owasp-modsecurity / ModSecurity-nginx

ModSecurity v3 Nginx Connector
Apache License 2.0

expirevar not working #315

Closed iliuta closed 11 months ago

iliuta commented 11 months ago

Hi,

I'm not sure this project is still maintained, but I'll give it a try.

I'm trying to block aggressive attacks using the core rule set REQUEST-912-DOS-PROTECTION.conf with my nginx ingress controller installation.

It looks like once an IP + user agent couple is blocked, it never expires. tx.dos_block_timeout is not taken into account. While desperately searching the internet for an explanation, I found that some agree that expirevar is not working properly.

Is there any solution I can apply? Thanks.

martinhsv commented 11 months ago

Hello @iliuta ,

The ModSecurity-nginx project is only for the ModSecurity nginx connector. It has less activity because most of the work related to a use of ModSecurity with nginx occurs in the ModSecurity project ( https://github.com/SpiderLabs/ModSecurity ).

Check your ModSecurity version. The expirevar action had not yet been implemented in versions 3.0.0 through 3.0.10.

The functionality is present, however, in ModSecurity v3.0.11, which was published earlier this month.

iliuta commented 11 months ago

Thanks @martinhsv. It's difficult to understand these version numbers. Actually, the ModSecurity I'm using is bundled with the nginx ingress controller and it looks to be 1.0.3. The OWASP core rules bundled are of version 3.3.5.

martinhsv commented 11 months ago

Version 1.0.3 would be the version of the Connector (the ModSecurity-nginx project).

If you are not sure what version of ModSecurity 3.0.x you are using there are a few different ways you can tell, including:

1) If using SecAuditLogFormat JSON, the ModSecurity version will automatically be included in audit log output (assuming you have 'part H' enabled).

2) You can specifically output the version using the ModSecurity variable MODSEC_BUILD. E.g. SecAction "id:1003,phase:1,log,auditlog,msg:'ModSecurity version: %{MODSEC_BUILD}'" (although this format is a little less user friendly).
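A small rule set that combines the version check above with a self-test for the expirevar behaviour the issue is about. This is an added example, not rules from the thread, the ModSecurity project or the CRS; the rule ids, the /expirevar-test path, the ip.test_block variable and the 30 second timeout are constructed values.

```apache
# Assumed to be loaded after modsecurity.conf with SecRuleEngine On.

# Write the libmodsecurity build string into the audit log for every
# transaction (the MODSEC_BUILD approach suggested in the thread).
SecAction "id:1003,phase:1,pass,log,auditlog,msg:'ModSecurity version: %{MODSEC_BUILD}'"

# Key the IP collection on the client address so ip.* variables persist
# across requests from the same client.
SecAction "id:1004,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Trigger: a request to the constructed path /expirevar-test sets a marker
# that expirevar should remove after 30 seconds.
SecRule REQUEST_URI "@beginsWith /expirevar-test" \
    "id:1005,phase:1,pass,log,msg:'Set ip.test_block, expires in 30s',\
    setvar:ip.test_block=1,expirevar:ip.test_block=30"

# Any later request from the same client is denied while the marker is alive.
# If the 403 persists well past 30 seconds, expirevar is not honoured by the
# deployed libmodsecurity build (the thread reports this for 3.0.0 - 3.0.10).
SecRule IP:TEST_BLOCK "@eq 1" \
    "id:1006,phase:1,deny,status:403,log,msg:'ip.test_block still set'"
```

Requesting /expirevar-test once, then a normal path every few seconds, shows whether the 403 clears at the configured timeout.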

iliuta commented 11 months ago

Thanks again @martinhsv for this useful information. I've got this in the audit log: "modsecurity":"ModSecurity v3.0.8 (Linux)","connector":"ModSecurity-nginx v1.0.3"

airween commented 11 months ago

I've got this in the audit log: "modsecurity":"ModSecurity v3.0.8 (Linux)"

expirevar was fixed in 3.0.11, a few days ago. Just FYI.

iliuta commented 11 months ago

Thanks @airween I think I have my answer. There is a request for including ModSecurity 3.0.11 in the Nginx ingress controller build but it's not done yet.