Apache & mod_security – resolving false positives
I recently found that some users could not access this site due to what seemed to be ‘false positive’ matches in the mod_security rule base. In this particular instance the rule was one for ‘backdoor’ or ‘trojan’ access attempts.
For now I have disabled the rule (or rather set it to log only) and decided to look into how this sort of problem might be resolved. Items to review include:
- set Apache & mod_security logging to a ‘deep’ level in an attempt to see what is matching the rule
- review the Apache configuration for possible issues (e.g. running out of CPU/RAM, which then leads to the false positive?)
- too many mod_security rules? (e.g. enough to cause a CPU/RAM resource problem?)
- something else/the unknown?
- note that the problem did not show up on the custom ‘mobile’ pages…
I started with the mod_security debug log. In this particular case the problem seems to be a combination of page (blog) content, the theme/plugins in use, and certain browsers…. WHEW!
Now, how to resolve?
Server Notes
- the problem was limited to the ‘home page’ for one domain being served by Apache
- when testing, try different, unique pages to confirm the problem page (in this instance, multiple blog posts were on the home page which made locating the ‘problem’ more interesting…)
- I had excluded my own IP from mod_security rules in prior testing – best to apply rules to all to catch such problems…
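To make the log review above less of a guessing game, here is a small added script (not from this post or the ModSecurity project) that groups the ModSecurity entries in the Apache error log by rule id and URI, so a rule that fires on one page for many different clients stands out as a content-triggered false positive; it then emits an Apache snippet that drops that one rule for that one path instead of site-wide. The log lines, rule ids, client addresses and hostname are constructed sample data, not values from this site.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries in the format ModSecurity 2.x writes to the Apache error log;
# rule ids, client addresses and hostname are invented for this example.
SAMPLE_LOG = """\
[Sat Mar 05 10:01:02 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 4). Pattern match "backdoor" at RESPONSE_BODY. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "900101"] [msg "Backdoor access"] [severity "CRITICAL"] [hostname "blog.example"] [uri "/"] [unique_id "a1"]
[Sat Mar 05 10:03:15 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 4). Pattern match "backdoor" at RESPONSE_BODY. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "900101"] [msg "Backdoor access"] [severity "CRITICAL"] [hostname "blog.example"] [uri "/"] [unique_id "a2"]
[Sat Mar 05 10:09:40 2011] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 4). Pattern match "backdoor" at RESPONSE_BODY. [file "/etc/modsecurity/rules.conf"] [line "42"] [id "900101"] [msg "Backdoor access"] [severity "CRITICAL"] [hostname "blog.example"] [uri "/"] [unique_id "a3"]
[Sat Mar 05 10:12:01 2011] [error] [client 203.0.113.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/rules.conf"] [line "77"] [id "900202"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "blog.example"] [uri "/feed"] [unique_id "a4"]
"""

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # the [key "value"] pairs ModSecurity appends
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

def parse_modsec_line(line):
    """Return the bracketed fields (id, msg, uri, ...) plus the client address, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else "?"
    fields["blocked"] = "Access denied" in line
    return fields

def summarize(lines):
    """Group hits by (rule id, uri). One rule, one page, many distinct clients is the
    signature of a false positive triggered by page content rather than by an attacker."""
    hits, clients, msgs = Counter(), defaultdict(set), {}
    for line in lines:
        f = parse_modsec_line(line)
        if not f or "id" not in f:
            continue
        key = (f["id"], f.get("uri", "?"))
        hits[key] += 1
        clients[key].add(f["client"])
        msgs[key] = f.get("msg", "")
    return [{"id": i, "uri": u, "msg": msgs[(i, u)], "hits": n, "clients": len(clients[(i, u)])}
            for (i, u), n in hits.most_common()]

def exception_snippet(rule_id, uri):
    """Apache config that removes one rule for one exact path only, rather than disabling it globally."""
    return ('<LocationMatch "^%s$">\n    SecRuleRemoveById %s\n</LocationMatch>\n'
            % (re.escape(uri), rule_id))

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        print("rule %(id)s (%(msg)s) on %(uri)s: %(hits)d hits from %(clients)d clients" % row)
    print(exception_snippet("900101", "/"))
```

Run it against the real error log (`summarize(open("/var/log/apache2/error.log"))`) with the author's point in mind: exclusions for your own IP hide exactly the hits this summary needs.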