Quote (Dungeon-Dave):
When I've been debugging mod_sec, I find that a tail of that logfile when a site breaks on me shows what's tripping it (rule name, ID, etc).
Note that - in terms of vulnerabilities - disclosure of information is not insecure in itself. How that information is used to enumerate and select an exploit is.
Concealing the fact you're using a version of PHP does not make that version secure, it just means a cracker will take longer to choose an appropriate attack vector.
Seems like my mod_security is working :)
# tail /home/www/feedmebits.nl/logs/error.log
[Thu Dec 01 15:42:56 2011] [error] [client 145.117.85.40] File does not exist: /home/www/feedmebits.nl/htdocs/login
[sat Dec 03 16:58:54 2011] [error] [client 94.24.41.240] ModSecurity: [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"] Access denied with code 403 (phase 1). RBL lookup of 240.41.24.94.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits). [hostname "62.212.66.15"] [uri "/admin/cdr/counter.txt"] [unique_id "TtpHPj7UQg8AAC-4NEcAAAAF"]
Still working on my fail2ban. But looking at this seems like mod_security is giving me some protection :)
Look also at your modsec_audit_log and modsec_debug_log - they should have more detailed info.
Code:
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111211/20111211-0519/20111211-051943-TuQvXz7UQg8AABLQSoYAAAAE] (null)
[modsecurity] [client 75.146.88.220] [domain feedmebits.nl] [400] [/20111211/20111211-0829/20111211-082944-TuRb6D7UQg8AABLTUYoAAAAH] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111211/20111211-1244/20111211-124434-TuSXoj7UQg8AABPsRtgAAAAP] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111211/20111211-1527/20111211-152723-TuS9yz7UQg8AABLMQSgAAAAA] (null)
[modsecurity] [client 212.68.63.135] [domain feedmebits.nl] [400] [/20111211/20111211-1842/20111211-184226-TuTrgj7UQg8AABLQSo4AAAAE] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111211/20111211-2035/20111211-203545-TuUGET7UQg8AABLNQ4IAAAAB] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111212/20111212-0226/20111212-022601-TuVYKT7UQg8AABLMQSoAAAAA] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111212/20111212-0400/20111212-040025-TuVuST7UQg8AABLTUZMAAAAH] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111212/20111212-1125/20111212-112536-TuXWoD7UQg8AABPsRuAAAAAP] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111212/20111212-1322/20111212-132252-TuXyHD7UQg8AABLMQTMAAAAA] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111212/20111212-1852/20111212-185229-TuY-XT7UQg8AABLST0gAAAAG] (null)
[modsecurity] [client 188.32.174.67] [domain feedmebits.nl] [400] [/20111212/20111212-1958/20111212-195833-TuZO2T7UQg8AABPlKsUAAAAI] (null)
[modsecurity] [client 109.73.175.3] [domain www.donniepinkston.net] [301] [/20111212/20111212-2317/20111212-231745-TuZ9iT7UQg8AABPtSrgAAAAQ] [file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] [id "340361"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: CONNECT method denied"] [data "connect"] [severity "CRITICAL"] Access denied with code 403 (phase 1). Pattern match "connect" at REQUEST_METHOD.
[modsecurity] [client 109.73.175.3] [domain www.pr0.net] [301] [/20111212/20111212-2329/20111212-232907-TuaAMz7UQg8AABLNQ5IAAAAB] [file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] [id "340361"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: CONNECT method denied"] [data "connect"] [severity "CRITICAL"] Access denied with code 403 (phase 1). Pattern match "connect" at REQUEST_METHOD.
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111213/20111213-0022/20111213-002247-TuaMxz7UQg8AABPoNbEAAAAL] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111213/20111213-0216/20111213-021646-Tuanfj7UQg8AABPlKs0AAAAI] (null)
[modsecurity] [client 109.73.175.3] [domain www.donniepinkston.net] [301] [/20111213/20111213-0221/20111213-022141-TuaopT7UQg8AABLRTPwAAAAF] [file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] [id "340361"] [rev "2"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: CONNECT method denied"] [data "connect"] [severity "CRITICAL"] Access denied with code 403 (phase 1). Pattern match "connect" at REQUEST_METHOD.
[modsecurity] [client 62.149.171.68] [domain feedmebits.nl] [400] [/20111213/20111213-0409/20111213-040910-TubB1j7UQg8AABLST1EAAAAG] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111213/20111213-0941/20111213-094136-TucPwD7UQg8AABLMQT4AAAAA] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111213/20111213-1113/20111213-111334-TuclTj7UQg8AABPtSsAAAAAQ] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111213/20111213-1704/20111213-170452-Tud3pD7UQg8AABPqPeQAAAAN] (null)
[modsecurity] [client 109.230.213.134] [domain feedmebits.nl] [400] [/20111213/20111213-2122/20111213-212236-Tue0DD7UQg8AABLORfcAAAAC] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111213/20111213-2209/20111213-220943-Tue-Fz7UQg8AABPrRJwAAAAO] (null)
[modsecurity] [client 109.230.213.134] [domain feedmebits.nl] [400] [/20111213/20111213-2236/20111213-223608-TufFSD7UQg8AABPrRJ8AAAAO] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-0028/20111214-002848-TuffsD7UQg8AABPqPesAAAAN] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-0751/20111214-075142-TuhHfj7UQg8AABLQSrAAAAAE] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111214/20111214-0859/20111214-085931-TuhXYz7UQg8AABLMQUoAAAAA] (null)
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114138-Tuh9YT7UQg8AABLQSrIAAAAE] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114145-Tuh9aT7UQg8AABLNQ6QAAAAB] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114151-Tuh9bj7UQg8AABPoNcIAAAAL] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 145.117.87.13] [domain feedmebits.nl] [200] [/20111214/20111214-1141/20111214-114156-Tuh9cz7UQg8AABLPSFQAAAAD] Pattern match "joomla.*administration login.*username and password do not match" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] [line "83"] [id "377304"] [rev "1"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules - Brute Force Attack Protection: Joomla Administration system Login Attempt Failure (Not Blocked)"] [severity "ERROR"]
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-1515/20111214-151521-TuiveT7UQg8AABLRTQwAAAAF] (null)
[modsecurity] [client 88.46.75.27] [domain feedmebits.nl] [400] [/20111214/20111214-1953/20111214-195325-TujwpT7UQg8AABPuTdYAAAAR] (null)
[modsecurity] [client 80.190.226.155] [domain feedmebits.nl] [400] [/20111214/20111214-2239/20111214-223911-TukXfz7UQg8AABLRTQ0AAAAF] (null)
Looks like it is working from those logs :)
fail2ban is still a challenge. But it's fun working on various projects at the same time. After I'm done with these small projects, I want to start my next big project.
Just ensure that you whitelist your own IP in F2B - it's possible to lock yourself out!
(I did it once when connecting remotely from an airport before flying out. I had to connect back to my home machine then connect through that to the remote server to remove the block)
F2B is dead cool, but requires a bit of reading and planning prior to implementation. Once I get my Linux blog sorted, I'll post my experiences on that.
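Added example, not code from either poster nor from ModSecurity or fail2ban: a small Python script that parses audit-summary lines in the `[modsecurity] [client ...] [domain ...] [status] [audit path] ...` shape posted above, tallies rule hits per client, and applies an ignore list before deciding which clients have crossed a ban threshold, which is the whitelisting step Dungeon-Dave warns about. The sample lines are constructed in that format with RFC 5737 documentation addresses, `192.0.2.5` stands in for the admin's own address, and the `ignoreip` / `maxretry` handling here only mirrors the idea of fail2ban's settings of those names rather than reproducing fail2ban's code.

```python
"""Tally ModSecurity audit-summary hits per client, honouring an ignore list.

Added example for this thread; the line format follows the "[modsecurity] ..." summary
lines posted above, and the sample lines below are constructed with RFC 5737 addresses.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Fixed leading fields of a summary line; whatever follows the audit path is rule detail,
# or the literal "(null)" when the line carries no rule message.
LINE_RE = re.compile(
    r'^\[modsecurity\] \[client (?P<client>[^\]]+)\] \[domain (?P<domain>[^\]]+)\] '
    r'\[(?P<status>\d{3})\] \[(?P<audit>[^\]]+)\] (?P<rest>.*)$'
)
# Bracketed key/value pairs worth keeping out of the rule detail.
FIELD_RE = re.compile(r'\[(?P<key>id|msg|severity) "(?P<value>[^"]*)"\]')


def parse_modsec_line(line):
    """Return the interesting fields of one summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "client": m.group("client"),
        "domain": m.group("domain"),
        "status": int(m.group("status")),
        "audit": m.group("audit"),
        "id": None, "msg": None, "severity": None,
    }
    for f in FIELD_RE.finditer(m.group("rest")):
        rec[f.group("key")] = f.group("value")
    return rec


def is_ignored(ip, ignore_nets):
    """True when ip lies in any whitelisted network (the role fail2ban's ignoreip plays)."""
    addr = ip_address(ip)
    return any(addr in net for net in ignore_nets)


def tally_hits(lines, ignoreip=()):
    """Count (client, rule id) pairs; whitelisted clients and rule-less lines are skipped."""
    nets = [ip_network(n, strict=False) for n in ignoreip]
    counts = Counter()
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is None or rec["id"] is None:
            continue
        if is_ignored(rec["client"], nets):
            continue
        counts[(rec["client"], rec["id"])] += 1
    return counts


def ban_candidates(counts, maxretry):
    """Clients whose total rule hits reach maxretry, like a jail crossing its threshold."""
    per_client = Counter()
    for (client, _rule), n in counts.items():
        per_client[client] += n
    return sorted(c for c, n in per_client.items() if n >= maxretry)


# Rule-detail tails modelled on the two rule types in the thread (ids 377304 and 340361).
BRUTE = ('Pattern match "joomla.*administration login.*username and password do not match" '
         'at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/asl/modsec/12_asl_brute.conf"] '
         '[line "83"] [id "377304"] [rev "1"] [msg "Joomla Administration system Login '
         'Attempt Failure (Not Blocked)"] [severity "ERROR"]')
CONNECT = ('[file "/etc/httpd/modsecurity.d/asl/modsec/10_asl_rules.conf"] [line "58"] '
           '[id "340361"] [rev "2"] [msg "CONNECT method denied"] [data "connect"] '
           '[severity "CRITICAL"] Access denied with code 403 (phase 1).')

# Constructed sample: 203.0.113.10 fails the Joomla login three times, 198.51.100.7 sends
# one CONNECT, and 192.0.2.5 (standing in for the admin's own address) also fails three logins.
SAMPLE = [
    '[modsecurity] [client 203.0.113.10] [domain example.net] [400] [/20111214/20111214-1515/a1] (null)',
    '[modsecurity] [client 203.0.113.10] [domain example.net] [200] [/20111214/20111214-1141/a2] ' + BRUTE,
    '[modsecurity] [client 203.0.113.10] [domain example.net] [200] [/20111214/20111214-1141/a3] ' + BRUTE,
    '[modsecurity] [client 203.0.113.10] [domain example.net] [200] [/20111214/20111214-1141/a4] ' + BRUTE,
    '[modsecurity] [client 198.51.100.7] [domain example.org] [301] [/20111212/20111212-2317/a5] ' + CONNECT,
    '[modsecurity] [client 192.0.2.5] [domain example.net] [200] [/20111214/20111214-1200/a6] ' + BRUTE,
    '[modsecurity] [client 192.0.2.5] [domain example.net] [200] [/20111214/20111214-1200/a7] ' + BRUTE,
    '[modsecurity] [client 192.0.2.5] [domain example.net] [200] [/20111214/20111214-1200/a8] ' + BRUTE,
]

if __name__ == "__main__":
    hits = tally_hits(SAMPLE, ignoreip=["192.0.2.0/24"])  # whitelist the admin's own network
    for (client, rule), n in sorted(hits.items()):
        print(f"{client:15} rule {rule}: {n} hit(s)")
    print("ban candidates at maxretry=3:", ban_candidates(hits, 3))
    print("without the whitelist:      ", ban_candidates(tally_hits(SAMPLE), 3))
```

Run as-is, the whitelisted run names only `203.0.113.10` as a ban candidate, while the run without the whitelist also names `192.0.2.5`: that second list is the lock-yourself-out case from the post above. In fail2ban itself the equivalent whitelist is the `ignoreip` setting in `jail.local`, which takes the same address-or-CIDR forms this example accepts.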