Posts Tagged ‘mod_security’

mod_security & mod_deflate

By Mark Davidson on February 24th, 2010

Recently, with mod_security running on this server, I noticed some errors in the mod_security logs relating to content encoding:

[22/Feb/2010:20:41:06 +0000] [www.pablumfication.co.uk/sid#7f5543997918][rid#7f5543ef1228][/wp-admin/load-styles.php][2] Warning. Operator EQ matched 0 at GLOBAL. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"]

I did a bit of research into the error and found a good post on Klaubert’s Blog – modsecurity vs content compression, where he suggests a mod_deflate config. He also mentions the gmane Mail Archive post Rule 960903 – content encodings, where the original config comes from.

The config seems to work perfectly, but I thought I would write this post to add a bit of a step by step to getting this configuration working under a standard Ubuntu 9.04 install running mod_security, as it is likely that not all the required modules will be enabled by default.

First enable the following modules

sudo a2enmod ext_filter
sudo a2enmod headers
sudo a2enmod filter

Next, using your favourite editor, open /etc/apache2/mods-enabled/deflate.conf, comment out the existing content and add the following.

<IfModule mod_deflate.c>
 # No-op external filter; not referenced by the chain below
 ExtFilterDefine nodeflate mode=output cmd=/bin/true \
 enableenv=SomeVarThatWillNeverBeSet

 SetOutputFilter DEFLATE

 # Netscape 4.x has some problems
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 # Netscape 4.06-4.08 have some more problems
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 # IE is ok, but looked like Netscape, so we reset it
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

 # Remember that the client accepts gzip (force-gzip is an env variable
 # mod_deflate honours), then drop the request headers so compression is
 # not negotiated before mod_security has seen the response body.
 SetEnvIfNoCase Accept-Encoding gzip force-gzip
 SetEnvIfNoCase TE gzip force-gzip

 RequestHeader unset Accept-Encoding
 RequestHeader unset TE

 # Skip images and archives based on extension
 SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|zip|exe|swf|mpe?g|mp3|tgz|tar\.gz|avi|ico|gz)$ no-gzip dont-vary

 # Make sure caching still works
 Header append Vary User-Agent env=!dont-vary

 # mod_security's output filter, which must see the uncompressed body
 <IfModule mod_security2.c>
 FilterDeclare modsec CONTENT_SET
 FilterProvider modsec modsecurity_out env=modsec-ignore !=1
 </IfModule>

 # DEFLATE, only for clients that advertised gzip support
 FilterDeclare compress CONTENT_SET
 FilterProvider compress deflate env=force-gzip =1
 #FilterProvider compress inflate Content-Type $image/jpeg
 #FilterProvider compress inflate Content-Type $image/gif
 #FilterProvider compress inflate Content-Type $image/png

 FilterProtocol compress "change=yes"
 # Chain order is filter order: inspect first, compress second
 <IfModule mod_security2.c>
 FilterChain modsec compress
 </IfModule>

 <IfModule !mod_security2.c>
 FilterChain compress
 </IfModule>
</IfModule>

Lastly restart apache

sudo apache2ctl graceful

And that's it. This should allow mod_security and mod_deflate to run together on the server without the warning above; check the log after the restart to confirm that rule 960903 no longer fires and that responses to a browser still arrive with Content-Encoding: gzip.
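Why the order of the two filters matters can be shown with a small model of them. The following Python is an added example written for this page, not code from the post, Apache or ModSecurity: deflate_filter and modsecurity_out_filter stand in for mod_deflate's DEFLATE filter and the modsecurity_out filter, the LEAK pattern is an illustrative outbound rule rather than a Core Rule, the Content-Encoding check is a model of what the 960903 warning is about, and the response body is constructed. Chaining DEFLATE before modsecurity_out leaves the inspection looking at gzip bytes; the order FilterChain modsec compress produces, modsecurity_out then deflate, inspects the page and still delivers it compressed.

```python
import gzip
import re
from typing import Dict, List, Tuple

# A response as it moves down Apache's output filter chain: headers plus body.
Response = Tuple[Dict[str, str], bytes]

# Illustrative outbound rule: a PHP error a web application could leak.
# This is a stand-in for an outbound leakage rule, not one of the Core Rules.
LEAK = re.compile(rb"Warning: mysql_\w+\(\)")

# Constructed sample response, not real server output.
PLAINTEXT: Response = (
    {"Content-Type": "text/html"},
    b"<pre>Warning: mysql_connect(): Access denied for user 'wp'@'localhost'</pre>",
)


def deflate_filter(resp: Response) -> Response:
    """Model of mod_deflate's DEFLATE output filter: gzip the body."""
    headers, body = resp
    out = dict(headers)
    out["Content-Encoding"] = "gzip"
    return out, gzip.compress(body)


def modsecurity_out_filter(resp: Response, findings: List[str]) -> Response:
    """Model of modsecurity_out: inspect the body it is handed and pass it on.

    Like the 960903 warning in the post, it gives up on a body that already
    carries a Content-Encoding, since the rules would see gzip bytes rather
    than the page.
    """
    headers, body = resp
    encoding = headers.get("Content-Encoding", "identity")
    if encoding != "identity":
        findings.append("960903: body is %s-encoded, not inspected" % encoding)
    elif LEAK.search(body):
        findings.append("outbound leak detected")
    return resp


def run_chain(resp: Response, order: List[str]) -> Tuple[Response, List[str]]:
    """Pass the response through the named filters in the given order."""
    findings: List[str] = []
    for name in order:
        if name == "deflate":
            resp = deflate_filter(resp)
        elif name == "modsecurity_out":
            resp = modsecurity_out_filter(resp, findings)
        else:
            raise ValueError("unknown filter %r" % name)
    return resp, findings


def client_sees(resp: Response) -> bytes:
    """What the browser ends up with after undoing any Content-Encoding."""
    headers, body = resp
    if headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body


if __name__ == "__main__":
    for order in (["deflate", "modsecurity_out"], ["modsecurity_out", "deflate"]):
        final, findings = run_chain(PLAINTEXT, order)
        print(" -> ".join(order), findings, client_sees(final) == PLAINTEXT[1])
```

In both orders the client receives the same page, so a missing or mis-ordered chain does not show up in the browser; it only shows up as the warning in the mod_security log, which is why checking the log after the change is worthwhile.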

WordPress & Apache mod_security: Part 01

By Mark Davidson on February 5th, 2010

After my initial post about WordPress and mod_security, I decided to have a bit more of a look around to find what rules other people had needed to disable to get it working.

I found a really good post over at Gray.me.uk – Mod security and wordpress the final config which had a few additional rules mentioned, but did not solve the problems I was having initially. So I thought I would draw on what they had posted and what I have learnt to produce a fully working list of rules that need to be disabled in order for WordPress 2.9.1 and mod_security Core Rules 2.0.3 to work together.

Below follows an example vhost file, the important elements being the LocationMatch blocks containing the SecRuleRemoveById directives. Note that LocationMatch takes an unanchored regular expression, so "/" applies to every request and "/wp-admin/" matches that segment anywhere in the path, not only at the site root.

<VirtualHost *:80>
    ServerName pablumfication.co.uk
    ServerAlias www.pablumfication.co.uk

    DocumentRoot /var/www/pablumfication.co.uk
    <Directory />
        Options +FollowSymLinks
        AllowOverride FileInfo
    </Directory>

    # Apache does not accept a comment after a directive on the same line,
    # so each note sits on the line above the rule it describes.
    <LocationMatch "/">
        # Google robot activity - useful in some ways but noisy for sites you want crawled
        SecRuleRemoveById 910006
        # Request Missing an Accept Header - allow for Google Reader
        SecRuleRemoveById 960015
    </LocationMatch>

    <LocationMatch "/wp-includes/">
        # Request content type is not allowed by policy - allows, amongst other things, spell check to work in the admin area
        SecRuleRemoveById 960010
        # Require Content-Length to be provided with every POST request - same as above
        SecRuleRemoveById 960012
    </LocationMatch>

    <LocationMatch "(/wp-admin/|/wp-login.php)">
        # Remote File Access Attempt - probably not needed by everyone, but it stops me putting /etc/ and other such Linux paths in posts
        SecRuleRemoveById 950005
        # Remote File Inclusion Attack - disabled to allow http:// to be passed in args
        SecRuleRemoveById 950117
    </LocationMatch>

    <LocationMatch "(/wp-admin/post.php|/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-includes/)">
        # System Command Injection - another rule that probably doesn't need disabling by everyone; it stops .exe and various other extensions being passed in args
        SecRuleRemoveById 950006
    </LocationMatch>
</VirtualHost>

WordPress & Apache mod_security

By Mark Davidson on February 5th, 2010

Hi all, this is my first post for this new blog and, appropriately enough, it is about the blog itself.

If you're concerned about security, or paranoid like me, you are most likely running Apache mod_security on your server. If you're not: mod_security is what is referred to as a web application firewall. It applies filters and rules to data submitted to and returned by the web server and, using pattern matching, can detect attacks such as SQL injection and either block or log them. I plan to cover this in more detail in my next post, but that is a very brief explanation; for a more in-depth one see the modsecurity website.

When it came to setting up this blog with WordPress I found that I was unable to use the admin area of the site, because WordPress was triggering one of the mod_security rules.

After clicking login and the form being submitted I was greeted with a page saying

Method Not Implemented
POST to /wp-login.php not supported.

Checking the mod_security log, /var/log/apache2/mod_security/modsec_debug.log, I found this entry:

[05/Feb/2010:10:57:21 +0000] [www.pablumfication.co.uk/sid#7f1a39164270][rid#7f1a393ed888][/wp-login.php][1] Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tp:/" at ARGS:redirect_to. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_42_tight_security.conf"] [line "32"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]

The reason this occurs is the hidden redirect_to field that WordPress posts from the login page:

<input name="redirect_to" type="hidden" value="http://www.pablumfication.co.uk/wp-admin/" />

and the rule that is being triggered is

SecRule ARGS "^(?:ht|f)tp:/" \
    "phase:2, t:none, t:htmlEntityDecode, t:lowercase, capture, ctl:auditLogParts=+E, deny, log, auditlog, status:501, msg:'Remote File Inclusion Attack', id:'950117', severity:'2'"

which matches the http:// at the start of the argument value. The rule runs t:htmlEntityDecode and t:lowercase on every argument first, so an upper-case or entity-encoded scheme matches too, and the deny action's status:501 is what produces the "Method Not Implemented" page.
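Rather than read entries like this (and the 960903 warning in the mod_deflate post above) by hand, it helps to split them into fields and count hits per rule, URI and matched variable; that is what tells you whether an exception can be scoped to one location or one argument. The following Python is an added example for this page, not code from the post or from ModSecurity: the regexes only cover the entry shape shown on this page, and SAMPLE_LOG is constructed (its first two lines are the entries quoted in these posts; the rest are made up in the same shape, and the file names and line numbers on them are not taken from the real Core Rules).

```python
import re
from collections import Counter
from typing import List, Optional

# Fixed prefix of a ModSecurity 2.x log entry as it appears in these posts:
# [timestamp] [host/sid#...][rid#...][uri][debug level] message [key "value"]...
_PREFIX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<host>[^/\]]+)/sid#[0-9a-f]+\]\[rid#[0-9a-f]+\]"
    r"\[(?P<uri>[^\]]*)\]\[(?P<level>\d+)\] (?P<rest>.*)$"
)
# Trailing metadata such as [id "950117"] [msg "Remote File Inclusion Attack"].
_KV = re.compile(r'\[(?P<key>[a-z_]+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
# The variable the operator matched, e.g. "at ARGS:redirect_to." or "at GLOBAL."
_AT = re.compile(r" at (?P<target>[A-Z_]+(?::[^ .]+)?)\.")
# Present only when the rule blocked the request.
_DENY = re.compile(r"Access denied with code (?P<status>\d+) \(phase (?P<phase>\d)\)")

# Constructed sample log: the first two lines are the entries quoted in the
# posts, the rest are invented in the same shape (file names and line numbers
# on the invented lines are not from the real Core Rules).
SAMPLE_LOG = """\
[22/Feb/2010:20:41:06 +0000] [www.pablumfication.co.uk/sid#7f5543997918][rid#7f5543ef1228][/wp-admin/load-styles.php][2] Warning. Operator EQ matched 0 at GLOBAL. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"]
[05/Feb/2010:10:57:21 +0000] [www.pablumfication.co.uk/sid#7f1a39164270][rid#7f1a393ed888][/wp-login.php][1] Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tp:/" at ARGS:redirect_to. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_42_tight_security.conf"] [line "32"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]
[05/Feb/2010:11:02:44 +0000] [www.pablumfication.co.uk/sid#7f1a39164270][rid#7f1a393edaaa][/wp-login.php][1] Access denied with code 501 (phase 2). Pattern match "^(?:ht|f)tp:/" at ARGS:redirect_to. [file "/etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_42_tight_security.conf"] [line "32"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"]
[05/Feb/2010:11:15:09 +0000] [www.pablumfication.co.uk/sid#7f1a39164270][rid#7f1a393edbbb][/wp-admin/post.php][1] Access denied with code 501 (phase 2). Pattern match "/etc/" at ARGS:content. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "58"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"]
[23/Feb/2010:08:00:00 +0000] [www.pablumfication.co.uk/sid#7f5543997918][rid#7f5543ef1ccc][/wp-admin/load-scripts.php][2] Warning. Operator EQ matched 0 at GLOBAL. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id "960903"] [msg "ModSecurity does not support content encodings"] [severity "WARNING"]
this line is not a modsecurity rule entry and must be skipped
"""


def parse_entry(line: str) -> Optional[dict]:
    """Split one log line into its fields, or return None if it is not an entry."""
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    kvs = list(_KV.finditer(rest))
    head = rest[: kvs[0].start()] if kvs else rest  # free text before [file ...]
    entry = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "uri": m.group("uri"),
        "level": int(m.group("level")),
        "message": head.strip(),
    }
    for kv in kvs:
        entry[kv.group("key")] = kv.group("val")
    at = _AT.search(head)
    entry["target"] = at.group("target") if at else ""
    deny = _DENY.search(head)
    entry["denied"] = deny is not None
    entry["status"] = int(deny.group("status")) if deny else None
    return entry


def rule_entries(log_text: str) -> List[dict]:
    """All parsed entries that carry a rule id."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e and "id" in e]


def summarise(log_text: str) -> Counter:
    """Count hits per (rule id, request URI, matched variable).

    A rule that keeps firing on the same URI and the same argument is a
    candidate for a scoped SecRuleRemoveById rather than a global one.
    """
    return Counter((e["id"], e["uri"], e["target"]) for e in rule_entries(log_text))


def uris_for_rule(log_text: str, rule_id: str) -> List[str]:
    """Sorted unique URIs a rule fired on: the paths a LocationMatch must cover."""
    return sorted({e["uri"] for e in rule_entries(log_text) if e["id"] == rule_id})


if __name__ == "__main__":
    for (rule_id, uri, target), n in sorted(summarise(SAMPLE_LOG).items()):
        print("%s  %-28s %-20s %d" % (rule_id, uri, target, n))
```

On the sample, 950117 only ever fires on /wp-login.php against ARGS:redirect_to, which is the justification for the scoped exception below rather than removing the rule everywhere.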

So how do we fix this?

Well, you could just disable the rule by commenting it out with a #, or by using SecRuleRemoveById to disable it globally, but that rather defeats the point. After a bit of playing around I decided the best way around it is to add a Location-based exception to the virtual host, as follows.

<LocationMatch "(/wp-admin/|/wp-login.php)">
    # Disable Remote File Inclusion rule
    SecRuleRemoveById 950117
    # Had to add this one as well when writing this article, as the article contains /etc/ which triggers the "Remote File Access Attempt" rule
    SecRuleRemoveById 950005
</LocationMatch>

This disables the Remote File Inclusion Attack rule (and 950005) for the /wp-admin/ directory and the /wp-login.php page only; the rest of the site keeps both rules. Two things to keep in mind: Apache does not allow a comment after a directive on the same line, so the notes above sit on their own lines, and LocationMatch takes an unanchored regular expression, so this pattern also matches those names anywhere in a path; anchor it with ^ if you want it limited to the site root.

A full example of how the vhost file should look:

<VirtualHost *:80>
    ServerName pablumfication.co.uk
    ServerAlias www.pablumfication.co.uk

    DocumentRoot /var/www/pablumfication.co.uk
    <Directory />
        Options +FollowSymLinks
        AllowOverride FileInfo
    </Directory>

    <LocationMatch "(/wp-admin/|/wp-login.php)">
        SecRuleRemoveById 950117
        SecRuleRemoveById 950005
    </LocationMatch>
</VirtualHost>

That's all for now, short and sweet. Any questions or comments, I would love to hear what you think and would be happy to answer them. I plan to post at least twice a week for a while. My next article will be on setting up mod_security under Gentoo and Ubuntu 9.04, so if you're not running mod_security yet please check out that post in the next few days; hopefully I'll convince you it's worth your time.