In my virtualhost I have this ModSecurity setup:

SecRuleEngine On
SecRule REQUEST_METHOD "@streq CONNECT" "id:1,nolog,drop,phase:1"

Despite the 'nolog' instruction, I got the CONNECT request in the Apache access log with a 403 Forbidden error. Why?

I need to drop it (not simply deny it) and not log it.

Where am I wrong?

Giuseppe

1 Answer


nolog refers to the Apache error log and the ModSecurity Audit logs, where ModSecurity rule exceptions are logged to.

There are no ModSecurity config options to prevent logging in the Apache access logs and I am not aware of any way of blocking this in Apache either.

The 403 response will not be sent as the connection will be dropped. This can be demonstrated by trying to use CONNECT with a curl command for example.

Barry Pollard
  • Hi Barry, thank you for your response. I noticed that, despite the dropped connection (tested with curl), a 403 line was still inserted in the Apache log. – Giuseppe Jul 05 '19 at 07:29
  • Ok but what status code should it put in there? Apache did process the request and then decided to drop it. So should it 1) Not log it - as discussed above I don’t think that’s right 2) put a status code of DROP - but that’s not a valid HTTP status code or 3) Use 403 as that’s what would have been sent. ModSecurity decides to use 3). It’s not 100% right but for these reasons probably the best thing to do. – Barry Pollard Jul 05 '19 at 09:01
  • Now you could add a clause in your rule to change this to status code 999 (also not a valid status code really) if you want to measure this. – Barry Pollard Jul 05 '19 at 09:02
  • My goal is to drop the connection on the user side, and to avoid Apache consuming resources processing it and logging it, because the access log grows very fast. Or do I have to consider an iptables approach? – Giuseppe Jul 05 '19 at 14:50
  • Yeah by the time it realises it needs to drop it Apache will have done pretty much all of the processing it does! So yeah IP tables or another firewall sounds like what you want here. – Barry Pollard Jul 05 '19 at 14:59
  • Thank you Barry! – Giuseppe Jul 05 '19 at 17:02