When I use the feature "Enable service monitoring and restart on failure" from Server Config -> Rescue I notice ModSecurity logs this as follows:

Code:
--2bcda46f-A--
[17/Nov/2013:23:57:01 +0200] Uok7rcCoAWQAAA3ZoEUAAAAL ::1 60286 ::1 80
--2bcda46f-B--
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (ISPConfig monitor)
Accept: application/xml,application/xhtml+xml,text/html
Connection: Close

--2bcda46f-F--
HTTP/1.1 200 OK
Last-Modified: Fri, 15 Nov 2013 22:58:56 GMT
ETag: "1040ed5-b1-4eb3f249f4283"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

--2bcda46f-E--
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

Actually, I see an additional warning which I am not sure is from the same ISPConfig request:

Code:
--2bcda46f-H--
Message: Warning. Match of "rx (?i:(<meta.*?(content|value)=\"text/html;\\s?charset=|<\\?xml.*?encoding=))" against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "APP_DEFECT/MISCONFIGURATION"] [tag "http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms"]
Message: Warning. Match of "rx (<meta.*?(content|value)=\"text/html;\\s?charset=utf-8|<\\?xml.*?encoding=\"utf-8\")" against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8"]
Stopwatch: 1384725421645250 5000 (- - -)
Stopwatch2: 1384725421645250 5000; combined=3825, p1=319, p2=2124, p3=48, p4=242, p5=908, sr=121, sw=184, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

--2bcda46f-Z--

As I am trying to keep the modsec_audit.log clean from false positives... well, on the one hand I like this feature to be enabled, on the other hand I would like to stop this from being logged. So if anyone knows a way I would appreciate it. I think though that whitelisting the "Mozilla/5.0 (ISPConfig monitor)" user agent is not the right approach. And, by the way, is an HTTP request the only way to find out if HTTP is working? Cheers.

UPDATE: I disabled the feature and the same thing comes up:

Code:
--63429d0b-A--
[18/Nov/2013:01:40:02 +0200] UolT0cCoAWQAAAsBTFgAAAAB ::1 42129 ::1 80
--63429d0b-B--
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (ISPConfig monitor)
Accept: application/xml,application/xhtml+xml,text/html
Connection: Close

--63429d0b-F--
HTTP/1.1 200 OK
Last-Modified: Fri, 15 Nov 2013 22:58:56 GMT
ETag: "1040ed5-b1-4eb3f249f4283"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

--63429d0b-E--
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

--63429d0b-H--
Message: Warning. Match of "rx (?i:(<meta.*?(content|value)=\"text/html;\\s?charset=|<\\?xml.*?encoding=))" against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "APP_DEFECT/MISCONFIGURATION"] [tag "http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms"]
Message: Warning. Match of "rx (<meta.*?(content|value)=\"text/html;\\s?charset=utf-8|<\\?xml.*?encoding=\"utf-8\")" against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8"]
Message: Warning. Pattern match "^(?i:0|allow)$" at RESPONSE_HEADERS. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "151"] [id "981405"] [msg "AppDefect: X-FRAME-OPTIONS Response Header is Missing or not set to Deny."] [data "X-FRAME-OPTIONS: "] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#http-header-x-frame-options"]
Stopwatch: 1384731601858958 585855 (- - -)
Stopwatch2: 1384731601858958 585855; combined=582305, p1=577122, p2=2237, p3=59, p4=326, p5=1861, sr=48, sw=700, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache

--63429d0b-Z--
One solution would be to add a charset header to the default Apache HTML file of the Linux distribution.
Good morning till,

Yes, but on an Apache update this will be wiped. Is there a way to override the default Apache "It Works!" page without editing the original?

By the way, I am working on a rule for ModSecurity for this, but I want to make sure that the localhost and user-agent are not spoofed by an external visit. So I am trying to get the remote IP and I can't. So far the rule is like this and works, but I don't like it:

Code:
SecRule REQUEST_HEADERS:Host "localhost" "chain,t:none,pass"
SecRule REQUEST_HEADERS:User-Agent "@contains ISPConfig" "ctl:ruleRemoveById=981220,ctl:ruleRemoveById=981222,ctl:ruleRemoveById=981405"

...because I am not sure if ModSecurity will check against the Host (if it is spoofed) of this rule. If I replace the 1st line with either this:

Code:
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "chain,t:none,pass"

or this:

Code:
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "chain,t:none,pass"

it doesn't work.
OK, so I re-enabled "Enable service monitoring and restart on failure", which doesn't seem to be relevant to those requests by ISPConfig, but it feels like it is sending more (not sure anyway), and the best rule I came up with for now (and it works well) is this:

Code:
SecRule REMOTE_ADDR "::1" "chain,t:none,pass,nolog"
SecRule REQUEST_URI "^/" "chain"
SecRule REQUEST_HEADERS:Host "localhost" "chain"
SecRule REQUEST_HEADERS:User-Agent "@contains ISPConfig" "ctl:ruleRemoveById=981220,ctl:ruleRemoveById=981222,ctl:ruleRemoveById=981405"

The above because I use "deny" for SecDefaultAction in modsecurity_crs_10_setup.conf, which gives a 403 Forbidden on all requests by IP and more. Otherwise the "pass" may not be needed in the first line of the SecRule.

To test that it is working and not blocking, I replaced the 1st line with:

Code:
SecRule REMOTE_ADDR "::1" "chain,t:none,pass,log,msg:'Works'"

which will just log a "Warning" for the request that was indeed not blocked.

So now the access.log can be happy being flooded by these:

Code:
::1 - - [18/Nov/2013:14:24:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:25:02 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:25:02 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:26:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:27:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:28:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:29:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:30:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:30:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:31:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:32:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:33:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:34:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:35:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:35:02 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:36:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:37:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:38:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:39:02 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:40:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:40:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
::1 - - [18/Nov/2013:14:41:01 +0200] "GET / HTTP/1.1" 200 439 "-" "Mozilla/5.0 (ISPConfig monitor)"
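The worry raised two posts up (can an outside client spoof Host: localhost and the ISPConfig user agent to ride the exemption?) and the final four-link chain can be checked offline against the audit log itself. The script below is an added example, not code from the thread, from ISPConfig or from ModSecurity: it parses the serial audit-log format (the --id-A--/-B--/-H--/-Z-- parts shown above), pulls REMOTE_ADDR from part A, the request line and headers from part B and the fired rule ids from part H, and then applies the same predicate the chain encodes, dropping 981220/981222/981405 only for transactions that pass every link. The sample log is constructed: the first transaction is abridged from the monitor request in the thread (the long regexes are shortened to "rx ..."), the second is invented, with a documentation-range source address 203.0.113.7 and a made-up unique id, to model an external client copying the monitor's Host and User-Agent.

```python
"""Replay the monitor exemption offline against a ModSecurity serial audit log.
Added example; not ISPConfig or ModSecurity code."""
import re
from dataclasses import dataclass, field

# Constructed sample. 2bcda46f is abridged from the thread's monitor request;
# deadbeef is invented: external client 203.0.113.7 spoofing Host + User-Agent.
SAMPLE_AUDIT_LOG = """\
--2bcda46f-A--
[17/Nov/2013:23:57:01 +0200] Uok7rcCoAWQAAA3ZoEUAAAAL ::1 60286 ::1 80
--2bcda46f-B--
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (ISPConfig monitor)
Accept: application/xml,application/xhtml+xml,text/html
Connection: Close

--2bcda46f-H--
Message: Warning. Match of "rx ..." against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."]
Message: Warning. Match of "rx ..." against "RESPONSE_BODY" required. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."]
Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.

--2bcda46f-Z--
--deadbeef-A--
[18/Nov/2013:02:10:15 +0200] UolX0cCoAWQAAAsBTFgAAAAC 203.0.113.7 51234 192.168.1.100 80
--deadbeef-B--
GET / HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (ISPConfig monitor)
Connection: Close

--deadbeef-H--
Message: Warning. Pattern match "^(?i:0|allow)$" at RESPONSE_HEADERS. [file "/etc/apache2/mod-security/activated_rules/modsecurity_crs_55_application_defects.conf"] [line "151"] [id "981405"] [msg "AppDefect: X-FRAME-OPTIONS Response Header is Missing or not set to Deny."]

--deadbeef-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")          # part boundary
A_LINE_RE = re.compile(r"^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)$")  # [ts] uid src sport dst dport
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')

MONITOR_RULE_IDS = {"981220", "981222", "981405"}  # the ids the chain removes
LOOPBACK = {"::1", "127.0.0.1"}                    # exact match, like @ipMatch


@dataclass
class Transaction:
    tx_id: str
    remote_addr: str = ""
    request_uri: str = ""
    headers: dict = field(default_factory=dict)
    rule_ids: list = field(default_factory=list)


def parse_audit_log(text):
    """Group a serial audit log by transaction id, keeping parts A, B and H."""
    txs, current, part = {}, None, None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            tx_id, part = m.groups()
            current = txs.setdefault(tx_id, Transaction(tx_id))
            continue
        if current is None or not line.strip():
            continue
        if part == "A":
            am = A_LINE_RE.match(line)
            if am:
                current.remote_addr = am.group(2)   # TCP peer address
        elif part == "B":
            if not current.request_uri and line.startswith(("GET ", "POST ", "HEAD ")):
                current.request_uri = line.split(" ")[1]
            elif ":" in line:
                name, value = line.split(":", 1)
                current.headers[name.strip().lower()] = value.strip()
        elif part == "H":
            current.rule_ids.extend(RULE_ID_RE.findall(line))
    return list(txs.values())


def is_monitor_request(tx):
    """Same predicate as the four-link chain: all links must match."""
    return (tx.remote_addr in LOOPBACK
            and tx.request_uri.startswith("/")
            and tx.headers.get("host") == "localhost"
            and "ISPConfig" in tx.headers.get("user-agent", ""))


def remaining_alerts(text):
    """What ctl:ruleRemoveById would leave behind: {tx_id: [rule ids]}."""
    result = {}
    for tx in parse_audit_log(text):
        ids = tx.rule_ids
        if is_monitor_request(tx):
            ids = [r for r in ids if r not in MONITOR_RULE_IDS]
        if ids:
            result[tx.tx_id] = ids
    return result


if __name__ == "__main__":
    for tx_id, ids in remaining_alerts(SAMPLE_AUDIT_LOG).items():
        print(tx_id, ids)   # only the spoofed external transaction survives
```

Two points the replay makes concrete. REMOTE_ADDR comes from the TCP connection, not from anything the client puts in the request, so an outside host can copy Host and User-Agent all it likes and still fail the first link (if Apache sits behind a reverse proxy, REMOTE_ADDR is the proxy's address and the check needs rethinking). The script matches the loopback address by exact set membership, which is what `@ipMatch` does; the thread's `SecRule REMOTE_ADDR "::1"` uses the default `@rx` operator with an unanchored pattern, so it would also match any IPv6 address that merely contains `::1`, and `@ipMatch ::1` or an anchored `^::1$` is the tighter form.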