Re: 3.0.1.9 permission issues

Posted: 10 Apr 2017 01:37
by r31griffo
Hi Shawniverson,

I've been tinkering with 3.0.1.9 and it looks great, but I'm considering waiting until 3.0.2.0 is released before putting this into production. If you were to estimate (I won't hold you to it), could you indicate when this might be released? This is just so I can make an informed decision to either push on with the current version or wait a little while for the next, I'm happy to do some pre-release testing if that helps.

Cheers,
Brad

EDIT:
Sorry, I just noticed the new release 3.0.2.0 viewtopic.php?f=8&t=2326
(At the moment the download page shows 3.0.1.9)

Re: 3.0.1.9 permission issues

Posted: 10 Apr 2017 10:08
by shawniverson
Yeah, as a matter of fact, I'm going to be releasing a 3.0.2.1 asap. Uncovered a bug in MailWatch on 3.0.2.0 affecting the reports.

Going to keep rapid releasing until we stabilize, so keep an eye out for new updates.

Re: 3.0.1.9 permission issues

Posted: 10 Apr 2017 11:20
by r31griffo
Thanks shawniverson.
Is there a thread related to the reports problem?... It's not the "Directory Traversal" thing, is it?

Re: 3.0.1.9 permission issues

Posted: 10 Apr 2017 15:08
by shawniverson
No, directory traversal is a separate issue.

The thread for the reports issue is here....

viewtopic.php?f=13&t=2327

Re: 3.0.1.9 permission issues

Posted: 20 Apr 2017 14:56
by perforator
Same sort of issue here today.
Went through the kernel upgrade and then the EFA upgrade.

I can see a lot of new rules in the above-mentioned file /etc/httpd/conf.d/mod_security.conf
It seemed though that I still missed one line; I was getting this error:
modsecurity_crs_41_sql_injection_attacks.conf"] [line "168"] [id "981172"]

So I added "SecRuleRemoveById 981172" at the very end of the list, and now it works fine again. :dance: :violin:

Best AntiSPAM/Virus server !!! :clap: :clap: :clap:

Re: 3.0.1.9 permission issues

Posted: 20 Apr 2017 21:38
by shawniverson
I'll add this to the next update :D

Re: 3.0.1.9 permission issues

Posted: 27 Jul 2017 11:06
by efa-user
FYI I saw this error when trying to delete some greylist entries on 3.0.2.3

Re: 3.0.1.9 permission issues

Posted: 31 Jul 2017 20:41
by shawniverson
modsecurity will be disabled by default in new builds for the next update.

Existing users are encouraged to turn it off using EFA-Configure, as it is no longer necessary to protect MailWatch.

Re: 3.0.1.9 permission issues

Posted: 29 Aug 2017 14:53
by zane93
shawniverson wrote: 31 Jul 2017 20:41 modsecurity will be disabled by default in new builds for the next update.

Existing users are encouraged to turn it off using EFA-Configure, as it is no longer necessary to protect MailWatch.
Running 3.0.2.3
The option to disable modsecurity breaks the web GUI altogether. Re-enabling it fixes the GUI.


Modsecurity Settings

By default, EFA uses modsecurity
You can disable modsecurity.  Bear in mind this might increase your security exposure.

[EFA] Disable modsecurity? (y/N/c): y
Stopping httpd:                                            [  OK  ]
Starting httpd: Syntax error on line 6 of /etc/httpd/conf.d/mod_security.conf:
Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by a module not included in the server configuration
                                                           [FAILED]

Modsecurity [Disabled]
httpd error_log


[Sun Aug 27 04:03:07 2017] [notice] Digest: generating secret for digest authentication ...
[Sun Aug 27 04:03:07 2017] [notice] Digest: done
[Sun Aug 27 04:03:08 2017] [notice] Apache/2.2.15 (Unix) PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue Aug 29 09:16:53 2017] [notice] caught SIGTERM, shutting down
[Tue Aug 29 09:26:19 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue Aug 29 09:26:20 2017] [notice] Digest: generating secret for digest authentication ...
[Tue Aug 29 09:26:20 2017] [notice] Digest: done
[Tue Aug 29 09:26:21 2017] [notice] Apache/2.2.15 (Unix) PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue Aug 29 09:26:44 2017] [notice] caught SIGTERM, shutting down

modsec_audit.log


--9303835d-C--
chk%5B%5D=bounce-md_30640799.59a56a46.v1-ca4441c3316341beb06015cb8fe21cc5%40%40stats.symless.com%40%40198.2.180%40%40xxxxx%40xxxxxx.com&chk%5B%5D=bounce-md_30640799.59a56bd4.v1-e33bfe04d26e48b58a632ed2da3c8c87%40%40stats.symless.com%40%40198.2.180%40%40xxxxx%40xxxxxx.com&acttype=domove
--9303835d-F--
HTTP/1.0 403 Forbidden
Connection: close
Content-Type: text/html; charset=iso-8859-1

--9303835d-E--

--9303835d-H--
Message: Access denied with code 403 (phase 4). Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"]
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Warning:  mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Warning:  mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Fatal error:  Uncaught exception 'mysqli_sql_exception' with message 'Duplicate entry '198.2.180-stats.symless.com-bounce-md_30640799.59a56a46.v1-ca444' for key 'PRIMARY'' in /var/www/html/sgwi/includes/functions.inc.php:27\\nStack trace:\\n#0 /var/www/html/sgwi/includes/functions.inc.php(27): mysqli->query('INSERT INTO fro...')\\n#1 /var/www/html/sgwi/includes/connect.inc.php(29): do_query('INSERT INTO fro...')\\n#2 /var/www/html/sgwi/connect.php(66): move_entry('bounce-md_30640...', 'stats.symless.c...', '198.2.180', 'xxxxx@xxxxx...')\\n#3 {main}\\n  thrown in /var/www/html/sgwi/includes/functions.inc.php on line 27, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Action: Intercepted (phase 4)
Apache-Handler: php5-script
Stopwatch: 1504013949387271 7432 (- - -)
Stopwatch2: 1504013949387271 7432; combined=4104, p1=194, p2=3781, p3=3, p4=48, p5=78, sr=44, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--9303835d-Z--

Re: 3.0.1.9 permission issues

Posted: 29 Aug 2017 14:58
by shawniverson
zane93,

Remove the first three "SecRuleRemoveById" in modsecurity.conf in the first if block.

SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
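
A way to keep the MailWatch rule exclusions from breaking httpd when the module is toggled off, as an added example rather than EFA's shipped mod_security.conf: the SecRuleRemoveById lines (the ids from this thread) sit inside an <IfModule security2_module> block, so Apache skips them when mod_security2 is not loaded instead of failing with "Invalid command 'SecRuleRemoveById'". The file path, the LoadModule line and the Include path are assumptions for illustration.

```apache
# Assumed location: /etc/httpd/conf.d/mod_security.conf (illustrative, not EFA's own file)
# EFA-Configure's "Disable modsecurity" is assumed to comment out or remove this
# LoadModule line; everything below depends on it.
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
    SecRuleEngine On

    # Load the OWASP CRS 2.2.x rules first: SecRuleRemoveById can only remove a
    # rule that has already been defined above it.
    Include modsecurity.d/activated_rules/*.conf

    # MailWatch false positives (the three ids from shawniverson's post).
    # Kept INSIDE the IfModule block on purpose: outside it, a disabled module
    # turns each of these lines into a fatal "Invalid command" at httpd startup.
    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109

    # CRS 41 SQL-injection rule tripped by MailWatch form data (perforator's post).
    SecRuleRemoveById 981172
</IfModule>
```

Run `httpd -t` (or `apachectl configtest`) after toggling the module and before restarting, so a syntax error shows up in the shell rather than as a dead web GUI.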

Re: 3.0.1.9 permission issues

Posted: 29 Aug 2017 15:00
by zane93
shawniverson wrote: 29 Aug 2017 14:58 zane93,

Remove the first three "SecRuleRemoveById" in modsecurity.conf in the first if block.

SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
Works like a charm now thanks!