Debugging mod_security rules
This is a *brief* follow-up to my recent blog on mod_security.
Once you install mod_security you may notice error messages; these are, of course, caused by mod_security.
The “problem” is that these messages are rather generic, such as:
GET to /login/index.php not supported.
501 error
To resolve these, you will need to review and customize your rule set to allow what you consider “normal traffic” on your web site(s). I am no expert on mod_security rules, but I hope I can get you pointed in the right direction.
Log Analysis
The default log is in /etc/apache2/logs/modsec_audit.log, although I link my logs to /var/log/apache2/mod_security/modsec_audit.log, so adjust accordingly.
Let us look at an error message in the logs with:
nano /var/log/apache2/mod_security/modsec_audit.log
Note: you may use tail or tail -F, but be warned that some of the error messages are long.
Each entry is tagged with a unique id, such as the following (log clipped as it is quite long):
--cbfe862f-A--
[01/May/2009:00:01:11 +0000] Sfo7x38AAAEAADhbCucAAAAH 192.168.1.10 39684 192.168.1.14 8081
--cbfe862f-B--
GET /login/index.php?openid=ooo HTTP/1.1
User-Agent: curl/7.18.2 (x86_64-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.10
Host: moodle:8081
Accept: */*
--cbfe862f-F--
HTTP/1.1 303 See Other
X-Powered-By: PHP/5.2.6-1+lenny2
Set-Cookie: MoodleSession=4c0588cddf112470aa7cfcd7908ebb8c; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: MoodleSessionTest=icP3lsMNhF; path=/
Location: http://bodhizazen.net:8081/auth/openid/login.php
Vary: Accept-Encoding
Content-Length: 224
Content-Type: text/html
--cbfe862f-H--
Message: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_35_bad_robots.conf"] [line "29"] [id "990011"] [msg
< clip >
--cbfe862f-K--
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,chain,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:2,id:960011,tag:PROTOCOL_VIOLATION/EVASION"
SecRule "&REQUEST_HEADERS:Content-Type" "@eq 0" "phase:2,pass,chain,t:none,log,auditlog,msg:'Request Containing Content, but Missing Content-Type header',id:960904,severity:4"
< clip >
The complete contents of the error message are not important now; notice that the entry id is "cbfe862f" and that the entry is made up of several sections (A, B, F, H and K above).
Edit Rules
- Identify the offending rule.
- Notice [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_35_bad_robots.conf"] [line "29"] [id "990011"].
- This tells us the file the rule lives in, its line number, and its rule id.
- Review the rule and make sure it really needs to be modified (don't forget this step!).
- You can then open /etc/apache2/conf.d/modsecurity/modsecurity_crs_35_bad_robots.conf and either comment the rule out or edit it.
- Comment out (disable) the rule(s) by adding a "#" at the very start of the line(s).
- Or edit the rule. Editing rule sets is beyond the scope of this blog.
- Restart Apache to re-load the rules (varies by host OS).
As an example of commenting out a rule (some text was clipped):
#SecRule REQUEST_HEADERS:User-Agent ... < clipped >
#"chain,phase:2,t:none,t:lowercase,log,auditlog,msg: < clipped > id:'990011' < clipped >
Sorry to have edited out some of the content of the log and rules, but I hope you get the general idea.
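As an added example (not code from this post), here is a small Python script that parses the serial audit-log layout shown above and tallies which rule ids fire, with their file and line, so you know what to review before disabling anything. The sample log is constructed; the msg texts and the line number for rule 960011 are made up for the sample.

```python
import re
# Constructed sample (not the post's log) in the serial audit-log layout shown above:
# "--<txid>-<part>--" boundaries; part H carries the "Message:" lines that name the rule.
SAMPLE_LOG = """\
--cbfe862f-H--
Message: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_35_bad_robots.conf"] [line "29"] [id "990011"] [msg "Rogue web site crawler"] [severity "WARNING"]
--cbfe862f-Z--
--d1a2b3c4-H--
Message: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_35_bad_robots.conf"] [line "29"] [id "990011"] [msg "Rogue web site crawler"] [severity "WARNING"]
Message: Access denied with code 501 (phase 2). Pattern match "^(?:GET|HEAD)$" at REQUEST_METHOD. [file "/etc/apache2/conf.d/modsecurity/modsecurity_crs_20_protocol_violations.conf"] [line "41"] [id "960011"] [msg "GET or HEAD requests with bodies"] [severity "CRITICAL"]
--d1a2b3c4-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # section boundary line
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [name "value"] pairs
def sections(text):
    """Yield (txid, part letter, body lines) for every section in the log."""
    txid, part, body = None, None, []
    for raw in text.splitlines():
        m = BOUNDARY.match(raw)
        if m:
            if part is not None:
                yield txid, part, body
            txid, part, body = m.group(1), m.group(2), []
        elif part is not None:
            body.append(raw)
    if part is not None:
        yield txid, part, body

def rule_hits(text):
    """One dict per 'Message:' line in a part-H section: the bracketed fields plus txid."""
    hits = []
    for txid, part, body in sections(text):
        for line in body:
            if part != "H" or not line.startswith("Message: "):
                continue
            f = dict(FIELD.findall(line))
            if "id" in f:  # skip engine notices that name no rule
                hits.append(dict(f, txid=txid, denied=line.startswith("Message: Access denied")))
    return hits

def summarize(text):
    """Rule id -> (hit count, file, line, msg), most frequently hit rule first."""
    out = {}
    for h in rule_hits(text):
        n = out.get(h["id"], (0,))[0]
        out[h["id"]] = (n + 1, h.get("file"), h.get("line"), h.get("msg"))
    return dict(sorted(out.items(), key=lambda kv: -kv[1][0]))
if __name__ == "__main__":
    for rid, (n, path, lineno, msg) in summarize(SAMPLE_LOG).items():
        # SecRuleRemoveById in your own config is the update-safe alternative to editing the CRS file
        print(f"{n:3d}x id {rid}  {path}:{lineno}  {msg}  ->  SecRuleRemoveById {rid}")
```

Point it at your real modsec_audit.log instead of SAMPLE_LOG to get the same per-rule summary; a SecRuleRemoveById line in your own Apache config (placed after the CRS files are included) disables a rule without editing the CRS file, so a rule-set update does not silently undo the change.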
Rules Reference
See the ModSecurity® Reference Manual for detailed information on mod_security and a more detailed discussion of rules.
Posted in Linux
Is there any chance you could document the rule modifications needed to allow WordPress to function? I found that the login link trips the “remote file inclusion” rule and disabled it, but there are a few other things affected by other rules. Thanks for all of the great guides btw.
Comment by jiveturkey — July 23, 2009 @ 6:34 pm