Mod_security upgrade from 1.8.7 to 2.1.1 — Major issue with mod_limitipconn

Well, I’m getting really close on the migration from mod_security-1.8.7 to mod_security-2.1.1. I’ve upgraded on a few servers, and overall the migration has been pretty successful. On one server, I came across a really weird issue. It appears that I’m experiencing a mod_security bypass issue.

Creating a simple SecRule to catch basic spam for comments, I noticed that my logs were recording the proper 403 (the status I had configured) but the request was allowed to process the target script regardless! This was a complete bypass of mod_security. After spending several hours debugging the problem, I finally isolated it to mod_limitipconn in conjunction with mod_security-2.1.1. With these two modules running, it almost appears that the request was processed first, then passed to mod_security.

This was not an issue with mod_security-1.8.7, and I’ve posted several times to the mod_sec mailing list as well as contacted security contacts to help debug the problem. mod_limitipconn is required to help counter basic DoS attacks on MP3 downloads, where bandwidth was being consumed at high rates. Currently, on that server, I was forced to roll back to mod_security-1.8.7 to keep all module features working until I hear back from the mod_sec team.

I’ll keep everyone posted on what I find out on the matter. If anyone is using mod_limitipconn AND mod_security-2.x, you may want to verify that blocked requests are actually being stopped rather than processed. If you look at the logs alone, everything will look fine; you’ll need to manually test and verify.
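As an added example (not from the original post), here is a small Python check that does what the access log alone cannot: it pairs each logged request with a marker the target script writes only when it actually executes, so a request that shows a 403 in the log but still reached the script is flagged as a bypass. The `EXECUTED <token> <path>` marker line, the `/comment-handler.php` path and the sample log lines are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Apache combined-log style line; only the request path and status are needed here.
ACCESS_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumed side channel: the target script appends 'EXECUTED <token> <path>' when it runs.
CANARY_RE = re.compile(r"^EXECUTED (?P<token>\S+) (?P<path>\S+)$")


@dataclass
class Verdict:
    path: str
    status: int
    executed: bool

    @property
    def bypassed(self) -> bool:
        # The failure mode from the post: a 403 is logged, yet the target script ran.
        return self.status == 403 and self.executed


def parse_access_log(lines):
    """Return {path: status} for every line that matches the access-log format."""
    out = {}
    for line in lines:
        m = ACCESS_RE.search(line)
        if m:
            out[m.group("path")] = int(m.group("status"))
    return out


def check(access_lines, canary_lines, canary_token):
    """Cross-check the access log against the script's own execution markers.

    Only marker lines carrying canary_token (the unique value sent in the test
    request) count, so stale markers from earlier runs cannot mask a bypass.
    """
    executed = set()
    for line in canary_lines:
        m = CANARY_RE.match(line.strip())
        if m and m.group("token") == canary_token:
            executed.add(m.group("path"))
    return [Verdict(path, status, path in executed)
            for path, status in parse_access_log(access_lines).items()]


if __name__ == "__main__":
    # Constructed sample: the log says 403, but the script recorded that it ran.
    access = ['203.0.113.5 - - [10/Jul/2007:12:00:00 -0400] '
              '"POST /comment-handler.php?probe=c0ffee HTTP/1.1" 403 212 "-" "probe"']
    canary = ["EXECUTED c0ffee /comment-handler.php?probe=c0ffee"]
    for v in check(access, canary, "c0ffee"):
        print(f"{v.path}: status={v.status} executed={v.executed} BYPASS={v.bypassed}")
```

Run the real test by sending one request that your SecRule must block, with a fresh token in the query string, then feed the resulting access-log and marker lines to `check`.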

Once I resolve this matter, I’ll put together a nice write up on the upgrade process.