3.0.1.9 permission issues
Re: 3.0.1.9 permission issues
Hi Shawniverson,
I've been tinkering with 3.0.1.9 and it looks great, but I'm considering waiting until 3.0.2.0 is released before putting this into production. If you were to estimate (I won't hold you to it), could you indicate when this might be released? This is just so I can make an informed decision to either push on with the current version or wait a little while for the next. I'm happy to do some pre-release testing if that helps.
Cheers,
Brad
EDIT:
Sorry, I just noticed the new release 3.0.2.0 viewtopic.php?f=8&t=2326
(At the moment the download page shows 3.0.1.9)
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: 3.0.1.9 permission issues
Yeah, as a matter of fact, I'm going to be releasing a 3.0.2.1 asap. Uncovered a bug in MailWatch on 3.0.2.0 affecting the reports.
Going to keep rapid releasing until we stabilize, so keep an eye out for new updates.
Re: 3.0.1.9 permission issues
Thanks shawniverson.
Is there a thread related to the reports problem? It's not the "Directory Traversal" thing, is it?
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: 3.0.1.9 permission issues
No, directory traversal is a separate issue.
The thread for the reports issue is here....
viewtopic.php?f=13&t=2327
- Posts: 8
- Joined: 01 Aug 2013 09:17
Re: 3.0.1.9 permission issues
Same sort of issue here today.
Went through the kernel upgrade and then the EFA upgrade.
I can see a lot of new rules in the above-mentioned file /etc/httpd/conf.d/mod_security.conf
It seemed though that I still missed one line; I was getting this error: modsecurity_crs_41_sql_injection_attacks.conf"] [line "168"] [id "981172"]
So I added "SecRuleRemoveById 981172" at the very end of the list, and now it works fine again.
Best AntiSPAM/Virus server !!!
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: 3.0.1.9 permission issues
I'll add this to the next update
Re: 3.0.1.9 permission issues
FYI I saw this error when trying to delete some greylist entries on 3.0.2.3
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: 3.0.1.9 permission issues
modsecurity will be disabled by default new builds for the next update.
Existing users are encouraged to turn it off using EFA-Configure, as it is no longer necessary to protect MailWatch.
Re: 3.0.1.9 permission issues
Running 3.0.2.3
shawniverson wrote: ↑31 Jul 2017 20:41
modsecurity will be disabled by default new builds for the next update.
Existing users are encouraged to turn it off using EFA-Configure, as it is no longer necessary to protect MailWatch.
The option to disable modsecurity breaks the web GUI altogether. Re-enabling it fixes the GUI.
Code:
Modsecurity Settings
By default, EFA uses modsecurity
You can disable modsecurity. Bear in mind this might increase your security exposure.
[EFA] Disable modsecurity? (y/N/c): y
Stopping httpd: [ OK ]
Starting httpd: Syntax error on line 6 of /etc/httpd/conf.d/mod_security.conf:
Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by a module not included in the server configuration
[FAILED]
Modsecurity [Disabled]
Code:
[Sun Aug 27 04:03:07 2017] [notice] Digest: generating secret for digest authentication ...
[Sun Aug 27 04:03:07 2017] [notice] Digest: done
[Sun Aug 27 04:03:08 2017] [notice] Apache/2.2.15 (Unix) PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue Aug 29 09:16:53 2017] [notice] caught SIGTERM, shutting down
[Tue Aug 29 09:26:19 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue Aug 29 09:26:20 2017] [notice] Digest: generating secret for digest authentication ...
[Tue Aug 29 09:26:20 2017] [notice] Digest: done
[Tue Aug 29 09:26:21 2017] [notice] Apache/2.2.15 (Unix) PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue Aug 29 09:26:44 2017] [notice] caught SIGTERM, shutting down
modsec_audit.log
Code:
--9303835d-C--
chk%5B%5D=bounce-md_30640799.59a56a46.v1-ca4441c3316341beb06015cb8fe21cc5%40%40stats.symless.com%40%40198.2.180%40%40xxxxx%40xxxxxx.com&chk%5B%5D=bounce-md_30640799.59a56bd4.v1-e33bfe04d26e48b58a632ed2da3c8c87%40%40stats.symless.com%40%40198.2.180%40%40xxxxx%40xxxxxx.com&acttype=domove
--9303835d-F--
HTTP/1.0 403 Forbidden
Connection: close
Content-Type: text/html; charset=iso-8859-1
--9303835d-E--
--9303835d-H--
Message: Access denied with code 403 (phase 4). Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"]
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'Duplicate entry '198.2.180-stats.symless.com-bounce-md_30640799.59a56a46.v1-ca444' for key 'PRIMARY'' in /var/www/html/sgwi/includes/functions.inc.php:27\\nStack trace:\\n#0 /var/www/html/sgwi/includes/functions.inc.php(27): mysqli->query('INSERT INTO fro...')\\n#1 /var/www/html/sgwi/includes/connect.inc.php(29): do_query('INSERT INTO fro...')\\n#2 /var/www/html/sgwi/connect.php(66): move_entry('bounce-md_30640...', 'stats.symless.c...', '198.2.180', 'xxxxx@xxxxx...')\\n#3 {main}\\n thrown in /var/www/html/sgwi/includes/functions.inc.php on line 27, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Action: Intercepted (phase 4)
Apache-Handler: php5-script
Stopwatch: 1504013949387271 7432 (- - -)
Stopwatch2: 1504013949387271 7432; combined=4104, p1=194, p2=3781, p3=3, p4=48, p5=78, sr=44, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"
--9303835d-Z--
Last edited by zane93 on 29 Aug 2017 14:59, edited 1 time in total.
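The two kinds of ModSecurity output quoted in this thread (the bare `[file ...] [line ...] [id "981172"]` fragment earlier, and zane93's full modsec_audit.log H section above) share one field format, `[key "value"]`. The added example below is editor-written, not EFA or MailWatch code, and parses that format to pull out the rule ids and to separate two very different situations: a request the WAF blocked, and a 5xx from the application that outbound rule 970901 turned into a 403. The sample section is constructed from the ids, messages and PHP error in zane93's post with the long tag and referer fields trimmed; it is not a capture from the original appliance.

```python
import re

# Constructed sample in the shape of the ModSecurity 2.x audit-log "H" section
# zane93 posted: rule ids, messages and the PHP error are the ones from the
# thread, long [file]/[tag] fields and the referer are trimmed. Not a real capture.
SAMPLE_H_SECTION = r'''Message: Access denied with code 403 (phase 4). Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/2.2.6"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"]
Apache-Error: [file "sapi_apache2.c"] [line 326] [level 3] PHP Fatal error: Uncaught exception 'mysqli_sql_exception' with message 'Duplicate entry ... for key 'PRIMARY'' in /var/www/html/sgwi/includes/functions.inc.php:27
Action: Intercepted (phase 4)
Engine-Mode: "ENABLED"
'''

# The fragment the earlier poster quoted for the SQLi rule (copied from the thread).
SAMPLE_FRAGMENT = 'modsecurity_crs_41_sql_injection_attacks.conf"] [line "168"] [id "981172"]'

# One [key "value"] field; ModSecurity escapes embedded quotes with a backslash.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def extract_rule_ids(text):
    """All rule ids found in [id "..."] fields, in order, from any audit-log text
    (a whole section or a fragment pasted from error_log)."""
    return [value for key, value in FIELD_RE.findall(text) if key == "id"]


def parse_message(line):
    """Split one 'Message:' line into its free text and a dict of its fields."""
    body = line[len("Message:"):].strip()
    fields = {key: value for key, value in FIELD_RE.findall(body)}
    first = FIELD_RE.search(body)
    fields["text"] = body[:first.start()].strip() if first else body
    return fields


def diagnose(section):
    """Summarise one H section: which rules fired, whether the transaction was
    intercepted, and whether the WAF reacted to a 5xx from the application
    rather than to anything in the client's request."""
    rules, app_errors, intercepted = [], [], False
    for line in section.splitlines():
        if line.startswith("Message:"):
            f = parse_message(line)
            rules.append({"id": f.get("id"), "msg": f.get("msg"),
                          "data": f.get("data", ""),
                          "denied": f["text"].startswith("Access denied")})
        elif line.startswith("Apache-Error:"):
            # keep only the application's own text after the last bracketed field
            app_errors.append(line.rsplit("]", 1)[-1].strip())
        elif line.startswith("Action: Intercepted"):
            intercepted = True

    # CRS 2.x rule 970901 denies when RESPONSE_STATUS matches ^5\d{2}$: the 403
    # the browser sees is the WAF hiding a server error. Removing that rule does
    # not fix anything, it only turns the 403 back into the underlying 500.
    masked_5xx = any("RESPONSE_STATUS" in r["data"] for r in rules if r["denied"])
    if masked_5xx and app_errors:
        verdict = "application error masked by WAF: " + app_errors[0]
    elif intercepted:
        verdict = "request blocked by WAF rule(s): " + ", ".join(
            r["id"] for r in rules if r["denied"])
    else:
        verdict = "not blocked"
    return {"rule_ids": [r["id"] for r in rules], "intercepted": intercepted,
            "app_errors": app_errors, "verdict": verdict}


if __name__ == "__main__":
    print(extract_rule_ids(SAMPLE_FRAGMENT))
    print(diagnose(SAMPLE_H_SECTION)["verdict"])
```

Run against zane93's section the verdict points at the PHP fatal error (a duplicate primary key while moving greylist entries), which is what would need fixing; a `SecRuleRemoveById 970901` would only change the status code the user sees. For a request-phase block such as the 981172 SQLi match, the same `[id]` extraction gives the id to exclude, which is the approach the posters above took.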
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: 3.0.1.9 permission issues
zane93,
Remove the first three "SecRuleRemoveById" in modsecurity.conf in the first if block.
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
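The startup failure zane93 hit ("Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by a module not included in the server configuration") is what Apache reports when a Sec* directive is parsed while mod_security2 is not loaded; a directive that sits inside `<IfModule security2_module>` is simply skipped instead. The added checker below is editor-written, not EFA's or this thread's code: it flags Sec* directives that are outside a positive mod_security2 guard and moves them into one. The two config fragments are constructed to illustrate the failure mode and the fix; they are not EFA's actual /etc/httpd/conf.d/mod_security.conf.

```python
import re

# Constructed config fragments (illustration only, not EFA's real
# /etc/httpd/conf.d/mod_security.conf). BROKEN_CONF reproduces the failure mode
# from the thread: one SecRuleRemoveById sits outside any <IfModule> guard, so
# once mod_security2 is not loaded Apache rejects it as an unknown directive and
# httpd will not start. FIXED_CONF keeps every Sec* directive inside the guard.
BROKEN_CONF = """\
<IfModule security2_module>
    SecRuleEngine On
    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
</IfModule>
SecRuleRemoveById 981172
"""

FIXED_CONF = """\
<IfModule security2_module>
    SecRuleEngine On
    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 981172
</IfModule>
"""

# Module names that make an <IfModule> block a valid guard for Sec* directives.
MODSEC_GUARDS = {"security2_module", "mod_security2.c"}
OPEN_RE = re.compile(r"^\s*<IfModule\s+(!?)\s*(\S+?)\s*>", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</IfModule\s*>", re.IGNORECASE)
SEC_DIRECTIVE_RE = re.compile(r"^\s*(Sec[A-Za-z]+)\b")


def unguarded_sec_directives(conf_text):
    """(line_number, directive) for each Sec* directive not enclosed by a positive
    <IfModule security2_module> block. A negated guard
    (<IfModule !security2_module>) does not count: its body is applied exactly
    when the module is absent, which is the case that breaks."""
    stack = []      # one entry per open <IfModule>: True if it guards mod_security2
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            negated, module = m.group(1) == "!", m.group(2)
            stack.append(not negated and module in MODSEC_GUARDS)
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        d = SEC_DIRECTIVE_RE.match(line)
        if d and not any(stack):
            findings.append((lineno, d.group(1)))
    return findings


def wrap_unguarded(conf_text):
    """Return the config with every unguarded Sec* directive moved, in order, into
    one <IfModule security2_module> block appended at the end. Directives that
    were already guarded stay where they are."""
    bad = {lineno for lineno, _ in unguarded_sec_directives(conf_text)}
    kept, moved = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        if lineno in bad:
            moved.append(line.strip())
        else:
            kept.append(line)
    if moved:
        kept += ["<IfModule security2_module>"] + ["    " + d for d in moved] + ["</IfModule>"]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, directive in unguarded_sec_directives(BROKEN_CONF):
        print(f"line {lineno}: {directive} is outside an <IfModule security2_module> guard")
    print(wrap_unguarded(BROKEN_CONF))
```

Whatever the fix, run `httpd -t` (or `apachectl configtest`) before `service httpd restart`: the error zane93 saw is a parse-time failure, so configtest reports it without taking the web GUI down first.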
Re: 3.0.1.9 permission issues
Works like a charm now, thanks!
shawniverson wrote: ↑29 Aug 2017 14:58
zane93,
Remove the first three "SecRuleRemoveById" in modsecurity.conf in the first if block.
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109