[RCU] [RCD] recurring problem at the level of authentication and total absence of log

fakessh fakessh at fakessh.eu
Wed Dec 2 20:11:34 CET 2009


On Wed, 2 Dec 2009 11:04:03 -0700, gnul <nullchar at gmail.com> wrote:
> I have not run RoundCube under mod_security, but from what I know
> about mod_security, I am sure it can be done.
> 
> mod_security simply applies a [long] list of rules to the contents of
> each request (GET/POST/HEAD/etc) including the header.
> 
> Depending on your ruleset, you often have to add exceptions for
> certain applications, and/or disable entire rules server-wide.  What
> I've done in the past is:  tail -F error_log   while you use the
> application.  Then you add exceptions for the uri (e.g. "/roundcube")
> or hostname or disable certain rules inside the modsecurity*.conf
> files.
> 

Thank you for your interest in my problem.
How easy is it to apply new rules to mod_security?

> This is a sample error_log entry for a rule that matched against the
> uri:
> 
> [Wed Dec 02 08:05:20 2009] [error] [client 80.238.x.x] ModSecurity:
> Access denied with code 500 (phase 2). Pattern match
> "\\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\\w{0,5}~|webinfo|ht[rw]|xs[dx]|
> ..." at REQUEST_BASENAME. [file
> "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line
> "94"] [id "960035"] [msg "URL file extension is restricted by policy"]
> [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [hostname
> "www.example.com"] [uri "/_vti_bin/owssvr.dll"] [unique_id
> "Cp2VIQpvGRgAAC1Cvk4AAAAM"]
> 
> Running mod_security is a great idea, but is kinda like running SE
> Linux; it takes a lot of time to set it up for all your apps.
> 


I think mod_security is still the first defense against all kinds of
attacks.
I do not use SE Linux.

> Good luck.
> 

Thanks.

>  -gnul
_______________________________________________
List info: http://lists.roundcube.net/users/
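
The tuning workflow described in the quoted reply (watch error_log while using the application, then scope exceptions to its URI) can be supported by a small log summariser. This is an added example, not part of the original thread or of ModSecurity; the log lines are constructed, and only rule id 960035 and its URI come from the entry quoted above, while ids 9999901/9999902, the client address and the /roundcube paths are placeholders.

```python
import re
from collections import defaultdict

# Matches the bracketed key "value" fields ModSecurity 2.x appends to each entry.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def make_entry(rule_id, msg, uri):
    """Build one constructed error_log line in the format quoted in the thread."""
    return ('[Wed Dec 02 08:05:20 2009] [error] [client 192.0.2.10] ModSecurity: '
            'Access denied with code 500 (phase 2). [id "%s"] [msg "%s"] '
            '[hostname "www.example.com"] [uri "%s"]' % (rule_id, msg, uri))

# Constructed sample log. Only id 960035 and its uri come from the thread;
# the other ids and paths are placeholders.
SAMPLE_LOG = "\n".join([
    make_entry("960035", "URL file extension is restricted by policy", "/_vti_bin/owssvr.dll"),
    make_entry("9999901", "placeholder rule A", "/roundcube/index.php"),
    make_entry("9999901", "placeholder rule A", "/roundcube/program/js/app.js"),
    make_entry("9999902", "placeholder rule B", "/roundcube-old/index.php"),
    "[Wed Dec 02 08:05:21 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/x",
])

def parse_entry(line):
    """Return the key/value fields of a ModSecurity entry, or None for other lines."""
    _, sep, detail = line.partition("ModSecurity:")
    if not sep:
        return None
    return dict(FIELD_RE.findall(detail))

def summarize(log_text, app_prefix):
    """Split blocked requests into rule ids hit under app_prefix and ids hit elsewhere."""
    base = app_prefix.rstrip("/")
    in_app, elsewhere = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_entry(line)
        if not fields or "id" not in fields or "uri" not in fields:
            continue
        uri = fields["uri"]
        # Path-boundary match: "/roundcube-old" must not count as "/roundcube".
        inside = uri == base or uri.startswith(base + "/")
        (in_app if inside else elsewhere)[fields["id"]].add(uri)
    return dict(in_app), dict(elsewhere)

if __name__ == "__main__":
    in_app, elsewhere = summarize(SAMPLE_LOG, "/roundcube")
    for rule_id, uris in sorted(in_app.items()):
        print("review for exception under /roundcube: id %s (%d URIs)" % (rule_id, len(uris)))
    for rule_id, uris in sorted(elsewhere.items()):
        print("leave enabled: id %s blocked %s" % (rule_id, ", ".join(sorted(uris))))
```

Rule ids reported under the application prefix are candidates for a URI-scoped exception after review; ids that only fired elsewhere, such as 960035 on the request in the quoted entry, need no exception for the application.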