0

I have a password protected directory on my web server. To protect that from brute force attack, I tried to add the IP-Based BLocking config as below in the apache2 config file.

But everytime I restart Apache2 I get syntax error. Does anyone know how to resolve this? Thanks

Apache version: 2.2
Mod Security CRS - 2.2.8-1

Error when restart Apache

/etc/init.d/apache2 restart
 * Restarting web server apache2                     [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 252 of /etc/apache2/apache2.conf:
ModSecurity: No action id present within the rule
Action 'configtest' failed.
The Apache error log may have more information.

Here is the apache config file content:

232 Alias /shared /var/shared
233 <Directory /var/shared>
234         Options Indexes MultiViews FollowSymLinks
235         AllowOverride AuthConfig
236         Order allow,deny
237         Allow from all
238 </Directory>
239
240 <IfModule security2_module>
241     Include /usr/share/modsecurity-crs/*.conf
242     Include /usr/share/modsecurity-crs/base_rules/*.conf
243 </IfModule>
244 <LocationMatch /shared>
245         # Uncomment to troubleshoot
246        SecDebugLogLevel 9
247        SecDebugLog /tmp/troubleshooting.log
248
249        # Enforce an existing IP address block
250        SecRule IP:bf_block "@eq 1" \
251                "phase:2,deny,\
252                msg:'IP address blocked because of suspected brute-forceattack'"
253
254        # Check that this is a POST
255        SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass"
256             # AND Check for authentication failure and increment counters
257             # NOTE this is for a Rails application, you probably need to customize this
258                SecRule RESPONSE_STATUS "^200" \
259                        "setvar:IP.bf_counter=+1"
260
261        # Check for too many failures from a single IP address. Block for 10 minutes.
262        SecRule IP:bf_counter "@ge 3" \
263                "phase:5,pass,t:none, \
264                setvar:IP.bf_block,\
265                setvar:!IP.bf_counter,\
266                expirevar:IP.bf_block=600"
267 </LocationMatch>

There is nothing in the error logs except that it was shutting down while I initiated restart command.

masegaloeh
  • 17,978
  • 9
  • 56
  • 104
Matt
  • 11
  • 1
  • 2
  • 5

3 Answers3

1

I would say that an action unique ID is mandatory.

Try :

SecRule IP:bf_block "@eq 1" "phase:2,deny,id:'1234',msg:'IP address blocked because of suspected brute-forceattack'"

For id use any number you want, just ensure to not use the same twice (or more).

krisFR
  • 12,830
  • 3
  • 31
  • 40
  • Sorry! That is throwing the same error too.. – Matt Jul 22 '14 at 17:40
  • I've edited : try `id:'1234'` (replace `=` by `:` and add `'`) – krisFR Jul 22 '14 at 17:41
  • Okay i gave id to line 252 and 255 as well. But now the last second line has syntax error expirevar:IP.bf_block=600" See anything wrong here? And is there any way to add 2 locations in LocationMatch? Like ??? Or should I duplicate the code again for the second location? – Matt Jul 23 '14 at 08:26
1

ModSecurity: No action id present within the rule

The error above is encountered with rules setup and working well with older mod_security module versions (like before v. 2.7.x). Starting with ModSecurity 2.7 a unique ID needs to be assigned to the rule or chain in which it appears, "this action is mandatory and must be numeric".

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id

So the error shows up after moving the rules to servers with newer versions of mod_security module or, after in place mod_security updates /upgrades, like from 2.6.x to 2.7.x etc.

Steve Baroti
  • 11
  • 2
0

you must just add id of action because modsecurity require id number , for expemle : 

SecRule REQUEST_FILENAME "form.php" "***id:'400001'***,chain,deny,log,msg:'Spam detected'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
Jenny D
  • 27,358
  • 21
  • 74
  • 110
rmz
  • 1