/etc/ Lfd warning and IP blocked

megahost
Junior Member
Posts: 2
Joined: 06 Dec 2007, 19:36

/etc/ Lfd warning and IP blocked

Post by megahost »

I have the following problem:
I have some websites using directories like "/etc".

Any time csf finds a reference to an /etc directory it logs it, warns me and also denies IP access.

I've noticed also that Joomla/Mambo and other pre-made scripts or CMSs are using /etc directories...

Here is an example of a warning I receive 20 times a day:

Time: Thu Dec 6 21:19:56 2007
IP: xx.xx.xx.xx
Failures: 5 (mod_security)
Interval: 280 seconds
Blocked: Yes

Log entries:
[Thu Dec 06 21:19:31 2007] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at REQUEST_FILENAME. [id "950005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "www.somedomain.com"] [uri "/components/com_zoom/etc/zoom.css"] [unique_id "AnCkVlkmgJ4AAHYbS4cAAAAg"]


Is this a bug? Is there a workaround to avoid this?

Thanks.
sdjl
Junior Member
Posts: 81
Joined: 10 Dec 2006, 16:56
Location: London, UK.

Post by sdjl »

That's an overzealous mod_security rule doing the trick for you. CSF is just obeying mod_security and blocking when your limit is reached.
I'd suggest tweaking that rule so it's not as strict for a simple /etc directory at the end of your URL.

David
megahost
Junior Member
Posts: 2
Joined: 06 Dec 2007, 19:36

Post by megahost »

Thank you for replying, sdjl.

Here is the rule from mod_security; it is the only rule with "etc" in it:

==========
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
==========

Can you please tell me what to edit here?

I am kind of new to servers... so please bear with me...

Thanks.
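As an added illustration (not code from this thread, from csf/lfd or from the ModSecurity rule set), the Python snippet below runs the pattern from rule 950005 quoted above against a few request filenames, to show why the Joomla path in the warning fires the rule, and then evaluates one narrowed variant of the kind sdjl's earlier reply suggests: the /etc/ alternative anchored to the start of REQUEST_FILENAME. The anchored variant and every sample filename other than the one from the warning are assumptions. Note the caveat in the comments: anchoring only makes sense for REQUEST_FILENAME; the same rule also inspects ARGS and REQUEST_HEADERS, where a parameter value containing /etc/ no longer starts with it, so a separate rule would be needed to keep inspecting those.

```python
import re

# Pattern exactly as quoted in the rule (id 950005) earlier in this thread.
ORIGINAL_PATTERN = re.compile(
    r"(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)"
)

# Assumed narrower variant (not from the thread): the /etc/ alternative is anchored
# with ^ so it only fires when the request filename itself starts with /etc/.
# Caveat: this is only sensible for REQUEST_FILENAME. The original rule also targets
# ARGS|ARGS_NAMES|REQUEST_HEADERS, where a value such as "../../etc/passwd" does not
# start with /etc/, so those variables would need their own unanchored rule.
ANCHORED_PATTERN = re.compile(
    r"(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|^\/etc\/)"
)

# Constructed sample request filenames: the Joomla path from the warning in the
# thread, two made-up CMS-style paths in the same shape, and a direct request for
# the system /etc/ directory that a file-access rule is meant to catch.
SAMPLE_FILENAMES = [
    "/components/com_zoom/etc/zoom.css",    # from the warning in the thread
    "/modules/mod_example/etc/config.xml",  # constructed
    "/index.php",                           # constructed
    "/etc/passwd",                          # constructed: filename under /etc/
]


def matches(pattern, filename):
    """True if the rule pattern would fire on this request filename."""
    return pattern.search(filename) is not None


def evaluate(filenames, pattern):
    """Map each request filename to whether the pattern fires on it."""
    return {f: matches(pattern, f) for f in filenames}


def count_hits(filenames, pattern):
    """How many of the given requests would each add a mod_security failure
    towards the lfd threshold shown in the warning (5 failures in the interval)."""
    return sum(1 for f in filenames if matches(pattern, f))


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(f"--- {name} pattern ---")
        for filename, fired in evaluate(SAMPLE_FILENAMES, pattern).items():
            print(f"{'DENY ' if fired else 'allow'}  {filename}")
        print(f"failures counted by lfd: {count_hits(SAMPLE_FILENAMES, pattern)}")
```

Running it shows that the original pattern denies every CMS asset under an etc/ subdirectory, so a handful of normal page loads is enough to reach the five failures lfd reported, while the anchored form denies only the filename that really begins with /etc/.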
sdjl
Junior Member
Posts: 81
Joined: 10 Dec 2006, 16:56
Location: London, UK.

Post by sdjl »

I'd remove it entirely as it's far too generic.
Look at installing a selection of the rules available from Got Root here instead: http://www.gotroot.com/tiki-index.php?p ... rity+rules

David