Hello,

I am working on setting up better security for my Debian 6 server. I am
new to ModSecurity and OWASP Core Rules. The problem that I'm having is
that it is blocking legitimate traffic and I don't understand why or how
to fix it. Can somebody help me? Here is some pretty detailed
information about my environment and my problem.

Apache2 is my web server and it is installed from the Debian package. The
version is 2.2.16-6+squeeze14. I'm using the Worker MPM.

I installed ModSecurity from the Debian package. The version is:
2.5.12-1+squeeze4

Per the recommendation of an article I found online, I installed OWASP
2.2.5-0. I had initially tried the most recent version of OWASP but this
gave me errors (due to my version of ModSecurity).

I'm using PHP compiled from source, version 5.4.24.
I'm using PHP-FPM FastCGI.
I'm using MySQL 5.1.73-1+deb6u1.
I'm using Memcached 2.1.0.
ZendOpcode Cache 7.0.3 is installed.
Website is built using the Drupal CMS, version 7.28.
All non-SSL traffic is redirected to SSL.

I had some troubles getting Apache2 to pass the configtest but I was
able to find the proper configuration changes needed via Google
searching. I enabled all of the rules as per the INSTALL instructions
included in OWASP CRS. I also enabled the experimental Brute Force, DOS,
and Slow DOS rules (these don't appear to be causing any issues).

I set ModSecurity to "On" mode but quickly got complaints from our staff
being blocked by it. So now it is in "DetectionOnly" mode. I looked in
the AuditLog but didn't see anything helpful in there (just a bunch of
stuff about cookies -- perhaps because things in the 10 setup file are
set to nolog?). However, the Apache2 SSL Error log shows a lot of
information about the block attempts.

Our staff users are connecting from the IP address 63.227.218.204, so I
filtered the SSL Error Log to dump all entries with that IP address to a
separate file. All of the warnings/errors in this log are legitimate
traffic. So I need help tuning ModSecurity and OWASP to permit this
traffic. I've attached the log file to this post.
https://www.fosterclub.com/sites/default/files/file/output.log

I have also attached my modsecurity.conf file and my
modsecurity_crs_10_setup.conf file.
https://www.fosterclub.com/sites/default/files/file/modsecurity.conf
https://www.fosterclub.com/sites/default/files/file/modsecurity_crs_10_setup.conf

I would very much appreciate any help anyone can offer. Please let me
know if you need any additional information. Thanks!
--
Jacob Lear
Web Administrator
FosterClub, Inc.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
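As an added example (not the poster's code, not part of the CRS project), the triage step described in the post done with a small script: it parses Apache 2.2 error-log lines in the ModSecurity 2.5 format, keeps only the events from one trusted staff address, skips the CRS anomaly-score collector rule so that it is not mistaken for a false positive, and tallies which rule IDs fired on which URIs, rendering each one as a `<Location>`-scoped `SecRuleRemoveById` stub to review. The log lines are constructed samples, and the rule IDs, messages and URIs in them are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the Apache 2.2 / ModSecurity 2.5 error-log layout
# (not taken from the poster's output.log; rule IDs and messages are illustrative).
SAMPLE_LOG = """\
[Wed Jul 16 10:11:12 2014] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "(?i:...)" at REQUEST_COOKIES:SESSabc. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/node/add/page"] [unique_id "U8ZhS38AAQEAAFEPEJAAAAAB"]
[Wed Jul 16 10:11:12 2014] [error] [client 63.227.218.204] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 20, SQLi=5, XSS=0)"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/node/add/page"] [unique_id "U8ZhS38AAQEAAFEPEJAAAAAB"]
[Wed Jul 16 10:12:40 2014] [error] [client 63.227.218.204] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:body[und][0][value]. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "31"] [id "973300"] [msg "Possible XSS Attack Detected - HTML Tag Handler"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/node/42/edit"] [unique_id "U8ZhjX8AAQEAAFEQEJAAAAAC"]
[Wed Jul 16 10:13:02 2014] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:...)" at ARGS:q. [file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "U8ZhoH8AAQEAAFERELAAAAAD"]
"""

# Apache 2.2 prints the client without a port; ModSecurity 2.5 follows with "Warning." or "Access denied".
LINE_RE = re.compile(r'\[client (?P<ip>[\d.]+)\] ModSecurity: (?P<action>\w+)')
FIELD_RE = re.compile(r'\[(?P<key>id|msg|uri) "(?P<val>[^"]*)"\]')
# The CRS inbound anomaly-score rule fires whenever any detection rule scored the request;
# it is a consequence of other hits, so it must not be listed (or removed) as a false positive.
SCORE_RULES = {"981176"}

def parse_events(log_text):
    """Yield (client_ip, action, {id, msg, uri}) for every ModSecurity line that carries a rule id."""
    for line in log_text.splitlines():
        head = LINE_RE.search(line)
        if not head:
            continue
        fields = {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line)}
        if "id" in fields:
            yield head.group("ip"), head.group("action"), fields

def false_positive_report(log_text, trusted_ip):
    """Tally rule hits caused by one trusted client, and the URIs on which each rule fired."""
    hits = Counter()
    uris = defaultdict(set)
    for ip, _action, f in parse_events(log_text):
        if ip != trusted_ip or f["id"] in SCORE_RULES:
            continue
        hits[(f["id"], f["msg"])] += 1
        uris[f["id"]].add(f.get("uri", "?"))
    return hits, uris

def suggest_exclusions(hits, uris):
    """Render each candidate as Apache config lines: a comment, then a <Location>-scoped exclusion."""
    out = []
    for (rule_id, msg), n in hits.most_common():
        for uri in sorted(uris[rule_id]):
            out.append(f"# {n} hit(s) from trusted staff on {uri}: {msg}")
            out.append(f"<Location {uri}>")            # scoping keeps the rule active elsewhere
            out.append(f"    SecRuleRemoveById {rule_id}")
            out.append("</Location>")
    return out

if __name__ == "__main__":
    print("\n".join(suggest_exclusions(*false_positive_report(SAMPLE_LOG, "63.227.218.204"))))
```

Run it against the filtered output.log instead of SAMPLE_LOG to get the real candidate list; each stub still needs a human decision, since a Drupal body field that legitimately contains HTML is a different case from a rule that fires on every cookie.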