On Wed, 2 Dec 2009 08:17:14 -0600, chasd chasd@silveroaks.com wrote:
Sorry about my last message, I made a mistake not to send it to the list.
There's nobody else who encounters the same problems with the release 0.3.1 and mod_security.
Here is the problem: for tests ordered by Charles, we must stop roundcube, and now I have three accounts running on production with roundcube disables mod_security.
It bothers me to stop my webmail service for several hours.
If anyone has a solution, an official patch, a good suggestion
I think the issue is that no one else on the list is running mod_security. I think you are the first to run into the issue.
If someone else is running RC and mod_security, please speak up.
I listen to any suggestions regarding my problem with mod_security.
I made some tests on XP and VISTA successfully with mod_security disabled.
Thanks for all your feedback.
_______________________________________________
List info: http://lists.roundcube.net/users/
I have not run RoundCube under mod_security, but from what I know about mod_security, I am sure it can be done.
mod_security simply applies a [long] list of rules to the contents of each request (GET/POST/HEAD/etc) including the header.
Depending on your ruleset, you often have to add exceptions for certain applications, and/or disable entire rules server-wide. What I've done in the past is: tail -F error_log while you use the application. Then you add exceptions for the uri (e.g. "/roundcube") or hostname or disable certain rules inside the modsecurity*.conf files.
This is a sample error_log entry for a rule that matched against the uri:
[Wed Dec 02 08:05:20 2009] [error] [client 80.238.x.x] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]| ..." at REQUEST_BASENAME. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "94"] [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [hostname "www.example.com"] [uri "/_vti_bin/owssvr.dll"] [unique_id "Cp2VIQpvGRgAAC1Cvk4AAAAM"]
Running mod_security is a great idea, but is kinda like running SE Linux; it takes a lot of time to set it up for all your apps.
Good luck.
-gnul
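The tuning loop described in the message above (watch error_log while using the application, then add exceptions for the URI), as an added example that is not from this thread or from the ModSecurity project. The function names, rule ids 999001/999002, client addresses and /roundcube log lines are constructed for illustration; only the first sample entry is abbreviated from the one quoted above.

```python
import re
from collections import Counter

# Constructed sample: line 1 abbreviates the entry quoted above; rule ids
# 999001/999002, their msgs, the clients and the /roundcube URIs are made up.
SAMPLE_LOG = r'''
[Wed Dec 02 08:05:20 2009] [error] [client 80.238.x.x] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\.(?:c(?:o(?:nf ..." at REQUEST_BASENAME. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "94"] [id "960035"] [msg "URL file extension is restricted by policy"] [uri "/_vti_bin/owssvr.dll"]
[Wed Dec 02 08:06:01 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). [id "999001"] [msg "constructed rule A"] [uri "/roundcube/"]
[Wed Dec 02 08:06:04 2009] [error] [client 192.0.2.10] ModSecurity: Access denied with code 500 (phase 2). [id "999001"] [msg "constructed rule A"] [uri "/roundcube/index.php"]
[Wed Dec 02 08:06:07 2009] [error] [client 198.51.100.7] ModSecurity: Access denied with code 500 (phase 2). [id "999002"] [msg "constructed rule B"] [uri "/roundcube/"]
[Wed Dec 02 08:06:09 2009] [notice] caught SIGTERM, shutting down
'''
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
CLIENT = re.compile(r'\[client ([^\]]+)\]')

def parse_denials(log_text):
    """Return one dict of fields per 'ModSecurity: Access denied' line."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        m = CLIENT.search(line)
        fields = dict(FIELD.findall(line), client=m.group(1) if m else "")
        # Log content is partly attacker-influenced: accept numeric ids only.
        if re.fullmatch(r"[0-9]+", fields.get("id", "")) and "uri" in fields:
            events.append(fields)
    return events

def rules_hit(events, prefix, client):
    """Count denials per (id, msg) for one test client under a URI prefix."""
    base, hits = prefix.rstrip("/"), Counter()
    for e in events:
        in_scope = e["uri"] == base or e["uri"].startswith(base + "/")
        if in_scope and e["client"] == client:
            hits[(e["id"], e.get("msg", ""))] += 1
    return hits

def candidate_exception(hits, prefix):
    """Render a per-location exception to review, not a server-wide disable."""
    out = ['<LocationMatch "^%s(/|$)">' % re.escape(prefix.rstrip("/"))]
    for (rule_id, msg), count in sorted(hits.items()):
        safe = msg.rstrip("\\")  # log data: never end a config line with "\"
        out.append("    # %d denial(s): %s" % (count, safe))
        out.append("    SecRuleRemoveById %s" % rule_id)
    out.append("</LocationMatch>")
    return "\n".join(out)

if __name__ == "__main__":
    hits = rules_hit(parse_denials(SAMPLE_LOG), "/roundcube", "192.0.2.10")
    print(candidate_exception(hits, "/roundcube"))
```

Counting only denials from your own test client keeps other visitors' blocked requests out of the exception list. SecRuleRemoveById has to be loaded after the rules it names, so a reviewed stanza goes after the ruleset includes.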
On Wed, 2 Dec 2009 11:04:03 -0700, gnul nullchar@gmail.com wrote:
I have not run RoundCube under mod_security, but from what I know about mod_security, I am sure it can be done.
mod_security simply applies a [long] list of rules to the contents of each request (GET/POST/HEAD/etc) including the header.
Depending on your ruleset, you often have to add exceptions for certain applications, and/or disable entire rules server-wide. What I've done in the past is: tail -F error_log while you use the application. Then you add exceptions for the uri (e.g. "/roundcube") or hostname or disable certain rules inside the modsecurity*.conf files.
Thank you for your interest in my problem. How easy is it to apply new rules to mod_security?
This is a sample error_log entry for a rule that matched against the uri:
[Wed Dec 02 08:05:20 2009] [error] [client 80.238.x.x] ModSecurity: Access denied with code 500 (phase 2). Pattern match "\.(?:c(?:o(?:nf(?:ig)?|m)|s(?:proj|r)?|dx|er|fg|md)|p(?:rinter|ass|db|ol|wd)|v(?:b(?:proj|s)?|sdisco)|a(?:s(?:ax?|cx)|xd)|d(?:bf?|at|ll|os)|i(?:d[acq]|n[ci])|ba(?:[kt]|ckup)|res(?:ources|x)|s(?:h?tm|ql|ys)|l(?:icx|nk|og)|\w{0,5}~|webinfo|ht[rw]|xs[dx]| ..." at REQUEST_BASENAME. [file "/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf"] [line "94"] [id "960035"] [msg "URL file extension is restricted by policy"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [hostname "www.example.com"] [uri "/_vti_bin/owssvr.dll"] [unique_id "Cp2VIQpvGRgAAC1Cvk4AAAAM"]
Running mod_security is a great idea, but is kinda like running SE Linux; it takes a lot of time to set it up for all your apps.
I think mod_security is still the first defense against all kinds of attacks. I do not practice SE LINUX.
Good luck.
thanks
-gnul