2011-12-14, 10:06 PM
Quote:<blockquote data-ipsquote="" class="ipsQuote" data-ipsquote-contentcommentid="15628" data-ipsquote-username="Dungeon-Dave" data-cite="Dungeon-Dave" data-ipsquote-timestamp="1322579643" data-ipsquote-contentapp="forums" data-ipsquote-contenttype="forums" data-ipsquote-contentid="4150" data-ipsquote-contentclass="forums_Topic"><div>
When I've been debugging mod_sec, I find that a tail of that logfile when a site breaks on me shows what's tripping it (rule name, ID, etc).
Note that - in terms of vulnerabilities - disclosure of information is not insecure in itself. How that information is used to enumerate and select an exploit is.
Concealing the fact you're using a version of PHP does not make that version secure, it just means a cracker will take longer to choose an appropriate attack vector.
Seems like my mod_security is working :)
# tail /home/www/feedmebits.nl/logs/error.log
[Thu Dec 01 15:42:56 2011] [error] [client 145.117.85.40] File does not exist: /home/www/feedmebits.nl/htdocs/login
[sat Dec 03 16:58:54 2011] [error] [client 94.24.41.240] ModSecurity: [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_rbl.conf"] [line "48"] [id "350000"] [rev "2"] [msg "Global RBL Match: IP is on the xbl.spamhaus.org Blacklist (Report False Positives to www.spamhaus.org)"] [severity "ERROR"] Access denied with code 403 (phase 1). RBL lookup of 240.41.24.94.xbl.spamhaus.org succeeded at REMOTE_ADDR (Illegal 3rd party exploits). [hostname "62.212.66.15"] [uri "/admin/cdr/counter.txt"] [unique_id "TtpHPj7UQg8AAC-4NEcAAAAF"]
Still working on my fail2ban. But looking at this, it seems like mod_security is giving me some protection :)
Look also at your modsec_audit_log and modsec_debug_log - they should have more detailed info.
</div></blockquote>
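An added example, not part of the thread and not ModSecurity's own code: a small Python parser for the error-log format quoted above, which extracts the rule ID, rule file and URI from each ModSecurity entry and counts which rules are tripping. The sample lines are constructed (documentation IPs); rule ID 999001 and the `local.conf` path are hypothetical.

```python
import re
from collections import Counter

# Apache 2.2-style error-log prefix, then the ModSecurity payload.
PREFIX = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[\w+\] \[client (?P<client>[^\]]+)\] ModSecurity: (?P<body>.*)$')
# Metadata tags look like [id "350000"]; tolerates backslash-escaped quotes in values.
TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Present only when the request was blocked; non-blocking matches log "Warning." instead.
DENIED = re.compile(r'Access denied with code (\d{3}) \(phase (\d)\)')

# Constructed sample lines modelled on the entry quoted in the thread.
SAMPLE = r'''[Thu Dec 01 15:42:56 2011] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/login
[Sat Dec 03 16:58:54 2011] [error] [client 192.0.2.20] ModSecurity: [file "/etc/httpd/modsecurity.d/asl/modsec/00_asl_rbl.conf"] [line "48"] [id "350000"] [msg "Global RBL Match"] [severity "ERROR"] Access denied with code 403 (phase 1). RBL lookup succeeded at REMOTE_ADDR. [hostname "example.test"] [uri "/admin/cdr/counter.txt"] [unique_id "AAAA"]
[Sat Dec 03 17:02:11 2011] [error] [client 192.0.2.30] ModSecurity: [file "/etc/httpd/modsecurity.d/local.conf"] [line "12"] [id "999001"] [msg "Odd \"quoted\" value"] [severity "WARNING"] Warning. Pattern match at ARGS:q. [hostname "example.test"] [uri "/search"] [unique_id "BBBB"]
'''

def parse_modsec_line(line):
    """Return a dict of fields for a ModSecurity entry, or None for other lines."""
    m = PREFIX.match(line.strip())
    if not m:
        return None  # ordinary Apache error (e.g. "File does not exist")
    body = m.group('body')
    entry = dict(TAG.findall(body))  # tag order does not matter
    entry['client'] = m.group('client')
    entry['time'] = m.group('time')
    denied = DENIED.search(body)
    entry['blocked'] = denied is not None
    entry['status'] = int(denied.group(1)) if denied else None
    return entry

def rules_tripped(log_text):
    """Count hits per (rule id, uri, blocked) so the rule breaking a site stands out."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_modsec_line(line)
        if entry:
            hits[(entry.get('id'), entry.get('uri'), entry['blocked'])] += 1
    return hits

if __name__ == '__main__':
    for (rule_id, uri, blocked), n in rules_tripped(SAMPLE).most_common():
        state = 'blocked' if blocked else 'logged only'
        print(f"{n}x rule {rule_id} on {uri} ({state})")
```

The `id` and `file` fields identify the rule to tune or exclude when a legitimate request is being blocked; the `unique_id` field can be used to find the matching, more detailed entry in the audit log.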