3.0.1.9 permission issues

Report bugs and workarounds
r31griffo
Posts: 19
Joined: 31 Mar 2017 05:09

Re: 3.0.1.9 permission issues

Post by r31griffo »

Hi Shawniverson,

I've been tinkering with 3.0.1.9 and it looks great, but I'm considering waiting until 3.0.2.0 is released before putting this into production. If you were to estimate (I won't hold you to it), could you indicate when this might be released? This is just so I can make an informed decision to either push on with the current version or wait a little while for the next, I'm happy to do some pre-release testing if that helps.

Cheers,
Brad

EDIT:
Sorry, I just noticed the new release 3.0.2.0: viewtopic.php?f=8&t=2326
(At the moment the download page shows 3.0.1.9)
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

Yeah, as a matter of fact, I'm going to be releasing a 3.0.2.1 asap. Uncovered a bug in MailWatch on 3.0.2.0 affecting the reports.

Going to keep rapid releasing until we stabilize, so keep an eye out for new updates.
r31griffo
Posts: 19
Joined: 31 Mar 2017 05:09

Re: 3.0.1.9 permission issues

Post by r31griffo »

Thanks shawniverson.
Is there a thread related to the reports problem? It's not the "Directory Traversal" thing, is it?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

No, directory traversal is a separate issue.

The thread for the reports issue is here:

viewtopic.php?f=13&t=2327
perforator
Posts: 8
Joined: 01 Aug 2013 09:17

Re: 3.0.1.9 permission issues

Post by perforator »

Same sort of issue here today.
Went through the kernel upgrade and then the EFA upgrade.

I can see a lot of new rules in the above-mentioned file /etc/httpd/conf.d/mod_security.conf
It seemed though that I still missed one line; I was getting this error: modsecurity_crs_41_sql_injection_attacks.conf"] [line "168"] [id "981172"]

So I added "SecRuleRemoveById 981172" at the very end of the list, and now it works fine again. :dance: :violin:

Best AntiSPAM/Virus server !!! :clap: :clap: :clap:
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

I'll add this to the next update :D
efa-user
Posts: 18
Joined: 27 Jul 2017 10:59

Re: 3.0.1.9 permission issues

Post by efa-user »

FYI I saw this error when trying to delete some greylist entries on 3.0.2.3
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

modsecurity will be disabled by default in new builds for the next update.

Existing users are encouraged to turn it off using EFA-Configure, as it is no longer necessary to protect MailWatch.
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 »

shawniverson wrote: 31 Jul 2017 20:41 modsecurity will be disabled by default in new builds for the next update.

Existing users are encouraged to turn it off using EFA-Configure, as it is no longer necessary to protect MailWatch.
Running 3.0.2.3
The option to disable modsecurity breaks the web gui altogether. Re-enabling it fixes the gui.

Code:

Modsecurity Settings

By default, EFA uses modsecurity
You can disable modsecurity.  Bear in mind this might increase your security exposure.

[EFA] Disable modsecurity? (y/N/c): y
Stopping httpd:                                            [  OK  ]
Starting httpd: Syntax error on line 6 of /etc/httpd/conf.d/mod_security.conf:
Invalid command 'SecRuleRemoveById', perhaps misspelled or defined by a module not included in the server configuration
                                                           [FAILED]

Modsecurity [Disabled]
httpd error_log

Code:

[Sun Aug 27 04:03:07 2017] [notice] Digest: generating secret for digest authentication ...
[Sun Aug 27 04:03:07 2017] [notice] Digest: done
[Sun Aug 27 04:03:08 2017] [notice] Apache/2.2.15 (Unix) PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue Aug 29 09:16:53 2017] [notice] caught SIGTERM, shutting down
[Tue Aug 29 09:26:19 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Tue Aug 29 09:26:20 2017] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Tue Aug 29 09:26:20 2017] [notice] Digest: generating secret for digest authentication ...
[Tue Aug 29 09:26:20 2017] [notice] Digest: done
[Tue Aug 29 09:26:21 2017] [notice] Apache/2.2.15 (Unix) PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Tue Aug 29 09:26:44 2017] [notice] caught SIGTERM, shutting down

modsec_audit.log

Code:

--9303835d-C--
chk%5B%5D=bounce-md_30640799.59a56a46.v1-ca4441c3316341beb06015cb8fe21cc5%40%40stats.symless.com%40%40198.2.180%40%40xxxxx%40xxxxxx.com&chk%5B%5D=bounce-md_30640799.59a56bd4.v1-e33bfe04d26e48b58a632ed2da3c8c87%40%40stats.symless.com%40%40198.2.180%40%40xxxxx%40xxxxxx.com&acttype=domove
--9303835d-F--
HTTP/1.0 403 Forbidden
Connection: close
Content-Type: text/html; charset=iso-8859-1

--9303835d-E--

--9303835d-H--
Message: Access denied with code 403 (phase 4). Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_50_outbound.conf"] [line "53"] [id "970901"] [rev "2"] [msg "The application is not available"] [data "Matched Data: 500 found within RESPONSE_STATUS: 500"] [severity "ERROR"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "WASCTC/WASC-13"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.6"]
Message: Warning. Operator GE matched 4 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "40"] [id "981205"] [msg "Outbound Anomaly Score Exceeded (score 4): The application is not available"]
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Warning:  mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Warning:  mysqli::mysqli(): Headers and client library minor version mismatch. Headers:50173 Library:50312 in /var/www/html/sgwi/includes/functions.inc.php on line 26, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Apache-Error: [file "/builddir/build/BUILD/php-5.3.3/sapi/apache2handler/sapi_apache2.c"] [line 326] [level 3] PHP Fatal error:  Uncaught exception 'mysqli_sql_exception' with message 'Duplicate entry '198.2.180-stats.symless.com-bounce-md_30640799.59a56a46.v1-ca444' for key 'PRIMARY'' in /var/www/html/sgwi/includes/functions.inc.php:27\\nStack trace:\\n#0 /var/www/html/sgwi/includes/functions.inc.php(27): mysqli->query('INSERT INTO fro...')\\n#1 /var/www/html/sgwi/includes/connect.inc.php(29): do_query('INSERT INTO fro...')\\n#2 /var/www/html/sgwi/connect.php(66): move_entry('bounce-md_30640...', 'stats.symless.c...', '198.2.180', 'xxxxx@xxxxx...')\\n#3 {main}\\n  thrown in /var/www/html/sgwi/includes/functions.inc.php on line 27, referer: https://exchedge.hsh1.com/sgwi/connect.php?sort=first_seen&csort=sender_name&order=desc
Action: Intercepted (phase 4)
Apache-Handler: php5-script
Stopwatch: 1504013949387271 7432 (- - -)
Stopwatch2: 1504013949387271 7432; combined=4104, p1=194, p2=3781, p3=3, p4=48, p5=78, sr=44, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--9303835d-Z--
Last edited by zane93 on 29 Aug 2017 14:59, edited 1 time in total.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: 3.0.1.9 permission issues

Post by shawniverson »

zane93,

Remove the first three "SecRuleRemoveById" in modsecurity.conf in the first if block.

SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
zane93
Posts: 44
Joined: 08 Mar 2016 22:08

Re: 3.0.1.9 permission issues

Post by zane93 »

shawniverson wrote: 29 Aug 2017 14:58 zane93,

Remove the first three "SecRuleRemoveById" in modsecurity.conf in the first if block.

SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
Works like a charm now thanks!
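As an added example (not code from the EFA project or from anyone in this thread): a small check that lists Sec* directives sitting outside an <IfModule security2_module> guard, the layout that makes httpd refuse to start with "Invalid command 'SecRuleRemoveById'" once the module is disabled, next to the guarded layout that avoids it. Both config files are constructed samples; the rule ids are the ones quoted in the thread, and the IfModule name is assumed from the stock mod_security2 packaging.

```shell
#!/bin/sh
# Added check (not EFA's code): list ModSecurity "Sec*" directives that are not
# wrapped in an <IfModule security2_module> guard. Unguarded directives are what
# make httpd fail with "Invalid command 'SecRuleRemoveById'" once the module is
# disabled, as reported in the thread.

# Print "lineno:directive" for every Sec* directive outside a security2 guard.
unguarded_sec_directives() {
    awk '
        /^[[:space:]]*<IfModule/ {
            n++; sec[n] = ($0 ~ /security2_module|mod_security2\.c/) ? 1 : 0
            if (sec[n]) g++; next
        }
        /^[[:space:]]*<\/IfModule>/ { if (n > 0) { if (sec[n]) g--; n-- }; next }
        g == 0 && /^[[:space:]]*Sec[A-Za-z]+/ { printf "%d:%s\n", NR, $0 }
    ' "$1"
}
# Number of unguarded directives (0 means the file parses even with the module unloaded).
count_unguarded() { unguarded_sec_directives "$1" | awk 'END { print NR }'; }

# Constructed sample files modelled on the thread; rule ids are the ones quoted there.
BAD_CONF=$(mktemp); GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT

# Weak layout: the first three whitelist lines sit before the guard.
cat > "$BAD_CONF" <<'EOF'
# rule exclusions for MailWatch
SecRuleRemoveById 960017
SecRuleRemoveById 950908
SecRuleRemoveById 950109
<IfModule security2_module>
    SecRuleEngine On
    SecRuleRemoveById 981172
</IfModule>
EOF
# Corrected layout: every Sec* directive is inside the guard, so httpd parses the
# file cleanly whether or not mod_security2 is loaded.
cat > "$GOOD_CONF" <<'EOF'
<IfModule security2_module>
    SecRuleEngine On
    SecRuleRemoveById 960017
    SecRuleRemoveById 950908
    SecRuleRemoveById 950109
    SecRuleRemoveById 981172
</IfModule>
EOF
echo "unguarded in weak config:"; unguarded_sec_directives "$BAD_CONF"
echo "unguarded in corrected config: $(count_unguarded "$GOOD_CONF")"
```

Run it against the real /etc/httpd/conf.d/mod_security.conf before disabling the module in EFA-Configure; any line it reports is one httpd will choke on.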