Hi,

On Tue, Apr 05, 2016 at 11:29:13AM +0100, Barry Pollard wrote:
> Executing operator "contains" with param "admin:" against
> REQUEST_HEADERS:Authorization.
>
> The username does not contain "admin:" with a colon.
> Do you need to remove the colon from your rule?
No, the Basic Auth header is defined as username colon password.
https://en.wikipedia.org/wiki/Basic_access_authentication#Client_side
So I think it looks a bit odd with the colon, but it is a means to anchor
the end of the username. This should not be an issue.

Ahoj,

Christian

>
> Thanks,
> Barry
>
>
> ----------------------------------------
> > Date: Tue, 5 Apr 2016 11:13:42 +0200
> > From: christian.fol...@netnea.com
> > To: barry_poll...@hotmail.com
> > CC: gary.mans...@ricardo.com; csand...@trustwave.com;
> > owasp-modsecurity-core-rule-set@lists.owasp.org
> > Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use
> > modsecurity rules to prevent logins by specific user accounts?
> >
> > Indeed, I missed this. Probably clicked it away.
> >
> > Thank you Barry.
> >
> > Ahoj,
> >
> > Christian
> >
> > On Tue, Apr 05, 2016 at 09:46:58AM +0100, Barry Pollard wrote:
> >> Christian, not sure if you missed this as Gary had replied?
> >>
> >> Gary, the key issue is this:
> >>
> >>> [04/Apr/2016:15:18:17 +0100]
> >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4]
> >>> Executing operator "contains" with param "admin:" against
> >>> REQUEST_HEADERS:Authorization.
> >> <snip>
> >>> [04/Apr/2016:15:18:17 +0100]
> >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4]
> >>> Rule returned 0.
> >>
> >> So your rule is not matching for some reason. I would suggest you turn the
> >> audit engine on to capture all requests:
> >>
> >> SecAuditEngine On
> >>
> >> And then see if this Authorization header is included, with a value
> >> containing admin, by looking in the audit log.
> >>
> >> Alternatively write another rule that matches always:
> >>
> >> SecRule "REQUEST_URI" "." "phase:2,id:2,t:base64Decode,log,auditlog,allow"
> >>
> >> And again check the audit log to see if the Authorization header is included,
> >> with a value containing admin.
> >>
> >> By the way phase 2 (REQUEST_BODY) also includes phase 1 (REQUEST_HEADER)
> >> details. You could move your rule to phase 1 and it will execute earlier,
> >> which might save you needlessly attempting other phase 2 rules if it
> >> fails, but this is not the reason for your failure here.
> >>
> >> Hope that helps.
> >>
> >> Thanks,
> >> Barry
> >>
> >> ----------------------------------------
> >>> From: gary.mans...@ricardo.com
> >>> To: csand...@trustwave.com;
> >>> owasp-modsecurity-core-rule-set@lists.owasp.org
> >>> Date: Mon, 4 Apr 2016 14:28:26 +0000
> >>> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use
> >>> modsecurity rules to prevent logins by specific user accounts?
> >>>
> >>> I have got some debug logs, but am not certain what they are telling
> >>> me - I wonder if anyone can advise me on this?
> >>>
> >>> I have just the one rule in my config now:
> >>>
> >>> SecRule "REQUEST_HEADERS:Authorization" "@contains admin:"
> >>> "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403"
> >>>
> >>> I started a fresh apache session with an empty debug log, and accessed the
> >>> web application from a fresh browser session (15:18:06) and was prompted
> >>> to enter username and password. I entered the username grmawcadmin and
> >>> the password and this shows at 15:18:07 in the log below.
> >>>
> >>> As far as I can see, it does not seem to run the rule in the
> >>> REQUEST_HEADERS section, but rather at the REQUEST_BODY - is this what is
> >>> the problem - i.e. it is checking for the admin string in the REQUEST_BODY
> >>> rather than the REQUEST_HEADER?
> >>>
> >>> I would gladly appreciate some help on this, as I am rather stuck.
> >>>
> >>> Rgds
> >>>
> >>> Gary
> >>>
> >>>
> >>> [04/Apr/2016:15:18:06 +0100]
> >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4]
> >>> Initialising transaction (txid VwJ3nsCoAUcAABgZAbQAAACX).
> >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] > >>> Adding request cookie: name "__utma", value > >>> "1.1672802757.1445242759.1445242759.1456313530.2" > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] > >>> Adding request cookie: name "__utmz", value > >>> "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)" > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Transaction context created (dcfg 1039140). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Starting phase REQUEST_HEADERS. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Second phase starting (dcfg 1039140). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Input filter: This request does not have a body. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Starting phase REQUEST_BODY. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> This phase consists of 1 rule(s). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Recipe: Invoking rule 109b5e8; [file > >>> "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"]. 
> >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][5] > >>> Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" > >>> "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403" > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Rule returned 0. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> No match, not chained -> mode NEXT_RULE. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Hook insert_filter: Adding output filter (r 7fc1ec0098b0). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Starting phase RESPONSE_HEADERS. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Content Injection: Not enabled. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Output filter: Bucket type TRANSIENT contains 10 bytes. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Output filter: Bucket type TRANSIENT contains 624 bytes. 
> >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0098b0). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Output filter: Bucket type TRANSIENT contains 8 bytes. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> Output filter: Bucket type EOS contains 0 bytes. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Output filter: Completed receiving response body (buffered full - 642 > >>> bytes). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Starting phase RESPONSE_BODY. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Output filter: Output forwarding complete. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Initialising logging. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Starting phase LOGGING. > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). > >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Recording persistent data took 0 microseconds. 
> >>> [04/Apr/2016:15:18:06 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0098b0][/Windchill/app/][4] > >>> Audit log: Not configured to run for this request. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Initialising transaction (txid VwJ3qcCoAUcAABgZAbUAAACX). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] > >>> Adding request cookie: name "__utma", value > >>> "1.1672802757.1445242759.1445242759.1456313530.2" > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] > >>> Adding request cookie: name "__utmz", value > >>> "1.1445242759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)" > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Transaction context created (dcfg 1039140). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Starting phase REQUEST_HEADERS. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Second phase starting (dcfg 1039140). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Input filter: This request does not have a body. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Starting phase REQUEST_BODY. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> This phase consists of 1 rule(s). 
> >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Recipe: Invoking rule 109b5e8; [file > >>> "/opt/ptc/HTTPServer/conf/crs/ricardo.conf"] [line "11"] [id "1"]. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][5] > >>> Rule 109b5e8: SecRule "REQUEST_HEADERS:Authorization" "@contains admin:" > >>> "phase:2,log,auditlog,id:1,t:base64Decode,deny,status:403" > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> T (0) base64Decode: "\x05\xab"" > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Transformation completed in 24 usec. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Executing operator "contains" with param "admin:" against > >>> REQUEST_HEADERS:Authorization. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Target value: "\x05\xab"" > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Operator completed in 7 usec. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Rule returned 0. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> No match, not chained -> mode NEXT_RULE. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Hook insert_filter: Adding output filter (r 7fc1ec0340f0). 
> >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Starting phase RESPONSE_HEADERS. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Content Injection: Not enabled. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Bucket type TRANSIENT contains 1591 bytes. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Bucket type TRANSIENT contains 1295 bytes. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Bucket type FLUSH contains 0 bytes. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Bucket type TRANSIENT contains 8184 bytes. 
> >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Bucket type TRANSIENT contains 129 bytes. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Receiving output (f 7fc1ec01d9e8, r 7fc1ec0340f0). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> Output filter: Bucket type EOS contains 0 bytes. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Output filter: Completed receiving response body (buffered full - 11199 > >>> bytes). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Starting phase RESPONSE_BODY. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Output filter: Output forwarding complete. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Initialising logging. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4] > >>> Starting phase LOGGING. > >>> [04/Apr/2016:15:18:17 +0100] > >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][9] > >>> This phase consists of 0 rule(s). 
> >>> [04/Apr/2016:15:18:17 +0100]
> >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4]
> >>> Recording persistent data took 0 microseconds.
> >>> [04/Apr/2016:15:18:17 +0100]
> >>> [windchill-test.ricardo.com/sid#10af9e8][rid#7fc1ec0340f0][/Windchill/app/][4]
> >>> Audit log: Not configured to run for this request.
> >>>
> >>> -----Original Message-----
> >>> From: Chaim Sanders [mailto:csand...@trustwave.com]
> >>> Sent: 31 March 2016 17:33
> >>> To: Mansell, Gary <gary.mans...@ricardo.com>;
> >>> owasp-modsecurity-core-rule-set@lists.owasp.org
> >>> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use
> >>> modsecurity rules to prevent logins by specific user accounts?
> >>>
> >>> Hey Gary,
> >>> While I'm not sure what's going wrong with your rule, I suggest you check
> >>> out the debug log... it will usually contain valuable information to help
> >>> you debug your issues :). Maybe someone else will be able to spot the
> >>> issue.
> >>>
> >>> -----Original Message-----
> >>> From: Mansell, Gary [mailto:gary.mans...@ricardo.com]
> >>> Sent: Thursday, March 31, 2016 12:31 PM
> >>> To: Chaim Sanders <csand...@trustwave.com>;
> >>> owasp-modsecurity-core-rule-set@lists.owasp.org
> >>> Subject: Re: [Owasp-modsecurity-core-rule-set] Is it possible to use
> >>> modsecurity rules to prevent logins by specific user accounts?
> >>>
> >>> Is there no one who can help me further on this, as it seems exactly the
> >>> sort of thing that modsecurity should be able to do (but I am struggling
> >>> with)?
> >>>
> >>> All of my Web Application admin accounts end in the string "admin", and I
> >>> would like to be able to use a modsecurity rule on the reverse proxy
> >>> server in the DMZ to prevent any admin logins (as admins should only ever
> >>> login directly via the internal apache server rather than the reverse
> >>> proxy).
> >>>
> >>> It is my understanding that even though this is an https request, as this
> >>> application uses basic authentication, every request via the reverse
> >>> apache server includes a base64 encoded username and password in the
> >>> authorisation header - I can't understand why I can't block this with a
> >>> simple modsecurity rule.
> >>>
> >>> The rule suggestion that I was sent by Chaim seems to make sense to me,
> >>> but I just can't get it to work - it seems to be looking to deny any
> >>> request with an authorization header containing the string "admin:"
> >>>
> >>> SecRule REQUEST_HEADERS:Authorization "@contains admin:"
> >>> "id:1,t:base64Decode,deny,status:403"
> >>>
> >>> Can anyone help me on this - is there just a simple typo in the rule
> >>> perhaps? Do I have to choose a unique ID value other than 1 (as I had the
> >>> Owasp core rule set configured too)?
> >>>
> >>> Rgds
> >>>
> >>> Gary
> >>>
> >>>
> >>> I have had a good crack at trying to get this to work, but to no avail,
> >>> unfortunately.
> >>>
> >>> SecRule REQUEST_HEADERS:Authorization "@contains admin:"
> >>> "id:1,t:base64Decode,deny,status:403"
> >>>
> >>> I tried changing the contains string to various things that may be
> >>> relevant, but still no joy.
> >>>
> >>> Is it perhaps because both the reverse proxy and the internal apache
> >>> server are configured for https?
> >>>
> >>> How do I tell whether my system is using base64 to encode the username in
> >>> the header?
> >>>
> >>> I have to say I am completely lost with this now; it seems like something
> >>> that modsecurity should be able to do, but I don't know where to start
> >>> with debugging, or testing this to get it to work.
> >>>
> >>> Any ideas anyone?
> >>>
> >>> Rgds
> >>>
> >>> Gary
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Chaim Sanders [mailto:csand...@trustwave.com]
> >>> Sent: 14 March 2016 15:58
> >>> To: Mansell, Gary <gary.mans...@ricardo.com>;
> >>> owasp-modsecurity-core-rule-set@lists.owasp.org
> >>> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use
> >>> modsecurity rules to prevent logins by specific user accounts?
> >>>
> >>> Hey Gary,
> >>> This is actually a great question and should be very easily possible.
> >>> Typically Basic Authentication uses base64. So you could do something
> >>> similar to the following (untested):
> >>>
> >>> SecRule REQUEST_HEADERS:Authorization "@contains admin:" "id:1,t:base64Decode,deny,status:403"
> >>>
> >>> -----Original Message-----
> >>> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> >>> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On
> >>> Behalf Of Mansell, Gary
> >>> Sent: Monday, March 14, 2016 11:13 AM
> >>> To: owasp-modsecurity-core-rule-set@lists.owasp.org
> >>> Subject: [Owasp-modsecurity-core-rule-set] Is it possible to use
> >>> modsecurity rules to prevent logins by specific user accounts?
> >>>
> >>> Hi,
> >>>
> >>> I have an internal Web application that uses Apache Basic Authentication,
> >>> checking user account logins against an internal LDAP Server for
> >>> authentication.
> >>>
> >>> I am now looking to present this Web Application to whitelisted IP's on
> >>> the Internet, by means of a Reverse Proxy Apache Server in a DMZ with
> >>> modsecurity enabled and one of the free rulesets to protect the
> >>> application from being abused. Both the Reverse Proxy and the Internal Apache
> >>> server are configured for https only.
> >>>
> >>> It occurs to me that Administrative users should never be able to login
> >>> to the Web Application via the Reverse Proxy Apache server - I
> >>> hence wonder if it is possible to use modsecurity on the Reverse Apache
> >>> server to prevent specific Admin user accounts from logging in to the Web
> >>> Application?
> >>>
> >>> If so, please can someone point me in the direction of how I might
> >>> achieve this?
> >>>
> >>> Thanks
> >>>
> >>> Gary
> >>>
> >>>
> >>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
> >>> This e-mail and any files transmitted with it are confidential and
> >>> intended solely for the use of the individual or entity to whom they are
> >>> addressed. If you have received this e-mail in error please notify the
> >>> sender immediately and delete this e-mail from your system.
> >>> Please note that any views or opinions presented in this e-mail are
> >>> solely those of the author and do not necessarily represent those of
> >>> Ricardo (save for reports and other documentation formally approved and
> >>> signed for release to the intended recipient). Only Directors are
> >>> authorised to enter into legally binding obligations on behalf of
> >>> Ricardo. Ricardo may monitor outgoing and incoming e-mails and other
> >>> telecommunications systems. By replying to this e-mail you give consent
> >>> to such monitoring. The recipient should check e-mail and any attachments
> >>> for the presence of viruses. Ricardo accepts no liability for any damage
> >>> caused by any virus transmitted by this e-mail.
> >>> "Ricardo" means Ricardo plc and its subsidiary companies.
> >>> Ricardo plc is a public limited company registered in England with
> >>> registered number 00222915.
> >>> The registered office of Ricardo plc is Shoreham Technical Centre,
> >>> Shoreham-by Sea, West Sussex, BN43 5FG.
> >>> --------------------------------------------------------------------------------------------------------------------------------------------------------------
> >
> > --
> > mailto:christian.fol...@netnea.com
> > http://www.christian-folini.ch
> > twitter: @ChrFolini

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
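As an added illustration (not code from the thread, from ModSecurity or from the CRS project), the following Python reproduces what Gary's debug log shows: the transformed target `"\x05\xab""` is exactly the base64 decoding of the leading group `Basi` of a header value of the form `Basic <token>`, so decoding the whole header value can never reveal `admin:`; the decode has to be applied to the token after the scheme. The lenient decoder that stops at the first non-base64 character is an assumption used to reproduce those bytes, not a claim about ModSecurity internals; the sample header is constructed, using the username grmawcadmin from the thread and a made-up password.

```python
import base64
import binascii
import string

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def lenient_b64decode(value: str) -> bytes:
    """Decode base64 up to the first character outside the alphabet and drop
    a one-character leftover group. For 'Basic <token>' the space after the
    scheme stops decoding after 'Basi' (the 'c' is a leftover), which yields
    the bytes 05 ab 22 seen as the rule target in the debug log.
    Assumption: approximates a decoder fed the entire header value."""
    taken = []
    for ch in value:
        if ch not in B64_ALPHABET:
            break
        taken.append(ch)
    s = "".join(taken)
    if len(s) % 4 == 1:          # a lone trailing sextet cannot form a byte
        s = s[:-1]
    s += "=" * (-len(s) % 4)     # restore padding for the strict decoder
    return base64.b64decode(s) if s else b""


def basic_credentials(header_value: str):
    """Return the decoded 'user:password' string from an HTTP Basic
    Authorization header, or None if the scheme is not Basic or the token
    is not valid base64."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def rule_as_written_matches(header_value: str, needle: str = "admin:") -> bool:
    """What the thread's rule effectively tests: base64Decode over the whole
    header value, then @contains 'admin:'."""
    return needle.encode() in lenient_b64decode(header_value)


def contains_admin_colon(header_value: str, needle: str = "admin:") -> bool:
    """The rule's intent, applied to the token only: 'admin:' in the decoded
    credentials. The colon anchors the end of the username, but a password
    that itself contains 'admin:' would also match."""
    creds = basic_credentials(header_value)
    return creds is not None and needle in creds


def should_block(header_value: str, suffix: str = "admin") -> bool:
    """Stricter check for the stated policy (admin accounts end in 'admin'):
    split on the first colon and test only the username part."""
    creds = basic_credentials(header_value)
    if creds is None:
        return False
    username, _, _ = creds.partition(":")
    return username.endswith(suffix)


def make_basic_header(user: str, password: str) -> str:
    """Build a constructed Basic header value for testing."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


if __name__ == "__main__":
    # Username from the thread; password is made up.
    hdr = make_basic_header("grmawcadmin", "hunter2")
    print(repr(lenient_b64decode(hdr)))           # the bytes from the debug log
    print(rule_as_written_matches(hdr), should_block(hdr))
```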