Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: mod_security causes default apache page to come up
Posted: Wed Mar 16, 2011 5:21 pm
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 83
I installed mod_security via yum and installed the delayed rules, but any access to the web server turns up a default Apache page.
Adding my IP address to /etc/asl/whitelist allows me to access pages normally.


 Post subject: Re: mod_security causes default apache page to come up
Posted: Wed Mar 16, 2011 5:26 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
What do you see in your audit logs? Our modsecurity rules will log anything disruptive they do.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: mod_security causes default apache page to come up
Posted: Wed Mar 16, 2011 5:33 pm
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 83
Found this in the error_log:
Code:
[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]

From the audit_log:
Code:
www.smallgod.net 76.14.57.52 - - [16/Mar/2011:14:30:12 --0700] "GET /favicon.ico HTTP/1.1" 403 957 "-" "-" P-yL2UgKIkkAAGxAYPMAAAAA "-" /20110316/20110316-1430/20110316-143012-P-yL2UgKIkkAAGxAYPMAAAAA 0 1667 md5:a20ed30954bd825b674e73fbacfc46f3
webmail.polygonfx.com 76.126.180.209 - - [16/Mar/2011:14:30:12 --0700] "GET /services/portal/sidebar.php?httpclient=1 HTTP/1.1" 403 300 "-" "-" P-6W6kgKIkkAAGxBausAAAAB "-" /20110316/20110316-1430/20110316-143012-P-6W6kgKIkkAAGxBausAAAAB 0 1726 md5:84a33b8e468b127f8d3a1d4915c90453
smallgod.net 206.176.237.2 - - [16/Mar/2011:14:30:20 --0700] "GET /secure/roundcube/?_task=mail&_remote=1&_action=check-recent&_t=1300311019978&_mbox=INBOX&_list=1&_quota=1&_=1300311019979&_unlock=0 HTTP/1.1" 403 957 "-" "-" QHf-0UgKIkkAAG4hdkAAAAAC "-" /20110316/20110316-1430/20110316-143020-QHf-0UgKIkkAAG4hdkAAAAAC 0 1873 md5:1587b42110e80bfc1ea42f745ef5da34
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:21 --0700] "GET / HTTP/1.1" 403 5043 "-" "-" QIg0okgKIkkAAGxAYPQAAAAA "-" /20110316/20110316-1430/20110316-143021-QIg0okgKIkkAAGxAYPQAAAAA 0 1386 md5:f0a27628bb36b3cf896700360742c21b
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/apache_pb.gif HTTP/1.1" 403 957 "-" "-" QJDxwkgKIkkAAGxBauwAAAAB "-" /20110316/20110316-1430/20110316-143022-QJDxwkgKIkkAAGxBauwAAAAB 0 1139 md5:6e5efb92e7f3458b531390310c103022
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:22 --0700] "GET /icons/powered_by_rh.png HTTP/1.1" 403 957 "-" "-" QJD0vUgKIkkAAG4hdkEAAAAC "-" /20110316/20110316-1430/20110316-143022-QJD0vUgKIkkAAG4hdkEAAAAC 0 1145 md5:ac0c4d717a7e764efb33826d1f671cc8
basictrainingsf.com 24.104.151.206 - - [16/Mar/2011:14:30:26 --0700] "GET /instructors/ HTTP/1.1" 403 957 "-" "-" QNl5zUgKIkkAAGxAYPUAAAAA "-" /20110316/20110316-1430/20110316-143026-QNl5zUgKIkkAAGxAYPUAAAAA 0 1473 md5:456d888b8d84772df9521e67f09c6849
www.dnaebeats.com 220.181.18.13 - - [16/Mar/2011:14:30:27 --0700] "GET /music/beat05.mp3 HTTP/1.0" 403 958 "-" "-" QNvvoEgKIkkAAGxBau0AAAAB "-" /20110316/20110316-1430/20110316-143027-QNvvoEgKIkkAAGxBau0AAAAB 0 934 md5:64e9022afcb4cfa833cede20e894ac89
www.kittyfeet.com 186.42.77.137 - - [16/Mar/2011:14:30:27 --0700] "GET /30music/storm.jpg HTTP/1.1" 403 958 "-" "-" QN7JqkgKIkkAAG4hdkIAAAAC "-" /20110316/20110316-1430/20110316-143027-QN7JqkgKIkkAAG4hdkIAAAAC 0 1264 md5:db512a0afdea2095263a3c64dd63c080
kittyfeet.com 220.181.27.12 - - [16/Mar/2011:14:30:29 --0700] "GET /smelly.mp3 HTTP/1.0" 403 958 "-" "-" QPprR0gKIkkAAGxAYPYAAAAA "-" /20110316/20110316-1430/20110316-143029-QPprR0gKIkkAAGxAYPYAAAAA 0 926 md5:e626d9c14b759579ae8df1d80a10c598


 Post subject: Re: mod_security causes default apache page to come up
Posted: Wed Mar 16, 2011 5:50 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
Quote:
[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: Access denied with code 403 (phase 2). RBL lookup of 209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. [file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] [severity "ERROR"] [hostname "webmail.polygonfx.com"] [uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]


That means you have the RBL rules activated, and that IP is on the Spamhaus blacklist. You may want to contact Spamhaus to let them know if you believe that's in error.

Or disable the RBL rules.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


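To make the error_log entry above easier to interpret, here is an added example (not code from the thread or from Atomicorp) that parses ModSecurity "Access denied" lines, reconstructs the DNSBL query name the RBL rule built from the client IP (octets reversed, then the list zone), and groups RBL denials by list and client. The sample entry is constructed after the one posted above; the `summarize_rbl_denials` helper and its output format are assumptions of this example.

```python
"""Parse ModSecurity error_log denials and recognise RBL (DNS blacklist) matches."""
import ipaddress
import re

# Constructed sample, modelled on the error_log entry posted in this thread.
SAMPLE = ('[Wed Mar 16 14:30:12 2011] [error] [client 76.126.180.209] ModSecurity: '
          'Access denied with code 403 (phase 2). RBL lookup of '
          '209.180.126.76.xbl.spamhaus.org succeeded at REMOTE_ADDR. '
          '[file "/etc/httpd/modsecurity.d/00_asl_rbl.conf"] [line "42"] [id "350000"] '
          '[rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist"] '
          '[severity "ERROR"] [hostname "webmail.polygonfx.com"] '
          '[uri "/services/portal/sidebar.php"] [unique_id "P-6W6kgKIkkAAGxBausAAAAB"]')

CLIENT_RE = re.compile(r'\[client ([0-9.]+)\]')
RBL_RE = re.compile(r'RBL lookup of (\S+?) succeeded at (\w+)')
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [file "..."], [id "..."], [msg "..."], ...


def rbl_query_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split('.')
    return '.'.join(reversed(octets)) + '.' + zone


def parse_modsec_entry(line):
    """Return the bracketed ModSecurity fields as a dict, or None for non-denial lines."""
    if 'ModSecurity: Access denied' not in line:
        return None
    entry = dict(TAG_RE.findall(line))
    m = CLIENT_RE.search(line)
    entry['client'] = m.group(1) if m else None
    m = RBL_RE.search(line)
    if m:                                  # only RBL rules emit this phrase
        entry['rbl_query'], entry['rbl_target'] = m.group(1), m.group(2)
    return entry


def is_rbl_denial(entry):
    """True when the denial came from an RBL rule and the query matches the client IP."""
    if not entry or 'rbl_query' not in entry or not entry.get('client'):
        return False
    zone = entry['rbl_query'].split('.', 4)[4]      # strip the four reversed octets
    return entry['rbl_query'] == rbl_query_name(entry['client'], zone)


def summarize_rbl_denials(lines):
    """Count RBL denials per (zone, client) so an admin can see which list blocks whom."""
    counts = {}
    for line in lines:
        entry = parse_modsec_entry(line)
        if is_rbl_denial(entry):
            key = (entry['rbl_query'].split('.', 4)[4], entry['client'])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

Run `summarize_rbl_denials` over the lines of `/var/log/httpd/error_log` to see whether the 403s are RBL-driven before deciding whether to keep the RBL rules loaded.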
 Post subject: Re: mod_security causes default apache page to come up
Posted: Wed Mar 16, 2011 9:45 pm
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 83
Thanks. I disabled the RBL rules. Is it me, or are they a little harsh? (The RBL rules, that is.)


 Post subject: Re: mod_security causes default apache page to come up
Posted: Thu Mar 17, 2011 8:43 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2007
By default, with the delayed rules, I think everything is enabled by default. The idea is that you then disable anything you don't want. The XBL rules are very aggressive and do cause problems and personally I don't use them. They are not enabled by default in the standard rules.

Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?

Also this issue with the apache default page instead of a "denied" page coming up when *certain* rules trigger - that can be very confusing for new customers and old hands alike. Maybe it would be sensible to change this so that all triggered rules result in a "denied"?

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: mod_security causes default apache page to come up
Posted: Thu Mar 17, 2011 9:57 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3548
Location: Chantilly, VA
Quote:
Scott/Mike - maybe it would be sensible not to have those particular rules enabled by default in the delayed rules?


Thanks for the suggestion, Faris. We don't enable or disable anything with the free/unsupported/delayed rules. That's all up to the user. Unlike with ASL, users of the free/unsupported/delayed rules just download whatever conf files they want and configure Apache themselves; we don't enable, configure or install anything, the user does. So if it's enabled, they enabled it, which is why we provide instructions about the optimal configuration of our rules (which includes not enabling the RBL rules). So, if the RBL rules are enabled, it's because the user enabled them, per the wiki:

https://www.atomicorp.com/wiki/index.ph ... rity_2.5.x

Quote:
The recommended ruleset to load is:

Include /full/path/to/your/rules/modsecurity.d/05_asl_exclude.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_antimalware.conf
Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
Include /full/path/to/your/rules/modsecurity.d/20_asl_useragents.conf
Include /full/path/to/your/rules/modsecurity.d/30_asl_antispam.conf
Include /full/path/to/your/rules/modsecurity.d/50_asl_rootkits.conf
Include /full/path/to/your/rules/modsecurity.d/60_asl_recons.conf
Include /full/path/to/your/rules/modsecurity.d/61_asl_recons_dlp.conf
Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf


So, if you have the RBL rules enabled, go back and make sure you followed our instructions about setting up modsecurity and not someone else's.

For ASL users, this is moot since the RBL rules are disabled by default, plus you can control that from the GUI. In ASL 3.0 this all changes, as RBLs will be something the user defines and it will be generated.

For users that don't use ASL, they will have to do what they do now: manually configure things for their needs and read the documentation online.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: mod_security causes default apache page to come up
Posted: Fri Mar 18, 2011 7:10 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2007
Ah. Right. Didn't know that. Thanks.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>

