One other thing I've just spotted:

I entered the username grmawcadmin

Executing operator "contains" with param "admin:" against REQUEST_HEADERS:Authorization.

The username does not contain "admin:" with a colon. Do you need to remove the colon from your rule?

Thanks,
Barry

----------------------------------------
> Date: Tue, 5 Apr 2016 11:13:42 +0200
> From: christian.fol...@netnea.com
> To: barry_poll...@hotmail.com
> CC: gary.mans...@ricardo.com; csand...@trustwave.com; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>
> Indeed, I missed this. Probably clicked it away.
>
> Thank you Barry.
>
> Cheers,
>
> Christian
>
> On Tue, Apr 05, 2016 at 09:46:58AM +0100, Barry Pollard wrote:
>> Christian, not sure if you missed this as Gary had replied?
>>
>> Gary, the key issue is this:
>>
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Executing operator "contains" with param "admin:" against REQUEST_HEADERS:Authorization.
>> <snip>
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Rule returned 0.
>>
>> So your rule is not matching for some reason. I would suggest you turn the audit engine on to capture all requests:
>>
>> SecAuditEngine On
>>
>> And then see if this Authorization header is included, with a value containing admin, by looking in the audit log.
>>
>> Alternatively write another rule that matches always:
>>
>> SecRule "REQUEST_URI" "." "phase:2,id:2,t:base64Decode,log,auditlog,allow"
>>
>> And again check the audit log to see if the Authorization header is included, with a value containing admin.
>>
>> By the way, phase 2 (REQUEST_BODY) also includes phase 1 (REQUEST_HEADER) details.
>> You could move your rule to phase 1 and it will execute earlier, which might save you needlessly attempting other phase 2 rules if it fails, but this is not the reason for your failure here.
>>
>> Hope that helps.
>>
>> Thanks,
>> Barry
>>
>> ----------------------------------------
>>> From: gary.mans...@ricardo.com
>>> To: csand...@trustwave.com; owasp-modsecurity-core-rule-set@lists.owasp.org
>>> Date: Mon, 4 Apr 2016 14:28:26 +0000
>>> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>>
>>> I have got some debug logs, but am not certain what they are telling me - I wonder if anyone can advise me on this?
>>>
>>> I have just the one rule in my config now:
>>>
>>> SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
>>>
>>> I started a fresh apache session with an empty debug log, and accessed the web application from a fresh browser session (15:18:06) and was prompted to enter username and password. I entered the username grmawcadmin and the password and this shows at 15:18:07 in the log below.
>>>
>>> As far as I can see, it does not seem to run the rule in the REQUEST_HEADERS section, but rather at the REQUEST_BODY - is this what the problem is, i.e. it is checking for the admin string in the REQUEST_BODY rather than the REQUEST_HEADER?
>>>
>>> I would gladly appreciate some help on this, as I am rather stuck.
>>>
>>> Rgds
>>>
>>> Gary
>>>
>>>
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Initialising transaction (txid VwJ3nsCoAUcAABgZAbQAAACX).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Adding request cookie: name "__utma", value "1.1672802757.1445242759.1445242759.1456313530.2"
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Adding request cookie: name "__utmz", value "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Transaction context created (dcfg 1039140).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase REQUEST_HEADERS.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Second phase starting (dcfg 1039140).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Input filter: This request does not have a body.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase REQUEST_BODY.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 1 rule(s).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Recipe: Invoking rule 109b5e8; [file "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"].
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Rule returned 0.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] No match, not chained -> mode NEXT_RULE.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Hook insert_filter: Adding output filter (r 7fc1ec0098b0).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase RESPONSE_HEADERS.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Content Injection: Not enabled.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 10 bytes.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 624 bytes.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 8 bytes.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] Output filter: Bucket type EOS contains 0 bytes.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Output filter: Completed receiving response body (buffered full - 642 bytes).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase RESPONSE_BODY.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Output filter: Output forwarding complete.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Initialising logging.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Starting phase LOGGING.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Recording persistent data took 0 microseconds.
>>> [04/Apr/2016:15:18:06 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] Audit log: Not configured to run for this request.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Initialising transaction (txid VwJ3qcCoAUcAABgZAbUAAACX).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Adding request cookie: name "__utma", value "1.1672802757.1445242759.1445242759.1456313530.2"
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Adding request cookie: name "__utmz", value "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Transaction context created (dcfg 1039140).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase REQUEST_HEADERS.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Second phase starting (dcfg 1039140).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Input filter: This request does not have a body.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase REQUEST_BODY.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 1 rule(s).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Recipe: Invoking rule 109b5e8; [file "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"].
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] T (0) base64Decode: "\x05\xab""
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Transformation completed in 24 usec.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Executing operator "contains" with param "admin:" against REQUEST_HEADERS:Authorization.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Target value: "\x05\xab""
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Operator completed in 7 usec.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Rule returned 0.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] No match, not chained -> mode NEXT_RULE.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Hook insert_filter: Adding output filter (r 7fc1ec0340f0).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase RESPONSE_HEADERS.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Content Injection: Not enabled.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 1591 bytes.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 1295 bytes.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type FLUSH contains 0 bytes.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 8184 bytes.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type TRANSIENT contains 129 bytes.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] Output filter: Bucket type EOS contains 0 bytes.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Output filter: Completed receiving response body (buffered full - 11199 bytes).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase RESPONSE_BODY.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Output filter: Output forwarding complete.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Initialising logging.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Starting phase LOGGING.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] This phase consists of 0 rule(s).
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Recording persistent data took 0 microseconds.
>>> [04/Apr/2016:15:18:17 +0100] [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] Audit log: Not configured to run for this request.
>>>
>>> -----Original Message-----
>>> From: Chaim Sanders [mailto:csand...@trustwave.com]
>>> Sent: 31 March 2016 17:33
>>> To: Mansell, Gary <gary.mans...@ricardo.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
>>> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>>
>>> Hey Gary,
>>> While I'm not sure what's going wrong with your rule, I suggest you check out the debug log... it will usually contain valuable information to help you debug your issues :). Maybe someone else will be able to spot the issue.
>>>
>>> -----Original Message-----
>>> From: Mansell, Gary [mailto:gary.mans...@ricardo.com]
>>> Sent: Thursday, March 31, 2016 12:31 PM
>>> To: Chaim Sanders <csand...@trustwave.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
>>> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>>
>>> Is there no one who can help me further on this, as it seems exactly the sort of thing that modsecurity should be able to do (but I am struggling with)?
>>>
>>> All of my Web Application admin accounts end in the string "admin", and I would like to be able to use a modsecurity rule on the reverse proxy server in the DMZ to prevent any admin logins (as admins should only ever login directly via the internal apache server rather than the reverse proxy).
>>>
>>> It is my understanding that even though this is an https request, as this application uses basic authentication, every request via the reverse apache server includes a base64 encoded username and password in the authorisation header - I can't understand why I can't block this with a simple modsecurity rule.
>>>
>>> The rule suggestion that I was sent by Chaim seems to make sense to me, but I just can't get it to work - it seems to be looking to deny any request with an authorization header containing the string "admin:"
>>>
>>> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>>>
>>> Can anyone help me on this - is there just a simple typo in the rule perhaps? Do I have to choose a unique ID value other than 1 (as I had the Owasp core rule set configured too)?
>>>
>>> Rgds
>>>
>>> Gary
>>>
>>>
>>> I have had a good crack at trying to get this to work, but to no avail, unfortunately.
>>>
>>> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>>>
>>> I tried changing the contains string to various things that may be relevant, but still no joy.
>>>
>>> Is it perhaps because both the reverse proxy and the internal apache server are configured for https?
>>>
>>> How do I tell whether my system is using base64 to encode the username in the header?
>>>
>>> I have to say I am completely lost with this now; it seems like something that modsecurity should be able to do, but I don't know where to start with debugging or testing this to get it to work.
>>>
>>> Any ideas anyone?
>>>
>>> Rgds
>>>
>>> Gary
>>>
>>>
>>> -----Original Message-----
>>> From: Chaim Sanders [mailto:csand...@trustwave.com]
>>> Sent: 14 March 2016 15:58
>>> To: Mansell, Gary <gary.mans...@ricardo.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
>>> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>>
>>> Hey Gary,
>>> This is actually a great question and should be very easily possible. Typically Basic Authentication uses base64. So you could do something similar to the following (untested):
>>>
>>> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
>>>
>>> -----Original Message-----
>>> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Mansell, Gary
>>> Sent: Monday, March 14, 2016 11:13 AM
>>> To: owasp-modsecurity-core-rule-set@lists.owasp.org
>>> Subject: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
>>>
>>> Hi,
>>>
>>> I have an internal Web application that uses Apache Basic Authentication, checking user account logins against an internal LDAP Server for authentication.
>>>
>>> I am now looking to present this Web Application to whitelisted IPs on the Internet, by means of a Reverse Proxy Apache Server in a DMZ with modsecurity enabled and one of the free rulesets to protect the application from being abused. Both the Reverse Proxy and the Internal Apache server are configured for https only.
>>>
>>> It occurs to me that Administrative users should never be able to login to the Web Application via the Reverse Proxy Apache server - I hence wonder if it is possible to use modsecurity on the Reverse Apache server to prevent specific Admin user accounts from logging in to the Web Application?
>>>
>>> If so, please can someone point me in the direction of how I might achieve this?
>>>
>>> Thanks
>>>
>>> Gary
>>>
>>>
>>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>>> This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
>>> If you have received this e-mail in error please notify the sender immediately and delete this e-mail from your system.
>>> Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of Ricardo (save for reports and other documentation formally approved and signed for release to the intended recipient). Only Directors are authorised to enter into legally binding obligations on behalf of Ricardo. Ricardo may monitor outgoing and incoming e-mails and other telecommunications systems. By replying to this e-mail you give consent to such monitoring. The recipient should check e-mail and any attachments for the presence of viruses. Ricardo accepts no liability for any damage caused by any virus transmitted by this e-mail.
>>> "Ricardo" means Ricardo plc and its subsidiary companies.
>>> Ricardo plc is a public limited company registered in England with registered number 00222915.
>>> The registered office of Ricardo plc is Shoreham Technical Centre, Shoreham-by Sea, West Sussex, BN43 5FG.
>>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
>>> _______________________________________________
>>> Owasp-modsecurity-core-rule-set mailing list
>>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>>> http://scanmail.trustwave.com/?c=4062&d=wND91tX1TZq0UB15loWcH4RfFlxJe-IvfXYgFS8s2g&s=5&u=https%3a%2f%2flists%2eowasp%2eorg%2fmailman%2flistinfo%2fowasp-modsecurity-core-rule-set
>>>
>>> ________________________________
>>>
>>> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law.
>>> If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
>
> --
> mailto:christian.fol...@netnea.com
> http://www.christian-folini.ch
> twitter: @ChrFolini
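Added example (mine, not code from the thread or from the ModSecurity project): it models what `t:base64Decode` does when applied to the whole `Basic ...` header value, reproduces the `"\x05\xab""` that the debug log above prints as the target value, and contrasts it with decoding only the token that follows the scheme. The assumption that the transformation stops at the first non-base64 character is mine, and `make_basic_header`, `basic_credentials`, `admin_login_via_proxy` and the sample password are constructions for this example.

```python
"""Why the rule in the thread never matches: modelled t:base64Decode on a
full Authorization header versus decoding only the Basic-auth token.
Assumption (mine): t:base64Decode consumes base64 characters from the start
of the value, stops at the first character outside the alphabet (such as the
space after "Basic") and drops an incomplete trailing group."""
import base64
import re
import string
from typing import Optional

B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def modsec_base64_decode(value: str) -> bytes:
    """Model of t:base64Decode applied to a whole header value (see assumption)."""
    out = bytearray()
    bits, nbits = 0, 0
    for ch in value:
        idx = B64_ALPHABET.find(ch)
        if idx < 0:                 # '=' padding, a space, or anything else ends decoding
            break
        bits = ((bits << 6) | idx) & 0xFFFF
        nbits += 6
        if nbits >= 8:              # emit a byte as soon as eight bits are available
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)               # "Basic ..." -> only "Basi" decodes: b'\x05\xab"'


def modsec_repr(data: bytes) -> str:
    """Render bytes the way the debug log prints them: \\xNN for non-printables."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in data)


def make_basic_header(user: str, password: str) -> str:
    """Build the header a browser sends for HTTP Basic auth (RFC 7617)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def rule_as_posted(auth_header: str, needle: str = "admin:") -> bool:
    """The posted rule: t:base64Decode over the whole value, then @contains admin:."""
    return needle.encode() in modsec_base64_decode(auth_header)


def basic_credentials(auth_header: str) -> Optional[str]:
    """Split off the 'Basic' scheme and decode only the credential token."""
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/]+={0,2})", auth_header.strip(), re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:              # binascii.Error is a ValueError: malformed token
        return None


def admin_login_via_proxy(auth_header: str) -> bool:
    """Policy from the thread: Basic-auth logins whose username ends in 'admin'."""
    creds = basic_credentials(auth_header)
    if creds is None:
        return False
    return creds.split(":", 1)[0].endswith("admin")


# Constructed sample: the username from the thread with a made-up password.
SAMPLE_HEADER = make_basic_header("grmawcadmin", "s3cret-constructed")

# The same idea in ModSecurity terms (my suggestion, untested): capture the token
# after the scheme and apply t:base64Decode to the capture only, e.g.
#   SecRule REQUEST_HEADERS:Authorization "@rx ^Basic\s+(.+)$" \
#       "id:1,phase:1,capture,chain,deny,status:403"
#       SecRule TX:1 "@rx ^[^:]*admin:" "t:base64Decode"

if __name__ == "__main__":
    decoded = modsec_base64_decode(SAMPLE_HEADER)
    print("t:base64Decode on the whole header ->", modsec_repr(decoded))  # \x05\xab"
    print("rule as posted matches:", rule_as_posted(SAMPLE_HEADER))        # False
    print("credentials:", basic_credentials(SAMPLE_HEADER))
    print("admin login via proxy:", admin_login_via_proxy(SAMPLE_HEADER))  # True
```

The token on its own does contain `admin:` once decoded, so the colon is not what stops the match; the scheme word in front of the token is.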