Real Time Malware scanning using Maldetect: Rejected by the approver script - apache

I have a cPanel server with Apache 2.4, Maldetect and ClamAV. I want to have a real-time malware scanner on the server to block hackers from uploading malicious files to the server. What I meant is that when someone uploads a file, Apache will invoke the scanner using mod_security 2.9 and scan the uploaded file.
If it's found to be malware, it should get rejected.
If it's found to be a good file, it should be uploaded to the correct destination.
I have tried to do this with the following settings, as described in https://www.rfxn.com/appdocs/README.maldetect:
To enable upload scanning with mod_security2 you must enable the public_scan option in conf.maldet (public_scan=1), then add the following rules to your mod_security2 configuration. These rules are best placed in your modsec2.user.conf file on cPanel servers or at the top of the appropriate rules file for your setup.
/usr/local/apache/conf/modsec2.user.conf (or similar mod_security2 rules file):
SecRequestBodyAccess On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
"id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"
If using ModSecurity >=2.9, you should set 'SecTmpSaveUploadedFiles On' before the 'SecRule FILES_TMPNAMES' line.
A restart of the Apache service is required following these changes.
But the problem is that all files are getting rejected with this setup, even good files. Is there anything wrong with the above setup?
# cat /usr/local/apache/conf/modsec2.user.conf
### UPLOAD PARAMETERS BEGIN ####
SecUploadDir /tmp
SecTmpDir /tmp/
SecDataDir /tmp/
SecUploadKeepFiles RelevantOnly
### UPLOAD PARAMETERS END ####
SecRequestBodyAccess On
SecTmpSaveUploadedFiles On
SecRule FILES_TMPNAMES "@inspectFile /usr/local/maldetect/hookscan.sh" \
"id:'999999',log,auditlog,deny,severity:2,phase:2,t:none"
Following is the error in the logs:
[Sun Mar 05 21:11:35.936553 2017] [:error] [pid 9800] [client x.x.x.x] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20170305-211135-WLxNz@kP@rKcABIc7ZF3lAAAAAM-file-SfujtQ" rejected by the approver script "/usr/local/maldetect/hookscan.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"] [id "999999"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "/test.php"] [unique_id "WLxNz@kP@rKcABIc7ZF3lAAAAAM"]
[Sun Mar 05 21:11:44.511418 2017] [:error] [pid 9526] [client x.x.x.x] ModSecurity: Access denied with code 406 (phase 2). File "/tmp/20170305-211144-WLxN2EJsvK1FL3paCDmxrgAAAAE-file-iQx2zR" rejected by the approver script "/usr/local/maldetect/hookscan.sh": Linux Malware Detect v1.5 [file "/usr/local/apache/conf/modsec2.user.conf"] [line "13"] [id "999999"] [severity "CRITICAL"] [hostname "x.x.x.x"] [uri "/test.php"] [unique_id "WLxN2EJsvK1FL3paCDmxrgAAAAE"]

I had this issue too. The problem is this line:
SecTmpSaveUploadedFiles On
Try to remove it from the rule.
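The reason every file is rejected can be checked outside Apache. The following is an added example, not code from the question, the answer or the maldet project: it exercises the contract mod_security 2.x applies to an @inspectFile approver script (the script gets the temporary upload path as its first argument, and the file is approved only when the first character the script prints is "1"; any other output is logged as the rejection reason, which is what the "rejected by the approver script ... Linux Malware Detect v1.5" line above shows). The two approver scripts it writes are constructed stand-ins for hookscan.sh.

```shell
#!/bin/sh
# Added example (not from the question, the answer or the maldet project).
# Exercises the mod_security @inspectFile approver-script contract from the
# command line: the script receives the temporary upload path as $1, and the
# upload is approved only when the first character on stdout is "1". Anything
# else, including a banner printed before the verdict, is logged as the
# rejection reason and the request is denied.

# Constructed stand-in for hookscan.sh that follows the contract:
# "1 <msg>" approves, "0 <msg>" denies. It looks for a constructed marker
# string instead of calling a real scanner so the example runs offline.
write_sample_approver() {
    cat > "$1" <<'EOF'
#!/bin/sh
if grep -q 'CONSTRUCTED-TEST-MARKER' "$1" 2>/dev/null; then
    echo "0 constructed marker found in $1"
else
    echo "1 clean"
fi
EOF
    chmod +x "$1"
}

# Constructed approver that breaks the contract by printing a banner first:
# the verdict "1 clean" is never the first character of the output, so
# mod_security rejects every file exactly as in the error log above.
write_banner_approver() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "Constructed Scanner v0.0"
echo "1 clean"
EOF
    chmod +x "$1"
}

# approver_verdict SCRIPT FILE
# Prints "approved" or "rejected: <script output>", mirroring what
# mod_security does with the script's stdout. Run it against the real hook,
#   approver_verdict /usr/local/maldetect/hookscan.sh /path/to/an/uploaded/file
# to see what the script actually prints before blaming the rule.
approver_verdict() {
    out=$("$1" "$2" 2>&1) || true
    case "$out" in
        1*) echo "approved" ;;
        *)  echo "rejected: $out" ;;
    esac
}
```

If approver_verdict reports a rejection whose text is a version banner rather than a "0 ..." verdict, the scanner is not being invoked in its quiet hook mode and the rule will deny clean files too.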

Related

Apache server reverse proxy: increase file upload limit

I'm configuring httpd to act as a reverse proxy that should also allow file uploads. The average file size is around 20MB. With the basic configuration I could only upload files of at most 128KB.
After referring to some materials, I installed the modsecurity plugin to allow uploads of up to 30 MB.
In the mod_security.conf file, I have:
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 31457280
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 1048576
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
But if I try to upload even a 1MB file, I get the error below:
[:error] [pid 7877] [client 10.192.10.186:47406] [client 10.192.10.186] ModSecurity: Multipart parsing error (init): Multipart: Invalid boundary in C-T (malformed). [hostname "<host>"] [uri "<uri>"] [unique_id "YmE-3e7SizASbXjV8cTWfQAAAAQ"]
[proxy:error] [pid 7877] (32)Broken pipe: [client 10.192.10.186:47406] AH01084: pass request body failed to 10.192.21.143:443
[proxy_http:error] [pid 7877] [client 10.192.10.186:47406] AH01097: pass request body failed to 10.192.21.143:443 () from 10.192.10.186 ()
The questions I have are:
Am I using the correct plugin?
What is the error in the above configuration?
OWASP ModSecurity Core Rule Set dev-on-duty here. Your error is the first alert message: "Multipart parsing error (init): Multipart: Invalid boundary in C-T (malformed)." The rest is Apache reacting to the ModSecurity parsing abort.
Based on my experience with ModSecurity, I am confident we're facing a malformed multipart request. Try to submit a multipart request with curl to see if it works. If it does, as I suspect, you need to look at your client, probably by taking a very close look at the request body and the Content-Type header.
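A quick way to act on that advice is to check the Content-Type header the client sends before looking at the body. The following is an added example, not code from the question or the CRS answer: it extracts the boundary parameter and validates it against the RFC 2046 grammar (1 to 70 characters drawn from letters, digits, the characters ' ( ) + _ , - . / : = ? and space, with no trailing space), which is the class of defect the "Invalid boundary in C-T (malformed)" message points at. The header values used below are constructed.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Validates the boundary
# parameter of a multipart/form-data Content-Type header against RFC 2046.

# ct_boundary HEADER_VALUE
# Prints the boundary value with optional surrounding quotes removed,
# or an empty line when no boundary parameter is present.
ct_boundary() {
    b=$(printf '%s\n' "$1" | sed -n 's/.*;[[:space:]]*[Bb]oundary=\([^;]*\).*/\1/p')
    b=${b#\"}
    b=${b%\"}
    printf '%s\n' "$b"
}

# multipart_ct_check HEADER_VALUE
# Prints "ok" and returns 0 for a well-formed multipart/form-data header;
# otherwise prints the reason and returns 1.
multipart_ct_check() {
    case "$1" in
        multipart/form-data*) ;;
        *) echo "not multipart/form-data"; return 1 ;;
    esac
    b=$(ct_boundary "$1")
    if [ -z "$b" ]; then
        echo "boundary parameter missing"; return 1
    fi
    if [ ${#b} -gt 70 ]; then
        echo "boundary longer than 70 characters"; return 1
    fi
    case "$b" in
        *" ") echo "boundary ends with a space"; return 1 ;;
    esac
    # RFC 2046 bchars: DIGIT / ALPHA / ' ( ) + _ , - . / : = ? / space
    if printf '%s\n' "$b" | grep -Eq "^[A-Za-z0-9'()+_,./:=? -]+$"; then
        echo "ok"; return 0
    fi
    echo "boundary contains characters outside the RFC 2046 set"; return 1
}
```

To produce a request that is known to be well-formed for comparison, let curl build the body and header itself (curl -F 'file=@sample.bin' https://proxy.example/upload, where the URL is a placeholder), capture the header with a verbose run, and feed the Content-Type value the real client sends to multipart_ct_check.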

mod_security rule 981172 false positive

The mod_security configuration in Apache on CWP7.admin generates a 403 Access Denied error when running Grav CMS:
[Thu Mar 21 15:40:47.967502 2019] [:error] [pid 21727:tid 140715786946304] [client 186.67.206.59:57900] [client 186.67.206.59] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){8,}" at REQUEST_COOKIES:grav-tabs-state. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: \x22 found within REQUEST_COOKIES:grav-tabs-state: {\x22tab-content.options.advanced\x22:\x22data.content\x22,\x22tab-content.options\x22:\x22data.content\x22,\x22tab-content.options.advanced.blog\x22:\x22data.options\x22}"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "xxxxxxxx.com"] [uri "/favicon.ico"] [unique_id "XJOwf0cQATwA6mgjE8O7AwAAANc"], referer: http://xxxxxxxx.com/
This error only happens when visiting the website a second time, making it very hard to solve.
Upon inspecting the logs, I found the same pattern of errors generated by mod_security for Grav CMS based sites. This answer by Barry Pollard guided my solution.
The error names the mod_security rule blocking my request, the file:
/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
the corresponding line:
[line "157"]
and its ID:
[id "981172"]
Using the advice from Barry, I added the following line after the rule:
SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:grav-tabs-state
In this case I'm asking mod_security to omit REQUEST_COOKIES:grav-tabs-state from rule 981172. This solved the issue.
Thanks from the bottom of my heart to @barrypollard
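To see why this cookie trips rule 981172 before excluding it, it helps to count what the rule counts. The following is an added example, not code from the post or from the CRS: it tallies the ASCII characters in the rule's restricted class (~ ! @ # $ % ^ & * ( ) - + = { } [ ] | : ; " ' ` < >) in a single value, since the pattern ([...].*?){8,} fires as soon as eight such characters appear. The non-ASCII quote characters in the rule's class are left out for portability; the cookie value is the one from the log line above, and the second value is constructed.

```shell
#!/bin/sh
# Added example (not from the post or the CRS). Counts the ASCII characters
# from rule 981172's restricted class in a value and reports whether the
# rule's "8 or more" threshold would be reached. A JSON-encoded cookie is
# mostly quotes, colons and braces, so it crosses the threshold without
# containing any SQL at all.

# count_restricted_chars VALUE -> number of restricted characters in VALUE
count_restricted_chars() {
    printf '%s' "$1" | awk '
        { n += gsub(/[]~!@#$%^&*()+={}[|:;"'"'"'`<>-]/, "") }
        END { print n + 0 }'
}

# rule_981172_would_match VALUE -> exit 0 when the rule would fire on VALUE
rule_981172_would_match() {
    [ "$(count_restricted_chars "$1")" -ge 8 ]
}

# The cookie value from the log line in the post, and a constructed plain one.
GRAV_COOKIE='{"tab-content.options.advanced":"data.content","tab-content.options":"data.content","tab-content.options.advanced.blog":"data.options"}'
PLAIN_COOKIE='tab=advanced'
```

Any application that stores JSON in a cookie will produce the same anomaly count, which is why the fix is to remove that one cookie from the rule's targets with SecRuleUpdateTargetById rather than to disable the rule.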

https not accept http_method DELETE

My server returns 405 Method Not Allowed when requesting https with the HTTP method DELETE, but requests to http are OK. Can anyone please help?
Server Environment
Apache 2.4.29
DirectAdmin 1.52.1
OS: CentOS release 6.9 (Final)
Thanks
Added error log:
[Wed Jan 03 11:57:38.331926 2018] [allowmethods:error] [pid 8569] [client 171.97.62.152:59633] AH01623: client method denied by server configuration: 'DELETE' to /home/------/domains/------.com/private_html/
The sure way to fix this is to learn why Apache denies the requests in your particular case. You can learn this from its error logs.
In my case, tail -f /usr/local/apache/logs/error_log gave this:
[Tue 2 08:39:52.570672 2018] [:error] [pid 32076:tid 140086307448576] [client 93.125.93.77] ModSecurity: Access denied with code 501 (phase 2). Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [file "/usr/local/apache/conf/modsec-imh/01_base_rules.conf"] [line "32"] [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [tag "POLICY/METHOD_NOT_ALLOWED"] [hostname "104.244.122.237"] [uri "/products/order/items/45"] [unique_id "V96LGGj0eu0AAH1MR8sAAACB"]
It mentions a security rule and the file it's coming from: /usr/local/apache/conf/modsec-imh/01_base_rules.conf. Editing that file solved my problem smoothly.

403 Forbidden Error, probably ModSecurity

I am getting this error code on submitting the form.
That form has rich text editors and I am assuming that is the problem.
So from the error log I found this message:
[Sat Sep 13 18:45:11 2014] [error] [client xx.xx.xx.xx] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "1023"] [id "350147"] [rev "147"] [msg "Atomicorp.com WAF Rules: Potentially Untrusted Web Content Detected"] [data "10862"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Match of "rx ((?:submit(?:\\\\+| )?(request)?(?:\\\\+| )?>+|<<(?:\\\\+| )remove|(?:sign ?in|log ?(?:in|out)|next|modifier|envoyer|add|continue|weiter|account|results|select)(?:\\\\+| )?>+)$|^< ?\\\\??(?: |\\\\+)?xml|^<samlp|^>> ?$)" against "REQUEST_URI" required. [hostname "example.com"] [uri "/add-product/"] [unique_id "VBTzJkJVoVIAAGGuSEgAAAAT"]
So what is this error and can anyone tell me how to fix it?
After this error is displayed, every access to the server is blocked for 10 to 15 minutes?
The client has full access to the server, so that is not the problem.
It is a standard LAMP environment.
Thanks!

Apache 2 error log only shows the error message "0"

For a few days now, my Apache 2 error log has been showing a lot of messages like the following (IP addresses and URIs redacted):
[Thu Dec 12 13:46:42 2013] [error] [client 111.222.333.444] 0
[Thu Dec 12 13:52:27 2013] [error] [client 222.333.444.555] 0, referer: http://www.mydomain.com/
[Thu Dec 12 13:52:27 2013] [error] [client 222.333.444.555] 0, referer: http://www.mydomain.com/
[Thu Dec 12 13:53:54 2013] [error] [client 333.444.555.666] 0, referer: http://www.mydomain.com/subdirectory/
[Thu Dec 12 13:46:42 2013] [error] [client 444.555.666.777] 0
[Thu Dec 12 13:54:07 2013] [error] [client aaaa:1111:2222:ffff::] 0, referer: http://www.otherdomain.com/subdirectory/
What is this 0? There are no other messages shown (besides, very rarely, some other normal messages).
The IP addresses are both IPv4 and IPv6. I checked the access log for the same date/time and IP addresses. Most of the time, there was an access at the exact same moment from this IP for different URIs on my webpage. But sometimes there wasn't an access according to the access log.
It's a shared hosting environment, so I can't access the Apache settings (but I have ssh access to my home directory if this helps). I already googled and searched the Apache documentation, but didn't find anything (it's hard to search for "0"...)
Edit: I also asked the web hoster; they said they don't know what is causing it. I cross-checked it with the Apache access log: these are requests to PHP scripts (mostly Joomla), but also requests to images as well as JS and CSS files. So I assume it's not a PHP script that is causing this.
If your error_log directive is unset, errors will be written to your Apache log file for the current VirtualHost.
So double-check your PHP configuration (php.ini) or write a simple page with phpinfo().
If this is true, you should look inside your code (maybe even into index.php).
Pay attention to this: usually there are two separate php.ini files, one for Apache (/etc/php5/apache2/php.ini) and one for the CLI configuration (/etc/php5/cli/php.ini).
Please also consider that, if you want to change your PHP configuration, you can use the ini_set function:
ini_set('error_log', '/var/log/php/error_new.log');
Remember: the destination directory must exist and your web server (or PHP engine) must have permission to write into it.
The error_log format is not customizable; I suspect that it can be set to some higher level, debug or trace, where it can produce additional information.
Also please take into account that error_log contains debug info from CGI/PHP/Perl scripts, so that 'zero' can be produced by some script executed through Apache as its module.