ModSecurity supplies an array of request and response filtering rules and other security features to the Apache HTTP Server. ModSecurity is an open source web application layer firewall.
Questions tagged [mod-security]
344 questions
1
vote
1 answer
ModSecurity not writing to new rotated log files?
I've the following logs rotation set up in the OS for nginx's and modsec's logs, and it works for nginx's logs but not for modsec's. The result for modsec is that it made a copy for the log file but it keeps on writing to the old one as…

skwokie
1
vote
1 answer
Apache too many child process - mpm_event caught SIGTERM shutting down
My Apache with ModSecurity, mod_evasive20 enabled occasionally getting crashed:
These are glimpse of error log:
[core:warn]**: child process 24709 still did not exit, sending a SIGTERM
[core:error]**: child process 24709 still did not exit, sending a…

TheMonkeyKing
1
vote
1 answer
mod_security default_SESSION.pag file huge size
default_SESSION.pag file showing 575G though df -h showing less.
/dev/xvda1 40G 19G 19G 51% /
What is this default_SESSION.pag file actually used for? It is updated when there are entries coming in the error log.
Mutex ssl-stapling-refresh:…

Valsaraj Viswanathan
0
votes
1 answer
Can mod_security be configured to create log only?
I've installed mod_security on openSUSE and want to make it log only.
I want absolutely no blocking or filtering of any kind.
I've created a config file as:
SecAuditEngine On
SecAuditLog /siteA/user/logs/mod.log
SecAuditLogParts ABIZ
This is…

Rocket
0
votes
1 answer
Modsecurity only allow access from two particular REFERER HEADERs
I have a Modsecurity rule which blocks all requests where the browser Referer Header is different from this: sub1.example.com.
So basically the rule only allows requests when the Header Referer is sub1.example.com:
SecRule REQUEST_HEADERS:REFERER…

user3132858
0
votes
1 answer
ModSecurity dependency not found?
1. yum groupinstall 'Development tools'
2. yum install -y geoip-devel libcurl-devel libxml2-devel libxslt-devel libgb-devel lmdb-devel openssl-devel pcre-devel perl-ExtUtils-Embed yajl-devel zlib-devel
3. cd /opt
4. git clone --depth 1 -b v3/master…

Isaac
0
votes
1 answer
Drop and Nolog HTTP CONNECT request with modsecurity
In my virtualhost I have this modsecurity setup
SecRuleEngine On
SecRule REQUEST_METHOD "@streq CONNECT" "id:1,nolog,drop,phase:1"
Despite the 'nolog' instruction I got in apache access log the CONNECT request with 403 forbidden error, why?
I need…

Giuseppe
0
votes
1 answer
mod security blocking basic authentication
I have a vps with centos 7, apache with mod_security and mod_evasive. I have a form in php with basic authentication. When I try to authenticate through the application (before activating mod security worked) appears in the logs that entered the…

Mylon
0
votes
1 answer
mod_security X-Forwarded-For not being blocked
I made some changes to my config as per this suggestion:
SecAction \
"id:901321,\
phase:1,\
pass,\
t:none,\
nolog,\
initcol:global=global,\
initcol:ip=%{x-forwarded-for}_%{tx.ua_hash},\
…

Yes Barry
0
votes
0 answers
Logging POST request body in modsecurity
Hello I'm using libmodsecurity (4e6e4243|v3.0.3) on nginx(1.15.12) with the connector being the current master (d7101e13685) and OWASP CRS on (ab24a20faf28156f0|v3.1.0).
I am trying to log the POST request body (C part in modsecurity) on a specific…

ateam
0
votes
1 answer
ModSecurity CRS 3 - Disable SQLi Rule For URI Pattern
I am trying to disable rule 942100 (an SQLi rule) when certain values are present in the URI, but apache won't start so something is wrong.
My attempt (in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf):
SecRule ARGS "@rx…

Yes Barry
0
votes
1 answer
ModSecurity, expirevar won't work
I've enabled modsecurity in my nginx k8s ingress using this guide, then I've added the following custom rules to block potential brute force attack
# Block by ip
# Retrieve the username
SecAction "phase:2,log,pass,initcol:ip=%{REMOTE_ADDR}"
#…

Gigitsu
0
votes
2 answers
Can Modsecurity detect and block infected client computers that connect to a server?
I have the latest version of Modsecurity (as of March 25th 2019) installed on my server. I am using OWASP rulesets along with fail2ban on Linux.
I know it is designed to block hacking attempts. Should I assume that people who are not attempting…

User6655
0
votes
1 answer
Updating ModSecurity when using OWASP rule sets
I am somewhat new to Modsecurity and still have a long way to go so bear with me. Ubuntu 18.04
I'm currently running Modsecurity 2.9.2-1 and OWASP rules 3.0.2
I would like to update the rules to what's currently available on github, which is…

User6655
0
votes
0 answers
My nginx log not read the web activity in real time
I am confused, my nginx log does not read the web activity in real time. The log will tell what happens after several time (it is hours).
Do you know why?
Thanks

Abdul