On Wed, 2 Dec 2009 11:04:03 -0700, gnul nullchar@gmail.com wrote:
I have not run RoundCube under mod_security, but from what I know about mod_security, I am sure it can be done.
mod_security simply applies a [long] list of rules to the contents of each request (GET/POST/HEAD/etc) including the header.
Depending on your ruleset, you often have to add exceptions for certain applications, and/or disable entire rules server-wide. What I've done in the past is: tail -F error_log while you use the application. Then you add exceptions for the uri (e.g. "/roundcube") or hostname or disable certain rules inside the modsecurity*.conf files.
Thank you for your interest in my problem. How easy is it to apply new rules to mod_security?
This is a sample error_log entry for a rule that matched against the uri:
[Wed Dec 02 08:05:20 2009] [error] [client 80.238.x.x] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]|..." at REQUEST_BASENAME. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "94"] [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [hostname "www.example.com"] [uri "/_vti_bin/owssvr.dll"] [unique_id "Cp2VIQpvGRgAAC1Cvk4AAAAM"]
Running mod_security is a great idea, but is kinda like running SELinux; it takes a lot of time to set it up for all your apps.
I think mod_security is still the first defense against all kinds of attacks. I do not practice SELinux.
Good luck.
thanks
-gnul
List info: http://lists.roundcube.net/users/
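Added example, not from the thread or from RoundCube: a small Python triage helper for the "tail -F error_log, then add exceptions for the uri" step gnul describes. It parses the ModSecurity 2.x error_log fields shown in the sample entry above, groups the rule ids by whether the request was under the application's URI prefix, and renders a ModSecurity 2.x stanza (SecRuleRemoveById inside LocationMatch) for only those hits. The sample log lines, the /roundcube prefix, the 192.0.2.10 client, the mail.example.com hostname and rule id 950901 are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the error_log format quoted in the thread: the first
# line mirrors the thread's own entry; the other two (client, hostname, uri
# and rule id 950901) are constructed placeholders, not real log data.
SAMPLE_ERROR_LOG = r'''
[Wed Dec 02 08:05:20 2009] [error] [client 80.238.x.x] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|..." at REQUEST_BASENAME. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "94"] [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [hostname "www.example.com"] [uri "/_vti_bin/owssvr.dll"] [unique_id "Cp2VIQpvGRgAAC1Cvk4AAAAM"]
[Wed Dec 02 08:06:01 2009] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:_search. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "12"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "mail.example.com"] [uri "/roundcube/"] [unique_id "CONSTRUCTED2"]
[Wed Dec 02 08:07:44 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). Pattern match "..." at REQUEST_BASENAME. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "94"] [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [hostname "mail.example.com"] [uri "/roundcube/program/localization/en_US/labels.inc"] [unique_id "CONSTRUCTED3"]
'''

EVENT_RE = re.compile(r'ModSecurity: (?P<action>Access denied with code \d+ \(phase \d\)\.|Warning\.)')
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')  # [id "960035"], [uri "/x"], ...
CLIENT_RE = re.compile(r'\[client (?P<ip>[^\]]+)\]')

def parse_events(log_text):
    """One dict per ModSecurity event line; lines from other modules are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        client = CLIENT_RE.search(line)
        events.append({"action": m.group("action"),
                       "client": client.group("ip") if client else None,
                       "id": fields.get("id"), "msg": fields.get("msg"),
                       "hostname": fields.get("hostname"), "uri": fields.get("uri", "")})
    return events

def split_by_prefix(events, prefix):
    """Map rule id -> URIs, separately for hits under the app prefix and elsewhere."""
    inside, outside = defaultdict(set), defaultdict(set)
    for ev in events:
        bucket = inside if ev["uri"].startswith(prefix) else outside
        bucket[ev["id"]].add(ev["uri"])
    return inside, outside

def render_location_exception(prefix, rule_ids):
    """ModSecurity 2.x stanza that removes the ids only under the prefix (rules stay active elsewhere)."""
    body = "\n".join(f"    SecRuleRemoveById {rid}" for rid in sorted(rule_ids))
    return f'<LocationMatch "^{prefix}">\n{body}\n</LocationMatch>'

if __name__ == "__main__":
    inside, outside = split_by_prefix(parse_events(SAMPLE_ERROR_LOG), "/roundcube")
    for rid, uris in inside.items():
        print(f"# rule {rid} fired under /roundcube on: {sorted(uris)}")
    print(render_location_exception("/roundcube", inside))
```

Review each listed id against the URIs it fired on before pasting the stanza into your modsecurity*.conf: a rule that also fired outside the application (here 960035 on /_vti_bin/owssvr.dll, a path RoundCube does not serve) is usually doing its job there and is only exempted under the application prefix.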