vennedey.net

Generate exceptions for mod_security from log messages

On Fri, 14 Sep 2018 21:39:31 +0200 by Falco Nordmann

I just had to help a customer deploy a TYPO3 installation on an Apache web server running with mod_security2 enabled. Since the module blocked many of the backend's requests, I needed to define a bunch of exceptions in the client's vHost configuration. To make this easier in the future I came up with this little piece of bash, which generates the exceptions directly from the ModSecurity messages in the Apache error log.

root@webhost:~# grep ModSecurity /var/log/apache2/error.log \
  | grep -P '\[id "\d+"\].*\[uri "' \
  | grep -Po '\[id "\d+"\]|\[uri ".*?"\]' \
  | cut -d'"' -f2 \
  | paste - - \
  | awk -F'\t' '{ print $2 "\t" $1 }' \
  | sort -u \
  | awk -F'\t' '
      # keep only lines carrying both a rule id and a uri, extract the two
      # values (id always precedes uri in the message), pair them with paste,
      # swap to "uri<TAB>id", dedupe, then open a new Location block whenever
      # the uri changes and print one SecRuleRemoveById per rule id
      $1 != last {
          if (last != "") print "\t</IfModule>\n</Location>"
          print "<Location \"" $1 "\">\n\t<IfModule mod_security2.c>"
          last = $1
      }
      { print "\t\tSecRuleRemoveById " $2 }
      END { if (last != "") print "\t</IfModule>\n</Location>" }'

Running this produces one Location block per URL the module blocked, each removing the rule IDs that were triggered for that URL; the blocks can be included in the vHost configuration as they are.

<Location "/typo3/ajax.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 941100
                SecRuleRemoveById 941110
                SecRuleRemoveById 941140
                SecRuleRemoveById 941160
                SecRuleRemoveById 941270
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>
<Location "/typo3/alt_doc.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 941100
                SecRuleRemoveById 941110
                SecRuleRemoveById 941140
                SecRuleRemoveById 941160
                SecRuleRemoveById 941270
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>
<Location "/typo3/mod.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 941100
                SecRuleRemoveById 941110
                SecRuleRemoveById 941140
                SecRuleRemoveById 941160
                SecRuleRemoveById 941270
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>
<Location "/typo3/sysext/install/Start/Install.php">
        <IfModule mod_security2.c>
                SecRuleRemoveById 921130
                SecRuleRemoveById 930120
                SecRuleRemoveById 942100
                SecRuleRemoveById 949110
                SecRuleRemoveById 980130
        </IfModule>
</Location>

Just double-check the result before deploying it: the script whitelists every rule ID that fired for a URL, so an attack that happened to hit the site while the log was collected ends up as an exception too. Compare each ID against the [msg "..."] and [data "..."] of the log line it came from. If the rule set is the OWASP Core Rule Set 3 (the IDs above match its numbering), the generated blocks also contain 949110 and 980130, the inbound anomaly-score evaluation and correlation rules; removing 949110 for a Location switches off the anomaly-score blocking decision there entirely, which makes the other exceptions redundant and leaves that path unprotected, so drop those two IDs from the output. Where a single parameter is what trips a rule, a narrower exclusion such as SecRuleUpdateTargetById, which removes only that parameter from the rule's targets, keeps the rule active for everything else.
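A more robust version of the same idea, added here as an example (it is not the code from the post): it parses the [key "value"] fields properly instead of pairing lines with xargs, so URIs containing spaces or quotes do not desynchronise the id/uri pairing; it keeps the [msg "..."] and [data "..."] of every hit so the review asked for above can be done from one listing; and it leaves the CRS 3 scoring and correlation rule IDs (949xxx, 959xxx, 980xxx) out of the generated blocks. The log lines, hostname, paths and unique_ids in it are constructed sample input, not taken from any real system.

```python
"""Generate mod_security2 exceptions from Apache error_log lines, with a review list.

Added example (not the code from the post). It parses the bracketed
[key "value"] fields ModSecurity 2.x writes, groups the rule IDs per request
URI, leaves out the OWASP CRS 3 scoring/correlation rules and prints, next to
the generated <Location> blocks, what each exception would whitelist.
"""
import re
from collections import defaultdict

# One [key "value"] field as written by ModSecurity; values may contain
# backslash-escaped double quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Constructed sample error_log lines in ModSecurity 2.x / CRS 3 format (not
# taken from any real system). Line 1 is an unrelated PHP notice; lines 2-4 are
# one benign TYPO3 backend request flagged as XSS plus the two CRS anomaly-score
# rules it triggered; line 5 is a protocol rule on mod.php; line 6 is a request
# that really does look hostile and must not become an exception.
SAMPLE_LOG = r"""
[Fri Sep 14 21:39:31.000001 2018] [php7:notice] [pid 4242] [client 203.0.113.10:51234] PHP Notice:  Undefined index: foo in /var/www/html/index.php on line 3
[Fri Sep 14 21:39:31.100002 2018] [:error] [pid 4242] [client 203.0.113.10:51234] [client 203.0.113.10] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:data[tt_content][1][bodytext]: <p>Hello \"world\"</p>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.org"] [uri "/typo3/ajax.php"] [unique_id "W5v8KpK7nS6t6v2A7BbkFAAAAAE"]
[Fri Sep 14 21:39:31.100003 2018] [:error] [pid 4242] [client 203.0.113.10:51234] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.org"] [uri "/typo3/ajax.php"] [unique_id "W5v8KpK7nS6t6v2A7BbkFAAAAAE"]
[Fri Sep 14 21:39:31.100004 2018] [:error] [pid 4242] [client 203.0.113.10:51234] [client 203.0.113.10] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=5,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): XSS Attack Detected via libinjection"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.org"] [uri "/typo3/ajax.php"] [unique_id "W5v8KpK7nS6t6v2A7BbkFAAAAAE"]
[Fri Sep 14 21:40:02.200001 2018] [:error] [pid 4243] [client 203.0.113.10:51240] [client 203.0.113.10] ModSecurity: Warning. Pattern match "<(?:html|meta)" at ARGS:data[tt_content][2][bodytext]. [file "/usr/share/modsecurity-crs/rules/REQUEST-921-PROTOCOL-ATTACK.conf"] [line "112"] [id "921130"] [msg "HTTP Response Splitting Attack"] [data "Matched Data: <html found within ARGS:data[tt_content][2][bodytext]: <html><body>draft</body></html>"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.org"] [uri "/typo3/mod.php"] [unique_id "W5v8MpK7nS6t6v2A7BbkFgAAAAI"]
[Fri Sep 14 22:01:17.300001 2018] [:error] [pid 4244] [client 198.51.100.7:40311] [client 198.51.100.7] ModSecurity: Warning. Matched phrase "etc/passwd" at ARGS:file. [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "88"] [id "930120"] [msg "OS File Access Attempt"] [data "Matched Data: etc/passwd found within ARGS:file: ../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.2"] [hostname "www.example.org"] [uri "/index.php"] [unique_id "W5wBvZK7nS6t6v2A7BbkGAAAAAM"]
"""


def parse_modsecurity_log(text):
    """Return one {id, uri, msg, data} dict per ModSecurity line that has both an id and a uri."""
    events = []
    for line in text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = {}
        for key, value in FIELD_RE.findall(line):
            fields.setdefault(key, value.replace('\\"', '"'))  # [tag] repeats; keep the first
        if "id" in fields and "uri" in fields:
            events.append({"id": fields["id"], "uri": fields["uri"],
                           "msg": fields.get("msg", ""), "data": fields.get("data", "")})
    return events


def is_crs_control_rule(rule_id):
    """True for OWASP CRS 3 rules that must not be removed per Location: 949xxx
    (inbound blocking evaluation), 959xxx (outbound blocking evaluation) and
    980xxx (correlation/reporting). Removing 949110 for a Location switches off
    the anomaly-score blocking decision there entirely."""
    return rule_id[:3] in ("949", "959", "980")


def group_by_uri(events):
    """Map uri -> rule id -> sorted list of distinct (msg, data) samples, both levels sorted."""
    grouped = defaultdict(lambda: defaultdict(set))
    for ev in events:
        grouped[ev["uri"]][ev["id"]].add((ev["msg"], ev["data"]))
    return {uri: {rid: sorted(samples) for rid, samples in sorted(rules.items())}
            for uri, rules in sorted(grouped.items())}


def render_location_blocks(grouped, skip_control_rules=True):
    """Emit <Location> blocks in the same layout the post's one-liner prints.
    Assumes the URI contains no double quote (Apache would need it escaped)."""
    out = []
    for uri, rules in grouped.items():
        ids = [rid for rid in rules if not (skip_control_rules and is_crs_control_rule(rid))]
        if not ids:
            continue
        out.append(f'<Location "{uri}">')
        out.append("\t<IfModule mod_security2.c>")
        out.extend(f"\t\tSecRuleRemoveById {rid}" for rid in ids)
        out.append("\t</IfModule>")
        out.append("</Location>")
    return "\n".join(out) + "\n"


def render_review(grouped):
    """One line per (uri, rule id): the CRS message and a matched-data sample, so that
    exceptions generated from genuinely hostile requests can be spotted and dropped."""
    lines = []
    for uri, rules in grouped.items():
        for rid, samples in rules.items():
            action = "skip  " if is_crs_control_rule(rid) else "remove"
            msg, data = samples[0]
            lines.append(f"{action} {uri} {rid}  {msg}  ({data or 'no data'})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    grouped = group_by_uri(parse_modsecurity_log(SAMPLE_LOG))
    print(render_review(grouped))
    print(render_location_blocks(grouped))
```

In the review listing, the /index.php entry for 930120 shows "../../etc/passwd" in its matched data, which is exactly the kind of hit that must be deleted by hand before the generated blocks go into the vHost; to run it against a real server, read /var/log/apache2/error.log into parse_modsecurity_log instead of SAMPLE_LOG.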
