I have had a good crack at trying to get this to work, but to no avail, unfortunately.
SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403" I tried changing the contains string to various things that may be relevant, but still no joy. Is it perhaps because both the reverse proxy and the internal apache server are configured for https? How do I tell whether my system is using base64 to encode the username in the header? I have to say I am completely lost with this now, it seems like something that modsecurity should be able to do, but I don't know where to start with debugging, or testing this to get it to work? Any ideas anyone? Rgds Gary -----Original Message----- From: Chaim Sanders [mailto:csand...@trustwave.com] Sent: 14 March 2016 15:58 To: Mansell, Gary <gary.mans...@ricardo.com>; owasp-modsecurity-core-rule-set@lists.owasp.org Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts? Hey Gary, This Is actually a great question and should be very easily possible. Typically Basic Authentication uses base64. So you could do something similar to the following (untested) SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1, t:base64Decode,deny,status:403' -----Original Message----- From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Mansell, Gary Sent: Monday, March 14, 2016 11:13 AM To: owasp-modsecurity-core-rule-set@lists.owasp.org Subject: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts? Hi, I have an internal Web application that uses Apache Basic Authentication, checking user account logins against an internal LDAP Server for authentication. I am now looking to present this Web Application to whitelisted IP's on the Internet, by means of a Reverse Proxy Apache Server in a DMZ with modsecurity enabled and one of the free rulesets to protect the application being abused. Both the Reverse Proxy and the Internal Apache server are configured for https only. It occurs to me that Administrative users should never be able to login to the Web Application from the via the Reverse Proxy Apache server - I hence wonder if it is possible to use modsecurity on the Reverse Apache server to prevent specific Admin user accounts from logging in to the Web Application? If so, please can someone point me in the direction of how I might achieve this? Thanks Gary -------------------------------------------------------------------------------------------------------------------------------------------------------------- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately and delete this e-mail from your system. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Ricardo (save for reports and other documentation formally approved and signed for release to the intended recipient). Only Directors are authorised to enter into legally binding obligations on behalf of Ricardo. Ricardo may monitor outgoing and incoming e-mails and other telecommunications systems. By replying to this e-mail you give consent to such monitoring. The recipient should check e-mail and any attachments for the presence of viruses. Ricardo accepts no liability for any damage caused by any virus transmitted by this e-mail. "Ricardo" means Ricardo plc and its subsidiary companies. Ricardo plc is a public limited company registered in England with registered number 00222915. The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by Sea, West Sussex, BN43 5FG. -------------------------------------------------------------------------------------------------------------------------------------------------------------- _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org http://scanmail.trustwave.com/?c=4062&d=qNrm1jzohWd6Hhew-EByzVy5SyFDlULBnh2eUagXVg&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. -------------------------------------------------------------------------------------------------------------------------------------------------------------- This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately and delete this e-mail from your system. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Ricardo (save for reports and other documentation formally approved and signed for release to the intended recipient). Only Directors are authorised to enter into legally binding obligations on behalf of Ricardo. Ricardo may monitor outgoing and incoming e-mails and other telecommunications systems. By replying to this e-mail you give consent to such monitoring. The recipient should check e-mail and any attachments for the presence of viruses. Ricardo accepts no liability for any damage caused by any virus transmitted by this e-mail. "Ricardo" means Ricardo plc and its subsidiary companies. Ricardo plc is a public limited company registered in England with registered number 00222915. The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by Sea, West Sussex, BN43 5FG. -------------------------------------------------------------------------------------------------------------------------------------------------------------- _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
