inittux

more apache/php

Been kind of busy this past week, and this week too. Going to continue with my webserver project and will post and document here so others can use it, and I'll post my questions here when I'm stuck on something and can't figure it out. I'm going to try to install/configure suphp, mod_ssl, and maybe mod_security. And maybe others, but just starting with these.


mod_ssl is probably the easiest to handle first up - it's basically generating a certificate then configuring a Vhost with the SSL engine enabled. You may get the runaround with different dir locations, but CHECK THE LOGFILES, see what errors they report. That's usually the best way of determining what is going wrong.

 

Just watch out for the other two "interfering" with each other. suPHP will prevent content being served up if they have the wrong permissions or are in locations not whitelisted by the suPHP config file. Also note that suPHP can point to a different php.ini file - using the "phpinfo();" trick to report current configs is always a good bet, as well as checking logfiles - in particular the suPHP one, rather than the apache one.

 

As for mod_security... that was a whole new world of hurt for me, but I got them all working together successfully.

 

Only real advice I can give is: make ONE change at a time, check logs, see the effect. Making too many changes means it's difficult to work out which change "broke" things.

 

Good luck!


Thanks for the tip, will follow it up. I reinstalled my server with CentOS 6. It's a bit different, and I had some trouble getting it to work, but it's running again now. The first time I installed it I was able to install apache, php, and mysql. I was able to update the root user but wasn't able to update the feedmebits.user table; it seemed like the user didn't even exist. I did another reinstall and my server hung up on installation. Contacted my host and they said the partition table was corrupt, so that might have explained my problem in MySQL. I was now able to update my mysql password. Then I set up my apache configuration and wasn't able to get it to work for two days. I finally deleted all my apache configuration and retyped everything and restarted apache and it works now again. Have Joomla installed and my virtual domains work. Now I can continue with what I mentioned here in this post.

 

******************

 

This was the error I got but I'm pretty sure it was because of my corrupt partition cuz I had it every time after reinstalling the system twice, and after hosting fixed the partition I was able to do it without any problems:

 

 

mysql> USE databasename_db;
Database changed
mysql> UPDATE user SET Password=PASSWORD('password') WHERE user='testuser';
ERROR 1146 (42S02): Table 'databasename_db.user' doesn't exist
mysql>


I did come across something. I decided to install a virtual version of my server on my local pc so I can try it out first before I actually do it on my dedicated server. I made the virtual machine and installed with no problem; I was able to install mysql and httpd. I was able to reset the root user mysql password and I was able to make a mysql database and assign/make a user and give that user privileges. As soon as I try and reset the user password I get this same error again:

 

ERROR 1146 (42S02): Table 'feedmebits_db.user' doesn't exist

 

So it can't be because of a corrupt partition because I just installed the system. Been looking to find an answer on google but haven't found anything that could help me out yet. Any ideas?


mysql> USE databasename_db;
Database changed
mysql> UPDATE user SET Password=PASSWORD('password') WHERE user='testuser';
ERROR 1146 (42S02): Table 'databasename_db.user' doesn't exist
mysql>

All users are stored in the mysql.users table, ie: the "users" table in the "mysql" database.

 

A safer method is to use the "set password" statement, rather than try to update the mysql.users table directly, i.e.:

set password for testuser = password('PA55W0RD!');



 

I tried that and I still get an error that the user doesn't exist:

mysql> set password for testuser = password('password');
ERROR 1133 (42000): Can't find any matching row in the user table

 

This is what I used to create the table and make a user:

Creating new MySQL User:

mysql> create database test_db;
mysql> GRANT ALL PRIVILEGES ON test_db.* TO 'testuser'@'localhost' IDENTIFIED BY 'testuser' WITH GRANT OPTION;
mysql> UPDATE user SET Password=PASSWORD('newpassword') WHERE user='testuser';

 

 

 

howtoforge



 

 

The last bit is wrong - don't use "update user" to change the password directly.

[(none)] mysql> create database test_db;
Query OK, 1 row affected (0.02 sec)
[(none)] mysql> GRANT ALL PRIVILEGES
ON test_db.*
TO 'testuser'@'localhost'
IDENTIFIED BY 'testuser'
WITH GRANT OPTION;
Query OK, 0 rows affected (0.04 sec)

[(none)] mysql> set password for 'testuser'@'localhost' = password('PA55W0RD!');
Query OK, 0 rows affected (0.00 sec)

To test:

user@neptune:~$ mysql -u testuser --password=PA55W0RD!
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 451
Server version: 5.1.49-1ubuntu8.1 (Ubuntu)

[(none)] mysql> show databases;
+--------------------+
| Database   		|
+--------------------+
| information_schema |
| test_db        	|
+--------------------+
2 rows in set (0.00 sec)

[(none)] mysql> use test_db;
Database changed
[test_db] mysql> status
--------------
mysql  Ver 14.14 Distrib 5.1.49, for debian-linux-gnu (x86_64) using readline 6.1

Connection id:      	451
Current database:   	test_db
Current user:   		testuser@localhost
SSL:                	Not in use
Current pager:      	stdout
Using outfile:      	''
Using delimiter:    	;
Server version: 		5.1.49-1ubuntu8.1 (Ubuntu)

 

The alternative is to set the pass during the user creation/grant:

[(none)] mysql> GRANT ALL PRIVILEGES
ON test_db.*
TO 'testuser'@'localhost'
IDENTIFIED BY 'PA55W0RD!'
WITH GRANT OPTION;
Query OK, 0 rows affected (0.04 sec)


Strange, it worked with what you said:

[(none)] mysql> set password for 'testuser'@'localhost' = password('PA55W0RD!');
Query OK, 0 rows affected (0.00 sec)

 

Thanks :D

Just find it strange the first time I tried it, it didn't work. I'll make an adjustment to my documentation.

Learning something new every day :)


Mysql is odd with its permissions structure - sometimes it takes the username, other times it takes username/hostname.

 

I think if you specify just username it assumes username@% (ie: any host) rather than a specific host.

 

I've always learned (for security reasons) to bind accounts to localhost unless remote access is required - and even then I'm cautious about locking down to an originating IP and restricting the amount of databases that account can access.


ah ok :) thanks. Just a question. I was just looking through my documentation and I remember I should have a look at setting up IDS too. Would it be smarter for me to just look a bit more into apache first, as in mod_ssl, etc., or just set up IDS for security reasons and then continue looking into apache?


Yes to the former.

 

I'd get mod_ssl working and have https:// sites showing up first.

 

IDS are "outside" of Apache, and unless you have a "working apache" first it will be difficult for the IDS to detect attempted intrusions. Furthermore, if mod_ssl works yet breaks once you configure your IDS, you know it's your IDS at fault.



 

I got https:// sites working using this guide. Will add it to my documentation: https://feedmebits.nl

 

I did this last part too but didn't check if it worked without doing it. That should be safe to open up, right, cuz 443 is the ssl port you are opening up on the server?:

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/service iptables save
iptables -L -v


I took a look at mod_security. I think I'll try installing that first and see how it goes. And then maybe try installing an IDS.

I tried installing suPHP a while ago and you have to install it from source and then configure it.. And when I did that I was not even able to reach my site again because it messed up my php. The whole website looked strange and I wasn't able to undo it. I'll just get mod_security working first and then decide from there.


I tried installing suPHP a while ago and you have to install it from source and then configure it..

It's in the RPMForge repos. I just added it to CentOS 6 with a quick "yum".

 

And when I did that I was not even able to reach my site again because it messed up my php.

No, it didn't.

 

suPHP parses the PHP and runs it within a user context according to the config file, rather than running it in Apache's context - it does nothing to "mess up" the php.

 

What you WILL have found is that suPHP - by default - does not take kindly to relaxed permissions, which Apache tolerated. A common complaint about suPHP is that when first installed, all sites "break" - when it simply means that all the website content previously owned by "apache" or "httpd" now needs to be owned by "marten" and all files set to permissions 644.

 

The suPHP config file also contains a directive for suPHP logging - the contents of this logfile often reveals why suPHP won't parse your website code. Generally it boils down to one of several things:

  • wrong parser (mod_php is still active; php files should now be handled by mod_suphp)
  • wrong file/dir owner
  • wrong file/dir permissions
  • wrong file/dir location (suPHP doesn't like traversal outside of webroot)
  • deprecated code (some older and insecure PHP code is actively blocked by newer versions of suPHP)

 

However, this comes at a price: the overhead of parsing your code is longer and more processor-intensive, so many people drop suPHP in favour of standard mod_php.

 

If you are the only user of that box then it's not too much trouble to not bother using it. For my server, I have several users and each has an issue when they upload files and they're owned by "admin1:site1" so "www-user" can't write content into them. Using suPHP fixed that issue for me (and prevented an exploited site overspilling into another one).

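As an added illustration of the owner/permission/location checks described in the reply above (this is not code from the thread or from suPHP itself): a small Python audit that walks a docroot and reports content not owned by the site user, files whose mode is not 644 (directories not 755, which is my assumption for the directory case), and symlinks that resolve outside the webroot. The sample tree it builds is constructed for the demonstration.

```python
import os
import pwd
import stat
import tempfile


def audit_docroot(webroot, owner, file_mode=0o644, dir_mode=0o755):
    """Walk webroot and return [(relative_path, problem), ...] for anything
    suPHP is likely to refuse: content not owned by the site user, files or
    directories with a mode other than the expected one, and symlinks that
    resolve outside the webroot (traversal outside the docroot)."""
    root = os.path.realpath(webroot)
    expected_uid = pwd.getpwnam(owner).pw_uid
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()          # deterministic report order
        filenames.sort()
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # inspect the link itself, do not follow it
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                if target != root and not target.startswith(root + os.sep):
                    findings.append((rel, 'symlink escapes webroot -> %s' % target))
                continue
            if st.st_uid != expected_uid:
                findings.append((rel, 'owned by uid %d, expected %s' % (st.st_uid, owner)))
            want = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
            have = stat.S_IMODE(st.st_mode)
            if have != want:
                findings.append((rel, 'mode %o, expected %o' % (have, want)))
    return findings


def build_sample_tree():
    """Constructed fixture (not a real site): a throwaway docroot owned by the
    current user with a clean index.php, a world-writable config.php and a
    symlink pointing outside the docroot. Returns (webroot, owner)."""
    owner = pwd.getpwuid(os.getuid()).pw_name
    webroot = tempfile.mkdtemp(prefix='suphp-audit-')
    os.chmod(webroot, 0o755)
    os.mkdir(os.path.join(webroot, 'images'))
    os.chmod(os.path.join(webroot, 'images'), 0o755)
    samples = (('index.php', 0o644), ('images/logo.png', 0o644), ('config.php', 0o666))
    for name, mode in samples:
        path = os.path.join(webroot, name)
        with open(path, 'w') as fh:
            fh.write('<?php // constructed sample ?>\n')
        os.chmod(path, mode)
    # a link to the parent directory resolves outside the webroot
    os.symlink(os.path.dirname(webroot), os.path.join(webroot, 'outside'))
    return webroot, owner


if __name__ == '__main__':
    webroot, owner = build_sample_tree()
    for rel, problem in audit_docroot(webroot, owner):
        print('%s: %s' % (rel, problem))
```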

That makes it more understandable for me :) Will have a go at mod_security and mod_suphp then and then work on IDS and after I have that setup I'm going to work on a backup plan. Will post how installing/configuring of mod_security goes.


I have mod_security installed now using this guide. I'll have to take a look at the documentation for a more customized configuration, although I did take a glance at it and it seems a bit confusing. Will have more time for that later. But it seems that the default configuration should be active.


The info is surprisingly simple, just that there's a lot of it. It helps to draw out a diagram of how the files relate and which you should be looking at.

 

The rulesets are somewhat more complex, but in general you either download a new ruleset from a website or find that a workaround is published on the vendor's website when their web application (think phpwiki, xoops, phpBB, etc) breaks - which amounts to instructions on how to disable a specific ruleset (or add a file to bypass it).

 

It's rare I've had to create a new rule... I think I just disabled/enabled the ones provided.



 

Well I'll just leave it at default then and if I have any problems check it out on google :)

Ran into something strange again. I was trying to remove an application through yum, then I cancelled, and when I ran it again it said it was still in use by another program, yum. So I killed all the yum processes and then I wasn't able to use yum anymore. So I thought I'd reboot my server, and somehow port 22 wasn't reachable from outside but my hosting provider could ping it. So I did a reinstall cuz I couldn't do anything. Got mysql, php, and apache installed, then I configured as I had and restarted apache. It said it failed because apache couldn't find my FQDN. I have servername set in my virtual domains, so that can't be it. I tried editing /etc/hosts and /etc/sysconfig/network, then restarting networking services. Didn't work. I then rebooted to see if my FQDN would change and it's changed name, set to webserver.feedmebits.nl. I tried to start apache, but this time I just get failed to start with no error message. I checked my /var/log/httpd/error.log. Nothing interesting, just this:

No such file or directory: httpd: could not open error log file /var/log/httpd/websites/feedmebits.nl/error.log

I'm kind of confused and have checked all apache settings and network settings. And the strange thing is, before I didn't have a FQDN either and apache would mention it but I was able to start apache. I'll keep trying/looking but have about tried everything I came across on google.


I figured out the problem. I made a very tiny typing error I overlooked every time, and my FQDN is set now. Strange thing is, I got all the permissions set right now and my template installed. But now I have like a pink bar going across my template which I didn't have before. Don't quite get that.



Did you check that /var/log/httpd/websites/feedmebits.nl/error.log is a valid path?


These small overlooks and mistakes I make are annoying but they do help me learn more and look more carefully :P


I was able to install modsecurity again and got it working now, cuz when I want to install templates with joomla I get the error that the file is too large. So I'll probably have to look through the config file to change a few settings, but I'll have to take a look at the joomla documentation. But have it turned off for now. Now will try and see how far I get with suphp.


I'm still having some trouble with mod_security and joomla not working together. I found a set of rules on a joomla forum but it was posted in 2008 so I don't know how effective these rules are. In the same post it is advised to use another set of rules from gotroot. I was looking at Individual Ruleset downloads for modsec 2.x but don't know how safe it is to use a set of rules from a site like this. Need some advice on this.


I'm going to suggest the gotroot ones, given that the ones I used from the xoops site appeared on gotroot soon after.

 

You'll find that most web applications which choke on mod_security will have a custom rule posted on their website somewhere as a workaround but then finds itself included in the newer gotroot downloads, so I'd go for the latter being more recent.

 

The other option is to disable it for your joomla site to see if joomla works without it. If so, then you know it's the mod_sec filtering that's causing the issue. I've had someone blame mod_sec until disabling it showed that a site misconfiguration was to blame, however mod_sec blocked the error message so it wasn't fully clear.



 

I've already tried. With mod_security on, I can't adjust some options in joomla, and when I upload/install a new template it won't work, and when I check the mod_security logs it sees it as an sql injection and other things like that, and with it off everything works fine. Will try out the gotroot rules then. Thanks.


I was able to install mod_security via their provided rpm and via adding their repo. The strange thing is, if I install them they are installed but the directories mentioned in their wiki aren't automatically created. As far as I understand, if I install it from their rpm or from their repo it should create those directories and config files automatically, and then I can install an updater so that it will install those rules. Or am I understanding it wrong here? Cuz under "setting up mod_security" it specifically mentions to add those directories if you didn't use their repo or rpm.

 

http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules


Try the "-ql" option to rpm on the package to see what dirs it created as part of the install.



It installed these directories, not the ones mentioned in the wiki:

/etc/httpd/conf.d/00_mod_security.conf
/etc/httpd/modsecurity.d
/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
/usr/lib64/httpd/modules/mod_security2.so
/usr/share/doc/mod_security-2.6.1
/usr/share/doc/mod_security-2.6.1/CHANGES
/usr/share/doc/mod_security-2.6.1/LICENSE
/usr/share/doc/mod_security-2.6.1/README.TXT
/usr/share/doc/mod_security-2.6.1/doc
/usr/share/doc/mod_security-2.6.1/doc/Reference_Manual.html
/usr/share/doc/mod_security-2.6.1/modsecurity.conf-recommended

 

When I install the one from EPEL it installs a lot more. I'm just going to try and follow the wiki and see what happens.


I ended up installing mod_security 2.5 from epel.repo and I followed the whole wiki and tested my config and restarted apache. It's working. Before when I had mod_security installed I wasn't able to install a template while mod_security was activated; now I can, and I can change other settings on the admin site without getting an error that I don't have permission. Is there a way to check for sure that my mod_security rules are working? Now I'll have a look at IDS because it seems like someone is trying to break in and it has kind of got me worried.

 

*******************

 

I found a way to test it like it said in the wiki but I get an error:

[root@localhost ~]# wget https://localhost/fo...//feedmebits.nl --no-check-certificate
--2011-09-22 21:50:52-- https://localhost/fo...//feedmebits.nl
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:443... connected.
WARNING: cannot verify localhost’s certificate, issued by “/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=webserver.feedmebits.nl/emailAddress=root@webserver.feedmebits.nl”:
Self-signed certificate encountered.
WARNING: certificate common name “webserver.feedmebits.nl” doesn’t match requested host name “localhost”.
HTTP request sent, awaiting response... 404 Not Found
2011-09-22 21:50:52 ERROR 404: Not Found.

 

Looks like the certificate is still seeing my old fqdn, cuz I changed it to localhost.localdomein a while ago? I tried remaking my certificate but that doesn't make a difference. Got this from my ssl error log:

[Thu Sep 22 20:46:45 2011] [warn] RSA server certificate CommonName (CN) `webserver.feedmebits.nl' does NOT match server name!?


Just to note something that will be useful for those reading this. When your apache won't restart because it doesn't know the servername, you'll get this error:

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.domain for ServerName
[FAILED]

edit /etc/sysconfig/network:

vi /etc/sysconfig/network
- edit the hostname and the domain
- reboot

then edit your hosts file: vi /etc/hosts

at the end of the file add your ip/hostname, ie:

192.168.1.1 webserver.example.com

restart apache: /etc/init.d/httpd restart

It should work now.

Now back to mod_security and then looking at IDS.



You also get this if you haven't set your ServerName in the main httpd.conf - by default, it's commented out. Apache attempts to make a guess by using name resolution and in many cases fails - your editing there is improving Apache's chances of guessing right, but that's only because it was never formally told via the ServerName directive.

 

Note that this ServerName can be set to anything you like - it generally only gets reported in error pages, as well as becoming a name for unmatched VHOSTS.

 

Usually all other server config settings will override/hide this value and it rarely gets exposed in any webpages.


I see it now. How I resolved it without using this, is that fine too? Or is it better to change that back and then use the ServerName in httpd.conf?


Essentially you fixed it by leaving enough clues for Apache to guess, but that relies on Apache having to expend additional effort hunting for the correct information. Using ServerName specifies it explicitly and allows Apache to start quicker.

 

Note that many hosting providers rely on ServerName to hide the real hostname or to separate out the identity of the Apache server from the host name - so that Apache can be moved between different platforms and still retain its identity without being tied to the underlying operating system. That's really the reason why many services (pure-ftpd, postfix, squid, etc) have a feature to establish their own identity separate from the OS.


I finally got my mod_security figured out. It's even too much protection if I use these rules, so I have them deactivated. I have enough protection from just the standard mod_security rules, because with them activated I can't install plugins, modules, and templates. Only need to figure out a way to whitelist my own ip from mod_security, which is possible. Now ready to start on IDS and then figure out a way to backup/restore in case I run into problems.


It *is* possible to add a rule to whitelist an IP - I did it once - but it then defeated my testing, since my rule meant everything worked for me but *only* me.

 

If you find that mod_security is breaking some sites, the logfiles should give you an indication of what it's blocking - it does tend to be somewhat paranoid about code, and in some ways has raised awareness of "defensive programming/secure coding" amongst plenty of developers unaware of just how exploitable their code was.

 

For all of my sites, I first flicked mod_security off to ensure it all worked fine without any filtering, then flicked it on and kept checking the logfiles to see what it stamped down upon. Sometimes, the changes I had to make were fairly simple (wrong permissions, owner, etc), but in other cases required upgrading web-based applications to the newer one which was mod_sec compliant.[1]

 

[1] a few websites give workarounds showing how to disable and/or whitelist specific modsec functionality for their apps whilst they worked upon the next version that included more robust code which wouldn't trigger modsec false positives.

 

It's still a learning curve, ultimately. I wouldn't get too bogged down upon what the rulesets actually are (nor about trying to write them), it is safer to check that website code (drupal, etc) works with mod_sec and investigate the reasons why not. Usually the reasons are something of concern and DO need to be addressed.


Yeah that's true, but I was more thinking that I won't have to look into any of the rules to make it work for my own ip. I could always unwhitelist my ip to test. But I might as well do it right while I'm learning :P I have the modsecurity standard rules activated and I have the asl (from gotroot) deactivated. When I have the ones from asl activated my whole website is not accessible anymore. So I have it deactivated for now, going to figure out the standard mod_security rules problem first. When I have the standard modsecurity rules activated my website works fine, but when I go to my backend and change for example a template setting I get an error permission denied. I check my logfile and it gives me this error message:

 

 

 

[12/Oct/2011:14:46:25 +0200] TpWMIV5L6qcAAAYaFTEAAAAB 145.117.9.54 37936 94.75.234.167 443

--2c67c23e-B--

POST /administrator/index.php?option=com_templates&layout=edit&id=9 HTTP/1.1

Host: feedmebits.nl

Connection: keep-alive

Content-Length: 1363

Cache-Control: max-age=0

Origin: https://feedmebits.nl

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1

Content-Type: application/x-www-form-urlencoded

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Referer: https://feedmebits.nl/administrator/index.php?option=com_templates&view=style&layout=edit&id=9

Accept-Encoding: gzip,deflate,sdch

Accept-Language: nl-NL,nl;q=0.8,en-US;q=0.6,en;q=0.4

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Cookie: f842f640e32e90667fe9655ea38a3626=cd709e8cc010452c9aa1497fedbca249; jpanesliders_panel-sliders=0; jpanesliders_template-sliders-9=0

 

--2c67c23e-C--

jform%5Btitle%5D=Joomlage0038-Transition+-+Default&jform%5Btemplate%5D=joomlage0038-transition&jform%5Bclient_id%5D=0&jform%5Bhome%5D=1&task=style.apply&10070264a26c5b6cc2f35b5afab22885=1&jform%5Bparams%5D%5Bgraphics_colorStyle%5D=style3&jform%5Bparams%5D%5Bfont_size%5D=12px&jform%5Bparams%5D%5Bsite_font_color%5D=%23000000&jform%5Bparams%5D%5Bleft_font_color%5D=%23FFFFFF&jform%5Bparams%5D%5Bsmall_headings_font_color%5D=%23000000&jform%5Bparams%5D%5Bcolor_link_content%5D=%23EDEDED&jform%5Bparams%5D%5Bcolor_link_content_hover%5D=%23333333&jform%5Bparams%5D%5Bleftside_link_color%5D=%23F7F7F7&jform%5Bparams%5D%5Bleftside_link_hover_color%5D=%23F0F0F0&jform%5Bparams%5D%5BlogoType%5D=text&jform%5Bparams%5D%5BlogoText%5D=My+Learning+Project&jform%5Bparams%5D%5BsloganText%5D=Doing+is+learning&jform%5Bparams%5D%5Bcopyright%5D=Copyright+%C2%A9+feedmebits.nl+2011&jform%5Bparams%5D%5Bnav_home_sw%5D=0&jform%5Bparams%5D%5Bnav_home%5D=&jform%5Bparams%5D%5Bnav_rssfeed_sw%5D=0&jform%5Bparams%5D%5Bnav_rssfeed%5D=&jform%5Bparams%5D%5Bnav_twitter_sw%5D=0&jform%5Bparams%5D%5Bnav_twitter%5D=https%3A%2F%2Ftwitter.com%2F%23%21%2Ffeedmebits&jform%5Bparams%5D%5Bnav_facebook_sw%5D=0&jform%5Bparams%5D%5Bnav_facebook%5D=&jform%5Bparams%5D%5Bnav_myspace_sw%5D=0&jform%5Bparams%5D%5Bnav_myspace%5D=&jform%5Bparams%5D%5Bnav_blogger_sw%5D=0&jform%5Bparams%5D%5Bnav_blogger%5D=

--2c67c23e-F--

HTTP/1.1 403 Forbidden

Content-Length: 289

Connection: close

Content-Type: text/html; charset=iso-8859-1

 

 

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][leftside_link_hover_color]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][l"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][logoType]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][l"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][logoText]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][l"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][sloganText]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][s"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][copyright]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][c"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_home_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_home]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_rssfeed_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_rssfeed]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_twitter_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_twitter]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_facebook_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_facebook]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_myspace_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_myspace]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_blogger_sw]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Pattern match "(?:=\s*\w+\s*\+\s*")|(?:\+=\s*\(\s")|(?:!+\s*[\d.,]+\w?\d*\s*\?)|(?:=\s*\[s*\])|(?:"\s*\+\s*")|(?:[^\s]\[\s*\d+\s*\]\s*[;+])|(?:"\s*[&|]+\s*")|(?:\/\s*\?\s*")|(?:\/\s*\)\s*\[)|(?:\d\?.+:\d)|(?:]\s*\[\W*\w)|(?:[^\s]\s*=\s*\/)" at ARGS_NAMES:jform[params][nav_blogger]. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] [line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] [data "][n"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/RFE"]

Message: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 100): 900030-Detects common XSS concatenation patterns 1/2"]

Action: Intercepted (phase 2)

Apache-Handler: php5-script

Stopwatch: 1318423585315934 61972 (800* 61480 -)

Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.5; 200911012341; core ruleset/2.0.5; 200911012341.

Server: Apache/2.2.15 (CentOS)

 

--2c67c23e-Z--

Share this post


Link to post
Share on other sites
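One thing the audit log above makes visible is that rule 900030 is firing on ARGS_NAMES, the parameter *names*, not on any submitted value: every `[data "..."]` field is `][` followed by the first letter of the nested key (`][l` for `jform[params][logoType]`, `][c` for `jform[params][copyright]`), which is exactly what the `(?:]\s*\[\W*\w)` alternative of the logged pattern looks for, and Joomla's `jform[params][...]` naming convention produces that sequence on every template parameter. Each CRITICAL match feeds the anomaly score, and the enforcement rule in `modsecurity_crs_49_enforcement.conf` returned the 403 once the score reached 100. The following Python script is an added example, not code from this thread or from the ModSecurity project: it parses `Message:` lines (a constructed sample built in the same format as the log above), re-runs the logged pattern on the inspected parameter name, and checks that the alternative it finds reproduces the logged `[data]`, so you can tell a naming-convention false positive from a real hit.

```python
"""Diagnose CRS 2.0 rule-900030 hits in a ModSecurity (Apache) audit log.

Added example, not from the thread or the ModSecurity project. It parses the
"Message:" lines of an audit log section and re-runs the logged regex against
the text the rule actually inspected (the parameter name) to show which
alternative fired and whether it reproduces the logged [data].
"""
import re

# The pattern logged for rule 900030 (modsecurity_crs_41_phpids_filters.conf,
# line 201), copied from the audit log and split into its twelve top-level
# alternatives so each one can be tested on its own.
ALTERNATIVES = [
    r'(?:=\s*\w+\s*\+\s*")',
    r'(?:\+=\s*\(\s")',
    r'(?:!+\s*[\d.,]+\w?\d*\s*\?)',
    r'(?:=\s*\[s*\])',
    r'(?:"\s*\+\s*")',
    r'(?:[^\s]\[\s*\d+\s*\]\s*[;+])',
    r'(?:"\s*[&|]+\s*")',
    r'(?:\/\s*\?\s*")',
    r'(?:\/\s*\)\s*\[)',
    r'(?:\d\?.+:\d)',
    r'(?:]\s*\[\W*\w)',          # the one that matches "][l" in jform[params][logoType]
    r'(?:[^\s]\s*=\s*\/)',
]
RULE_900030 = "|".join(ALTERNATIVES)

# Constructed sample: three rule hits plus the final denial, in the same layout
# as the audit log posted in the thread (file paths and rule id taken from it).
_ATTRS = ('[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf"] '
          '[line "201"] [id "900030"] [msg "Detects common XSS concatenation patterns 1/2"] '
          '[data "%s"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag "WEB_ATTACK/CSRF"]')


def _message(arg_name, data):
    """Build one 'Message:' line exactly as ModSecurity 2.5 writes it."""
    return 'Message: Pattern match "%s" at ARGS_NAMES:%s. %s' % (RULE_900030, arg_name, _ATTRS % data)


SAMPLE_LOG = "\n".join([
    _message("jform[params][logoType]", "][l"),
    _message("jform[params][copyright]", "][c"),
    _message("jform[params][nav_home]", "][n"),
    'Message: Access denied with code 403 (phase 2). '
    '[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf"] [line "25"] '
    '[msg "Anomaly Score Exceeded (score 100): 900030-Detects common XSS concatenation patterns 1/2"]',
    "Action: Intercepted (phase 2)",
])

MESSAGE_RE = re.compile(r'^Message: (?P<body>.*)$', re.M)
ATTR_RE = re.compile(r'\[(\w+) "([^"]*)"\]')        # [key "value"] pairs at the end of a message
VAR_RE = re.compile(r' at (?P<var>\S+)\. \[file ')   # "... at ARGS_NAMES:jform[...]. [file"


def parse_messages(log_text):
    """Return one dict per 'Message:' line with rule id, variable, data, msg and severity."""
    hits = []
    for m in MESSAGE_RE.finditer(log_text):
        body = m.group("body")
        attrs = dict(ATTR_RE.findall(body))   # repeated [tag] entries collapse; we only need id/data/msg
        var = VAR_RE.search(body)
        hits.append({
            "id": attrs.get("id"),
            "var": var.group("var") if var else None,
            "data": attrs.get("data"),
            "msg": attrs.get("msg"),
            "severity": attrs.get("severity"),
        })
    return hits


def inspected_text(variable):
    """'ARGS_NAMES:jform[params][logoType]' -> 'jform[params][logoType]' (what the regex ran on)."""
    return variable.split(":", 1)[1] if ":" in variable else variable


def explain_match(text):
    """Return (alternative_number, matched_text) for the first alternative that fires, else None."""
    for n, alt in enumerate(ALTERNATIVES, start=1):
        m = re.search(alt, text)
        if m:
            return n, m.group(0)
    return None


def diagnose(log_text):
    """For each variable hit: (parameter name, alternative number, logged [data] reproduced?)."""
    report = []
    for hit in parse_messages(log_text):
        if hit["var"] is None:           # the 'Access denied' summary line carries no variable
            continue
        name = inspected_text(hit["var"])
        found = explain_match(name)
        reproduced = found is not None and found[1] == hit["data"]
        report.append((name, found[0] if found else None, reproduced))
    return report


def anomaly_score(log_text):
    """Score reported by the CRS enforcement rule, or None if the request was not denied."""
    m = re.search(r'Anomaly Score Exceeded \(score (\d+)\)', log_text)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for name, alt, ok in diagnose(SAMPLE_LOG):
        print("%-32s alternative %s  reproduces logged data: %s" % (name, alt, ok))
    print("anomaly score:", anomaly_score(SAMPLE_LOG))
```

Every hit in the sample reproduces from the parameter name alone via alternative 11, while a flat name such as `jform[title]` matches nothing, which is the signature of a naming-convention false positive rather than an injected value. Disabling the rule outright with `SecRuleRemoveById 900030` is the blunt fix; a narrower one keeps the rule active for request values and only excludes the ARGS_NAMES target on the Joomla administrator path, but which exclusion directives are available depends on the ModSecurity release (the log shows 2.5.12, so check its changelog). On the separate test vhost suggested below, `SecRuleEngine DetectionOnly` records the same Message lines without returning the 403, so you can run this script over the audit log while the site keeps working.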

Firstly... don't suppose you have referrer-blocking on, have you?

 

Secondly, consider setting up a test site using Vhosting and having mod_security running on that one but off on your second. Then you can compare what differences there are between each when mod_sec trips and blocks content.

Share this post


Link to post
Share on other sites

Firstly... don't suppose you have referrer-blocking on, have you?

 

Secondly, consider setting up a test site using Vhosting and having mod_security running on that one but off on your second. Then you can compare what differences there are between each when mod_sec trips and blocks content.

 

Don't even know what it is, but looked it up and no I don't have rewrite engine on

Good idea about making a test site, hadn't thought of that yet :P

Share this post


Link to post
Share on other sites

Firstly... don't suppose you have referrer-blocking on, have you?

 

Secondly, consider setting up a test site using Vhosting and having mod_security running on that one but off on your second. Then you can compare what differences there are between each when mod_sec trips and blocks content.

 

Don't even know what it is, but looked it up and no I don't have rewrite engine on

Good idea about making a test site, hadn't thought of that yet :P.

 

I was thinking more refcontrol or so - I have it installed and it's triggered mod_sec at times.
