I have the latest version of ModSecurity (as of March 25th 2019) installed on my server. I am using the OWASP rulesets along with fail2ban on Linux.

I know it is designed to block hacking attempts. Should I assume that people who are not attempting to hack my server, but simply may have infected computers, are detected the same as hackers and hacker bots etc.?

What happens is that certain people try to connect to my computer and tell me they cannot. So I look in the logs and sure enough, ModSecurity detected either an SQL injection attack from their IP or some other severe-level attack.

So, to several of them I suggested they run an updated boot-time scan of their computer and sure enough, they found lots of malware and viruses and were able to connect after clearing them, with no further issues.

So, now I'm trying to confirm that when my forum members try to connect to my server and ModSecurity reports a lot of nefarious activity from their verified IP address, it is because their computer has viruses or malware on it that is being payloaded onto their connection to my server.

I need to be confident that I am telling them the correct thing if I suggest to them that they need to check their own computer for malware or viruses.

I can't see any other explanation. Can someone confirm this is probably what's happening, since some of those members are quite sure (even without checking) that their computers are not infected with any malware or viruses?

And if that's the case, then I need to find out why ModSecurity is saying otherwise, because it is blocking my forum members.

User6655
  • What if it doesn't have XSS vulnerabilities? I don't block them. ModSecurity and fail2ban do when they detect malicious activity. Isn't that the purpose of them? While this is a useful reply, it doesn't really answer the question. – User6655 Mar 25 '19 at 12:28
  • I found this and it brings a lot of insight into the issue. https://www.oreilly.com/ideas/how-to-tune-your-waf-installation-to-reduce-false-positives – User6655 Mar 25 '19 at 14:19

2 Answers

Web applications can be made for a lot of different things, while the OWASP CRS detects a wide variety of potentially malicious requests and responses. Something that could be considered malicious in general might be within normal operation on a web application or on a certain functionality of it. E.g. rules for HTML injection aren't compatible with a content management system that should allow site administrators to add HTML content.

After enabling ModSecurity with the OWASP CRS, you should first detect rules that are always fired during normal operation and whitelist them. As the same rules might be useful somewhere else, try to limit the whitelisting to certain pages only. From the error logs you can pair [id "XXX"] with [uri "/YYY/ZZZ.php"] and disable a list of rules causing false positives (example for Apache):

<LocationMatch /YYY/ZZZ.php>
  <IfModule mod_security2.c>
    SecRuleRemoveById XXX
  </IfModule>
</LocationMatch>

While a Fail2Ban jail is a good addition for stopping malicious activities, it should only be enabled after whitelisting has been finished and there are almost zero false positives. Otherwise it will block your users just because they were using your web application as intended.

Esa Jokinen
  • Thanks for that post. The problem I have with disabling and whitelisting is: how do I know if they're false positives or actual attacks on the server? I certainly don't want to override the reason for having those things in place to begin with. It's all quite confusing. – User6655 Mar 24 '19 at 19:43
  • Use the site as intended, monitoring ModSecurity entries with your IP address in the error log. – Esa Jokinen Mar 24 '19 at 19:44
  • Yes, meaning that if I see similar detections of attacks against the server coming from a local or trusted IP, then it can be assumed the rules are producing false positives? If I understand this correctly, then it is perhaps a good way. Very helpful reply, but still doesn't exactly answer the question as posted. – User6655 Mar 25 '19 at 12:33

Do not assume anything; check. You have to be very careful when interpreting the logs from ModSecurity; it has many false positives.

  • OK, I've read that. But I'm not sure how to go about this. What I see in the ModSecurity logs is supposedly a copy of what their browser sent to the server. It's either there... or not... right? How would one go about "checking very carefully"? How does one tell a real positive from a fake positive? – User6655 Mar 24 '19 at 19:39
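The procedure from Esa Jokinen's answer (pair [id "XXX"] with [uri "/YYY/ZZZ.php"] in the error log, then whitelist per location) and the "do not assume, check" point of the second answer can be turned into a repeatable check. The script below is an added example, not code from either answer or from the ModSecurity project. It reads ModSecurity 2.x entries as Apache 2.4 writes them to the error log (the `[client ip:port]` prefix and the `[id "..."]`, `[msg "..."]`, `[uri "..."]` fields), counts hits per (rule id, uri) pair, marks the pairs that were triggered by IPs you trust (your own address while you use the forum as intended, as the comments suggest) as false-positive candidates, and drafts the per-location `SecRuleRemoveById` config. The log lines, IP addresses, rule ids and paths in it are constructed for illustration; IPv6 client addresses are not handled.

```python
"""Rank ModSecurity hits by (rule id, uri) and draft per-location exclusions.

Added example, not from the original thread. SAMPLE_LOG is constructed to look
like ModSecurity 2.x entries in an Apache 2.4 error log; the IPs, rule ids,
paths and hostnames are illustrative only.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: three hits from a trusted tester (192.0.2.10) using the
# forum as intended, one hit from an unknown client (203.0.113.77) on a login page.
SAMPLE_LOG = """\
[Mon Mar 25 10:12:01.100000 2019] [:error] [pid 4321:tid 1] [client 192.0.2.10:51000] ModSecurity: Warning. Pattern match "..." at ARGS:message. [file "/etc/modsecurity/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "100"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "forum.example"] [uri "/post.php"] [unique_id "AAA"]
[Mon Mar 25 10:12:05.100000 2019] [:error] [pid 4321:tid 1] [client 192.0.2.10:51002] ModSecurity: Warning. Pattern match "..." at ARGS:message. [file "/etc/modsecurity/crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "70"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "forum.example"] [uri "/post.php"] [unique_id "AAB"]
[Mon Mar 25 10:13:10.100000 2019] [:error] [pid 4321:tid 2] [client 192.0.2.10:51010] ModSecurity: Warning. Pattern match "..." at ARGS:message. [file "/etc/modsecurity/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "100"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "forum.example"] [uri "/post.php"] [unique_id "AAC"]
[Mon Mar 25 10:20:00.100000 2019] [:error] [pid 4321:tid 3] [client 203.0.113.77:40000] ModSecurity: Warning. Pattern match "..." at ARGS:username. [file "/etc/modsecurity/crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "100"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "forum.example"] [uri "/admin/login.php"] [unique_id "AAD"]
"""

# Apache 2.4 writes "[client ip:port]"; only IPv4 is matched here (assumption).
_CLIENT = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
_ID = re.compile(r'\[id "(\d+)"\]')
_URI = re.compile(r'\[uri "([^"]*)"\]')
_MSG = re.compile(r'\[msg "([^"]*)"\]')


def parse_event(line):
    """Return {'ip', 'id', 'uri', 'msg'} for one ModSecurity log line, else None."""
    if "ModSecurity:" not in line:
        return None
    event = {}
    for key, rx in (("ip", _CLIENT), ("id", _ID), ("uri", _URI)):
        m = rx.search(line)
        if not m:  # not a complete rule-match entry, skip it
            return None
        event[key] = m.group(1)
    m = _MSG.search(line)
    event["msg"] = m.group(1) if m else ""
    return event


def summarize(log_text, trusted_ips):
    """Count hits per (rule id, uri); record which pairs trusted IPs triggered."""
    hits = Counter()
    trusted_pairs = set()
    msgs = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["id"], ev["uri"])
        hits[key] += 1
        msgs[key] = ev["msg"]
        if ev["ip"] in trusted_ips:
            trusted_pairs.add(key)
    return hits, trusted_pairs, msgs


def false_positive_candidates(hits, trusted_pairs):
    """Pairs fired by a trusted tester are candidates; most frequent first."""
    return sorted(((k, n) for k, n in hits.items() if k in trusted_pairs),
                  key=lambda kn: (-kn[1], kn[0]))


def render_exclusions(candidates, msgs):
    """Draft Apache config removing each candidate rule only for its own uri."""
    by_uri = defaultdict(list)
    for (rule_id, uri), count in candidates:
        by_uri[uri].append((rule_id, count))
    out = []
    for uri in sorted(by_uri):
        out.append(f"<LocationMatch ^{re.escape(uri)}$>")  # LocationMatch takes a regex
        out.append("  <IfModule mod_security2.c>")
        for rule_id, count in by_uri[uri]:
            out.append(f"    # {count} hit(s) from trusted IP(s): {msgs[(rule_id, uri)]}")
            out.append(f"    SecRuleRemoveById {rule_id}")
        out.append("  </IfModule>")
        out.append("</LocationMatch>")
    return "\n".join(out)


if __name__ == "__main__":
    hits, trusted_pairs, msgs = summarize(SAMPLE_LOG, {"192.0.2.10"})
    cands = false_positive_candidates(hits, trusted_pairs)
    print(render_exclusions(cands, msgs))
    # Pairs only untrusted clients triggered stay enabled: review them as real hits.
    print("# left enabled:", [k for k in hits if k not in trusted_pairs])
```

Run it against your real error log (`summarize(open("/var/log/apache2/error.log").read(), {"your.ip"})`) after browsing the forum yourself: a pair that fires for your own benign traffic is a tuning problem, a pair that fires only for unknown clients is left alone and reviewed as a possible real attack. The generated `<LocationMatch>` blocks are narrower than removing a rule globally; where only one parameter trips the rule, ModSecurity 2.x also allows `ctl:ruleRemoveTargetById=942100;ARGS:message` in a SecRule, which keeps the rule active for every other argument.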