SecConnReadStateLimit and SecReadStateLimit doesn't work with Apache 2.4.x #786
Comments
|
When I deploying ModSec 2.8.0 (Build with Apache Runtime in httpd 2.2.15) and Nginx 1.6.2 I also got problem like you. |
|
@mariuszzbrowski You may want to achieve similar results by using the directives: SecConnReadStateLimit and SecConnWriteStateLimit. You may want to look those links:
Regarding the rules that you have created, you may want to look at the '/content/logs/httpd/debug.log'. It should contains useful information how those variables of your rules are being resolved, helping you to figure out what is going wrong. |
|
@doantranhoang Can you give more details about what you want to achieve? Or details on the problems that you are facing? Maybe a good idea is to open a new ticket of fire questions to our users mailing list. I would say that you will probably have a fast response if you ask in our users mailing list. |
|
@doantranhoang if you are also interested in protect your server from "Slow HTTP", please notice that the SecConnReadStateLimit and SecConnWriteStateLimit directives are Apache only. Let me know what exactly problem that you are facing and we can give you better help. |
|
@zimmerle Thanks you so much. I'm wrong when not reading docs carefully so I thought SecConnReadStateLimit and SecConnWriteStateLimit directives used for all platforms. Today I have a problem when I use CRS to detect Slow HTTP Attack with ModSec on Nginx, i setting timeout for requests with Nginx's directives client_header_timeout 30; Next, I use two following CRS rules in modsecurity_crs_11_slow_dos_protection.conf SecRule RESPONSE_STATUS "@Streq 408" "phase:5,t:none,log,msg:'Counter +1',pass,setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60,id:'10'" SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,deny,msg:'Client Connection Dropped due to high number of slow DoS alerts',id:'11'" Test Slow POST Attack with slowloris.pl and check my logs "POST / HTTP/1.1" 408 ..... It's really has many timeout responses status (408) but ModSecurity rule not capturing this, so two CRS rules above not working. I try to test with others RESPONSE_STATUS or RESPONSE_HEADERS and it working perfetch except 408. Has anyone try this rules success with Nginx and ModSecurity? |
|
Exact same Problem here! System:
Among my configuration I Include the |
Hello,
I try to protect apache server before Slow HTTP Headers attack using SecConnReadStateLimit and SecReadStateLimit but this directives doesn't work with Apache 2.4.x.
I've tested few version of Apache and ModSecurity on centos 6 and centos 7 servers without success.
Apache version tested:
2.4.3 Package from internal repository
2.4.6 Package form repository
2.4.9 Compiled on my own ./configure --prefix=/usr/local/apache-2.4.9 --with-included-apr -enable-nonportable-atomics=yes --enable-so --enable-ssl
ModSecurity version tested:
2.8.0 Compiled on my own ./configure --with-apxs=path_to_apxs --with-apu=patch_to_apu --with-apr=path_to_apr
2.7.5 Compiled on my own ./configure --with-apxs=path_to_apxs --with-apu=patch_to_apu --with-apr=path_to_apr
2.7.3 Package from repository
ModSecurity configuration (2.7.3 and 2.7.5):
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
SecRuleEngine on
SecTmpDir /tmp/
SecDataDir /tmp/
SecDebugLog /content/logs/httpd/debug.log
SecDebugLogLevel 9
SecReadStateLimit 50
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecRule RESPONSE_STATUS "@Streq 408" "phase:5,t:none,log,msg:'Counter +1',pass,setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60,id:'10'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,deny,msg:'Client Connection Dropped due to high number of slow DoS alerts',id:'11'"
SecDefaultAction "phase:2,pause:3000,deny,nolog,auditlog"
ModSecurity configuration (2.8.0):
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
SecRuleEngine on
SecTmpDir /tmp/
SecDataDir /tmp/
SecDebugLog /content/logs/httpd/debug.log
SecDebugLogLevel 9
SecConnEngine on
SecConnReadStateLimit 50
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecRule RESPONSE_STATUS "@Streq 408" "phase:5,t:none,log,msg:'Counter +1',pass,setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60,id:'10'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,deny,msg:'Client Connection Dropped due to high number of slow DoS alerts',id:'11'"
SecDefaultAction "phase:2,pause:3000,deny,nolog,auditlog"
I've tested configuration using slowhttptest tool and behavior is that ModSecurity don't block new incoming connections after reach Read Connection limit..
With Apache 2.2.15 and ModSecurity 2.7.3 intstalled form Repository on Centos 6 all configuration works perfect.
Has someone had the same problem with apache 2.4.x ?
Please advise.
The text was updated successfully, but these errors were encountered: