ModSecurity CRS Firewall Rules #17775

Closed
rothn opened this issue Oct 1, 2024 · 3 comments
rothn commented Oct 1, 2024

Description:

Many popular web applications like WordPress have open firewall rules to prevent false positives for those who run application firewalls by helping the firewall better understand the applications under it. Synapse and other servers should add firewall rules to the CoreRuleSet Plugin Registry.

johays commented Dec 8, 2024

I can confirm this issue: after enabling mod_security on a server running both apache2 websites and Synapse homeserver, the homeserver stopped working. Logs are flooded with messages like:

[08/Dec/2024:13:55:53 +0000] Z1WlaRUnoS7KPM6vUkZc7gAAAA8 168.119.12.66 36202 192.168.08.23 8448
--c0725c34-B--
PUT /_matrix/federation/v1/send/1733529044363 HTTP/1.1
Content-Length: 225
User-Agent: Synapse/1.120.2
Content-Type: application/json
Authorization: X-Matrix origin="other-server.net",key="ed25519:a_jqCJ",sig="Om399r5OF3gJAhYRO/1ulmdFrh15cxc5AcOPgIkLiNVRVjj+bRUX58U/pmbzvG3OP7lD8Z5EiTD9RdVelRZ2Aw",destination="chat.server.com"
Host: chat.server.com
Message: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 44.33.55.22] ModSecurity: Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/usr/share/modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "45"] [id "911100"] [msg "Method is not allowed by policy"] [data "PUT"] [severity "CRITICAL"] [ver "OWASP_CRS/3.2.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"] [hostname "chat.server.com"] [uri "/_matrix/federation/v1/send/1732892290966"] [unique_id "Z1Wlczpa5ckyZQMnHpf98AAAAAI"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 44.33.55.22] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "chat.server.com"] [uri "/_matrix/federation/v1/send/1732892290966"] [unique_id "Z1Wlczpa5ckyZQMnHpf98AAAAAI"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 44.33.55.22] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"] [hostname "chat.server.com"] [uri "/_matrix/federation/v1/send/1732892290966"] [unique_id "Z1Wlczpa5ckyZQMnHpf98AAAAAI"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1733666163297048 76872 (- - -)
Stopwatch2: 1733666163297048 76872; combined=15292, p1=947, p2=13749, p3=0, p4=0, p5=596, sr=176, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "ENABLED"

johays commented Dec 8, 2024

Work-around suggested here, have not tested it: coreruleset/coreruleset#1321
Suggestion to do what original post suggests, to develop WAF rulesets to integrate Synapse with mod_security.
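The log above shows CRS rule 911100 scoring the federation PUT as "Method is not allowed by policy", which alone reaches the anomaly threshold of 5. As an added example (not from this issue, the Synapse project or coreruleset#1321), this is the kind of per-site exclusion the previous two comments point at, written for the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file that CRS loads ahead of its own rule files; the rule ids 1000 and 1001 and the path regex are assumptions.

```apache
# Added example, not part of the issue or of Synapse. Place in
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf. Rule ids 1000/1001 are
# assumed free in the local 1-99999 range.

# Option A: the Matrix APIs under /_matrix/ use PUT (and DELETE), which
# is exactly what rule 911100 in the log rejects. Widen the allowed
# methods only for that path prefix, in phase 1, so the value is already
# set when CRS initialisation runs and is what 911100 later checks. The
# global default in crs-setup.conf (rule 900200) stays untouched for
# every other vhost and path.
SecRule REQUEST_URI "@beginsWith /_matrix/" \
    "id:1000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT DELETE'"

# Option B (tighter scope, use instead of A): switch off only 911100 for
# the federation transaction endpoint seen in the log, so method
# enforcement is unchanged everywhere else, including the rest of /_matrix/.
SecRule REQUEST_URI "@rx ^/_matrix/federation/v1/send/[0-9]+$" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=911100"
```

After reloading Apache, re-run the federation request and confirm that the audit log no longer carries a 911100 entry and that 949110 no longer intercepts; any other rule ids that then appear are separate false positives and need their own, equally narrow exclusions.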

@MadLittleMods (Contributor)

Seems fine if the community wanted to add the necessary rules for Synapse but I don't think we're interested in maintaining a third-party ruleset.

MadLittleMods closed this as not planned Jan 13, 2025