Hello, I have eth0's ruleset installed in mod_security. I notice some of my users are getting a Forbidden (404) error when trying to login to the website (I have also had it now and then). It doesn't always trigger, but once is more than enough for me. I am not greatly experienced with mod_security so I'd appreciate it if you could help me here. Using latest version of JSMF, CB latest version (and CB login module), latest version of Joomla.

The error in my mod_sec log is as follows:

==c77f7939==============================
Request: www.****.net **.***.**.** - - [27/Sep/2006:13:20:35 +0100] "GET /index.php?option=com_smf&Itemid=155&PHPSESSID=c47f32118f53421e5a9053b1f43036c0;a$
Handler: server-parsed
----------------------------------------
GET /index.php?option=com_smf&Itemid=155&PHPSESSID=c47f32118f53421e5a9053b1f43036c0;action=login2;sa=check;member=62 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-gb
Cache-Control: no-cache
Connection: keep-alive
Cookie: __utma=134262882.885386045.1159277676.1159277676.1159285579.2; __utmz=134262882.1159277676.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); PHPSES$
Host: www.********.net
Referer: http://www.*********.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
X-Forwarded-For: **.***.***.***
mod_security-message: Access denied with code 403. Pattern match "!^[0-9a-z]*$" at ARG("PHPSESSID")
mod_security-action: 403

HTTP/1.1 403 Forbidden
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--c77f7939--

The ruleset I have is:

----Ruleset----
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature "Apache"

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
SecFilterSelective THE_REQUEST "arta\.zip "
SecFilterSelective THE_REQUEST "cmd=cd\x20/var "
SecFilterSelective THE_REQUEST "HCL_path=http "
SecFilterSelective THE_REQUEST "clamav-partial "
SecFilterSelective THE_REQUEST "vi\.recover "
SecFilterSelective THE_REQUEST "netenberg "
SecFilterSelective THE_REQUEST "psybnc "
SecFilterSelective THE_REQUEST "fantastico_de_luxe "

SecFilter "bcc:"
SecFilter "bcc\x3a"
SecFilter "cc:"
SecFilter "cc\x3a"
SecFilter "bcc:|Bcc:|BCC:" chain
SecFilter "[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}\,\x20[A-Z0-9._%-]+@[A-Z0-9._%-]+\.[A-Z]{2,4}"

SecFilterSelective POST_PAYLOAD "Bcc:"
SecFilterSelective POST_PAYLOAD "Bcc:\x20"
SecFilterSelective POST_PAYLOAD "cc:"
SecFilterSelective POST_PAYLOAD "cc:\x20"
SecFilterSelective POST_PAYLOAD "bcc:"
SecFilterSelective POST_PAYLOAD "bcc:\x20"
SecFilterSelective POST_PAYLOAD "bcc: "

SecFilterSelective THE_REQUEST "Bcc:"
SecFilterSelective THE_REQUEST "Bcc:\x20"
SecFilterSelective THE_REQUEST "cc:"
SecFilterSelective THE_REQUEST "cc:\x20"
SecFilterSelective THE_REQUEST "bcc:"
SecFilterSelective THE_REQUEST "bcc:\x20"
SecFilterSelective THE_REQUEST "bcc: "

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
</IfModule>
---/Ruleset---

Unsure which would be triggering this error - I will gladly remove the rule if it can be found out which one is triggering this error.

Cheers, Pete.
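Added example, not from the post or from mod_security itself: a small Python model of how the ARG_PHPSESSID rule in the ruleset is evaluated against the request line in the audit log. It assumes mod_security 1.x separates query arguments on "&" only, so SMF's ";"-separated parameters stay glued to the session id and the pattern "!^[0-9a-z]*$" fires on a legitimate login; splitting on ";" as PHP does shows the value the rule was written to check.

```python
import re
from urllib.parse import urlsplit, unquote

# The rule from the poster's ruleset: deny unless ARG PHPSESSID is all [0-9a-z].
ALLOWED_SESSION_ID = re.compile(r"^[0-9a-z]*$")

# Request URI copied from the audit log entry in the post.
LOGGED_REQUEST_URI = (
    "/index.php?option=com_smf&Itemid=155"
    "&PHPSESSID=c47f32118f53421e5a9053b1f43036c0;action=login2;sa=check;member=62"
)


def parse_args(query, separators="&"):
    """Split a query string into {name: value}.

    Modelling assumption: mod_security 1.x separates arguments on '&' only,
    while PHP and SMF also honour ';' (PHP's arg_separator.input setting).
    """
    args = {}
    for part in re.split("[" + separators + "]", query):
        if not part:
            continue
        name, _, value = part.partition("=")
        args.setdefault(unquote(name), unquote(value))
    return args


def check_phpsessid_rule(request_uri, separators="&"):
    """Return (denied, value_seen) for SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"."""
    args = parse_args(urlsplit(request_uri).query, separators)
    value = args.get("PHPSESSID")
    if value is None:
        return False, None  # the rule only fires when the argument is present
    return ALLOWED_SESSION_ID.match(value) is None, value


if __name__ == "__main__":
    for seps in ("&", "&;"):
        denied, seen = check_phpsessid_rule(LOGGED_REQUEST_URI, seps)
        print(f"separators={seps!r}: denied={denied} PHPSESSID={seen!r}")
```

With "&" only the value seen is the whole ";action=login2;sa=check;member=62" tail, which is exactly the match the audit log's mod_security-message line reports; with "&;" the same request passes.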