Sorry i am new her, i have too many problems with the mod_securtiy2
After problems to load the extension i have a problem to "enable" the module. My configfile like this:
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
# Turn the filtering engine On or Off
SecFilterEngine On
</IfModule>
If i try to restart the Apache (x64) i became the error that the apache cant start (The request operation failed...).
If i remove al lines between the IfModule the server starts.
I use Windows Server 2008R2 Datacenter (x64) and Apache 2.4.9 (VC9), mod_security2 (2.7.6)
what make i wrong ?
can any one help me pleas ?
sorry for the late response,
What does the error.log say about this? If there is nothing there, then what does the windows Event Log say about this?
I try the example filter of the file readme.1st.txt:
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
# Debug log
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog logs/modsec_audit.log
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,id:'000001',t:none,log,deny,msg:'Failed to parse request body.',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,id:'000002',t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}'"
# Did we see anything that might be a boundary?
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,id:'000003',t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# Test mod_security
# below rule should flag http://www.xxxx.com/?abc=../../
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,log,deny,msg:'Drive Access'"
# WEB-CGI websendmail access
# below rule should flag http://localhost/websendmail
SecRule REQUEST_URI "/websendmail" "id:'000004'"
I become this error in the logfile:
Quote[Fri Apr 04 21:30:31.418175 2014] [mpm_winnt:notice] [pid 160252:tid 520] AH00424: Parent: Received restart signal -- Restarting the server.
AH00526: Syntax error on line 48 of C:/server/websites/modsecurity.conf:
Error parsing actions: Invalid quoted pair at position 160: phase:2,id:'000002',t:none,log,deny,msg:'Multipart request body \t\tfailed strict validation: \t\tPE %{REQBODY_PROCESSOR_ERROR}, \t\tBQ %{MULTIPART_BOUNDARY_QUOTED}, \\
[Fri Apr 04 21:30:33.426175 2014] [mpm_winnt:notice] [pid 147708:tid 460] AH00364: Child: All worker threads have exited.
My target is the URL http://www.xxxx.com/?abc=../../ views as to prevent, so as to increase the security
try this in httpd.conf
QuoteAcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off
Odd, I do not see an invalid quoted pair here
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,id:'000001',t:none,log,deny,msg:'Failed to parse request body.',severity:2"
but just to be sure, add a blank space after the \ in the first line and see.