Apache mod_security and chat server - apache

My website is hosted on a virtual server that runs Apache and Plesk. I would like to integrate a chat from livezilla.de on my website. The chat server runs on my server as well.
To secure my system, I have activated plesk_modsecurity. However, that particular module bans the IP address of each user of the chat because the chat pings the server quite frequently.
Is it possible to (a) allow requests from the chat to the chat server and vice versa with no restriction while (b) any other requests are still handled by the module with the appropriate restrictions?
Or would you recommend another solution?
The following list shows some of the errors raised by the modsecurity rules.
Message: Rule 7f7e7ac18c30 [id "340159"][file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"][line "114"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 7f7e7abb2c60 [id "340157"][file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"][line "135"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client XX.XXX.XX.XXX] ModSecurity: Rule 7f7e7ac18c30 [id "340159"][file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"][line "114"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "mydomain.tld"] [uri "/livezilla/server.php"] [unique_id "WzIClVXWzdsAABSrkdgAAAAE"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client XX.XXX.XX.XXX] ModSecurity: Rule 7f7e7abb2c60 [id "340157"][file "/etc/apache2/modsecurity.d/rules/tortix/modsec/50_plesk_basic_asl_rules.conf"][line "135"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "mydomain.tld"] [uri "/livezilla/server.php"] [unique_id "WzIClVXWzdsAABSrkdgAAAAE"]
Apache-Handler: proxy:unix:///var/www/vhosts/system/mydomain.tld/php-fpm.sock|fcgi://127.0.0.1:9000
Stopwatch: 1530004117657831 96698593 (- - -)
Stopwatch2: 1530004117657831 96698593; combined=96528507, p1=2, p2=96528499, p3=2, p4=1, p5=3, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); 201806211447.
Server: Apache
Engine-Mode: "ENABLED"

Try the LocationMatch directive for ModSecurity. Browse to Tools & Settings > Web Application Firewall (ModSecurity) > Settings > Custom and add the following directives:
<LocationMatch "/livezilla/">
SecRuleEngine Off
</LocationMatch>
It will disable ModSecurity for URIs like /livezilla/server.php.
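A narrower alternative, added here as an example and not taken from the answer: keep ModSecurity active under /livezilla/ and drop only the two rules whose PCRE-limit errors appear in the question's log (IDs 340157 and 340159, both from the question). The rule id 1000001 and the SecPcreMatchLimit values are placeholders chosen for this example.

```apache
# Added example (not from the original answer). Instead of switching the
# engine off for the chat path, exclude only the two Plesk/Atomicorp rules
# that fail with "PCRE limits exceeded" on the frequent chat polls, so every
# other rule still inspects /livezilla/server.php.
# Rule IDs 340157 and 340159 are the ones in the question's audit log.
<LocationMatch "/livezilla/">
    SecRuleRemoveById 340157 340159
</LocationMatch>

# The same exclusion expressed as a phase-1 rule with ctl:, for setups where
# a <LocationMatch> container cannot be used. The id 1000001 is a placeholder.
SecRule REQUEST_URI "@beginsWith /livezilla/" \
    "id:1000001,phase:1,pass,nolog,\
     ctl:ruleRemoveById=340157,\
     ctl:ruleRemoveById=340159"

# Option to keep both rules and let their regexes finish instead: raise the
# PCRE work limits server-wide (values are illustrative). This trades CPU
# time for coverage, so watch request latency on the chat endpoint afterwards.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000
```

Use either the exclusion or the raised limits, not both, and check the audit log afterwards for any remaining "PCRE limits exceeded" entries on the chat URI.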

Related

ModSecurity not detecting DDoS attack on DVWA

I have my Virtual Machine with Ubuntu 20.04 installed. In it I'm using the Apache2 web server as a WAF with the ModSecurity 2.9.3 module that uses OWASP rules; it is listening on ports 80 and 443.
Then I have installed XAMPP to use the DVWA application in it. Since the Apache web server in XAMPP can't listen on the same ports as Apache2 (there would be a conflict), the XAMPP Apache web server is listening on 8012 for HTTP and 4431 for HTTPS.
I got through the process of making the DVWA requests pass through the WAF and reach the application by using VirtualHosts. Everything is okay at the moment. The project involves testing the WAF against malicious attacks, and it works fine for most of the attacks: ModSecurity detects and blocks SQL Injection, XSS, LFI, RFI, and so on, but when I test the DDoS attack it detects it as a SCANNER attack and I don't know why (and then it blocks the attack).
I tested the DDoS attack with WFuzz and Hydra, trying to guess the password of the admin on a particular page of DVWA.
For WFuzz I used this command:
wfuzz -c -w ~/SecLists/Passwords/probable-v2-top207.txt -b 'security=low; PHPSESSID=cookieSession' 'http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=FUZZ&Login=Login'
Wfuzz starts sending the requests, which get immediately blocked (error 443), and in the error log file of Apache2 I get some messages referring to an attack of this type (+ other messages related to what ModSec does):
[Thu Apr 07 09:50:33.960952 2022] [:error] [pid 3803:tid 140532596565760] [client 127.0.0.1:47826] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^(?:urlgrabber/[0-9\\\\.]+ yum/[0-9\\\\.]+|mozilla/[0-9\\\\.]+ ecairn-grabber/[0-9\\\\.]+ \\\\(\\\\+http://ecairn.com/grabber\\\\))$" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-913-SCANNER-DETECTION.conf"] [line "55"] [id "913100"] [msg "Found User-Agent associated with security scanner"] [data "Matched Data: Wfuzz found within REQUEST_HEADERS:User-Agent: Wfuzz/2.4.5"] [severity "CRITICAL"] [ver "OWASP_CRS/3.4.0-dev"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-reputation-scanner"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/118/224/541/310"] [tag "PCI/6.5.10"] [hostname "localhost"] [uri "/dvwa/vulnerabilities/brute/"] [unique_id "Yk6XyWgIm0NzeaCPwEBVrAAAAE0"]
At first I didn't know why the detection was related to a SCANNER attack. From
[msg "Found User-Agent associated with security scanner"][data "Matched Data: Wfuzz found within REQUEST_HEADERS:User-Agent: Wfuzz/2.4.5"]
I thought that the problem was related to the User-Agent: Wfuzz/2.4.5. So I tried a custom User-Agent:
wfuzz -c -w ~/SecLists/Passwords/probable-v2-top207.txt -b 'security=low; PHPSESSID=cookieSession' -H 'User-Agent:Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0' 'http://localhost/dvwa/vulnerabilities/brute/?username=admin&password=FUZZ&Login=Login'
However, this time the requests were received by the DVWA (error 200), but even after like 100 requests ModSecurity was not detecting the DDoS attack (I was not getting the 443 error), even though "I" was doing lots of requests in the application. Using Hydra I get basically the same result. Any suggestions/help is very appreciated; this is not a life problem because I can delete this part from the project, but I would like to know what's not functioning. I've been trying to look at the OWASP rules files but I was getting nowhere with them, and basically everyone on the web says that no one should be messing with/editing those rules.
My goal would be: after ModSecurity detects 20 tries, it blocks the upcoming requests, sending back to the attacker a 443 error.
OWASP ModSecurity Core Rule Set Developer on Duty here. First thing to note, ModSecurity version 2.9.3 is quite old (2018!). The current v2 release is version 2.9.5, which features important security and bug fixes. You should seriously consider using the latest version for anything beyond a private sandbox.
Second thing to note, OWASP Core Rule Set (CRS) version 3.4 is our development branch. It's under heavy development and is being radically changed right now (this very week, even). You'll probably want to use our latest official release, which is version 3.3.2 (see https://github.com/coreruleset/coreruleset/releases/tag/v3.3.2).
Wfuzz is indeed listed as a scanner (you can find it listed in the file rules/scanners-user-agents.data). CRS rule 913100 inspects the User-Agent headers of requests and compares them against the contents of scanners-user-agents.data. That's why you're seeing log lines containing "Found User-Agent associated with security scanner": the presence of "Wfuzz" causes that rule to match. You can find the rule in the file rules/REQUEST-913-SCANNER-DETECTION.conf, if you're interested.
ModSecurity is not designed to prevent (D)DoS attacks. It can be made to do so, but it isn't good at it. In fact, just a few days ago, we removed the DoS capabilities from the CRS v3.4/dev branch (like I said, the dev branch is being radically changed as we speak!). For an explanation on this topic, see https://github.com/coreruleset/dos-protection-plugin-modsecurity-v2#plugin-expectations-suitability-and-scale.
If you really want to test DoS rules, take a look at the CRS 3.3.2 release, which still included our DoS rules as standard (in the file rules/REQUEST-912-DOS-PROTECTION.conf). Find the section "Anti-Automation / DoS Protection" in the main configuration file, crs-setup.conf, to configure the DoS rules for use. There are also blog posts and tutorials available online that walk through how to write your own DoS protection rules for ModSecurity, similar to what you described (e.g. "detect 20 requests, then block further requests"). It just requires leveraging ModSecurity's persistent collections mechanism, to store state information between requests (e.g. a running count of "how many requests has this IP address sent?").
But, to reiterate the point: neither ModSecurity nor OWASP CRS will stop DoS attacks by default.
Good luck with your project!
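The "count 20 requests, then block" logic the answer describes, written here as an added example on ModSecurity 2.x persistent collections (not code from the CRS developer or from CRS): it keys a collection on the client address, counts requests to the DVWA login page named in the question, and denies with 403, the status the other logs on this page show ModSecurity using. The rule ids, the 60 s window, the 10 min block and the SecDataDir path are assumptions chosen for the example, and, as the answer stresses, this shows the mechanism rather than real DoS protection.

```apache
# Added example (not part of the CRS developer's answer): a minimal
# "more than 20 attempts, then block" rule set on ModSecurity 2.x persistent
# collections, scoped to the DVWA brute-force page from the question.
# Needs SecRuleEngine On (not DetectionOnly) and a directory writable by the
# Apache user; all ids, thresholds and the path are placeholders.
SecDataDir /var/cache/modsecurity

# Open (or create) the per-client collection keyed by source address.
SecAction "id:1000100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Already flagged: refuse the request before the application sees it.
SecRule IP:BLOCKED "@eq 1" \
    "id:1000101,phase:1,deny,status:403,log,\
     msg:'Client blocked after excessive requests to %{REQUEST_URI}'"

# Count requests to the login page. The counter expires 60 s after its last
# increment, so the window slides with activity rather than resetting on a
# fixed schedule.
SecRule REQUEST_URI "@beginsWith /dvwa/vulnerabilities/brute/" \
    "id:1000102,phase:1,pass,nolog,\
     setvar:ip.attempts=+1,expirevar:ip.attempts=60"

# Past the threshold: set the block flag for 10 minutes and log the event.
# From the next request on, rule 1000101 above denies this client.
SecRule IP:ATTEMPTS "@gt 20" \
    "id:1000103,phase:1,pass,log,\
     msg:'More than 20 login attempts from %{REMOTE_ADDR} within 60 s',\
     setvar:ip.blocked=1,expirevar:ip.blocked=600"
```

Keying on REMOTE_ADDR blocks every client behind a shared NAT or proxy once one of them trips the counter, which is one reason the answer recommends a dedicated DoS layer over WAF rules.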

Prestashop 403 error with symfony connexion

I have a strange problem.
I installed the PrestaShop library on Symfony (iq2i/prestashop-webservice-bundle).
I can connect to two internet websites (one is http, the other https),
but on the third I get the error:
{"message":"This call to PrestaShop Web Services returned an unexpected HTTP status of:403"}
I have this website installed locally on my computer too, with the same files as the remote one, and I can connect with Symfony to my local website, but not to the internet one...
I checked rights, .htaccess ...
So I enabled debug and I got:
You don't have permission to access /api/products
Any idea, please?
If you have got the error:
[Fri Jun 15 16:28:52 2018] [error] [client 157.108.59.137] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "65"] [id "960009"] [rev "2.1.1"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_UA"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"]
with the OVH provider:
in the root folder you have a file named .ovhconfig;
you have to add the following line:
modsecurity == WAF === http.firewall=security

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s

I just integrated Apache Httpd 2.4.25 with mod_security 2.9.1, and now I get these error messages:
--ba380000-H--
Message: Error reading request body: Partial results are valid but processing is incomplete
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Apache-Handler: jakarta-servlet
Stopwatch: 1489655290393010 8470749 (- - -)
Stopwatch2: 1489655290393010 8470749; combined=0, p1=0, p2=0, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/).
Server: Apache/2.4.25 (Win64) OpenSSL/1.0.2k mod_jk/1.2.40 mod_watch/4.3P mod_security2/2.9.1
Engine-Mode: "ENABLED"
--ba380000-Z--
I don't know what the problem is. Please help me.
Thanks.
Sounds like you are sending large request bodies and are hitting this bug: https://github.com/SpiderLabs/ModSecurity/issues/918
Are you sending very large requests? Can you increase SecRequestBodyLimit and SecRequestBodyNoFilesLimit to sizes that will accommodate your largest request? Though to be honest the defaults for those are quite large (128Mb), so unless you've explicitly set those values lower or have truly tremendous request body sizes, I'm not sure how you'd hit this limit...
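The directives the answer points at, as an added example (not the answerer's configuration), with the stock ModSecurity 2.x defaults noted in the comments; the raised SecRequestBodyNoFilesLimit value is illustrative.

```apache
# Added example (not from the answer above): the request-body size controls
# in ModSecurity 2.x. Defaults in the comments are the stock values; the
# raised no-files limit is an illustrative choice.
SecRequestBodyAccess On

# Ceiling for any request body, file uploads included.
# Default: 134217728 (128 MB).
SecRequestBodyLimit 134217728

# Ceiling for bodies that carry no file upload, e.g. large form or XML posts
# to a servlet. Default: 1048576 (1 MB), the smaller of the two limits and
# therefore the one a big non-upload POST hits first. Raised here to 4 MB.
SecRequestBodyNoFilesLimit 4194304

# What happens when a body exceeds a limit: Reject answers 413 and stops;
# ProcessPartial inspects only the bytes read and lets the request continue,
# which leaves the tail of the body uninspected.
SecRequestBodyLimitAction Reject
```

If the servlet legitimately receives multi-megabyte posts, raise SecRequestBodyNoFilesLimit to cover the largest expected body rather than switching to ProcessPartial, which weakens inspection for every request over the limit.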

403 Forbidden Error, probably ModSecurity

I am getting this error code on submitting the form.
That form has rich text editors and I am assuming that is the problem.
So from the error log I found out this message:
[Sat Sep 13 18:45:11 2014] [error] [client xx.xx.xx.xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1023"] [id "350147"] [rev "147"] [msg "Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected"] [data "10862"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ((?:submit(?:\\\\+| )?(request)?(?:\\\\+| )?>+|<<(?:\\\\+| )remove|(?:sign ?in|log ?(?:in|out)|next|modifier|envoyer|add|continue|weiter|account|results|select)(?:\\\\+| )?>+)$|^< ?\\\\??(?: |\\\\+)?xml|^<samlp|^>> ?$)" against "REQUEST_URI" required. [hostname "example.com"] [uri "/add-product/"] [unique_id "VBTzJkJVoVIAAGGuSEgAAAAT"]
So what is this error, and can anyone tell me how to fix it?
After this error is displayed, every access to the server is blocked for 10 to 15 minutes?
The client has full access to the server, so that is not the problem.
It is a standard LAMP environment.
Thanks!

mod_security blocks only internet explorer

I installed mod_security on an Apache server, and now it's blocking only the IE7/8/9 browsers (I can browse the web with Firefox/Chromium/etc.).
The logs say:
Message: String match within "Proxy-Connection Lock-Token Content-Range Translate via if" at REQUEST_HEADERS_NAMES:Connection. [file "/etc/apache2/mod_security/modsecurity_crs_30_http_policy.conf"] [line "99"] [id "960038"] [msg "HTTP header is restricted by policy"] [data "Connection"] [severity "WARNING"] [tag "POLICY/HEADER_RESTRICTED"] [tag "POLICY/FILES_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). [file "/etc/apache2/mod_security/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 20): Common SPAM/Email Harvester crawler"]
Action: Intercepted (phase 2)
Stopwatch: 1337888078594451 2694 (918 2353 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.6.
Server: Apache
And the rule with id "960038" is:
SecRule REQUEST_HEADERS_NAMES "@within %{tx.restricted_headers}" \
    "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted by policy',id:'960038',\
    tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',\
    severity:'4',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},\
    setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"
I have one main question and two others derived from the first:
How do I know what this rule does?
Is it safe to ignore this rule?
Is there any way to modify the rule in order to allow IE to browse the web?
Answering your first question: ModSecurity provides very detailed documentation about the syntax of its rule language; the following is the link to that documentation: ModSecurity Rule Language
TX is for user-defined variables. tx.restricted_headers defines your HTTP policy, like:
SecAction "phase:1,t:none,nolog,pass,setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"
For more detailed information, refer to this: HTTP Policy
The rule you have mentioned above is not blocking; it is incrementing a numerical value maintained against suspicious header names, as mentioned in the HTTP policy I explained above.
The rule that is blocking IE, as seen from the logs you mentioned:
Message: Access denied with code 403 (phase 2). [file "/etc/apache2/mod_security/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 20): Common SPAM/Email Harvester crawler"]
You can modify the anomaly score threshold or change your HTTP policy. The rule you have mentioned is correct and doesn't need to be commented out. I hope you get my point.
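Added example, not the answerer's configuration, illustrating why the 960038 hit in the question's log is a false positive: @within is a substring test, so the ordinary header name Connection is found inside the policy string "Proxy-Connection Lock-Token Content-Range Translate via if", exactly as the logged "String match within ... at REQUEST_HEADERS_NAMES:Connection" shows. The weak form appears beside an exact form that delimits both the policy entries and the header name with slashes before comparing; the rule ids 10002xx are placeholders, and only one of the two forms belongs in a real configuration.

```apache
# Added example (not from the original answer). @within asks "is the header
# name found anywhere in the policy string?", so "Connection" matches inside
# "Proxy-Connection" and every request with a Connection header scores a hit.

# WEAK: undelimited policy string, as the question's log shows it.
SecAction "id:1000200,phase:1,t:none,nolog,pass,\
    setvar:'tx.restricted_headers=Proxy-Connection Lock-Token Content-Range Translate via if'"
SecRule REQUEST_HEADERS_NAMES "@within %{tx.restricted_headers}" \
    "id:1000201,phase:2,t:none,pass,nolog,auditlog,\
     msg:'HTTP header is restricted by policy (substring match)',\
     setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"

# EXACT: wrap each policy entry in slashes, wrap the incoming header name in
# slashes as well, then compare. "/connection/" does not occur inside
# "/proxy-connection/", so only a real Proxy-Connection header matches.
SecAction "id:1000210,phase:1,t:none,nolog,pass,\
    setvar:'tx.restricted_headers=/proxy-connection/ /lock-token/ /content-range/ /translate/ /via/ /if/'"
# First rule of the chain lower-cases and captures each header name, storing
# it as tx.header_name_<name>=/<name>/; the second rule does the comparison.
SecRule REQUEST_HEADERS_NAMES "^(.*)$" \
    "id:1000211,phase:2,t:none,t:lowercase,capture,pass,nolog,auditlog,chain,\
     msg:'HTTP header is restricted by policy (exact match)',\
     setvar:'tx.header_name_%{tx.0}=/%{tx.0}/'"
    SecRule TX:/^header_name_/ "@within %{tx.restricted_headers}" \
        "setvar:tx.anomaly_score=+%{tx.warning_anomaly_score}"
```

With the exact form in place, a request that still scores 20 is being counted by other rules, which the audit log's remaining Message lines will identify.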