Hi to all, I have a maybe stupid question, but I'm a little bit confused and would like to hear your suggestions. I've installed mod_security following the HowTo http://www.howtoforge.com/apache_mod_security, and the entries I chose are here:

Code:
    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On
    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On
    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off
    # Only allow bytes from this range
    SecFilterForceByteRange 0 255
    # Only log suspicious requests
    SecAuditEngine RelevantOnly
    # The name of the audit log file
    SecAuditLog /var/log/apache2/audit_log
    # Debug level set to a minimum
    SecFilterDebugLog /var/log/apache2/modsec_debug_log
    SecFilterDebugLevel 0
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"
    #To prevent more SQL injection attacks, we can add a few other rules
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecFilter "drop[[:space:]]table"
    #The following directives help to prevent cross-site scripting attacks:
    SecFilter "<script"
    SecFilter "<.+>"
    #This one is for preventing path traversal attacks:
    SecFilter "../"
    SecFilter /bin/sh
    #This rule requires HTTP_USER_AGENT and HTTP_HOST headers in every request:
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
    #mod_security also allows your Apache to pretend it's another web server
    SecServerSignature "Microsoft-IIS/5.0"
    SecUploadDir /tmp
    SecUploadKeepFiles Off
    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type \
    "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
    # Do not accept GET or HEAD requests with bodies
    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!^$"
    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    # Don't accept transfer encodings we know we don't handle
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    </IfModule>

And now all the URLs without an explicit link to some file (for example www.domain.com) end with Error 403, as this is the default action I've selected. But which rule triggers this action? I'm suspicious of: SecFilter "../"? And if yes, what is the alternative? Thanks for your thoughts!
Yes, I've commented this rule out and now everything is OK. Any suggestions about correcting this rule?
Log from /var/www/web5/log/

Code:
    ... mod_security: Access denied with code 403. Pattern match "../" at THE_REQUEST [hostname "www.domain.net"] [uri "/test/phpinfo.php"] ...

apache2 log or modsec_debug_log - nothing smart!
Did you specify a DirectoryIndex ( http://httpd.apache.org/docs/2.0/mod/mod_dir.html#directoryindex ) for that vhost, and is there an index file (e.g. index.html, index.php,...) in the web site's root directory?
For both questions the answer is yes. The vhost for this site is listed in my other post about the PHP/suPHP problem here http://www.howtoforge.com/forums/showpost.php?p=49623&postcount=7 . I can't see in PHP_Info which mods are activated and whether mod_dir is one of them, because of the above-mentioned problem with PHP resulting in Error 500.
Yes, thanks, now I know! And this problem with wrong triggering of pattern "../" is still on, but I've just commented it out and now everything works fine.
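
Added example, not part of the thread: SecFilter takes a regular expression, and an unescaped "." matches any character, so "../" means "any two characters followed by a slash". The Python sketch below runs the posted pattern and an escaped variant over constructed request lines; Python's re module stands in for the module's regex engine, and the escaped pattern and the assumption that THE_REQUEST holds the full request line are this example's own.

```python
import re

# The path traversal pattern from the posted config, plus an escaped
# variant (the escaped form is this example's assumption, not from the thread).
PATTERNS = {
    "posted": r"../",      # unescaped: each '.' matches any character
    "escaped": r"\.\./",   # literal dot, dot, slash
}

# Constructed request lines, assumed to be what the filter sees as THE_REQUEST.
REQUESTS = [
    "GET / HTTP/1.1",
    "GET /test/phpinfo.php HTTP/1.1",
    "GET /index.php?page=../../etc/passwd HTTP/1.1",
]


def first_match(pattern, request_line):
    """Return the substring the pattern hits, or None if the request passes."""
    m = re.search(pattern, request_line)
    return m.group(0) if m else None


def evaluate(requests=REQUESTS):
    """Map each request line to {rule name: matched text or None}."""
    return {
        req: {name: first_match(pat, req) for name, pat in PATTERNS.items()}
        for req in requests
    }


if __name__ == "__main__":
    for req, hits in evaluate().items():
        for name, hit in hits.items():
            verdict = f"403 (matched {hit!r})" if hit else "pass"
            print(f"{name:8} {req!r:55} {verdict}")
```

The posted pattern hits the "T /" between the method and the path on every line, which is consistent with the 403 logged for /test/phpinfo.php; the escaped pattern only fires on the line that actually contains "../".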