Indeed, I missed this. Probably clicked it away. Thank you Barry.
Ahoj,

Christian

On Tue, Apr 05, 2016 at 09:46:58AM +0100, Barry Pollard wrote:
> Christian not sure if you missed this as Gary had replied?
>
> Gary, the key issue is this:
>
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Executing operator "contains" with param "admin:" against REQUEST_HEADERS:Authorization.
> <snip>
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Rule returned 0.
>
> So your rule is not matching for some reason. I would suggest you turn the audit engine on to capture all requests:
>
> SecAuditEngine On
>
> And then see if this Authorization header is included, with a value containing admin, by looking in the audit log.
>
> Alternatively write another rule that matches always:
>
> SecRule "REQUEST_URI" "." "phase:2,id:2,t:base64Decode,log,auditlog,allow"
>
> And again check audit log to see if the Authorization header is included, with a value containing admin.
>
> By the way phase 2 (REQUEST_BODY) also includes phase 1 (REQUEST_HEADER) details. You could move your rule to phase 1 and it will execute earlier which might save you needlessly attempting other phase 2 rules if it fails, but this is not the reason for your failure here.
>
> Hope that helps.
>
> Thanks,
> Barry
>
> > ----------------------------------------
> > From: gary.mans...@ricardo.com
> > To: csand...@trustwave.com; owasp-modsecurity-core-rule-set@lists.owasp.org
> > Date: Mon, 4 Apr 2016 14:28:26 +0000
> > Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> >
> > I have got some debug logs, but am not certain what they are telling me - I wonder if anyone can advise me on this?
> >
> > I have just the one rule in my config now:
> >
> > SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
> >
> > I started a fresh apache session with empty debug log, and accessed the web application from a fresh browser session (15:18:06) and was prompted to enter username and password. I entered the username grmawcadmin and the password and this shows at 15:18:07 in the log below.
> >
> > As far as I can see, it does not seem to run the rule in the REQUEST_HEADERS section, but rather at the REQUEST_BODY - is this what is the problem - ie it is checking for the admin string in the REQUEST_BODY rather than the REQUEST_HEADER?
> >
> > I would gladly appreciate some help on this, as I am rather stuck.
> >
> > Rgds
> >
> > Gary
> >
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Initialising transaction (txid VwJ3nsCoAUcAABgZAbQAAACX).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Adding request cookie: name "__utma", value "1.1672802757.1445242759.1445242759.1456313530.2"
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Adding request cookie: name "__utmz", value "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Transaction context created (dcfg 1039140).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase REQUEST_HEADERS.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Second phase starting (dcfg 1039140).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Input filter: This request does not have a body.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase REQUEST_BODY.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 1 rule(s).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Recipe: Invoking rule 109b5e8; [file "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"].
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Rule returned 0.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] No match, not chained -> mode NEXT_RULE.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Hook insert_filter: Adding output filter (r 7fc1ec0098b0).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase RESPONSE_HEADERS.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Content Injection: Not enabled.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 10 bytes.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 624 bytes.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 8 bytes.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type EOS contains 0 bytes.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Output filter: Completed receiving response body (buffered full - 642 bytes).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase RESPONSE_BODY.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Output filter: Output forwarding complete.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Initialising logging.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase LOGGING.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Recording persistent data took 0 microseconds.
> > [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Audit log: Not configured to run for this request.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Initialising transaction (txid VwJ3qcCoAUcAABgZAbUAAACX).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Adding request cookie: name "__utma", value "1.1672802757.1445242759.1445242759.1456313530.2"
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Adding request cookie: name "__utmz", value "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Transaction context created (dcfg 1039140).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase REQUEST_HEADERS.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Second phase starting (dcfg 1039140).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Input filter: This request does not have a body.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase REQUEST_BODY.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 1 rule(s).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Recipe: Invoking rule 109b5e8; [file "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"].
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] T (0) base64Decode: "\x05\xab""
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Transformation completed in 24 usec.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Executing operator "contains" with param "admin:" against REQUEST_HEADERS:Authorization.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Target value: "\x05\xab""
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Operator completed in 7 usec.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Rule returned 0.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] No match, not chained -> mode NEXT_RULE.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Hook insert_filter: Adding output filter (r 7fc1ec0340f0).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase RESPONSE_HEADERS.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Content Injection: Not enabled.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 1591 bytes.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 1295 bytes.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type FLUSH contains 0 bytes.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 8184 bytes.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 129 bytes.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type EOS contains 0 bytes.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Output filter: Completed receiving response body (buffered full - 11199 bytes).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase RESPONSE_BODY.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Output filter: Output forwarding complete.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Initialising logging.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase LOGGING.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Recording persistent data took 0 microseconds.
> > [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Audit log: Not configured to run for this request.
> >
> > -----Original Message-----
> > From: Chaim Sanders [mailto:csand...@trustwave.com]
> > Sent: 31 March 2016 17:33
> > To: Mansell, Gary <gary.mans...@ricardo.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
> > Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> >
> > Hey Gary,
> > While I'm not sure what's going wrong with your rule I suggest you check out the debug log... it will usually contain valuable information to help you debug your issues :). Maybe someone else will be able to spot the issue.
> >
> > -----Original Message-----
> > From: Mansell, Gary [mailto:gary.mans...@ricardo.com]
> > Sent: Thursday, March 31, 2016 12:31 PM
> > To: Chaim Sanders <csand...@trustwave.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
> > Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> >
> > Is there no one who can help me further on this, as it seems exactly the sort of thing that modsecurity should be able to do (but I am struggling with)?
> >
> > All of my Web Application admin accounts end in the string "admin", and I would like to be able to use a modsecurity rule on the reverse proxy server in the DMZ to prevent any admin logins (as admins should only ever login directly via the internal apache server rather than the reverse proxy)?
> >
> > It is my understanding that even though this is a https request, as this application uses basic authentication, every request via the reverse apache server includes a base64 encoded username and password in the authorisation header - I can't understand why I can't block this with a simple modsecurity rule.
> >
> > The rule suggestion that I was sent by Chaim seems to make sense to me, but I just can't get it to work - it seems to be looking to deny any request with authorization Header containing the string "admin:"
> >
> > SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
> >
> > Can anyone help me on this - is there just a simple typo in the rule perhaps? Do I have to choose a unique ID value other than 1 (as I had the Owasp core rule set configured too)?
> >
> > Rgds
> >
> > Gary
> >
> > I have had a good crack at trying to get this to work, but to no avail, unfortunately.
> >
> > SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
> >
> > I tried changing the contains string to various things that may be relevant, but still no joy.
> >
> > Is it perhaps because both the reverse proxy and the internal apache server are configured for https?
> >
> > How do I tell whether my system is using base64 to encode the username in the header?
> >
> > I have to say I am completely lost with this now, it seems like something that modsecurity should be able to do, but I don't know where to start with debugging, or testing this to get it to work?
> >
> > Any ideas anyone?
> >
> > Rgds
> >
> > Gary
> >
> > -----Original Message-----
> > From: Chaim Sanders [mailto:csand...@trustwave.com]
> > Sent: 14 March 2016 15:58
> > To: Mansell, Gary <gary.mans...@ricardo.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
> > Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> >
> > Hey Gary,
> > This is actually a great question and should be very easily possible. Typically Basic Authentication uses base64. So you could do something similar to the following (untested):
> >
> > SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
> >
> > -----Original Message-----
> > From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Mansell, Gary
> > Sent: Monday, March 14, 2016 11:13 AM
> > To: owasp-modsecurity-core-rule-set@lists.owasp.org
> > Subject: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> >
> > Hi,
> >
> > I have an internal Web application that uses Apache Basic Authentication, checking user account logins against an internal LDAP Server for authentication.
> >
> > I am now looking to present this Web Application to whitelisted IPs on the Internet, by means of a Reverse Proxy Apache Server in a DMZ with modsecurity enabled and one of the free rulesets to protect the application from being abused. Both the Reverse Proxy and the Internal Apache server are configured for https only.
> >
> > It occurs to me that Administrative users should never be able to login to the Web Application via the Reverse Proxy Apache server - I hence wonder if it is possible to use modsecurity on the Reverse Apache server to prevent specific Admin user accounts from logging in to the Web Application?
> >
> > If so, please can someone point me in the direction of how I might achieve this?
> >
> > Thanks
> >
> > Gary
> >
> > --------------------------------------------------------------------------------------------------------------------------------------------------------------
> > This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender immediately and delete this e-mail from your system.
> > Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Ricardo (save for reports and other documentation formally approved and signed for release to the intended recipient). Only Directors are authorised to enter into legally binding obligations on behalf of Ricardo. Ricardo may monitor outgoing and incoming e-mails and other telecommunications systems. By replying to this e-mail you give consent to such monitoring. The recipient should check e-mail and any attachments for the presence of viruses. Ricardo accepts no liability for any damage caused by any virus transmitted by this e-mail.
> > "Ricardo" means Ricardo plc and its subsidiary companies.
> > Ricardo plc is a public limited company registered in England with registered number 00222915.
> > The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by Sea, West Sussex, BN43 5FG.
> > --------------------------------------------------------------------------------------------------------------------------------------------------------------
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > http://scanmail.trustwave.com/?c=4062&d=wND91tX1TZq0UB15loWcH4RfFlxJe-IvfXYgFS8s2g&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set
> >
> > ________________________________
> >
> > This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
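Added example, not part of the thread and not code from ModSecurity or the CRS project: a small Python script that checks the one hard fact the debug log gives us and then parses the header the way a proxy-side "no admin logins through the reverse proxy" check needs to. An HTTP Basic Authorization header carries the scheme word and then the credentials token, `Basic <base64 of user:password>`. The transformed target value the log reports, `"\x05\xab""`, is exactly what base64-decoding the first four characters of the word `Basic` produces, which is consistent with `t:base64Decode` having run over the whole header value rather than over the token after the scheme word; a decoded value like that can never contain `admin:`, so the rule returns 0 just as the log shows. The username `grmawcadmin` is the one Gary used in the thread; the password, the header built from it and the function names are constructed for this example.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample credentials: the username is the one used in the thread,
# the password is made up for this example.
SAMPLE_USER = "grmawcadmin"
SAMPLE_PASSWORD = "secret"


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_scheme_prefix(header: str) -> bytes:
    """Base64-decode the first complete 4-character group of the raw header
    value. For a Basic header that group is the word fragment 'Basi', which
    decodes to b'\\x05\\xab"', the bytes the debug log reports as the
    transformed target value. The string 'admin:' cannot occur in that output,
    so a contains-check on it never matches."""
    return base64.b64decode(header[:4])


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a 'Basic <base64>' Authorization
    header, or None if the header is not well-formed Basic auth.

    The scheme word is split off first so that only the credentials token is
    base64-decoded; that is the step the thread's rule is missing."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def is_admin_login(header: str, suffix: str = "admin") -> bool:
    """Policy from the thread: every administrative account name ends in
    'admin', and such logins must not be accepted through the reverse proxy."""
    creds = parse_basic_auth(header)
    return creds is not None and creds[0].lower().endswith(suffix)


if __name__ == "__main__":
    hdr = make_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print("header:", hdr)
    print("decoding the scheme word instead of the token:", decode_scheme_prefix(hdr))
    print("parsed credentials:", parse_basic_auth(hdr))
    print("admin login via proxy?", is_admin_login(hdr))
```

The practical consequence for a WAF rule is that the base64 transformation has to be applied to the credentials token only, not to the whole header value; in ModSecurity that would mean isolating the part after the scheme word (for instance with a regex capture) and testing the captured value in a chained rule, which is my suggestion rather than something the thread verified. Barry's advice to confirm via the audit log that the header actually reaches the proxy with the expected value still applies first.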