After looking around for a suitable filter to put in front of our Exchange server I've settled on EFA.
I've attempted using both a clean CentOS 6 build and install and also importing the VMware image into our XenServer, but have had similar problems with each.
I can log in to the web interface and open each link, but when I try to perform some actions I receive a "forbidden" error, e.g. when attempting to remove a whitelisted domain from the Greylist section I get:
Forbidden:
You don't have permission to access /sgwi/awl.php on this server.
output from: /var/log/httpd/modsec_audit.log
--579f384b-B--
POST /sgwi/awl.php?mode=domains&action=del_selection HTTP/1.1
Host: mydomain.com.au
Connection: keep-alive
Content-Length: 66
Cache-Control: max-age=0
Origin: https://mydomain.com.au
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mydomain.com.au/sgwi/awl.php?mode=domains
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=rl92iivbm38q2su48t41fthpk6
--579f384b-C--
chk%5B%5D=noname%40%40domain.com.au%40%40x.x.x.x
--579f384b-F--
HTTP/1.1 403 Forbidden
Content-Length: 214
Connection: close
Content-Type: text/html; charset=iso-8859-1
--579f384b-E--
--579f384b-H--
Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:chk[].[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"][msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: @ found within ARGS:chk[]: noname@@domain.com.au@@x.x.x.x"]
[ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"]
Action: Intercepted (phase 2)
Apache-Handler: php5-script
Stopwatch: 1490947463109443 1922 (- - -)
Stopwatch2: 1490947463109443 1922; combined=1417, p1=185, p2=1207, p3=0, p4=0, p5=25, sr=37, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"
--579f384b-Z--
output from: /var/log/httpd/ssl_access_log
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET / HTTP/1.1" 200 155
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/ HTTP/1.1" 302 -
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /favicon.ico HTTP/1.1" 200 1150
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/status.php HTTP/1.1" 302 -
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/login.php HTTP/1.1" 200 1418
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/style.css HTTP/1.1" 200 15933
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/images/mailwatch-logo.png HTTP/1.1" 200 15657
192.168.35.50 - - [31/Mar/2017:19:04:01 +1100] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.35.50 - - [31/Mar/2017:19:04:07 +1100] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.35.50 - - [31/Mar/2017:19:04:07 +1100] "GET /mailscanner/status.php HTTP/1.1" 200 5906
192.168.35.50 - - [31/Mar/2017:19:04:10 +1100] "GET /mailscanner/grey.php HTTP/1.1" 200 6001
192.168.35.50 - - [31/Mar/2017:19:04:10 +1100] "GET /sgwi/index.php HTTP/1.1" 200 4716
192.168.35.50 - - [31/Mar/2017:19:04:10 +1100] "GET /sgwi/main.css HTTP/1.1" 200 1045
192.168.35.50 - - [31/Mar/2017:19:04:15 +1100] "POST /sgwi/awl.php?mode=domains HTTP/1.1" 200 4744
192.168.35.50 - - [31/Mar/2017:19:04:15 +1100] "GET /sgwi/main.css HTTP/1.1" 200 1045
192.168.35.50 - - [31/Mar/2017:19:04:23 +1100] "POST /sgwi/awl.php?mode=domains&action=del_selection HTTP/1.1" 403 214
output from: /var/log/httpd/ssl_access_log
[Fri Mar 31 19:04:15 2017] [error] [client 192.168.35.50] PHP Warning: mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://mydomain.com.au/sgwi/index.php
[Fri Mar 31 19:04:23 2017] [error] [client 192.168.35.50] ModSecurity: Access denied with code 403 (phase 2).Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS:chk[]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"][msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: @ found within ARGS:chk[]: oname@@domain.com.au@@x.x.x.x"] [ver "OWASP_CRS/2.2.6"][maturity "9"] [accuracy "8"] [hostname "mydomain.com.au"] [uri "/sgwi/awl.php"] [unique_id "WN4Nh8CoIwcAABU5BWYAAAAH"]
Cheers,
Brad
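As an added example for this thread (not code from the post, EFA, MailWatch or ModSecurity), the following Python script re-runs the CRS 981173 check on the decoded greylist form value and parses the audit log's H-section "Message:" line into fields, so the block can be triaged from the log alone. The POST body and the message line are transcribed from the audit log above; the character class is the one rule 981173 prints in that log, and the field parser assumes ModSecurity's usual `[key "value"]` layout.

```python
"""Triage of the ModSecurity 403 from the post: re-run the CRS 981173 check on the
decoded greylist form value and parse the audit-log H-section "Message:" line.
Added example for this thread; it is not EFA, MailWatch or ModSecurity code."""
import re
from urllib.parse import parse_qs

# Constructed sample: the request body from section C of the audit log in the post.
POST_BODY = "chk%5B%5D=noname%40%40domain.com.au%40%40x.x.x.x"

# Constructed sample: the "Message:" line from section H, joined onto one line.
MESSAGE_LINE = (
    r"""Message: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:chk[]."""
    '[file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "170"] [id "981173"] [rev "2"][msg "Restricted SQL Character Anomaly Detection Alert - '
    'Total # of special characters exceeded"] [data "Matched Data: @ found within ARGS:chk[]: '
    'noname@@domain.com.au@@x.x.x.x"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"]'
)

# Character class of CRS 2.2.6 rule 981173, transcribed from the log line above.
# The rule matches when an argument holds four or more of these characters,
# in any order and with anything in between.
SPECIAL_CHAR = re.compile(r"""[~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>]""")
RULE_981173 = re.compile(r"(" + SPECIAL_CHAR.pattern + r".*?){4,}")

# One [key "value"] field of a ModSecurity message; values may contain \" escapes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: [values]}."""
    return dict(parse_qs(body))


def special_chars(value: str) -> list:
    """Every character of `value` that counts toward the 981173 threshold."""
    return SPECIAL_CHAR.findall(value)


def rule_981173_fires(value: str) -> bool:
    """True when the rule's regex matches, i.e. at least four special characters."""
    return RULE_981173.search(value) is not None


def parse_message(line: str) -> dict:
    """Pull the bracketed fields, the matched variable and the status out of a Message: line."""
    fields = {key: value for key, value in FIELD.findall(line)}
    var = re.search(r" at (\S+?)\.\s*\[file ", line)
    fields["variable"] = var.group(1) if var else None
    status = re.search(r"code (\d+)", line)
    fields["status"] = int(status.group(1)) if status else None
    return fields


def triage(body: str, message_line: str) -> dict:
    """Join the decoded body with the parsed message to show why the request was blocked."""
    info = parse_message(message_line)
    # "ARGS:chk[]" names form field "chk[]"; take its first submitted value.
    field = info["variable"].split(":", 1)[1]
    value = decode_form(body).get(field, [""])[0]
    chars = special_chars(value)
    return {
        "rule_id": info.get("id"),
        "variable": info["variable"],
        "value": value,
        "special_count": len(chars),
        "special_chars": "".join(chars),
        "fires": rule_981173_fires(value),
    }


if __name__ == "__main__":
    for key, val in triage(POST_BODY, MESSAGE_LINE).items():
        print(f"{key:14} {val}")
```

The output shows the whole story: the greylist page encodes each selected entry as `sender@@domain@@ip`, so a single checkbox value carries four `@` characters and crosses the rule's threshold on its own; the `.` characters in the domain and address do not count. Because the value is legitimate application data rather than injection, the usual CRS 2.2.x remedy is to exclude that one argument from the rule's targets after the CRS rules are loaded (ModSecurity 2.x supports this with `SecRuleUpdateTargetById 981173 "!ARGS:chk[]"`) rather than disabling rule 981173 for the whole host.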