[Bug 1951994] [NEW] Custom CAs for install source
Public bug reported:

We would like to be able to fully install Ubuntu over https. Using our own certificate authority to secure the apt repo over https.

So for example in our Autoinstall user-data file we would have something like:

    apt:
      primary:
        - arches: [default]
          uri: https://repo.internal/
          ca-cert: |
            Our CA certificate goes here...

Talking to dbungert in the IRC they mentioned it is not supported yet, but to create a ticket as it might be something that could be added.

** Affects: subiquity (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1951994

Title:
  Custom CAs for install source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/subiquity/+bug/1951994/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bacula-users] Remote backup through NAT?
I had a lot of problems getting my setup to work over NAT too. If you want email me directly and I can provide my full configs/help out.

I think what ended up fixing it for me was updating all of the Bacula components to 7.2.0. I had a real struggle trying to get it to work with 5.x too.

Here is what I would recommend:

- For consistency make sure you are running all Bacula 7.2.0 on all computers. (Not sure if this is possible for Microsoft Windows Clients)

- On your firewall for the internal lan where your bacula server and storage daemon is. Open/Forward ports 9101-9103.

- In your bacula server for the "client" definition, make sure the "Address" is that of the public IP, or hostname of the client server. Mine looks like this:

    # On the Bacula Server #
    Client {
      Name = web221.mydomain.com-fd
      Password = mypassword
      Address = web221.mydomain.com
      FDPort = 9102
      Catalog = MyCatalog
      File Retention = 30 days
      Job Retention = 6 months
      TLS Enable = yes
      TLS Require = yes
      TLS Certificate = /etc/bacula/certs/web221.mydomain.com.crt
      TLS Key = /etc/bacula/certs/web221.mydomain.com-daemon.key
      TLS CA Certificate File = /etc/bacula/certs/cacert.pem
      AutoPrune = yes
    }

- On the client's bacula-fd.conf mine looks like this:

    # On the Linux Client #
    Director {
      Name = bacula-dir
      Password = mypassword
      TLS Certificate = /etc/bacula/certs/web221.mydomain.com.crt
      TLS Key = /etc/bacula/certs/web221.mydomain.com-daemon.key
      TLS CA Certificate File = /etc/bacula/certs/cacert.pem
      TLS Enable = yes
      TLS Require = yes
    }

    FileDaemon {
      Name = web221.mydomain.com-fd
      FDport = 9102
      WorkingDirectory = /var/spool/bacula
      Pid Directory = /var/run
      Maximum Concurrent Jobs = 20
      # Plugin Directory = /usr/lib64/bacula
      TLS Enable = yes
      TLS Require = yes
      TLS Certificate = /etc/bacula/certs/web221.mydomain.com.crt
      TLS Key = /etc/bacula/certs/web221.mydomain.com-daemon.key
      TLS CA Certificate File = /etc/bacula/certs/cacert.pem
      PKI Signatures = Yes    # Enable Data Signing
      PKI Encryption = Yes    # Enable Data Encryption
      PKI Keypair = "/etc/bacula/bacula_disk_keys/fd-web221.mydomain.com.pem"    # Public and Private Keys
      PKI Master Key = "/etc/bacula/bacula_disk_keys/master.cert"    # ONLY the Public Key
    }

--
Wesley Render, Consultant
OtherData
www.otherdata.com

___
Bacula-users mailing list
Bacula-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bacula-users
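A check for the TLS directives shown in the configs above, as an added example that is not part of the original message or of Bacula: it parses flat resource blocks and reports any daemon resource that lacks a TLS directive or does not require TLS. The sample configs, host names and paths are constructed, and the parser assumes one directive per line.

```python
import re

# Resource types that carry daemon-to-daemon connections.
TLS_RESOURCES = {"director", "filedaemon", "client", "storage"}
# TLS directives present on every such resource in the message above.
REQUIRED = ("tlsenable", "tlsrequire", "tlscertificate", "tlskey",
            "tlscacertificatefile")


def norm(keyword):
    """Bacula ignores case and spaces in keywords: 'FDport' == 'FD Port'."""
    return re.sub(r"\s+", "", keyword).lower()


def strip_comment(line):
    """Drop a trailing '# comment' unless the '#' sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line


def parse_resources(text):
    """Return [(type, {directive: value})]; assumes one directive per line."""
    resources, current = [], None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.endswith("{"):
            current = (line[:-1].strip(), {})
        elif line == "}" and current is not None:
            resources.append(current)
            current = None
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[1][norm(key)] = value.strip().strip('"')
    return resources


def tls_findings(text):
    """List (resource type, name, problem) for TLS gaps in a config."""
    findings = []
    for rtype, directives in parse_resources(text):
        if norm(rtype) not in TLS_RESOURCES:
            continue  # e.g. Messages resources open no connections
        name = directives.get("name", "<unnamed>")
        for key in REQUIRED:
            if key not in directives:
                findings.append((rtype, name, "missing " + key))
        for key in ("tlsenable", "tlsrequire"):
            value = directives.get(key)
            if value is not None and value.lower() not in ("yes", "true"):
                findings.append((rtype, name, key + " = " + value))
    return findings


# Constructed bacula-fd.conf fragments (placeholder names and paths).
TLS_BLOCK = """
  TLS Certificate = /etc/bacula/certs/web221.example.com.crt
  TLS Key = /etc/bacula/certs/web221.example.com.key
  TLS CA Certificate File = /etc/bacula/certs/cacert.pem
"""
HARDENED_FD_CONF = """
Director {
  Name = bacula-dir
  TLS Enable = yes
  TLS Require = yes""" + TLS_BLOCK + """}
FileDaemon {
  Name = web221.example.com-fd
  FDport = 9102
  TLS Enable = yes
  TLS Require = yes""" + TLS_BLOCK + """
  PKI Keypair = "/etc/bacula/keys/fd.pem"# quoted value, then a comment
}
"""
WEAK_FD_CONF = """
Director {
  Name = bacula-dir
  TLS Enable = yes""" + TLS_BLOCK + """}
FileDaemon {
  Name = web221.example.com-fd
  TLS Enable = yes
  TLS Require = no   # TLS offered but not enforced""" + TLS_BLOCK + """}
Messages {
  Name = Standard
  director = bacula-dir = all, !skipped
}
"""

if __name__ == "__main__":
    for finding in tls_findings(WEAK_FD_CONF):
        print(finding)
```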
Re: [Bacula-users] Catalog Backup Job - Volume Retention Period?
Hi Ana,

Thanks for the information on this. We don't have a requirement for 2, or 3. For this reason I have just set our catalog to backup to a weekly retention pool.

Thanks!

--
Wesley Render, Consultant
OtherData
[Bacula-users] bconsole won't connect to director
Hi Tim,

Do you have SELINUX Enforcing? Maybe check your /var/log/audit/audit.log for anything being blocked.

Also, on our systems I found it easier to leave the Director Name to just = bacula-dir

Do you have bacula1.example.com in your /etc/hosts file? I think it should look something like this:

    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 bacula1 bacula1.example.com
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

--
Wesley Render, Consultant
OtherData
[Bacula-users] Catalog Backup Job - Volume Retention Period?
I was just wondering what people would recommend for the retention period for the catalog backup job.

For example should I set the catalog backup job to go to a volume pool with a retention period of 1 week? By default it looks like it is set to go to the default pool which is set to 365 days on my system. (I think this would get too large).

Thanks!

--
Wesley Render, Consultant
OtherData
Re: [Bacula-users] Question about Volume Pools and Strategy
In case this helps anyone. I ended up having problems with setting volume limits. For example I suddenly decided to adjust our incremental backups to run every 4 hours, and started reaching volume limits with errors.

From what I have read in the documentation setting "Volume Use Duration" will effectively cause new volumes to be created, and old ones to be recycled based on the Volume Retention. Since I monitor servers disk space and this is just disk based backup, if I get an alert that the storage space on the backup space is filling up I will then look at reducing the retention periods on the volume sets.

Here is what I have so far:

    Pool {
      Name = office-p-monthly
      Pool Type = Backup
      Volume Retention = 6 months
      Recycle = yes
      AutoPrune = yes
      Action On Purge = Truncate
      LabelFormat = office-p-monthly-
      Volume Use Duration = 23h
      Maximum Volume Bytes = 100G
    }

    Pool {
      Name = office-p-weekly
      Pool Type = Backup
      Volume Retention = 1 months
      Recycle = yes
      AutoPrune = yes
      Action On Purge = Truncate
      LabelFormat = office-p-weekly-
      Volume Use Duration = 23h
      Maximum Volume Bytes = 100G
    }

    Pool {
      Name = office-p-daily
      Pool Type = Backup
      Volume Retention = 14 days
      Recycle = yes
      AutoPrune = yes
      Action On Purge = Truncate
      LabelFormat = office-p-daily-
      Volume Use Duration = 23h
      Maximum Volume Bytes = 100G
    }

    Pool {
      Name = datacenter-p-monthly
      Pool Type = Backup
      Volume Retention = 6 months
      Recycle = yes
      AutoPrune = yes
      Action On Purge = Truncate
      LabelFormat = datacenter-p-monthly-
      Volume Use Duration = 23h
      Maximum Volume Bytes = 100G
    }

    Pool {
      Name = datacenter-p-weekly
      Pool Type = Backup
      Volume Retention = 1 months
      Recycle = yes
      AutoPrune = yes
      Action On Purge = Truncate
      LabelFormat = datacenter-p-weekly-
      Volume Use Duration = 23h
      Maximum Volume Bytes = 100G
    }

    Pool {
      Name = datacenter-p-daily
      Pool Type = Backup
      Volume Retention = 14 days
      Recycle = yes
      AutoPrune = yes
      Action On Purge = Truncate
      LabelFormat = datacenter-p-daily-
      Volume Use Duration = 23h
      Maximum Volume Bytes = 100G
    }

Here are samples of the jobs:

    Job {
      Name = web221-domainname
      Type = Backup
      Level = Incremental
      Client = web221.domainname.com-fd
      FileSet = OurFileSet
      Schedule = WeeklyCycle
      Storage = horde-sd
      Pool = Default
      Full Backup Pool = datacenter-p-monthly
      Incremental Backup Pool = datacenter-p-daily
      Differential Backup Pool = datacenter-p-weekly
      Accurate = Yes
      Messages = Standard
    }

    Job {
      Name = web220-domainname
      Type = Backup
      Level = Incremental
      Client = web220.domainname.com-fd
      FileSet = OurFileSet
      Schedule = WeeklyCycle
      Storage = office-sd
      Pool = Default
      Full Backup Pool = office-p-monthly
      Incremental Backup Pool = office-p-daily
      Differential Backup Pool = office-p-weekly
      Accurate = Yes
      Messages = Standard
    }

--
Wesley Render, Consultant
OtherData
Re: [Bacula-users] Question about Volume Pools and Strategy
It seems to be working a lot better with different volume pools at each storage location. I have one server backing up to the server at our office, and 2 servers backing up to the datacenter.

Here is what I have so far:

    Pool {
      Name = office-p-monthly
      Pool Type = Backup
      Volume Retention = 6 months
      Recycle = yes
      AutoPrune = yes
      LabelFormat = office-p-monthly-
      Maximum Volume Jobs = 1
      Maximum Volumes = 9
    }

    Pool {
      Name = office-p-weekly
      Pool Type = Backup
      Maximum Volume Jobs = 1
      Volume Retention = 1 months
      Recycle = yes
      AutoPrune = yes
      LabelFormat = office-p-weekly-
      Maximum Volumes = 7
    }

    Pool {
      Name = office-p-daily
      Pool Type = Backup
      Maximum Volume Jobs = 6
      Volume Retention = 14 days
      Recycle = yes
      AutoPrune = yes
      LabelFormat = office-p-daily-
      Maximum Volumes = 6
    }

    Pool {
      Name = datacenter-p-monthly
      Pool Type = Backup
      Volume Retention = 6 months
      Recycle = yes
      AutoPrune = yes
      LabelFormat = datacenter-p-monthly-
      Maximum Volume Jobs = 2
      Maximum Volumes = 9
    }

    Pool {
      Name = datacenter-p-weekly
      Pool Type = Backup
      Maximum Volume Jobs = 2
      Volume Retention = 1 months
      Recycle = yes
      AutoPrune = yes
      LabelFormat = datacenter-p-weekly-
      Maximum Volumes = 7
    }

    Pool {
      Name = datacenter-p-daily
      Pool Type = Backup
      Maximum Volume Jobs = 2
      Volume Retention = 14 days
      Recycle = yes
      AutoPrune = yes
      LabelFormat = datacenter-p-daily-
      Maximum Volumes = 6
    }

Quoting Carlo Filippetto <carlo.filippe...@gmail.com>:

> I think you have to use one set of pool for every storage.
> I think that you can write volumes of the same pool into different storage,
> the problem may arrive when you have to restore...
>
> Try to a restore job...
>
> This is my Schedule:
> Schedule {
>    Name = "Custom"
>    Run = Level=Full Storage=ST-data Pool=P-Monthly 1st sat at 21:30
>    Run = Level=Differential Storage=ST-data Pool=P-Weekly 2nd-5th sat at 21:30
>    Run = Level=Incremental Storage=ST-data Pool=P-Daily sun-fri at 22:00
> }
>
> As you can see I set the Storage and Pool into every line, you can change
> it.
>
> Why do you like to use a single pool?
> If you have 2 storage may be more clear and easy to find every single
> volumes if you have different pools..
>
> Bye
>
> 2015-11-04 0:38 GMT+01:00 Wesley Render <wren...@otherdata.com>:
>
>> Should each storage daemon/geographic storage location have its own
>> set of Volume Pools? Or can I share one set of Volume Pools between
>> all of the storage daemons/storage locations?
>>
>> I am using auto labelling as well and it works great.
>>
>> --
>> Wesley Render, Consultant
>> OtherData

--
Wesley Render, Consultant
OtherData
Re: [Bacula-users] Question about Volume Pools and Strategy
Ok. Thanks Josh. I've already created Pools for each storage location and done the initial full backups so I will most likely stick with this method. So far the backups appear to run a lot better using different pools for each storage location.

Thanks,

--
Wesley Render, Consultant
OtherData
[Bacula-users] Question about Volume Pools and Strategy
I have recently started using Bacula and have a couple of questions regarding volume pools. I am using 7.2 version, and we have 4 Linux servers with a total of about 100GB of data to backup.

1. We have two different storage devices that are in different locations (because of bandwidth limitations). Should we be creating different Volume Pools for each storage location? I've tried testing using one pool, and two pools. When I use one pool and a backup job is run it displays an error "Marking Volume "Vol-0001" in Error in Catalog." and then it continues to run. When I setup two different volume pools it doesn't display this error.

2. I've noticed that some people recommend setting up different volume pools for Full, Differential and Incremental jobs. Is this still a recommended strategy for Bacula with backing up to disk, and if so when would someone use this strategy? The documentation here http://blog.bacula.org/whitepapers/CommunityDiskBackup.pdf doesn't mention this. I don't want to set things up, and then our volumes grow too large and have to re-do everything.

Thank you,

--
Wesley Render, Consultant
OtherData
Re: [Bacula-users] Question about Volume Pools and Strategy
Should each storage daemon/geographic storage location have its own set of Volume Pools? Or can I share one set of Volume Pools between all of the storage daemons/storage locations?

I am using auto labelling as well and it works great.

--
Wesley Render, Consultant
OtherData
Re: [Bacula-users] Question about Volume Pools and Strategy
Thanks Carlo. This is very helpful. I also found this here which I missed before:

http://www.bacula.org/7.0.x-manuals/en/main/Automated_Disk_Backup.html

--
Wesley Render, Consultant
OtherData
Re: [Bacula-users] Question about Volume Pools and Strategy
Is anyone able to clarify question number 1? I should be all set after that.

Thanks!

--
Wesley Render, Consultant
OtherData
Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
I am trying to send only correlated events that are Total Inbound 5+ to mlogc.

When I set the SecDefaultAction for phase1 and phase2 to pass,log or to nolog,auditlog it seems to send all events, even ones that are under TX 5 to the mlogc. When I set it to pass,nolog it seems to only send events that are Total Inbound 5+ to the mlogc. This is what I want, but pass,nolog is not one of the options listed in the section Alert Logging Control so I am just not sure if having it set to nolog is the correct method when sending correlated/anomaly events to mlogc.

Regards,

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-----Original Message-----
From: Ryan Barnett [mailto:rbarn...@trustwave.com]
Sent: August-27-14 1:55 PM
To: Wesley Render; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

Wesley,

What exactly are you trying to achieve here?

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com http://www.trustwave.com/

On 8/25/14 6:20 PM, Wesley Render wren...@otherdata.com wrote:

I was just wanting to follow up. Is anyone able to confirm the proper logging settings when using ModSecurity, and sending the logs out via mlogc to AuditConsole? Should we have our modsecurity_crs_10_setup.conf SecDefaultAction lines set to the following?

    SecDefaultAction phase:1,pass,nolog
    SecDefaultAction phase:2,pass,nolog

Thanks!

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Wesley Render
Sent: August-20-14 11:30 AM
To: 'OWASP Mod Security'
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

When I set it to the following, I get a lot less logs coming in. I am confused on how it should be set as well when sending logs to AuditConsole using mlogc. Here is a summary of relevant settings I have right now (below). I guess it seems as though the logging settings are not able to combine one correlated event into the audit log. They can only combine one correlated event into the apache error_log?

modsecurity_crs_10_setup.conf Settings
##

    # Collaborative Detection Mode
    SecDefaultAction phase:1,pass,nolog
    SecDefaultAction phase:2,pass,nolog

    # Collaborative Detection Blocking
    #
    SecAction \
      id:'94', \
      phase:1, \
      t:none, \
      setvar:tx.anomaly_score_blocking=on, \
      nolog, \
      pass

modsec2.user.conf Settings
##

    SecDataDir /usr/local/apache/conf/sec-data
    SecTmpDir /usr/local/apache/conf/sec-tmp
    SecRuleEngine On
    SecPcreMatchLimit 5
    SecPcreMatchLimitRecursion 5

    # With SecRequestBodyAccess turned on care needs to be taken with false positives
    SecRequestBodyAccess On
    SecRequestBodyLimit 134217728
    SecRequestBodyLimitAction ProcessPartial
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 524228
    SecResponseBodyLimitAction ProcessPartial
    SecServerSignature Apache
    SecCookieFormat 0

    # Additional ModSecurity Logging Options for mlogc
    # Use RelevantOnly auditing
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^(?:5|4(?!04))

    # Must use concurrent logging
    SecAuditLogType Concurrent

    # Send all audit log parts
    SecAuditLogParts ABDEFHIJKZ

    # Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
    SecAuditLogStorageDir /var/log/mlogc/data

    # Pipe audit log to mlogc with your configuration
    SecAuditLog |/usr/local/modsecurity/bin/mlogc /etc/mlogc.conf

    # OWASP Rules
    Include conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include conf/owasp-modsecurity-crs/activated_rules/*.conf

    # Trustwave Commercial Rules
    Include conf/slr_vuln_rules/owasp_crs_integration/attack_type/*.conf

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Earl Fogel
Sent: August-20-14 9:59 AM
To: OWASP Mod Security
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

I have this problem as well.

I also have:

    SecDefaultAction phase:1,pass,nolog,auditlog
    SecDefaultAction phase:2,pass,nolog,auditlog
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^(?:5|4(?!04))

Could that be relevant? How should these be set in collaborative detection mode?

Earl

On Wed, 20 Aug 2014, Josh Amishav-Zlatin jam...@owasp.org wrote:

On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render wren...@otherdata.com
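A simplified model of the ModSecurity 2.x logging actions, run against the three SecDefaultAction settings compared in this thread (added example, not from the thread, the CRS or ModSecurity itself). It relies on the reference manual's semantics that nolog implies noauditlog unless auditlog follows it, and that RelevantOnly records a transaction when a matching rule marks it or the status matches SecAuditLogRelevantStatus; the constructed transactions, the anomaly scores and the blocking rule with its explicit log action are assumptions.

```python
import re

# SecAuditLogRelevantStatus value quoted in the thread.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")


def effective_logging(default_actions, rule_actions):
    """Resolve (error_log, audit_log) for one matching rule.

    Actions are applied in order, so a rule's own actions override what it
    inherits from SecDefaultAction.
    """
    error_log, audit_log = True, True  # engine default when nothing is set
    for action in list(default_actions) + list(rule_actions):
        if action == "log":
            error_log = audit_log = True
        elif action == "nolog":
            error_log = audit_log = False  # nolog implies noauditlog
        elif action == "auditlog":
            audit_log = True
        elif action == "noauditlog":
            audit_log = False
    return error_log, audit_log


def audit_logged(default_actions, matched_rules, status):
    """RelevantOnly decision for one transaction."""
    if RELEVANT_STATUS.search(str(status)):
        return True
    return any(effective_logging(default_actions, rule)[1]
               for rule in matched_rules)


def simulate(default_actions, rule_scores, threshold=5):
    """Constructed transaction under anomaly scoring with blocking enabled.

    Detection rules carry no logging action of their own (assumption), so
    they inherit SecDefaultAction. At or above the threshold a hypothetical
    blocking rule with an explicit 'log' denies the request with a 403.
    """
    matched = [[] for _ in rule_scores]
    status = 200
    if sum(rule_scores) >= threshold:
        matched.append(["deny", "log"])
        status = 403
    return audit_logged(default_actions, matched, status)


def compare():
    """Map each setting to (logged at score 3, logged at score 5)."""
    settings = ("pass,log", "pass,nolog,auditlog", "pass,nolog")
    return {s: (simulate(s.split(","), [3]), simulate(s.split(","), [5]))
            for s in settings}


if __name__ == "__main__":
    for setting, (below, at_threshold) in compare().items():
        print(f"{setting:22} score 3 -> {below}   score 5 -> {at_threshold}")
```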
Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
I was just wanting to follow up. Is anyone able to confirm the proper logging settings when using ModSecurity, and sending the logs out via mlogc to AuditConsole? Should we have our modsecurity_crs_10_setup.conf SecDefaultAction lines set to the following?

    SecDefaultAction phase:1,pass,nolog
    SecDefaultAction phase:2,pass,nolog

Thanks!

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Wesley Render
Sent: August-20-14 11:30 AM
To: 'OWASP Mod Security'
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

When I set it to the following, I get a lot less logs coming in. I am confused on how it should be set as well when sending logs to AuditConsole using mlogc. Here is a summary of relevant settings I have right now (below). I guess it seems as though the logging settings are not able to combine one correlated event into the audit log. They can only combine one correlated event into the apache error_log?

modsecurity_crs_10_setup.conf Settings
##

    # Collaborative Detection Mode
    SecDefaultAction phase:1,pass,nolog
    SecDefaultAction phase:2,pass,nolog

    # Collaborative Detection Blocking
    #
    SecAction \
      id:'94', \
      phase:1, \
      t:none, \
      setvar:tx.anomaly_score_blocking=on, \
      nolog, \
      pass

modsec2.user.conf Settings
##

    SecDataDir /usr/local/apache/conf/sec-data
    SecTmpDir /usr/local/apache/conf/sec-tmp
    SecRuleEngine On
    SecPcreMatchLimit 5
    SecPcreMatchLimitRecursion 5

    # With SecRequestBodyAccess turned on care needs to be taken with false positives
    SecRequestBodyAccess On
    SecRequestBodyLimit 134217728
    SecRequestBodyLimitAction ProcessPartial
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 524228
    SecResponseBodyLimitAction ProcessPartial
    SecServerSignature Apache
    SecCookieFormat 0

    # Additional ModSecurity Logging Options for mlogc
    # Use RelevantOnly auditing
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^(?:5|4(?!04))

    # Must use concurrent logging
    SecAuditLogType Concurrent

    # Send all audit log parts
    SecAuditLogParts ABDEFHIJKZ

    # Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
    SecAuditLogStorageDir /var/log/mlogc/data

    # Pipe audit log to mlogc with your configuration
    SecAuditLog |/usr/local/modsecurity/bin/mlogc /etc/mlogc.conf

    # OWASP Rules
    Include conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include conf/owasp-modsecurity-crs/activated_rules/*.conf

    # Trustwave Commercial Rules
    Include conf/slr_vuln_rules/owasp_crs_integration/attack_type/*.conf

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Earl Fogel
Sent: August-20-14 9:59 AM
To: OWASP Mod Security
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

I have this problem as well.

I also have:

    SecDefaultAction phase:1,pass,nolog,auditlog
    SecDefaultAction phase:2,pass,nolog,auditlog
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^(?:5|4(?!04))

Could that be relevant? How should these be set in collaborative detection mode?

Earl

On Wed, 20 Aug 2014, Josh Amishav-Zlatin jam...@owasp.org wrote:

On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render wren...@otherdata.com wrote:

Would anyone know if it would be possible to adjust the core rule set configuration file so that only events that have a total inbound score of 5 or higher are sent to the audit log. (Running in Collaborative Detection and Anomaly Scoring Blocking)

Version: SecComponentSignature OWASP_CRS/2.2.9

Hi Wesley,

When the CRS is used in anomaly mode it should not create audit logs unless the event passes the threshold set in the 10 file. Can you send me privately an event from AuditConsole that does not have an anomaly score level above 5? I'm specifically interested in sections H and K.

-
Josh

___
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
No. I have not actually tested it with other web software. Maybe try the following?

* Make sure the modsecurity_crs_11_brute_force.conf is loading properly. Maybe you have made a mistake with symbolic link or putting the file in wrong folder.

* Make sure you have uncommented the brute force rule in modsecurity_crs_10_setup.conf (By default it is commented out)

* Maybe try changing your URL to include your actual web login file? I know they show it without pound symbols on each end. Like this:

    setvar:'tx.brute_force_protected_urls=/wp-login.php', \

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
http://www.facebook.com/otherdata

From: Sabin Ranjit [mailto:think.sa...@gmail.com]
Sent: August-21-14 11:21 PM
To: Wesley Render
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working

naah!! I tried it, it's not working for me. I used the value like that but when I do brute force attempt in the web application with random username and password it gives me nothing in the mod audit log. I'm using burp suite pro intruder for testing. Have you tried it besides wordpress? Wonder what I'm doing wrong. thanks anyway.

cheers

On Thu, Aug 21, 2014 at 11:43 PM, Wesley Render wren...@otherdata.com wrote:

I believe you would just set yours like this (Just include the URL after the domain name)….

    #
    # -- [[ Brute Force Protection ]] -
    #
    # If you are using the Brute Force Protection rule set, then uncomment the following
    # lines and set the following variables:
    # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
    # - Burst Time Slice Interval: time interval window to monitor for bursts
    # - Request Threshold: request # threshold to trigger a burst
    # - Block Period: temporary block timeout
    #
    SecAction \
      id:'900014', \
      phase:1, \
      t:none, \
      setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \
      setvar:'tx.brute_force_burst_time_slice=60', \
      setvar:'tx.brute_force_counter_threshold=10', \
      setvar:'tx.brute_force_block_timeout=300', \
      nolog, \
      pass

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
http://www.facebook.com/otherdata

From: Sabin Ranjit [mailto:think.sa...@gmail.com]
Sent: August-21-14 10:39 AM
To: Wesley Render
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working

hi Wesley,

I'm not using wordpress, I'm trying to protect my application made in Yii framework and its login url looks like this: https://domainname.net/user/user/login/

how can I set brute_force_protected_urls value for this of url? I tried few ways but it gave me syntax error.

thanks,
regards

On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render wren...@otherdata.com wrote:

In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart apache.

Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts:

    #
    # -- [[ Brute Force Protection ]] -
    #
    # If you are using the Brute Force Protection rule set, then uncomment the following
    # lines and set the following variables:
    # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
    # - Burst Time Slice Interval: time interval window to monitor for bursts
    # - Request Threshold: request # threshold to trigger a burst
    # - Block Period: temporary block timeout
    #
    SecAction \
      id:'900014', \
      phase:1, \
      t:none, \
      setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
      setvar:'tx.brute_force_burst_time_slice=60', \
      setvar:'tx.brute_force_counter_threshold=10', \
      setvar:'tx.brute_force_block_timeout=300', \
      nolog, \
      pass

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
http://www.facebook.com/otherdata

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Sabin Ranjit
Sent: August-21-14 4:17 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart apache.

Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts:

    #
    # -- [[ Brute Force Protection ]] -
    #
    # If you are using the Brute Force Protection rule set, then uncomment the following
    # lines and set the following variables:
    # - Protected URLs: resources to protect (e.g. login pages) - set to your login page
    # - Burst Time Slice Interval: time interval window to monitor for bursts
    # - Request Threshold: request # threshold to trigger a burst
    # - Block Period: temporary block timeout
    #
    SecAction \
      id:'900014', \
      phase:1, \
      t:none, \
      setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
      setvar:'tx.brute_force_burst_time_slice=60', \
      setvar:'tx.brute_force_counter_threshold=10', \
      setvar:'tx.brute_force_block_timeout=300', \
      nolog, \
      pass

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com
http://www.facebook.com/otherdata

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Sabin Ranjit
Sent: August-21-14 4:17 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] crs against brute force not working

hi,

I'm using latest modsecurity rule set and I tried out crs_11_bruteforce from experimental rule. But it's not working for me. I created a shortlink of it in the activated rules directory, restarted the apache and when I brute force my web application login page the modsecurity audit log doesn't give me any brute force warnings. what could be the problem? I'm using burp suite pro version's intruder for brute forcing. can anyone point to helpful resource that I can follow? thanks.

regards
sabin
Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working
I believe you would just set yours like this (just include the URL after the domain name):

#
# -- [[ Brute Force Protection ]] -
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=#/user/user/login/#', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=10', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
http://www.otherdata.com/
http://www.facebook.com/otherdata

From: Sabin Ranjit [mailto:think.sa...@gmail.com]
Sent: August-21-14 10:39 AM
To: Wesley Render
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] crs against brute force not working

Hi Wesley,

I'm not using WordPress; I'm trying to protect my application made in the Yii framework, and its login URL looks like this:

https://domainname.net/user/user/login/

How can I set the brute_force_protected_urls value for this kind of URL? I tried a few ways but it gave me a syntax error.

Thanks,
regards

On Thu, Aug 21, 2014 at 9:36 PM, Wesley Render wren...@otherdata.com wrote:

In your modsecurity_crs_10_setup.conf file you need to make sure to uncomment, and define the paths for your login page. You will notice the first line of the rule is commented out with a regular pound symbol. Then restart Apache. Here is how mine looks. I set it up for WordPress and Drupal. It has been working well for WordPress brute force attempts:

#
# -- [[ Brute Force Protection ]] -
#
# If you are using the Brute Force Protection rule set, then uncomment the following
# lines and set the following variables:
# - Protected URLs: resources to protect (e.g. login pages) - set to your login page
# - Burst Time Slice Interval: time interval window to monitor for bursts
# - Request Threshold: request # threshold to trigger a burst
# - Block Period: temporary block timeout
#
SecAction \
  "id:'900014', \
  phase:1, \
  t:none, \
  setvar:'tx.brute_force_protected_urls=#/wp-login.php# #/user#', \
  setvar:'tx.brute_force_burst_time_slice=60', \
  setvar:'tx.brute_force_counter_threshold=10', \
  setvar:'tx.brute_force_block_timeout=300', \
  nolog, \
  pass"

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
http://www.otherdata.com/
http://www.facebook.com/otherdata

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Sabin Ranjit
Sent: August-21-14 4:17 AM
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] crs against brute force not working

Hi,

I'm using the latest ModSecurity rule set and I tried out crs_11_bruteforce from the experimental rules, but it's not working for me. I created a shortlink of it in the activated rules directory, restarted Apache, and when I brute force my web application login page the ModSecurity audit log doesn't give me any brute force warnings. What could be the problem? I'm using Burp Suite Pro's Intruder for brute forcing. Can anyone point to a helpful resource that I can follow?

Thanks.

regards
sabin
Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events
When I set it to the following, I get a lot less logs coming in. I am confused on how it should be set as well when sending logs to AuditConsole using mlogc. Here is a summary of relevant settings I have right now (below). I guess it seems as though the logging settings are not able to combine one correlated event into the audit log. They can only combine one correlated event into the Apache error_log?

modsecurity_crs_10_setup.conf Settings
##

# Collaborative Detection Mode
SecDefaultAction phase:1,pass,nolog
SecDefaultAction phase:2,pass,nolog

# Collaborative Detection Blocking
#
SecAction \
  "id:'94', \
  phase:1, \
  t:none, \
  setvar:tx.anomaly_score_blocking=on, \
  nolog, \
  pass"

modsec2.user.conf Settings
##

SecDataDir /usr/local/apache/conf/sec-data
SecTmpDir /usr/local/apache/conf/sec-tmp
SecRuleEngine On
SecPcreMatchLimit 5
SecPcreMatchLimitRecursion 5

# With SecRequestBodyAccess turned on care needs to be taken with false positives
SecRequestBodyAccess On
SecRequestBodyLimit 134217728
SecRequestBodyLimitAction ProcessPartial
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524228
SecResponseBodyLimitAction ProcessPartial
SecServerSignature Apache
SecCookieFormat 0

# Additional ModSecurity Logging Options for mlogc
# Use RelevantOnly auditing
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^(?:5|4(?!04))
# Must use concurrent logging
SecAuditLogType Concurrent
# Send all audit log parts
SecAuditLogParts ABDEFHIJKZ
# Use the same /CollectorRoot/LogStorageDir as in mlogc.conf
SecAuditLogStorageDir /var/log/mlogc/data
# Pipe audit log to mlogc with your configuration
SecAuditLog "|/usr/local/modsecurity/bin/mlogc /etc/mlogc.conf"

# OWASP Rules
Include conf/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include conf/owasp-modsecurity-crs/activated_rules/*.conf

# Trustwave Commercial Rules
Include conf/slr_vuln_rules/owasp_crs_integration/attack_type/*.conf

Wesley Render, IT Consultant, RHCSA
Phone: 1.403.228.1221 ext 201
www.otherdata.com

-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Earl Fogel
Sent: August-20-14 9:59 AM
To: OWASP Mod Security
Subject: Re: [Owasp-modsecurity-core-rule-set] inbound_anomaly_score_level - Only send critical events

I have this problem as well. I also have:

SecDefaultAction phase:1,pass,nolog,auditlog
SecDefaultAction phase:2,pass,nolog,auditlog
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^(?:5|4(?!04))

Could that be relevant? How should these be set in collaborative detection mode?

Earl

On Wed, 20 Aug 2014, Josh Amishav-Zlatin jam...@owasp.org wrote:

On Wed, Aug 20, 2014 at 6:56 AM, Wesley Render wren...@otherdata.com wrote:

Would anyone know if it would be possible to adjust the core rule set configuration file so that only events that have a total inbound score of 5 or higher are sent to the audit log. (Running in Collaborative Detection and Anomaly Scoring Blocking)

Version: SecComponentSignature OWASP_CRS/2.2.9

Hi Wesley,

When the CRS is used in anomaly mode it should not create audit logs unless the event passes the threshold set in the 10 file. Can you send me privately an event from AuditConsole that does not have an anomaly score level above 5? I'm specifically interested in sections H and K.

- Josh
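An added example, not part of the original thread and not ModSecurity's own code: a simplified Python model of the SecAuditEngine RelevantOnly decision, comparing the two SecDefaultAction lists quoted above (pass,nolog and pass,nolog,auditlog) against the quoted SecAuditLogRelevantStatus pattern. The sample transactions are constructed, and the blocked request is assumed to return 403.

```python
import re

# SecAuditLogRelevantStatus from the thread: any 5xx, and any 4xx except 404.
RELEVANT_STATUS = re.compile(r"^(?:5|4(?!04))")

# The two SecDefaultAction lists quoted in the thread.
DEFAULT_NOLOG = "pass,nolog"
DEFAULT_NOLOG_AUDITLOG = "pass,nolog,auditlog"


def marks_for_audit(actions: str) -> bool:
    """True if a rule match with this action list flags the transaction.

    Actions apply left to right: nolog also switches audit logging off,
    and a later auditlog switches it back on.
    """
    audit = True  # with no logging action at all, a match is audit-logged
    for action in (a.strip() for a in actions.split(",")):
        if action in ("nolog", "noauditlog"):
            audit = False
        elif action == "auditlog":
            audit = True
    return audit


def audit_logged(status: int, matches: int, default_actions: str) -> bool:
    """Simplified RelevantOnly decision for one transaction.

    matches: number of matched rules that inherit default_actions.
    """
    if RELEVANT_STATUS.search(str(status)):
        return True  # relevant response status alone is enough
    return matches > 0 and marks_for_audit(default_actions)


# Constructed transactions: (label, response status, inherited rule matches).
SAMPLES = [
    ("clean request", 200, 0),
    ("one low-score match, below threshold", 200, 1),
    ("blocked by anomaly score (assumed 403)", 403, 3),
    ("missing page", 404, 0),
]

if __name__ == "__main__":
    for label, status, matches in SAMPLES:
        a = audit_logged(status, matches, DEFAULT_NOLOG)
        b = audit_logged(status, matches, DEFAULT_NOLOG_AUDITLOG)
        print(f"{label:40} nolog={a!s:5} nolog,auditlog={b}")
```

In this model the only row that differs between the two settings is the below-threshold match, which reaches the audit log only when the default action list ends in auditlog.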
[git-users] How to uninstall Git on Centos 6.x
I have installed Git from source on a Centos 6.x server. Would anyone know how to properly uninstall the source version? I would like to upgrade to an RPM version.