Questions tagged [mod-security]

ModSecurity supplies an array of request and response filtering rules and other security features to the Apache HTTP Server. ModSecurity is an open source web application layer firewall.

344 questions
3 votes, 1 answer

Mod Security ctl:ruleEngine=Off Whitelist Fails in Phase 1

mod_security with custom rules and whitelists in separate .conf files - Apache 2.2, modsec 2.8 Whitelist rule: SecRule REMOTE_ADDR "^10\.10\.10\.10" phase:1,nolog,allow,ctl:ruleEngine=Off,id:104008 If a request is sent to the server that includes…
Santrix
3 votes, 1 answer

ModSecurity on IIS: Single threaded?

I installed ModSecurity on a web server running IIS 8.5, and noticed the response time has increased 15 times (0.15 ms/request vs. 2.2 ms/request), even with SecEngine set to off. It seems that IIS is running on single-threaded mode when ModSecurity…
Jim
3 votes, 0 answers

How to filter POST data with mod_security when type is text/xml?

I'm trying to craft a rule which would match a certain regex in POST requests. The rule I have so far looks like: SecRule REQUEST_FILENAME "form.php" \ "id:'12345',chain,deny,status:406,log,msg:'foobar detected'" SecRule REQUEST_METHOD "POST"…
Hrvoje Špoljar
3 votes, 2 answers

mod_security 960015 blocks Google and other good bots

mod_security rule 960015 keeps catching Google and other good bots. I have the following in the vhost to prevent good bots from being caught: SecRule REQUEST_HEADERS:User-Agent "Mail.ru" log,allow SecRule HTTP_USER_AGENT "Mail.RU_Bot"…
Vlad
3 votes, 1 answer

ModSecurity: What do MULTIPART_DATA_BEFORE and MULTIPART_DATA_AFTER mean?

I'm getting the following ModSecurity error when posting form data to a LiquidWeb server: Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 1, DA 1, HF 0, LF 0, SM 0, IQ 0, IP 0, IH 0, FL 0 As you can see DB and DA have been set…
bradt
3 votes, 2 answers

Blocking repeated http requests in Apache behind a load balancer

I have a number of EC2 servers on AWS running apache behind a load balancer (ELB). Every now and then some IP address abuses the API hosted on the EC2 servers and causes a denial of service. I have no access to the load balancer so I need to block…
3 votes, 2 answers

Mod_security Logging

I'm trying to run mod_security as a standalone service with nginx as a reverse proxy. Everything works fine except logging. Mod_security logs the reverse proxy's IP address instead of the client's IP address. I would appreciate it if someone can help. The following is…
Hex
3 votes, 1 answer

Modifying Apache configuration via a Web Interface

I would like to create a website on my server, which runs Apache2, to allow a user to fill in a form containing a desired subdomain name to be created on the server. For example, a user could go to the site on the server at example.com, fill out the…
dgh
3 votes, 1 answer

What do the audit log records for ModSecurity actually mean?

We have ModSecurity setup to log to modsec_audit.log for Apache2. Today we have had 2259 entries created in this log with a referrer of: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) Do these entries mean that bingbot has…
Linnay
3 votes, 1 answer

Where I can find ModSecurity Rules for Specific Applications

Where can I find ModSecurity rules for specific applications, especially Joomla, WordPress, Mambo?
Libyano
3 votes, 2 answers

mod_unique_id: unable to find IPv4 address of FQDN despite setting etc/hosts and Apache ServerName

I'm trying to get mod_security and hit the very common hostname error of [alert] (EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address of "computername.domain.com" This normally means an entry is required in the hosts file.…
KCD
3 votes, 1 answer

Looking for a good web penetration testing client

I'm implementing mod_security on an apache server. In order to test the effectiveness of the protection, I am looking for a client that can generate a set of predefined malicious HTTP requests. I will test the requests with and without mod_security…
Max
3 votes, 1 answer

what is the impact of increasing the SecResponseBodyLimit from default value (512k) to (5M)?

I installed mod_security version 2.5.13 with apache2 and I'm facing a problem with SecResponseBodyLimit: ( ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified)) and my question is: what is the impact of…
user79483
3 votes, 2 answers

mod_security IP collection key not being set correctly

I'm using an IP collection in a load-balanced setup; I therefore want mod_security to act on the X-Forwarded-For header instead of the REMOTE_ADDR. Here is my rule: SecAction…
Caseus
3 votes, 3 answers

modsecurity inbound_anomaly_score

I get this error from the web server - is this a known issue? There are plenty of questions on Google, but no clear solution. [error] [client ] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file…
webminal.org