Hoxt.com – Open Source Mirrors Apache, CPAN, PHP, MySQL, PuTTY, Linux Virtual Server, Linux Documentation Project, ProFTPD

6 Jul 2010

mod_security and Apache dummy internal connection

The core rule looks specifically for 127.0.0.1, so if your Apache is listening on specific IPs and not on 127.0.0.1, the dummy internal connection will not arrive from 127.0.0.1 and this rule will never match.

Solution: add Listen 127.0.0.1:80 to your httpd.conf. It should be the first Listen line, before the other Listen statements.
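A small check for the Listen ordering described above, added here as an example (it is not part of the original post). It reads an httpd.conf, reports the first active Listen directive, and fails when that directive is not 127.0.0.1:80; the two sample configuration files are constructed for the demonstration, and the 203.0.113.10 address is a documentation address, not a real host.

```shell
#!/bin/sh
# Added example, not from the original post: check that the first active
# Listen directive in an httpd.conf is 127.0.0.1:80, so that Apache's dummy
# internal connections come from 127.0.0.1 and match the CRS loopback rule.

# Print the argument of the first uncommented Listen directive in file $1.
# Directive names are case-insensitive in Apache, hence [Ll]isten.
first_listen() {
    sed -n 's/^[[:space:]]*[Ll]isten[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" \
      | head -n 1
}

# Exit 0 when the first active Listen is 127.0.0.1:80, 1 otherwise.
check_listen_order() {
    [ "$(first_listen "$1")" = "127.0.0.1:80" ]
}

# Constructed sample configurations (hypothetical, not from the post).
BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

cat > "$BAD_CONF" <<'EOF'
# Listen 127.0.0.1:80   (commented out, so it is not the first active Listen)
Listen 203.0.113.10:80
Listen 127.0.0.1:80
EOF

cat > "$GOOD_CONF" <<'EOF'
Listen 127.0.0.1:80
Listen 203.0.113.10:80
EOF

for conf in "$BAD_CONF" "$GOOD_CONF"; do
    if check_listen_order "$conf"; then
        echo "$conf: OK, first Listen is 127.0.0.1:80"
    else
        echo "$conf: first Listen is '$(first_listen "$conf")'; move Listen 127.0.0.1:80 to the top"
    fi
done
```

Run it against your real file by calling check_listen_order /etc/httpd/conf/httpd.conf (or wherever your httpd.conf lives); a non-zero exit means the dummy internal connection will still come from whichever address the first Listen binds.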

You might want to add exceptions or introduce the rule sets gradually. Some core rules are very specific and might not fit your case.

#Include modsecurity.d/base_rules/modsecurity_crs_20_protocol_violations.conf
#Include modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf
#Include modsecurity.d/base_rules/modsecurity_crs_23_request_limits.conf
#Include modsecurity.d/base_rules/modsecurity_crs_30_http_policy.conf
#Include modsecurity.d/base_rules/modsecurity_crs_35_bad_robots.conf
#Include modsecurity.d/base_rules/modsecurity_crs_40_generic_attacks.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_phpids_converter.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_phpids_filters.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
#Include modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf
#Include modsecurity.d/base_rules/modsecurity_crs_42_tight_security.conf
#Include modsecurity.d/base_rules/modsecurity_crs_45_trojans.conf
#Include modsecurity.d/base_rules/modsecurity_crs_47_common_exceptions.conf
#Include modsecurity.d/base_rules/modsecurity_crs_48_local_exceptions.conf
#Include modsecurity.d/base_rules/modsecurity_crs_49_enforcement.conf
#Include modsecurity.d/base_rules/modsecurity_crs_49_inbound_blocking.conf
#Include modsecurity.d/base_rules/modsecurity_crs_50_outbound.conf
#Include modsecurity.d/base_rules/modsecurity_crs_59_outbound_blocking.conf
#Include modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf

Some example exceptions:

# Avoid hits from the Apache dummy internal connection (it arrives from 127.0.0.1
# once that is the first Listen address). Note this disables the rule engine for
# every request from 127.0.0.1, so do not use it if a local reverse proxy sits in front.
# The id: action is required from ModSecurity 2.7 on; ids 1-99999 are reserved for local rules.
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "id:1001,phase:1,nolog,allow,ctl:ruleEngine=Off"

# Turn the rule engine off for this one file
SecRule REQUEST_BASENAME "^special\.php$" "id:1002,phase:1,nolog,allow,ctl:ruleEngine=Off"

# Certain agents do not send an Accept header and that's okay; I don't need to see those errors.
# Only rule 960015 (missing Accept header) is removed for the matching agent; everything else still runs.
SecRule REQUEST_HEADERS:User-Agent "SomeAgentString" "id:1003,phase:1,nolog,pass,ctl:ruleRemoveById=960015"
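Before removing rule 960015 for an agent, it helps to see who is actually triggering it. The script below is an added example, not from the original post: it scans an Apache error_log for ModSecurity hits on rule 960015 and reports the hit count per client address. The sample log lines are constructed in the ModSecurity 2.x error-log style (file path, line number, hostname and unique_id values are made up), and the 203.0.113.10 and 198.51.100.7 addresses are documentation addresses. If the dummy internal connection shows up under an address other than 127.0.0.1, that is the symptom the Listen change above fixes.

```shell
#!/bin/sh
# Added example, not from the original post: report which clients triggered
# CRS rule 960015 (the missing-Accept-header rule the post removes for some
# agents) in an Apache error_log.

# Print "<count> <client>" for every client that triggered rule 960015 in $1.
# Handles "[client 1.2.3.4]" (Apache 2.2) and "[client 1.2.3.4:port]" (Apache 2.4);
# the port is only stripped from IPv4 addresses so "::1" is left intact.
hits_960015_by_client() {
    grep -F '[id "960015"]' "$1" \
      | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
      | sed 's/^\([0-9.]*\):[0-9]*$/\1/' \
      | sort | uniq -c \
      | sed 's/^[[:space:]]*//'
}

# Print how many 960015 hits came from an address other than 127.0.0.1.
hits_960015_not_loopback() {
    hits_960015_by_client "$1" | awk '$2 != "127.0.0.1" { n += $1 } END { print n + 0 }'
}

# Constructed sample error_log (ModSecurity 2.x style; not real log data).
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
[Tue Jul 06 10:00:01 2010] [error] [client 203.0.113.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/"] [unique_id "constructed-1"]
[Tue Jul 06 10:00:02 2010] [error] [client 198.51.100.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "39"] [id "960009"] [msg "Request Missing a User Agent Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "constructed-2"]
[Tue Jul 06 10:00:03 2010] [error] [client 203.0.113.10] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/"] [unique_id "constructed-3"]
[Tue Jul 06 10:00:04 2010] [error] [client 127.0.0.1] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/"] [unique_id "constructed-4"]
EOF

echo "960015 hits by client:"
hits_960015_by_client "$LOG"
echo "960015 hits not from 127.0.0.1: $(hits_960015_not_loopback "$LOG")"
```

Point the two functions at your real error_log to see the same breakdown; a single address repeating at restart times is usually the dummy internal connection, while a spread of addresses points at real clients that lack an Accept header and may deserve the ctl:ruleRemoveById exception instead.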
