Closed MyAlien closed 4 years ago
Hi @MyAlien,
I would suggest you create a separated script, to go over the logs and alert you whenever convenient.
Putting the exec inside ModSecurity to send an email could lead to a performance issue.
Apart from that, what is the error message that you are getting? What is your ModSecurity version?
ModSecurity version v3.
Do you have a solution to be notified by email with the details of the attack?
Thank you.
OWASP ModSecurity CRS v3.2.0
Right, that is not your ModSecurity version, but the ruleset that you have loaded.
What is your webserver?
Web server: NGINX v1.15.8.
The server also hosts websites and databases.
Can you send me the error message that you are facing?
When I add exec:/loc/script-email.sh at the end of a rule and restart nginx, it causes an error.
Right, but can you send me this error message?
```
-- Unit nginx.service has begun starting up.
Sep 18 14:02:41 www nginx[16067]: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf. Line: 35. Column: 85. Expecting an action, got: \
Sep 18 14:02:41 www nginx[16067]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 18 14:02:41 www systemd[1]: nginx.service: Control process exited, code=exited status=1
Sep 18 14:02:41 www systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
```
Is it correct?
```
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,\exec:/opt/send-email-modsecurity.sh"
```
You may want to remove the escape character in front of the exec action. It will be:
```
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,exec:/opt/send-email-modsecurity.sh"
```
You may want to double-check if in the context of the rules it is really doing what you meant it to do.
Is there no way in ModSecurity to be alerted by email of an attack, without using exec?
Remove /
I still have an error.
```
SecRule &TX:'/WEB_ATTACK/' "@ge 1" "t:none,exec:/opt/send-email-modsecurity.sh"
```
```
-- Unit nginx.service has begun starting up.
Sep 18 14:11:21 www nginx[19407]: nginx: [emerg] "modsecurity_rules_file" directive Rules error. File: /etc/nginx/modsec/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf. Line: 35. Column: 37. exec: Lua support was not en
Sep 18 14:11:21 www nginx[19407]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 18 14:11:21 www systemd[1]: nginx.service: Control process exited, code=exited status=1
Sep 18 14:11:21 www systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
```
Hi @MyAlien,
I've just identified that version 3 only supports the execution of Lua scripts in the exec action. I have created issue #2167 to track the progress of the implementation of that missing feature.
In the meanwhile, I suggest you go over the possibility to inspect the log files.
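The log-watching approach recommended in this thread (a separate process that reads the logs and alerts, instead of an exec action per rule), as an added example that is not part of the original thread or of the ModSecurity project. It assumes the nginx connector writes rule hits to the nginx error log as `ModSecurity: ... [id "..."] [msg "..."] [uri "..."]` lines; the log path, SMTP host and addresses are hypothetical placeholders, and the sample lines are constructed to match that shape.

```python
"""Watch the nginx error log for ModSecurity v3 rule hits and mail a digest.

Added example (not ModSecurity project code). Assumes the nginx connector
logs rule hits as 'ModSecurity: ... [id "..."] [msg "..."] [uri "..."]' lines.
LOG_PATH, the SMTP settings and the addresses below are hypothetical placeholders.
"""
import re
import smtplib
import time
from collections import defaultdict
from email.message import EmailMessage

LOG_PATH = "/var/log/nginx/error.log"                                # assumption
SMTP_HOST, SMTP_PORT = "localhost", 25                               # assumption
MAIL_FROM, MAIL_TO = "modsec@www.example.com", "secops@example.com"  # assumption
INTERVAL = 60  # seconds per digest: one mail per scan, not one per request

KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')          # [id "942100"], [msg "..."], [tag "..."]
CLIENT_RE = re.compile(r'\[client ([0-9a-fA-F.:]+)\]')

SAMPLE_LINES = [  # constructed sample input, in the shape of nginx-connector error.log entries
    '2019/09/18 14:02:41 [error] 16067#16067: *12 [client 203.0.113.5] ModSecurity: Warning. '
    'Matched "Operator `Rx\' with parameter `...\' against variable `ARGS:id\' (Value: `1 OR 1=1\' )" '
    '[id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] '
    '[tag "attack-sqli"] [tag "OWASP_CRS"] [uri "/index.php"], client: 203.0.113.5, server: www.example.com',
    '2019/09/18 14:02:41 [error] 16067#16067: *12 [client 203.0.113.5] ModSecurity: Access denied '
    'with code 403 (phase 2). Matched "Operator `Ge\' with parameter `5\' against variable '
    '`TX:ANOMALY_SCORE\' (Value: `5\' )" [id "949110"] [msg "Inbound Anomaly Score Exceeded '
    '(Total Score: 5)"] [severity "2"] [tag "anomaly-evaluation"] [uri "/index.php"], client: 203.0.113.5',
    '2019/09/18 14:03:00 [error] 16067#16067: *13 open() "/var/www/html/favicon.ico" failed '
    '(2: No such file or directory), client: 198.51.100.7, server: www.example.com',
    '2019/09/18 14:03:05 [error] 16067#16067: *14 [client 198.51.100.7] ModSecurity: Warning. '
    'Matched "Operator `Rx\' with parameter `...\' against variable `ARGS:q\' (Value: `<script>\' )" '
    '[id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [tag "attack-xss"] '
    '[uri "/search"], client: 198.51.100.7, server: www.example.com',
]


def parse_event(line):
    """Return the fields of one ModSecurity log line, or None for other nginx errors."""
    if "ModSecurity:" not in line:
        return None
    fields = {"tags": []}
    for key, value in KV_RE.findall(line):
        if key == "tag":            # [tag "..."] repeats; keep every one
            fields["tags"].append(value)
        else:
            fields[key] = value
    m = CLIENT_RE.search(line)
    fields["client"] = m.group(1) if m else "unknown"
    fields["blocked"] = "Access denied" in line   # a deny/drop rule fired
    return fields


def summarize(lines):
    """Group hits per (client, uri) so one scan yields one alert, not hundreds."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            buckets[(ev["client"], ev.get("uri", "?"))].append(ev)
    return [
        {
            "client": client,
            "uri": uri,
            "rule_ids": sorted({e.get("id", "?") for e in events}),
            "blocked": any(e["blocked"] for e in events),
            "messages": sorted({e["msg"] for e in events if "msg" in e}),
        }
        for (client, uri), events in buckets.items()
    ]


def format_mail(alerts):
    """Plain-text digest: one header line per attacker/URI, then the rule messages."""
    out = []
    for a in alerts:
        verdict = "BLOCKED" if a["blocked"] else "WARNED "
        out.append(f"{verdict} {a['client']} -> {a['uri']} rules={','.join(a['rule_ids'])}")
        out.extend("    " + msg for msg in a["messages"])
    return "\n".join(out)


def send_mail(body):
    msg = EmailMessage()
    msg["Subject"] = "ModSecurity alerts"
    msg["From"], msg["To"] = MAIL_FROM, MAIL_TO
    msg.set_content(body)
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT) as smtp:
        smtp.send_message(msg)


def follow(path, interval=INTERVAL):
    """Yield the lines appended to path since the previous poll (no log-rotation handling)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        f.seek(0, 2)                      # start at EOF: report only new hits
        while True:
            time.sleep(interval)
            batch = f.readlines()
            if batch:
                yield batch


if __name__ == "__main__":
    for batch in follow(LOG_PATH):
        alerts = summarize(batch)
        if alerts:
            send_mail(format_mail(alerts))
```

Run it as its own service (systemd unit, cron, or a container sidecar) rather than from inside the WAF. Batching per `INTERVAL` and grouping by client and URI is deliberate: a single scanner run triggers thousands of CRS hits, and an email per hit would flood the mailbox exactly the way an exec per rule would load the web server. The poller does not follow log rotation; for production use read from journald or a real tailer, or point the parser at the JSON audit log (`SecAuditLogFormat JSON`) instead of the error log.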
OK thanks .
If I understand correctly: impossible to send a mail that there was a detected attack? Even in Lua it is not possible?
The exec action should support the execution of Lua scripts without further problem.
OK. Using a Lua script and restarting nginx gives the error: Lua support was not enabled.
Is there anything installed?
Lua is an optional dependency for ModSecurity. It is enabled or disabled at compile time. You need to re-compile your ModSecurity, making sure that you have the Lua devel package installed. At the end of ./configure you should see something like:
```
ModSecurity - v3.0.3-153-gae67c896 for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.9.2-30-gbf234eb
   + SecLang tests                                 ....5d85f36

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
       * (MaxMind) v1.3.2
          -lmaxminddb , -DWITH_MAXMIND
       * (GeoIP) v1.6.12
          -lGeoIP , -I/usr/include/
   + LibCURL                                       ....found v7.65.3
       -lcurl, -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
       -lyajl , -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.9
       -lxml2 -lz -llzma -licui18n -licuuc -licudata -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
       -lfuzzy -L/usr/lib/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v503
       -llua5.3 -L/usr/lib/, -DWITH_LUA -I/usr/include

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled
```
Notice the Lua entry.
How do I install the Lua module?
```
adding module in /opt/lua-nginx-module
checking for LuaJIT library in /opt/luajit/lib and /opt/luajit/include/luajit-2.1 (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... not found
checking for LuaJIT library in /opt/luajit/lib and /opt/luajit/include/luajit-2.1 (specified by the LUAJIT_LIB and LUAJIT_INC env) ... not found
./configure: error: ngx_http_lua_module requires the Lua or LuaJIT library and LUAJIT_LIB is defined as /opt/luajit/lib and LUAJIT_INC (path for lua.h) /opt/luajit/include/luajit-2.1, but we cannot find LuaJIT there.
root@www:/opt/nginx-1.15.8#
```
Full log for the Lua module:
```
root@www:/opt# cd nginx-1.15.8/
root@www:/opt/nginx-1.15.8# ./configure --prefix=/opt/nginx --with-ld-opt="-Wl,-rpath,/opt/luajit/lib" --add-module=/opt/ngx_devel_kit --add-module=/opt/lua-nginx-module
checking for OS
 + Linux 4.4.0-161-generic x86_64
checking for C compiler ... found
 + using GNU C compiler
 + gcc version: 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.11)
checking for gcc -pipe switch ... found
checking for --with-ld-opt="-Wl,-rpath,/opt/luajit/lib" ... found
checking for -Wl,-E switch ... found
checking for gcc builtin atomic operations ... found
checking for C99 variadic macros ... found
checking for gcc variadic macros ... found
checking for gcc builtin 64 bit byteswap ... found
checking for unistd.h ... found
checking for inttypes.h ... found
checking for limits.h ... found
checking for sys/filio.h ... not found
checking for sys/param.h ... found
checking for sys/mount.h ... found
checking for sys/statvfs.h ... found
checking for crypt.h ... found
checking for Linux specific features
checking for epoll ... found
checking for EPOLLRDHUP ... found
checking for EPOLLEXCLUSIVE ... not found
checking for O_PATH ... found
checking for sendfile() ... found
checking for sendfile64() ... found
checking for sys/prctl.h ... found
checking for prctl(PR_SET_DUMPABLE) ... found
checking for prctl(PR_SET_KEEPCAPS) ... found
checking for capabilities ... found
checking for crypt_r() ... found
checking for sys/vfs.h ... found
checking for nobody group ... not found
checking for nogroup group ... found
checking for poll() ... found
checking for /dev/poll ... not found
checking for kqueue ... not found
checking for crypt() ... not found
checking for crypt() in libcrypt ... found
checking for F_READAHEAD ... not found
checking for posix_fadvise() ... found
checking for O_DIRECT ... found
checking for F_NOCACHE ... not found
checking for directio() ... not found
checking for statfs() ... found
checking for statvfs() ... found
checking for dlopen() ... not found
checking for dlopen() in libdl ... found
checking for sched_yield() ... found
checking for sched_setaffinity() ... found
checking for SO_SETFIB ... not found
checking for SO_REUSEPORT ... found
checking for SO_ACCEPTFILTER ... not found
checking for SO_BINDANY ... not found
checking for IP_TRANSPARENT ... found
checking for IP_BINDANY ... not found
checking for IP_BIND_ADDRESS_NO_PORT ... found
checking for IP_RECVDSTADDR ... not found
checking for IP_SENDSRCADDR ... not found
checking for IP_PKTINFO ... found
checking for IPV6_RECVPKTINFO ... found
checking for TCP_DEFER_ACCEPT ... found
checking for TCP_KEEPIDLE ... found
checking for TCP_FASTOPEN ... found
checking for TCP_INFO ... found
checking for accept4() ... found
checking for eventfd() ... found
checking for int size ... 4 bytes
checking for long size ... 8 bytes
checking for long long size ... 8 bytes
checking for void * size ... 8 bytes
checking for uint32_t ... found
checking for uint64_t ... found
checking for sig_atomic_t ... found
checking for sig_atomic_t size ... 4 bytes
checking for socklen_t ... found
checking for in_addr_t ... found
checking for in_port_t ... found
checking for rlim_t ... found
checking for uintptr_t ... uintptr_t found
checking for system byte ordering ... little endian
checking for size_t size ... 8 bytes
checking for off_t size ... 8 bytes
checking for time_t size ... 8 bytes
checking for AF_INET6 ... found
checking for setproctitle() ... not found
checking for pread() ... found
checking for pwrite() ... found
checking for pwritev() ... found
checking for sys_nerr ... found
checking for localtime_r() ... found
checking for clock_gettime(CLOCK_MONOTONIC) ... found
checking for posix_memalign() ... found
checking for memalign() ... found
checking for mmap(MAP_ANON|MAP_SHARED) ... found
checking for mmap("/dev/zero", MAP_SHARED) ... found
checking for System V shared memory ... found
checking for POSIX semaphores ... not found
checking for POSIX semaphores in libpthread ... found
checking for struct msghdr.msg_control ... found
checking for ioctl(FIONBIO) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
configuring additional modules
adding module in /opt/ngx_devel_kit
 + ngx_devel_kit was configured
adding module in /opt/lua-nginx-module
checking for LuaJIT library in /opt/luajit/lib and /opt/luajit/include/luajit-2.1 (specified by the LUAJIT_LIB and LUAJIT_INC env, with -ldl) ... not found
checking for LuaJIT library in /opt/luajit/lib and /opt/luajit/include/luajit-2.1 (specified by the LUAJIT_LIB and LUAJIT_INC env) ... not found
./configure: error: ngx_http_lua_module requires the Lua or LuaJIT library and LUAJIT_LIB is defined as /opt/luajit/lib and LUAJIT_INC (path for lua.h) /opt/luajit/include/luajit-2.1, but we cannot find LuaJIT there.
root@www:/opt/nginx-1.15.8#
```
You have to install the Lua development files (or package), e.g.:
```
apt install liblua5.3-dev
```
Ok thx
I cannot find the module?
```
-- Unit nginx.service has begun starting up.
Sep 18 16:28:24 www nginx[8287]: nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_lua_module.so" failed (/usr/share/nginx/modules/ngx_http_lua_module
Sep 18 16:28:24 www nginx[8287]: nginx: configuration file /etc/nginx/nginx.conf test failed
Sep 18 16:28:24 www systemd[1]: nginx.service: Control process exited, code=exited status=1
Sep 18 16:28:24 www systemd[1]: Failed to start A high performance web server and a reverse proxy server.
-- Subject: Unit nginx.service has failed
-- Defined-By: systemd
```
```
root@www:/opt/nginx-1.15.8# ./configure --add-module=/usr/share/nginx/modules
```
Not completed.
Does /usr/share/nginx/modules/ngx_http_lua_module.so exist?
No
```
root@www:~# ls /usr/share/nginx/modules/
ngx_http_auth_pam_module.so
ngx_http_geoip_module.so
ngx_http_subs_filter_module.so
ngx_mail_module.so
ngx_http_dav_ext_module.so
ngx_http_image_filter_module.so
ngx_http_upstream_fair_module.so
ngx_stream_module.so
ngx_http_echo_module.so
ngx_http_modsecurity_module.so
ngx_http_xslt_filter_module.so
root@www:~#
```
Then you have to install it (on Debian/Ubuntu systems):
```
sudo apt install libnginx-mod-http-lua
```
Thx
```
root@www:~# ls /usr/share/nginx/modules/
ndk_http_module.so
ngx_http_echo_module.so
ngx_http_lua_module.so
ngx_http_upstream_fair_module.so
ngx_stream_module.so
ngx_http_auth_pam_module.so
ngx_http_geoip_module.so
ngx_http_modsecurity_module.so
ngx_http_xslt_filter_module.so
ngx_http_dav_ext_module.so
ngx_http_image_filter_module.so
ngx_http_subs_filter_module.so
ngx_mail_module.so
root@www:~#
```
```
Sep 20 19:00:17 www nginx[7150]: nginx: [emerg] dlopen() "/usr/share/nginx/modules/ngx_http_lua_module.so" failed (/usr/share/nginx/modules/ngx_http_lua_module.so: undefined symbol: ndk_set_var_value) in /etc/nginx/nginx.conf:5
```
Do you have a Debian system?
Please share with us the output of:
```
ls -la /etc/nginx/modules-enabled/*.conf
```
You should see something like this:
```
lrwxrwxrwx 1 root root 52 Jan 28  2019 /etc/nginx/modules-enabled/10-mod-http-ndk.conf -> /usr/share/nginx/modules-available/mod-http-ndk.conf
lrwxrwxrwx 1 root root 57 Jan 28  2019 /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf -> /usr/share/nginx/modules-available/mod-http-auth-pam.conf
lrwxrwxrwx 1 root root 60 Jan 28  2019 /etc/nginx/modules-enabled/50-mod-http-cache-purge.conf -> /usr/share/nginx/modules-available/mod-http-cache-purge.conf
...
```
Also copy here the output of:
```
nginx -V
```
Please put the outputs between three ` characters, like this: ``` , to format the output.
Edit: note that here is a similar problem, and I think the solution was the order of the modules; that's why I asked for the outputs above.
I think you can detect log changes and send an email; I just got the idea but haven't tried it. Or try log analysis tools.
Hello, I am a beginner with ModSec. How do I send an email as soon as an attack is detected by ModSec, for all ModSec rules?
I tried to add exec: /local/script.sh and then restart Nginx, but I get an error every time.
Thank you.