

Mod Security Issue




Posted by Earthblaze, 04-10-2014, 05:03 PM
Hi guys,

After spending the day hunting down links and a lot of reading, I successfully managed to install mod security and the OWASP rule set via ssh. I also tweaked some Apache settings as I have a small server with PHPBB running. Everything looked good until I tried to access the admin panel after logging in. I got a "You don't have permission to access /adm/index.php on this server".

A search on both Google and the PHPBB forums highlighted the problem (it seems to happen with WordPress and Joomla as well). All I can seem to find is the recommendation to disable mod-security, which I don't want to do. The issue was highlighted as being a problem with mod security not liking cp in the http address. I have checked and I cannot find a cp (https://---------/adm/index.php?sid=...a62a9316467727).

I also found a patch, but it's from 2008 and surely it must have been fixed by now. Link to patch: https://www.phpbb.com/community/view...1455&p=4597015

My directory and file permissions are unchanged, so this is definitely a mod security problem. I'm wondering if a .htaccess file would correct the problem. Any help or links would be much appreciated.

Thanks, Earthblaze

Posted by Genius Guard, 04-10-2014, 05:09 PM
Try blanking (removing) the rules from the modsecurity config file and check again. If your site works, it is a modsecurity issue. Then put the rules back and check again, and search the Apache error log or the modsecurity log for the blocked message and rule ID. You can then find which rules cause this and remove or change them; you don't need to disable modsecurity completely.

Posted by vectro, 04-10-2014, 06:28 PM
The first step in solving your problem is finding the rule ID that is causing the blockage. The ModSecurity log will show you this. Using SSH, tail the log with the -f option, then open the admin panel in a browser to generate the error again while tail is open.

You should see an error similar to this in the SSH window:

Press Ctrl+C to exit tail after it generates the error you expect to see, or else more errors might show up and the one you want will scroll away.

This is the part you want to look for in the error message:

You will now need to make an exception for that rule. If you're using Apache, the code to exclude it looks like this:

Posted by Earthblaze, 04-11-2014, 10:32 AM
Thanks for taking the time to offer advice .. really appreciated. I will follow your advice and hopefully track down the offending rule.

Posted by Earthblaze, 04-11-2014, 01:20 PM
Hi Genius Guard and vectro.

I tried to log in and checked the Apache log file in Webmin. It gave this:

[Fri Apr 11 03:58:02 2014] [error] [client 146.115.36.59] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "29"] [id "960008"] [rev "2"] [msg "Request Missing a Host Header"] [severity "WARNING"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "---------.co.uk"] [uri "/"] [unique_id "U0doSgUs6j0AACq2Qg0AAAAG"]

I did as vectro suggested and added the following to my httpd.conf file

I restarted Apache but the error/forbidden access is still there. While installing mod security and rule sets I added this to my httpd.conf file after virtual host.

Any ideas?

Cheers, Earthblaze
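An added example, not part of any post in this thread: a Python sketch of the log-reading step the replies describe. It lists only the rules that denied requests under one path, since the entry quoted above records uri "/" rather than /adm/index.php. The sample log is constructed, the 9990xx rule IDs are placeholders, and wrapping `SecRuleRemoveById` in a `<Location>` block is this example's choice of a path-scoped exception, not something a poster specified.

```python
import re

# Constructed sample log. Line 1 has the shape of the entry quoted in the thread
# (id 960008, uri "/"); the rest are made up and 9990xx are placeholder rule ids.
SAMPLE_LOG = """\
[Fri Apr 11 03:58:02 2014] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [id "960008"] [msg "Request Missing a Host Header"] [hostname "example.test"] [uri "/"] [unique_id "c1"]
[Fri Apr 11 13:05:10 2014] [error] [client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:sid. [id "999001"] [msg "Placeholder rule A"] [hostname "example.test"] [uri "/adm/index.php"] [unique_id "c2"]
[Fri Apr 11 13:05:40 2014] [error] [client 192.0.2.20] ModSecurity: Warning. Pattern match at ARGS. [id "999003"] [msg "Placeholder rule C"] [hostname "example.test"] [uri "/adm/index.php"] [unique_id "c3"]
[Fri Apr 11 13:06:02 2014] [error] [client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS. [id "999002"] [msg "Placeholder rule B"] [hostname "example.test"] [uri "/adm/index.php"] [unique_id "c4"]
[Fri Apr 11 13:06:30 2014] [error] [client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:sid. [id "999001"] [msg "Placeholder rule A"] [hostname "example.test"] [uri "/adm/index.php"] [unique_id "c5"]
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] pairs


def parse_entries(log_text):
    """Yield one dict per ModSecurity line, holding the first value of each field."""
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        entry = {}
        for key, value in FIELD.findall(line):
            entry.setdefault(key, value)  # [tag ...] repeats; keep the first per key
        entry["denied"] = "ModSecurity: Access denied" in line
        yield entry


def rules_blocking(log_text, path_prefix):
    """Return {rule id: message} for denials whose URI starts with path_prefix."""
    hits = {}
    for e in parse_entries(log_text):
        if e["denied"] and e.get("uri", "").startswith(path_prefix) and "id" in e:
            hits.setdefault(e["id"], e.get("msg", ""))
    return hits


def exclusion_block(hits, path_prefix):
    """Render an exception limited to path_prefix instead of a server-wide one."""
    lines = ["<IfModule mod_security2.c>", f'  <Location "{path_prefix}">']
    for rule_id, msg in sorted(hits.items()):
        lines += [f"    # {msg}", f"    SecRuleRemoveById {rule_id}"]
    lines += ["  </Location>", "</IfModule>"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(exclusion_block(rules_blocking(SAMPLE_LOG, "/adm/"), "/adm/"))
```

Warning-only entries and denials for other paths are left out, so the generated block disables nothing beyond the rules that actually returned a 403 for the path being debugged.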

Posted by vanmorrison, 04-11-2014, 01:34 PM
Repeat the steps; there may be more than one rule blocking you.

Posted by Truman, 04-11-2014, 02:23 PM
Please tail the apache error logs again to see if any other mod_security rules are playing.

Posted by zacharooni, 04-11-2014, 02:58 PM
You probably have it in deny mode instead of collaborative detection mode. The difference being it will deny access on every rule hit, instead of anomalous ones. Adjust modsecurity_crs_10_setup.conf to your liking, and read through the detection mode options.

Posted by vectro, 04-11-2014, 06:13 PM
Sometimes the exception works without declaring the module name as long as it is placed in httpd.conf AFTER the line where ModSecurity was initially invoked. For example, this might suffice by itself without if placed in the right location:

Another possibility is your module is not named mod_security2.c. It might have a different name. In my case, I have a cPanel server and use the account-specific includes files to make exceptions for particular web sites. When doing that, I use

Posted by Earthblaze, 04-11-2014, 07:03 PM
I repeated the process and added four more rule IDs. This has solved the problem, Thanks guys. zacharooni, I will do what you suggested tomorrow. Many thanks, Earthblaze


