modsecurity+fail2ban

Hello,

I am testing modsecurity with fail2ban.

I have commented out this line in /etc/httpd/conf.d/modsecurity.conf as instructed here: HOWTO fail2ban with ModSecurity2.5 - Fail2ban

#SecAuditLogRelevantStatus "^(?:5|4(?!04))"

However, when I log in to a WordPress site I get blocked by fail2ban. I checked modsec_audit.log and I see it logged all the HTML code from the site.

How can I prevent this from happening?

Apart from being blocked, I noticed that when a user is logged in to WordPress everything is logged to modsec_audit.log; by everything I mean the HTML/PHP code from the WordPress site, which makes the log huge.

I am new to mod_security, help please :wink:

Hi

Please provide us your mod_security configuration.
Are you using CWAF rules or other ruleset?
What version of mod_security do you have?
What web-server installed (Apache, LiteSpeed, Nginx)?
Do you have any web hosting panel on your server (cPanel, Plesk etc) ?
If you are using CWAF rules, are you using the CWAF plugin or vendor?

Thank you in advance.

Best regards, Oleg

Hello,

I am using Webmin and the Comodo WAF plugin with Comodo rules.
I have the latest ModSecurity version, 2.9.
The web server is Apache 2.2 on CentOS 6.7.
I also have Google mod_pagespeed and Zend OPcache.

I have installed the client using cwaf_client_install.sh.

I haven't changed anything apart from placing a few country blocks in custom rules, which by the way work great.

I am new to ModSecurity so I don't know if it is normal to see full web pages with HTML, PHP, etc. in modsec_audit.log.

Here is what I see in modsec_audit.log just before a full web page is loaded into the log:

--b7f0880d-A--
[06/Oct/2015:05:24:00 +0100] VhNM3i5lEToAABNXRnEAAAAA xxx.xx.xxx.xx 23074 xx.xx.xx.xx 80
--b7f0880d-B--
GET / HTTP/1.1
Host: www.domain.com
Connection: Keep-Alive
Accept-Encoding: gzip
CF-IPCountry: XX
X-Forwarded-For: 10.240.136.12,185.10.107.69
CF-RAY: 230e98119d8409b8-ORD
X-Forwarded-Proto: http
CF-Visitor: {"scheme":"http"}
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: */*
Via: 1.1 ld02-web32.ld02.baidu.com (squid/3.0.STABLE26)
Cache-Control: max-age=259200
CF-Connecting-IP: 185.10.107.69
CF-Unbuffered-Upload: 0

--b7f0880d-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.16
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-CF-Powered-By: WP 1.3.18
X-Pingback: http://www.domain.com/xmlrpc.php
Vary: Accept-Encoding,Cookie
Set-Cookie: _icl_current_language=en; expires=Wed, 07-Oct-2015 04:23:58 GMT; path=/
Set-Cookie: PHPSESSID=9599blpiaml15auq2mpd7p28q4; path=/
X-Mod-Pagespeed: 1.9.32.4-7251
Content-Encoding: gzip
Cache-Control: max-age=0, no-cache
Content-Length: 17201
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Thanks

Hi

Thank you for information provided.

It seems you installed mod_security and some ruleset as a dependency (Core Rule Set?).
With CWAF enabled you don't need the configuration file (/etc/httpd/conf.d/modsecurity.conf) from this ruleset.
Please rename it to some other name so its directives will not interfere with the CWAF ModSecurity directives:

# mv /etc/httpd/conf.d/modsecurity.conf /etc/httpd/conf.d/modsecurity.conf.backup

Now your Apache conf.d directory will contain only the CWAF ModSecurity-related config (zzzz_cwaf_security2.conf).
Please try to restart Apache and check whether the modsec_audit.log issue is fixed.

If it is not fixed, please check this topic on the ModSecurity bug tracker:
Why binary data is in my modsec_audit.log? · Issue #818 · SpiderLabs/ModSecurity · GitHub

With best regards, Oleg

I was suspicious about that.

Thanks a lot, I think I now have ModSecurity working with Comodo rules exclusively :wink:

Hi,

I have realized that even after renaming modsecurity.conf the problem persisted, so I disabled the rule "214560: Potential Obfuscated Javascript in Output - Excessive fromCharCode" and now it seems the problem is solved.

Now when I log in to a WordPress site no more HTML code is loaded into the modsec log.

I hope this does not indicate some misconfiguration?
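The log excerpt earlier in this thread is in ModSecurity 2.x's serial audit-log format: each transaction is a run of `--id-X--` parts (A = timestamp and addresses, B = request headers, E = response body, F = response headers, H = rule messages, Z = end). The script below, added here as an example and not code from the thread's participants or from Comodo/CWAF, parses such entries and applies the `SecAuditLogRelevantStatus "^(?:5|4(?!04))"` regex that the first post commented out. It shows why a 200 OK page can still be written in full: a transaction is audited either because its status matches that regex or because a rule fired on it (here a constructed hit for rule id 214560, the rule disabled above). The three sample entries are constructed; the RFC 5737 addresses, the second and third unique ids and the rule file path are placeholders.

```python
"""Parse ModSecurity 2.x serial audit-log entries and decide which ones
would be written under SecAuditEngine RelevantOnly.

Added example for this thread, not code from the thread or from CWAF.
The entry layout follows ModSecurity's serial audit-log format; the
sample entries below are constructed (documentation IP addresses,
made-up unique ids for entries 2 and 3, placeholder rule file path).
"""
import re
from typing import Dict, List, Optional

# The directive the first post commented out in modsecurity.conf:
#   SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# i.e. every 5xx and every 4xx except 404 counts as "relevant".
DEFAULT_RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part H carries one "Message:" line per rule that fired, with its id.
RULE_ID = re.compile(r'\[id "(\d+)"\]')


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Split a serial audit log into entries keyed by part letter."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    part: Optional[str] = None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            entry_id, part = m.groups()
            if part == "A":            # a new transaction starts
                current = {"id": entry_id}
                entries.append(current)
            if part == "Z":            # end of transaction
                current, part = None, None
            elif current is not None:
                current[part] = ""
            continue
        if current is not None and part is not None:
            current[part] += line + "\n"
    return entries


def response_status(entry: Dict[str, str]) -> Optional[str]:
    """First line of part F is the status line, e.g. 'HTTP/1.1 200 OK'."""
    first = entry.get("F", "").split("\n", 1)[0]
    m = re.match(r"HTTP/\d\.\d (\d{3})", first)
    return m.group(1) if m else None


def fired_rule_ids(entry: Dict[str, str]) -> List[str]:
    """Rule ids from the Message: lines in part H (empty if nothing fired)."""
    return RULE_ID.findall(entry.get("H", ""))


def client_ip(entry: Dict[str, str]) -> Optional[str]:
    """Part A: '[timestamp tz] unique_id client_ip client_port server_ip server_port'."""
    fields = entry.get("A", "").split()
    return fields[3] if len(fields) >= 7 else None


def is_relevant(entry: Dict[str, str],
                status_regex: Optional["re.Pattern[str]"] = DEFAULT_RELEVANT_STATUS) -> bool:
    """Mirror RelevantOnly: audit if the status matches the regex, or if a
    rule fired (a rule hit with the default auditlog action marks the
    transaction relevant regardless of status, so a 200 OK page whose body
    triggered an output rule is logged in full, part E included).
    status_regex=None models the commented-out directive."""
    status = response_status(entry)
    if status_regex is not None and status is not None and status_regex.match(status):
        return True
    return bool(fired_rule_ids(entry))


def audited_entries(text: str,
                    status_regex: Optional["re.Pattern[str]"] = DEFAULT_RELEVANT_STATUS
                    ) -> List[Dict[str, str]]:
    return [e for e in parse_audit_log(text) if is_relevant(e, status_regex)]


# Constructed sample: entry 1 is a 200 OK whose body tripped rule 214560,
# entry 2 a plain 404, entry 3 a 403 with no rule message.
SAMPLE_LOG = """\
--b7f0880d-A--
[06/Oct/2015:05:24:00 +0100] VhNM3i5lEToAABNXRnEAAAAA 192.0.2.10 23074 198.51.100.5 80
--b7f0880d-B--
GET / HTTP/1.1
Host: www.domain.com

--b7f0880d-E--
<html><body><script>String.fromCharCode(72,105)</script></body></html>
--b7f0880d-F--
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8

--b7f0880d-H--
Message: Warning. Operator GE matched 1 at TX:fromcharcode. [file "/placeholder/rules.conf"] [line "1"] [id "214560"] [msg "Potential Obfuscated Javascript in Output - Excessive fromCharCode"]
--b7f0880d-Z--

--0a1b2c3d-A--
[06/Oct/2015:05:25:00 +0100] CONSTRUCTEDID00000000002 192.0.2.11 40001 198.51.100.5 80
--0a1b2c3d-F--
HTTP/1.1 404 Not Found

--0a1b2c3d-Z--

--4e5f6a7b-A--
[06/Oct/2015:05:26:00 +0100] CONSTRUCTEDID00000000003 192.0.2.12 40002 198.51.100.5 80
--4e5f6a7b-F--
HTTP/1.1 403 Forbidden

--4e5f6a7b-Z--
"""

if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_LOG):
        print(e["id"], client_ip(e), response_status(e), fired_rule_ids(e),
              "audited" if is_relevant(e) else "skipped")
```

Running it prints one line per transaction: the 200 OK entry is audited because of the rule hit, the 404 is skipped, and the 403 is audited because of its status. With `status_regex=None` (the commented-out directive) only rule hits remain, which matches the thread's outcome: renaming modsecurity.conf changed nothing, but disabling rule 214560 stopped the full-page entries.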

Hi

I see no misconfiguration here.
And disabling rules is absolutely legal :slight_smile:

Regards, Oleg