/etc/ Lfd warning and IP blocked

Posted: 06 Dec 2007, 19:47
by megahost
I have the following problem:
I have some websites using directories like "/etc".

Any time CSF finds a reference to an /etc directory, it logs it, warns me and also denies IP access.

I've noticed also that Joomla/Mambo and other pre-made scripts or CMSs are using /etc directories....

Here is an example of a warning I receive 20 times a day:

Time: Thu Dec 6 21:19:56 2007
IP: xx.xx.xx.xx
Failures: 5 (mod_security)
Interval: 280 seconds
Blocked: Yes

Log entries:
[Thu Dec 06 21:19:31 2007] [error] [client xx.xx.xx.xx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at REQUEST_FILENAME. [id "950005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"] [hostname "www.somedomain.com"] [uri "/components/com_zoom/etc/zoom.css"] [unique_id "AnCkVlkmgJ4AAHYbS4cAAAAg"]

Is this a bug? Is there a workaround to avoid this?

Thanks.

Posted: 06 Dec 2007, 20:43
by sdjl
That's an over-zealous mod_security rule doing the trick for you. CSF is just obeying mod_security and blocking when your limit is reached.
I'd suggest tweaking that rule so it's not as strict for a simple /etc directory at the end of your URL.

David

Posted: 06 Dec 2007, 21:00
by megahost
Thank you for replying, sdjl.

Here is the rule from mod_security; it is the only rule with "etc" in it:

==========
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" \
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
==========

Can you please tell me what to edit here?

I am kind of new to servers... so please bear with me...

Thanks.

Posted: 07 Dec 2007, 00:29
by sdjl
I'd remove it entirely as it's far too generic.
Look at installing a selection of the rules available from Got Root here instead: http://www.gotroot.com/tiki-index.php?p ... rity+rules

David
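As an added illustration of the problem discussed in this thread (example code written here, not posted by either participant and not part of any ruleset), the script below runs the exact regex from rule 950005 against a few constructed request paths, including the Joomla CSS URI from the warning, and compares it with a narrowed variant. The narrowed pattern is an assumption for this example only: it keeps the sensitive-file part of the original unchanged but only treats "/etc/" as suspicious when it is at the root of the path or reached through a "../" traversal segment.

```python
import re

# Pattern exactly as quoted from the mod_security rule (id 950005) in the thread.
ORIGINAL_PATTERN = (
    r"(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|"
    r"httpd\.conf|boot\.ini)\b|\/etc\/)"
)

# Narrowed variant (assumption for this example): same file names as above, but
# "/etc/" only counts when it starts the path or follows a "../" traversal step,
# so a CMS asset directory such as /components/.../etc/ is left alone.
NARROWED_PATTERN = (
    r"(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|"
    r"httpd\.conf|boot\.ini)\b|(?:^/|\.\./)etc/)"
)

# No flags: the quoted rule applies no t:lowercase transformation, so matching
# is case-sensitive here as well.
ORIGINAL = re.compile(ORIGINAL_PATTERN)
NARROWED = re.compile(NARROWED_PATTERN)

# Constructed sample request paths: the Joomla URI from the warning, another
# legitimate "etc" asset path, and two classic file-access probes the rule exists for.
SAMPLE_URIS = [
    "/components/com_zoom/etc/zoom.css",   # the false positive from the thread
    "/images/etc/logo.png",                # another harmless "etc" directory
    "/etc/passwd",                         # absolute path to a system file
    "/cgi-bin/../../etc/passwd",           # traversal towards a system file
    "/var/www/httpd.conf",                 # config file name the rule also lists
    "/index.php",                          # ordinary request
]


def flagged(regex, uri):
    """True when the rule's pattern would match this request path."""
    return regex.search(uri) is not None


def compare(uris):
    """Map each URI to (original_hit, narrowed_hit) for side-by-side review."""
    return {u: (flagged(ORIGINAL, u), flagged(NARROWED, u)) for u in uris}


if __name__ == "__main__":
    print(f"{'URI':40} original  narrowed")
    for uri, (orig_hit, narrow_hit) in compare(SAMPLE_URIS).items():
        print(f"{uri:40} {str(orig_hit):9} {str(narrow_hit)}")
```

Note that the real rule also inspects ARGS, ARGS_NAMES and REQUEST_HEADERS, where a start-of-string anchor behaves differently than on REQUEST_FILENAME, so any narrowed rule should be tested against the audit log entries that produced the false positives before it replaces the original.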