Absolutely spot on, thank you so much for the solution; it works exactly as I originally hoped it would. Normal users can log in fine via the external reverse proxy server, but admin users get denied access by the ModSecurity rule.
Barry and Chaim - I really appreciate you both taking the time to help me with this, because I was completely stumped and yet felt it should be something well within the capabilities of ModSecurity. I only hope that this information in the mailing list is of help to others that may want to do a similar thing. Great stuff!!

From: Barry Pollard [mailto:barry_poll...@hotmail.com]
Sent: 15 April 2016 13:29
To: Mansell, Gary <gary.mans...@ricardo.com>; Chaim Sanders <csand...@trustwave.com>; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?

OK, so the audit log shows this in your header:

Authorization: Basic Z3JtYXdjYWRtaW46dGVzdA==

The value of the Authorization header is therefore "Basic Z3JtYXdjYWRtaW46dGVzdA==", which cannot be base64 decoded due to that initial "Basic " part, which is not Base64 encoded. This is what you are supposed to send, so there is nothing wrong with your header, but it explains why your rule is not working, as ModSecurity does not know you only want to base64 decode part of the header.

So you need to write a chained rule to capture the actual base64 encoded part using brackets and "capture", and then base64 decode the TX:1 variable which is captured:

SecRule "REQUEST_HEADERS:Authorization" "^Basic (.*)$" "phase:1,id:1003,log,capture,chain,deny,status:403"
    SecRule TX:1 "@contains admin" "t:base64Decode"

I've tested this and it seems to work.

Thanks,
Barry

> From: gary.mans...@ricardo.com
> To: barry_poll...@hotmail.com; csand...@trustwave.com; owasp-modsecurity-core-rule-set@lists.owasp.org
> Subject: RE: [Owasp-modsecurity-core-rule-set] Is it possible to use modsecurity rules to prevent logins by specific user accounts?
> Date: Fri, 15 Apr 2016 10:37:16 +0000
>
> I added the rule, cleared the logs and logged in again with the grmawcadmin user.
>
> Here are the updated logs as requested.
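The following is an added example, not code from the thread or from ModSecurity itself. It simulates in Python what the two rules above do to an Authorization header, so the difference between decoding the whole header value and decoding only the captured TX:1 part can be seen on sample input. The header values, usernames and passwords are constructed for illustration; the `username_rule` variant is my own suggestion and not something anyone in the thread proposed.

```python
import base64
import binascii
import re

# Constructed sample Authorization headers (not taken from the thread's
# audit log); the usernames and passwords are invented for illustration.
SAMPLE_HEADERS = {
    "admin_user": "Basic " + base64.b64encode(b"grmawcadmin:test").decode(),
    "normal_user": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
    "admin_in_password": "Basic " + base64.b64encode(b"bob:iamadmin").decode(),
    "bearer_token": "Bearer eyJhbGciOiJub25lIn0.e30.",
}

# Same pattern as the first rule in the chain; group 1 becomes TX:1.
BASIC_RE = re.compile(r"^Basic (.*)$")


def naive_rule(auth_header):
    """Mirror of the approach that did not work: base64-decode the whole
    header value and look for 'admin'.  Returns True if the request would
    be denied.  A strict decoder rejects 'Basic ...' outright because of
    the space; a lenient one yields bytes that never contain 'admin'."""
    if auth_header is None:
        return False
    try:
        decoded = base64.b64decode(auth_header, validate=True)
    except (binascii.Error, ValueError):
        return False
    return b"admin" in decoded


def chained_rule(auth_header):
    """Simulation of the two-rule chain from the thread.  Rule 1 must match
    '^Basic (.*)$' and captures the base64 part into TX:1; rule 2 applies
    t:base64Decode to TX:1 and then '@contains admin'.  Returns
    (decoded_credential, denied)."""
    if auth_header is None:
        return None, False
    m = BASIC_RE.match(auth_header)
    if m is None:
        return None, False  # rule 1 did not match, so the chain stops here
    tx1 = m.group(1)
    try:
        decoded = base64.b64decode(tx1, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None, False  # undecodable value: the operator sees nothing to match
    return decoded, "admin" in decoded


def username_rule(auth_header, blocked_users=("grmawcadmin",)):
    """Tighter variant (my suggestion, not from the thread): only the
    username before the first ':' of the decoded credential is compared,
    so a password that happens to contain 'admin' does not trigger a deny
    and the match is exact rather than a substring match."""
    decoded, _ = chained_rule(auth_header)
    if decoded is None:
        return False
    username, _, _ = decoded.partition(":")
    return username in blocked_users


def status_for(auth_header):
    """HTTP status the proxy would return with the chained rule in place."""
    return 403 if chained_rule(auth_header)[1] else 200


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:18} naive={naive_rule(header)!s:5} "
              f"chained={status_for(header)} username_only={username_rule(header)}")
```

Two things the simulation makes visible that the rule text alone does not. First, `@contains admin` runs against the whole decoded `user:password` string, so a normal user whose password contains "admin" is also denied; if that matters, the second rule can match only the username part, for example `SecRule TX:1 "^grmawcadmin:" "t:base64Decode"` with the default regex operator (my suggestion, untested against a live ModSecurity). Second, the `deny,status:403` on the first rule only fires when every rule in the chain matches, so a request with no Authorization header, or a non-Basic scheme, passes through untouched.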
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set