lostaussie Posted May 10, 2016 Posted May 10, 2016 I run two boards on two different hosts: one has mod security enabled and works fine; the other is on a self-managed VPS, and if I have mod security enabled there all I get is "Too many redirects" errors. Does anyone know which mod security rules to change to allow use of this on the VPS?
Daniel F Posted May 10, 2016 Posted May 10, 2016 You should take a look at your logs. http://resources.infosecinstitute.com/analyzing-mod-security-logs/
lostaussie Posted May 11, 2016 Author Posted May 11, 2016 On 5/10/2016 at 2:05 PM, Daniel F said: You should take a look at your logs. http://resources.infosecinstitute.com/analyzing-mod-security-logs/ Thanks but that is far too technical for me.
IveLeft... Posted May 11, 2016 Posted May 11, 2016 What rules have you got? Plenty of rules on the internet: http://bfy.tw/5i82 I use Atomic's ruleset; however, if you don't know how to look at the server logs then it's doubtful you'll be able to install the ruleset.
lostaussie Posted May 12, 2016 Author Posted May 12, 2016 OK, I worked out what rule was causing the problem and disabled it. I have no idea if it's a bad thing to do or not, but disabling it fixed the issue. This is the rule below: OWASP 981243 Detects classic SQL injection probings 2/2 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`]\d)|(?:\^[\"'`])|(?:^[\w\s\"'`-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])|(?:[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`])|(?:[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`].*?\*\s*?\d)|(?:[\"'`]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]))" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects classic SQL injection probings 2/2', id:'981243', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'"
tnn Posted May 12, 2016 Posted May 12, 2016 2 hours ago, lostaussie said: OK, I have no idea if it's a bad thing to do or not, but disabling it fixed the issue. OWASP 981243 Detects classic SQL injection probings 2/2 SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* "(?i:(?:[\"'`]\s*?\*.+(?:x?or|div|like|between|and|id)\W*?[\"'`]\d)|(?:\^[\"'`])|(?:^[\w\s\"'`-]+(?<=and\s)(?<=or|xor|div|like|between|and\s)(?<=xor\s)(?<=nand\s)(?<=not\s)(?<=\|\|)(?<=\&\&)\w+\()|(?:[\"'`][\s\d]*?[^\w\s]+\W*?\d\W*?.*?[\"'`\d])|(?:[\"'`]\s*?[^\w\s?]+\s*?[^\w\s]+\s*?[\"'`])|(?:[\"'`]\s*?[^\w\s]+\s*?[\W\d].*?(?:#|--))|(?:[\"'`].*?\*\s*?\d)|(?:[\"'`]\s*?(x?or|div|like|between|and)\s[^\d]+[\w-]+.*?\d)|(?:[()\*<>%+-][\w-]+[^\w\s]+[\"'`][^,]))" "phase:request, rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'9', accuracy:'8', capture, t:none,t:urlDecodeUni, block, msg:'Detects classic SQL injection probings 2/2', id:'981243', tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-sqli', tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION', logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}', severity:'CRITICAL', setvar:'tx.msg=%{rule.msg}', setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}, setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQLI-%{matched_var_name}=%{tx.0}'" Yes, that's what I do. I disabled the ones causing me issues.
lostaussie Posted May 12, 2016 Author Posted May 12, 2016 4 minutes ago, tnn said: Yes, that's what I do. I disabled the ones causing me issues. I probably should have said: I hope it is not a bad thing to disable, as I have about 20 WordPress sites on the same server.
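As an added example (not from the thread, Invision Community or the CRS project), a Python script that follows Daniel F's advice to read the logs: it parses constructed ModSecurity 2.x error_log entries, reports which cookie or argument tripped rule 981243 on which URL, and emits SecRuleUpdateTargetById exclusions for just those variables, so the rule keeps inspecting everything else on the server instead of being switched off. The cookie names, hostname, file paths and unique ids in the sample lines are made up.

```python
import re

# Constructed ModSecurity 2.x (Apache error_log) entries for illustration; the
# matched regex is abbreviated to "(?i:...)" since the real pattern is very long.
SAMPLE_LOG = r"""
[Thu May 12 10:01:02.123456 2016] [:error] [pid 2101] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at REQUEST_COOKIES:ips4_member_id. [file "/etc/modsecurity/crs/sqli.conf"] [line "91"] [id "981243"] [rev "2"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "forum.example.test"] [uri "/index.php"] [unique_id "VzS1Xn8AAQEAAAghAAAAAA"]
[Thu May 12 10:01:09.654321 2016] [:error] [pid 2102] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at REQUEST_COOKIES:ips4_pass_hash. [file "/etc/modsecurity/crs/sqli.conf"] [line "91"] [id "981243"] [rev "2"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "forum.example.test"] [uri "/index.php"] [unique_id "VzS1Zn8AAQEAAAgiAAAAAA"]
[Thu May 12 10:03:40.000001 2016] [:error] [pid 2103] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:q. [file "/etc/modsecurity/crs/sqli.conf"] [line "91"] [id "981243"] [rev "2"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "forum.example.test"] [uri "/search/"] [unique_id "VzS2DH8AAQEAAAgjAAAAAA"]
"""

# 'Pattern match "<regex>" at <VARIABLE>. [file ...' is how ModSecurity 2.x
# names the variable that tripped the rule; id/hostname/uri are bracketed fields.
MATCH_RE = re.compile(r'Pattern match "(?P<pat>.*?)" at (?P<var>\S+?)\. \[file "')
FIELD_RE = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')


def parse_modsec_errors(text):
    """Return one dict per rule hit: rule id, matched variable, host, uri, blocked."""
    hits = []
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue  # not a ModSecurity rule-hit line
        fields = dict(FIELD_RE.findall(line))
        hits.append({
            "id": fields.get("id"),
            "var": m.group("var"),
            "host": fields.get("hostname"),
            "uri": fields.get("uri"),
            # "Access denied" means the rule blocked; "Warning" means it only scored
            "blocked": "Access denied" in line,
        })
    return hits


def exclusions_for(hits, rule_id):
    """One SecRuleUpdateTargetById directive per variable that tripped rule_id.
    Unlike SecRuleRemoveById this keeps the rule active for every other cookie
    and argument; the directives must be loaded after the CRS rules themselves."""
    tripped = sorted({h["var"] for h in hits if h["id"] == rule_id})
    return [f'SecRuleUpdateTargetById {rule_id} "!{v}"' for v in tripped]


if __name__ == "__main__":
    hits = parse_modsec_errors(SAMPLE_LOG)
    for h in hits:
        state = "BLOCK" if h["blocked"] else "WARN"
        print(f'{h["id"]} {state:5} {h["host"]}{h["uri"]} <- {h["var"]}')
    print("\n".join(exclusions_for(hits, "981243")))
```

Run it against the real error_log (or the audit log's H section) and review the matched variables before adding the generated lines, since a variable that is legitimately under attacker control should not be excluded.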
tnn Posted May 12, 2016 Posted May 12, 2016 6 minutes ago, lostaussie said: I probably should have said: I hope it is not a bad thing to disable, as I have about 20 WordPress sites on the same server. For WordPress I use Wordfence, a firewall. It includes SQL injection protection and more. I use the free version.
lostaussie Posted May 12, 2016 Author Posted May 12, 2016 3 minutes ago, tnn said: For WordPress I use Wordfence, a firewall. It includes SQL injection protection and more. I use the free version. Yes, I use that too, so I hope there's enough protection between them all now.