12 --0700] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 300 "-" "-" P-6W6kgKIkkAAGxBausAAAAB "-" /20110316/20110316-1430/20110316-143012-P-6W6kgKIkkAAGxBausAAAAB 0 1726 md5:84a33b8e468b127f8d3a1d4915c90453 
smallgod.net 206.176.237.2 - - [16/Mar/2011:14:30:20 --0700] "GET /secure/roundcube/?_task=mail&_remote=1&_action=check-recent&_t=1300311019978&_mbox=INBOX&_list=1&_quota=1&_=1300311019979&_unlock=0 HTTP/1.1" 403 957 "-" "-" QHf-0UgKIkkAAG4hdkAAAAAC "-" /20110316/20110316-1430/20110316-143020-QHf-0UgKIkkAAG4hdkAAAAAC 0 1873 md5:1587b42110e80bfc1ea42f745ef5da34 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:21 --0700] "GET / HTTP/1.1" 403 5043 "-" "-" QIg0okgKIkkAAGxAYPQAAAAA "-" /20110316/20110316-1430/20110316-143021-QIg0okgKIkkAAGxAYPQAAAAA 0 1386 md5:f0a27628bb36b3cf896700360742c21b 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/apache_pb.gif HTTP/1.1" 403 957 "-" "-" QJDxwkgKIkkAAGxBauwAAAAB "-" /20110316/20110316-1430/20110316-143022-QJDxwkgKIkkAAGxBauwAAAAB 0 1139 md5:6e5efb92e7f3458b531390310c103022 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/powered_by_rh.png HTTP/1.1" 403 957 "-" "-" QJD0vUgKIkkAAG4hdkEAAAAC "-" /20110316/20110316-1430/20110316-143022-QJD0vUgKIkkAAG4hdkEAAAAC 0 1145 md5:ac0c4d717a7e764efb33826d1f671cc8 
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:26 --0700] "GET /instructors/ HTTP/1.1" 403 957 "-" "-" QNl5zUgKIkkAAGxAYPUAAAAA "-" /20110316/20110316-1430/20110316-143026-QNl5zUgKIkkAAGxAYPUAAAAA 0 1473 md5:456d888b8d84772df9521e67f09c6849 
www.dnaebeats.com 220.181.18.13 - - [16/Mar/2011:14:30:27 --0700] "GET /music/beat05.mp3 HTTP/1.0" 403 958 "-" "-" QNvvoEgKIkkAAGxBau0AAAAB "-" /20110316/20110316-1430/20110316-143027-QNvvoEgKIkkAAGxBau0AAAAB 0 934 md5:64e9022afcb4cfa833cede20e894ac89 
www.kittyfeet.com 186.42.77.137 - - [16/Mar/2011:14:30:27 --0700] "GET /30music/storm.jpg HTTP/1.1" 403 958 "-" "-" QN7JqkgKIkkAAG4hdkIAAAAC "-" /20110316/20110316-1430/20110316-143027-QN7JqkgKIkkAAG4hdkIAAAAC 0 1264 md5:db512a0afdea2095263a3c64dd63c080 
kittyfeet.com 220.181.27.12 - - [16/Mar/2011:14:30:29 --0700] "GET /smelly.mp3 HTTP/1.0" 403 958 "-" "-" QPprR0gKIkkAAGxAYPYAAAAA "-" /20110316/20110316-1430/20110316-143029-QPprR0gKIkkAAGxAYPYAAAAA 0 926 md5:e626d9c14b759579ae8df1d80a10c598 

mikeshinn · **Posted:** Wed Mar 16, 2011 5:50 pm

Quote:

[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]

That means you have the RBL rules activated, and that IP is on the spamhaus blacklist. You may want to contact spamhaus to let them know if you believe thats in error.

Or disable the RBL rules.

jpkelly · **Joined:** Sat Jan 20, 2007 6:57 pm **Posts:** 82

Thanks. I disabled the RBL rules. Is it me or they a little harsh? (RBL rules)

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1844

By default, with the delayed rules, I think everything is enabled by default. The idea is that you then disable anything you don't want. The XBL rules are very aggressive and do cause problems and personally I don't use them. They are not enabled by default in the standard rules.

Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?

Also this issue with the apache default page instead of a "denied" page coming up when *certain* rules trigger - that can be very confusing for new customers and old hands alike. Maybe it would be sensible to change this so that all triggered rules result in a "denied"?

Faris.

mikeshinn · **Posted:** Thu Mar 17, 2011 9:57 am

Quote:

Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?

Thanks for the suggestion Faris, we don't enable or disable anything with the free/unsupported/delayed rules. Thats all up to the user. Unlike with ASL, users of the free/unsupported/delayed rules just download whatever conf files they want and configure Apache themselves, we dont enable, configure or install anything, the user does. So if its enabled, they enabled it, which is why we provide instructions about the optimal configuration of our rules (which includes not enabling the RBL rules). So, if the RBL rules are enabled, its because the user enabled them, per the wiki:

https://www.atomicorp.com/wiki/index.ph ... rity_2.5.x

Quote:

The recommended ruleset to load is:

Include /full/path/to/your/rules/modsecurity.d/05_asl_exclude.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf

So, if you have the RBL rules enabled, go back and make sure you followed our instructions about setting up modsecurity and not someone elses.

For ASL users, this is moot since the RBL rules are disabled by default, plus you can control that from the GUI. In ASL 3.0 this all changes, as RBLs will be something the user defines and it will be generated.

For users that dont use ASL, they will have to do what they do now, manually configure things for their needs and read the documentation online.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1844

Ah. Right. Didn't know that. Thanks.

mod_security causes default apache page to come up

Who is online