Any luck, Gary?

Suggestions:

- Try the debug log.
- Do this step by step. Step #1: try to match the encoded header value (the one with the username:password in base64).
Ahoj,

Christian

On Thu, Mar 31, 2016 at 04:33:09PM +0000, Chaim Sanders wrote:
> Hey Gary,
> While I'm not sure what's going wrong with your rule I suggest you check out
> the debug log... it will usually contain valuable information to help you
> debug your issues :). Maybe someone else will be able to spot the issue.
>
> -----Original Message-----
> From: Mansell, Gary [mailto:gary.mans...@ricardo.com]
> Sent: Thursday, March 31, 2016 12:31 PM
> To: Chaim Sanders <csand...@trustwave.com>;
> owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use
> modsecurity rules to prevent logins by specific user accounts?
>
> Is there no one who can help me further on this, as it seems exactly the sort
> of thing that modsecurity should be able to do (but I am struggling with)?
>
> All of my Web Application admin accounts end in the string "admin", and I
> would like to be able to use a modsecurity rule on the reverse proxy server
> in the DMZ to prevent any admin logins (as admins should only ever login
> directly via the internal apache server rather than the reverse proxy)?
>
> It is my understanding that even though this is a https request, as this
> application uses basic authentication, every request via the reverse apache
> server includes a base64 encoded username and password in the authorisation
> header - I can't understand why I can't block this with a simple modsecurity
> rule.
>
> The rule suggestion that I was sent by Chaim seems to make sense to me, but I
> just can't get it to work - it seems to be looking to deny any request with
> authorization Header containing the string "admin:"
>
> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>
> Can anyone help me on this - is there just a simple typo in the rule perhaps?
> Do I have to choose a unique ID value other than 1 (as I had the Owasp core
> rule set configured too)?
>
> Rgds
>
> Gary
>
>
> I have had a good crack at trying to get this to work, but to no avail,
> unfortunately.
>
> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>
> I tried changing the contains string to various things that may be relevant,
> but still no joy.
>
> Is it perhaps because both the reverse proxy and the internal apache server
> are configured for https?
>
> How do I tell whether my system is using base64 to encode the username in the
> header?
>
> I have to say I am completely lost with this now, it seems like something
> that modsecurity should be able to do, but I don't know where to start with
> debugging, or testing this to get it to work?
>
> Any ideas anyone?
>
> Rgds
>
> Gary
>
>
> -----Original Message-----
> From: Chaim Sanders [mailto:csand...@trustwave.com]
> Sent: 14 March 2016 15:58
> To: Mansell, Gary <gary.mans...@ricardo.com>;
> owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use
> modsecurity rules to prevent logins by specific user accounts?
>
> Hey Gary,
> This is actually a great question and should be very easily possible.
> Typically Basic Authentication uses base64. So you could do something similar
> to the following (untested):
>
> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>
> -----Original Message-----
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of
> Mansell, Gary
> Sent: Monday, March 14, 2016 11:13 AM
> To: owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity
> rules to prevent logins by specific user accounts?
>
> Hi,
>
> I have an internal Web application that uses Apache Basic Authentication,
> checking user account logins against an internal LDAP Server for
> authentication.
>
> I am now looking to present this Web Application to whitelisted IPs on the
> Internet, by means of a Reverse Proxy Apache Server in a DMZ with modsecurity
> enabled and one of the free rulesets to protect the application from being
> abused. Both the Reverse Proxy and the Internal Apache server are configured
> for https only.
>
> It occurs to me that Administrative users should never be able to login to
> the Web Application via the Reverse Proxy Apache server - I hence wonder if
> it is possible to use modsecurity on the Reverse Apache server to prevent
> specific Admin user accounts from logging in to the Web Application?
>
> If so, please can someone point me in the direction of how I might achieve
> this?
>
> Thanks
>
> Gary
>
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
> This e-mail and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed. If
> you have received this e-mail in error please notify the sender immediately
> and delete this e-mail from your system.
> Please note that any views or opinions presented in this e-mail are solely
> those of the author and do not necessarily represent those of Ricardo (save
> for reports and other documentation formally approved and signed for release
> to the intended recipient). Only Directors are authorised to enter into
> legally binding obligations on behalf of Ricardo. Ricardo may monitor
> outgoing and incoming e-mails and other telecommunications systems. By
> replying to this e-mail you give consent to such monitoring. The recipient
> should check e-mail and any attachments for the presence of viruses. Ricardo
> accepts no liability for any damage caused by any virus transmitted by this
> e-mail.
> "Ricardo" means Ricardo plc and its subsidiary companies.
> Ricardo plc is a public limited company registered in England with registered
> number 00222915.
> The registered office of Ricardo plc is Shoreham Technical Centre,
> Shoreham-by Sea, West Sussex, BN43 5FG.
> --------------------------------------------------------------------------------------------------------------------------------------------------------------
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> ________________________________
>
> This transmission may contain information that is privileged, confidential,
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is strictly prohibited. If you received this transmission
> in error, please immediately contact the sender and destroy the material in
> its entirety, whether in electronic or hard copy format.

-- 
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
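The decision the thread is trying to express as a ModSecurity rule, written out as an added example (not code from the thread or from ModSecurity). It is Python rather than rule syntax so it can be run offline against constructed Authorization header values; it parses the Basic credential the way RFC 7617 defines it (scheme token, then base64 of user-id:password, with the user-id never containing a colon), applies the thread's policy (refuse any user-id ending in "admin"), and contrasts that with two things the posted rule does: a plain "admin:" substring test on the decoded text, and decoding the whole header value with the "Basic " scheme token still attached. The user names, passwords and header values are constructed test inputs; `basic_header` is a helper added here to build them.

```python
# Added example (not from the thread): the check a reverse proxy has to make
# to refuse Basic-auth logins for accounts whose name ends in "admin".
# All header values used here are constructed test inputs.
import base64
import binascii
from typing import Optional, Tuple


def parse_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user_id, password) from an RFC 7617 Basic credential, else None.

    None means "no usable Basic credential" (another scheme, bad base64, no
    ':' separator).  Such a request is not an admin login; it is left for the
    origin server's own authentication to reject.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():   # scheme token is case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, ValueError):                 # UnicodeDecodeError is a ValueError
        return None
    # RFC 7617: the user-id may not contain ':'; the password may.  Split once.
    user_id, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user_id, password


def is_admin_login(header_value: str, suffix: str = "admin") -> bool:
    """The thread's policy: refuse any login whose user-id ends in 'admin'.

    Compared case-insensitively, because directory user names usually are and
    a case-sensitive substring match would let 'SiteAdmin' through.
    """
    creds = parse_basic_credentials(header_value)
    return creds is not None and creds[0].lower().endswith(suffix.lower())


def decoded_contains(header_value: str, needle: str = "admin:") -> bool:
    """The posted rule's idea with the scheme token stripped first: decode,
    then run the '@contains admin:' substring test over user-id:password.
    Included because the substring test also fires on a *password* that
    happens to contain 'admin:' and misses 'SiteAdmin:' (case-sensitive)."""
    creds = parse_basic_credentials(header_value)
    return creds is not None and needle in ":".join(creds)


def whole_value_decode_contains(header_value: str, needle: str = "admin:") -> bool:
    """What the posted rule literally does: base64-decode the *entire* header
    value, 'Basic ' included, then substring-match.  The scheme token is not
    part of the credential's base64 text, so the decoder either rejects the
    input or emits bytes in which the credential is no longer byte-aligned;
    'admin:' cannot be found either way."""
    try:
        raw = base64.b64decode(header_value)   # lenient decode (non-alphabet bytes dropped)
    except (binascii.Error, ValueError):
        return False
    return needle.encode() in raw


def basic_header(user_id: str, password: str) -> str:
    """Build a constructed Authorization header value for testing."""
    token = base64.b64encode(f"{user_id}:{password}".encode()).decode()
    return f"Basic {token}"


if __name__ == "__main__":
    samples = [
        basic_header("siteadmin", "s3cret"),   # admin account: must be refused
        basic_header("SiteAdmin", "s3cret"),   # same account, different case
        basic_header("gary", "pw"),            # ordinary user: allowed
        basic_header("gary", "x:admin:y"),     # password contains 'admin:'
        "Bearer c2l0ZWFkbWluOnMzY3JldA==",     # not Basic at all
        "Basic not-base64!!",                  # malformed token
    ]
    for h in samples:
        print(f"{h:<40} admin={is_admin_login(h)!s:<5} "
              f"contains={decoded_contains(h)!s:<5} "
              f"whole_value={whole_value_decode_contains(h)}")
```

The practical consequence for a rule: the base64 transformation must be applied to the token after the "Basic " scheme word, not to the whole header value, so the token has to be captured first and the decode run on the capture. In ModSecurity 2.x terms that is a chained rule (untested, stated here as an assumption about rule syntax, not something from the thread): a first rule on REQUEST_HEADERS:Authorization with `@rx ^Basic\s+(\S+)$`, `capture` and `chain`, followed by a rule on TX:1 with `t:base64Decode` and the match. Rule ids must be unique across every loaded rule file, so an id like 1 should be replaced by one outside the ranges the installed rule set uses.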