Hey Gary,
While I'm not sure what's going wrong with your rule I suggest you check out 
the debug log... it will usually contain valuable information to help you debug 
your issues :). Maybe someone else will be able to spot the issue.

-----Original Message-----
From: Mansell, Gary [mailto:gary.mans...@ricardo.com]
Sent: Thursday, March 31, 2016 12:31 PM
To: Chaim Sanders <csand...@trustwave.com>; 
owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use 
modsecurity rules to prevent logins by specific user accounts?

Is there no one who can help me further on this, as it seems exactly the sort 
of thing that modsecurity should be able to do (but I am struggling with)?

All of my Web Application admin accounts end in the string "admin", and I would 
like to be able to use a modsecurity rule on the reverse proxy server in the 
DMZ to prevent any admin logins (as admins should only ever login directly via 
the internal apache server rather than the reverse proxy)?

It is my understanding that even though this is a https request, as this 
application uses basic authentication, every request via the reverse apache 
server includes a base64 encoded username and password in the authorisation 
header - I can't understand why I can't block this with a simple modsecurity 
rule.

The rule suggestion that I was sent by Chaim seems to make sense to me, but I 
just can't get it to work - it seems to be looking to deny any request with an 
Authorization header containing the string "admin:".

SecRule REQUEST_HEADERS:Authorization "@contains admin:" 
"id:1,t:base64Decode,deny,status:403"

Can anyone help me on this - is there just a simple typo in the rule perhaps? 
Do I have to choose a unique ID value other than 1 (as I had the Owasp core 
rule set configured too)?

Rgds

Gary




I have had a good crack at trying to get this to work, but to no avail, 
unfortunately.

SecRule REQUEST_HEADERS:Authorization "@contains admin:" 
"id:1,t:base64Decode,deny,status:403"

I tried changing the contains string to various things that may be relevant, 
but still no joy.

Is it perhaps because both the reverse proxy and the internal apache server are 
configured for https?

How do I tell whether my system is using base64 to encode the username in the 
header?

I have to say I am completely lost with this now, it seems like something that 
modsecurity should be able to do, but I don't know where to start with 
debugging, or testing this to get it to work?

Any ideas anyone?

Rgds

Gary
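An added example, written for this page and not taken from any message in the 
thread: a Python model of the check the DMZ reverse proxy needs to make. With 
Basic authentication the Authorization header value is the scheme word, a 
space, and base64(user:password) (RFC 7617). The rule quoted above applies 
t:base64Decode to the whole header value, so the "Basic " prefix goes into the 
decoder together with the token; the decoder output is therefore not 
user:password, and "@contains admin:" has nothing to match. The functions 
below isolate the token first, decode only that, split on the first colon 
(passwords may contain colons), and test the username suffix case-insensitively; 
inspect_header answers the question of whether a client really sends base64 by 
showing what the token decodes to. All account names, passwords and header 
values are constructed for the demonstration.

```python
# Added example (editor's, not from the thread): model of the check a reverse
# proxy must make to refuse Basic-auth logins for accounts ending in "admin".
import base64
import binascii
import re

# RFC 7617: Authorization: Basic <base64(user ":" password)>.  The scheme word
# and the space are NOT part of the base64 data, which is why decoding the
# whole header value never yields "user:password".
_BASIC_RE = re.compile(r"^\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*$", re.IGNORECASE)


def basic_credentials(header):
    """Return (username, password) from a Basic Authorization header, or None."""
    m = _BASIC_RE.match(header or "")
    if not m:
        return None                      # other scheme, empty, or not base64
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                      # bad padding or non-text payload
    if ":" not in text:
        return None                      # credential must be user:password
    user, _, password = text.partition(":")   # first ':' only; passwords may contain ':'
    return user, password


def is_admin_login(header, suffix="admin"):
    """True when the username in the header ends with the admin suffix."""
    creds = basic_credentials(header)
    return creds is not None and creds[0].lower().endswith(suffix.lower())


def proxy_decision(header):
    """Decision the DMZ proxy should take for this request: 'deny' or 'pass'.
    'pass' only means this check does not block; the backend still authenticates."""
    return "deny" if is_admin_login(header) else "pass"


def inspect_header(header):
    """Debug view for 'is my client really sending base64?': returns the
    scheme, the raw token, and the decoded text (or an error description)."""
    scheme, _, token = (header or "").strip().partition(" ")
    token = token.strip()
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError) as exc:
        decoded = "<not base64: %s>" % exc
    return {"scheme": scheme, "token": token, "decoded": decoded}


def make_basic_header(user, password):
    """Build the header a client would send; handy for a curl -H test."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


# Constructed sample requests for the demonstration; none are real accounts.
SAMPLE_HEADERS = {
    "admin":   make_basic_header("siteadmin", "Secret1"),
    "user":    make_basic_header("jsmith", "Secret2"),
    "colonpw": make_basic_header("ops-admin", "pa:ss"),   # password containing ':'
    "garbage": "Basic not-base64!!",
    "bearer":  "Bearer eyJhbGciOiJub25lIn0.e30.",
    "missing": "",
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print("%-8s %-5s %s" % (name, proxy_decision(hdr), inspect_header(hdr)["decoded"]))
```

Run the file to print the decision for each sample, or build a header with 
make_basic_header and send it with curl -H "Authorization: ..." at the proxy 
to see which rule fires in the debug log. In ModSecurity terms the same logic 
is a chained rule that captures the token after the scheme and applies 
base64Decode only to that capture; the following is my untested sketch written 
to mirror the functions above, not a rule from the thread:

SecRule REQUEST_HEADERS:Authorization "@rx ^Basic\s+([A-Za-z0-9+/=]+)$" "id:1001,phase:1,t:none,capture,chain,log,deny,status:403,msg:'Admin login via reverse proxy blocked'"
SecRule TX:1 "@rx (?i)^[^:]*admin:" "t:none,t:base64Decode"

The id has to be unique across every loaded rule, because ModSecurity refuses 
to start when two rules share an id; the CRS rules all use ids in the 9xxxxx 
range, so a low local id such as 1001 does not collide with them.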


-----Original Message-----
From: Chaim Sanders [mailto:csand...@trustwave.com]
Sent: 14 March 2016 15:58
To: Mansell, Gary <gary.mans...@ricardo.com>; 
owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use 
modsecurity rules to prevent logins by specific user accounts?

Hey Gary,
This is actually a great question and should be very easily possible. Typically 
Basic Authentication uses base64. So you could do something similar to the 
following (untested):

SecRule REQUEST_HEADERS:Authorization "@contains admin:" 
"id:1, t:base64Decode,deny,status:403"

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Mansell, Gary
Sent: Monday, March 14, 2016 11:13 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity 
rules to prevent logins by specific user accounts?

Hi,

I have an internal Web application that uses Apache Basic Authentication, 
checking user account logins against an internal LDAP Server for authentication.

I am now looking to present this Web Application to whitelisted IPs on the 
Internet, by means of a Reverse Proxy Apache Server in a DMZ with modsecurity 
enabled and one of the free rulesets to protect the application from being abused. 
Both the Reverse Proxy and the Internal Apache server are configured for https 
only.

It occurs to me that Administrative users should never be able to login to the 
Web Application via the Reverse Proxy Apache server - I hence wonder 
if it is possible to use modsecurity on the Reverse Apache server to prevent 
specific Admin user accounts from logging in to the Web Application?

If so, please can someone point me in the direction of how I might achieve this?

Thanks

Gary



--------------------------------------------------------------------------------------------------------------------------------------------------------------
This e-mail and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this e-mail in error please notify the sender immediately and 
delete this e-mail from your system.
Please note that any views or opinions presented in this e-mail are solely 
those of the author and do not necessarily represent those of Ricardo (save for 
reports and other documentation formally approved and signed for release to the 
intended recipient). Only Directors are authorised to enter into legally 
binding obligations on behalf of Ricardo. Ricardo may monitor outgoing and 
incoming e-mails and other telecommunications systems. By replying to this 
e-mail you give consent to such monitoring. The recipient should check e-mail 
and any attachments for the presence of viruses. Ricardo accepts no liability 
for any damage caused by any virus transmitted by this e-mail.
"Ricardo" means Ricardo plc and its subsidiary companies.
Ricardo plc is a public limited company registered in England with registered 
number 00222915.
The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by 
Sea, West Sussex, BN43 5FG.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list 
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________

This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
strictly prohibited. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.

