mod_security 2.2.7 on openSUSE 13.1

hello there :wink:

I've got a bit of a problem with the newest mod_security 2.2.7 on openSUSE 13.1 with Apache 2.4.6

I want to use mod_security to protect against slow DoS attacks … like Slowloris

For that I use the experimental rule file modsecurity_crs_11_slow_dos_protection.conf from the OWASP ModSecurity Core Rule Set (CRS) 2.2.9 (newest)

mod_security is running without any problems, but if I activate the slow DoS rule set I get blocked by the server

[Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]

but I'm more than sure that I don't have 150 threads connected to the server

the Apache server-status just shows me 2 threads from my IP connected to the server

something doesn’t add up!

the mod_security rule set defines by default:

SecReadStateLimit 100

So I had a deeper look, as I run mod_security on 2 other SUSE machines without any problems!

mod_security also wants to store collection data on disk

SecDataDir /tmp

Normally it then creates ip.dir / ip.pag and global.dir / global.pag in the folder /tmp after an Apache restart.
It does so on the other 2 SUSE boxes

but somehow it doesn't on 13.1

So now my thinking is: if it can't create the files for collecting data, does it then probably block me by default?
Even while I don't have 150 threads connected from my IP to the server?

Why isn't mod_security creating the collection data files on restart?

/tmp/ip.dir
/tmp/global.dir

None of these files exist

If someone could help me out and point me in the right direction I would be more than grateful :wink:

thanks & all the best
becki

This question has also been asked here -> http://www.opensuse-forum.de/mod-security-2-2-7-problem-opensuse-13-1-software-anwendungen/allgemeines-f17/t10111-f21/
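The missing ip.pag / global.pag files are the concrete thing to check before worrying about the thread count, so here is a small diagnostic for that. This is an added example written for this thread, not the poster's code and not part of ModSecurity: it reads SecDataDir from the ModSecurity config, checks whether the Apache user could write to that directory, and looks for the SDBM collection files both in the configured directory and inside any systemd PrivateTmp directory under /tmp. That second location is an assumption to rule out, not something the thread established: a service started with PrivateTmp=yes gets a private /tmp, and the host sees its contents under /tmp/systemd-private-*. The config path /etc/apache2/conf.d/mod_security2.conf and the user name wwwrun are openSUSE defaults assumed here; pass another config path as the first argument if yours differs.

```python
"""Find where ModSecurity's persistent collections actually end up.

Added example for the forum thread above; not the poster's code and not
part of ModSecurity. Checks SecDataDir, its permissions for the Apache
user, and looks for ip.pag/ip.dir/global.pag/global.dir in that directory
and (assumption to rule out) inside systemd PrivateTmp directories.
"""
import glob
import os
import pwd
import re
import stat
import sys

COLLECTION_FILES = ("ip.pag", "ip.dir", "global.pag", "global.dir")
DEFAULT_CONFIG = "/etc/apache2/conf.d/mod_security2.conf"  # assumed openSUSE path
APACHE_USER = "wwwrun"                                      # assumed openSUSE user


def parse_secdatadir(config_text):
    """Return the SecDataDir value from ModSecurity config text, or None.

    Comment lines are ignored and optional double quotes are stripped."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'SecDataDir\s+"?([^"\s]+)"?\s*$', line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def mode_allows_write(st_mode, st_uid, st_gid, uid, gids):
    """Pure permission check: may user uid (member of groups gids) create
    files in a directory with this owner, group and mode? The sticky bit
    on /tmp only restricts deleting other users' files, so it is ignored."""
    if uid == 0:
        return True
    if uid == st_uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def candidate_dirs(datadir, tmp_root="/tmp"):
    """The configured directory plus the same relative path inside every
    systemd PrivateTmp directory under tmp_root. Both layouts seen in the
    wild are tried: /tmp/systemd-private-XXX/ and /tmp/systemd-private-XXX/tmp/."""
    datadir = os.path.normpath(datadir)
    dirs = [datadir]
    if datadir == tmp_root or datadir.startswith(tmp_root + os.sep):
        rel = os.path.relpath(datadir, tmp_root)
        for priv in sorted(glob.glob(os.path.join(tmp_root, "systemd-private-*"))):
            for base in (priv, os.path.join(priv, "tmp")):
                dirs.append(os.path.normpath(os.path.join(base, rel)))
    return dirs


def find_collections(dirs, isfile=os.path.isfile):
    """Map each directory holding at least one collection file to the files found."""
    found = {}
    for d in dirs:
        present = [f for f in COLLECTION_FILES if isfile(os.path.join(d, f))]
        if present:
            found[d] = present
    return found


def main(config_path=DEFAULT_CONFIG):
    try:
        with open(config_path) as fh:
            datadir = parse_secdatadir(fh.read())
    except OSError as exc:
        sys.exit("cannot read %s: %s" % (config_path, exc))
    if datadir is None:
        sys.exit("no SecDataDir directive in %s" % config_path)
    print("SecDataDir:", datadir)
    try:
        pw = pwd.getpwnam(APACHE_USER)
        st = os.stat(datadir)
        gids = os.getgrouplist(pw.pw_name, pw.pw_gid)
        ok = mode_allows_write(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)
        print("writable by %s: %s" % (APACHE_USER, ok))
    except (KeyError, OSError) as exc:
        print("could not check permissions:", exc)
    dirs = candidate_dirs(datadir)
    found = find_collections(dirs)
    if not found:
        print("no collection files in any of:", ", ".join(dirs))
    for d, files in found.items():
        print("%s: %s" % (d, ", ".join(files)))


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONFIG)
```

If the files show up under a systemd-private-* directory rather than in /tmp itself, the collections are being created after all, just in a namespace that the shell on the host does not see; if they show up nowhere and the directory is writable, the problem is elsewhere (the Apache error log at startup usually says why a collection could not be opened).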

Are you confusing threads with User connections?

How are you determining the number of threads running related to your Apache process? To me, this would be a very complicated number to calculate, which depends on how your Apache is set up, what mods are running, your running website(s), and who knows what else.

IIRC, if you have the YaST web server applet installed, available thread allocation was one of the settings exposed for easy configuration (I hope my memory isn't incorrect). If not, I'd guess it should be a setting in httpd.conf

TSU

hello tsu2, thanks a lot for your reply :wink:

Yes, perhaps I was confusing threads with user connections, but I only quoted the mod_security error log

[Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]

and here in the error log it says threads … which happens once I enable the slow DoS protection rule → modsecurity_crs_11_slow_dos_protection.conf from the OWASP ModSecurity Core Rule Set (CRS) 2.2.9 (newest)

SecReadStateLimit 100

The new directive is called SecReadStateLimit and its purpose is to hook into the Connection-level Filter of Apache and restrict the number of Apache threads that are in a SERVER_BUSY_STATE for each IP address.

http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

but if I look at the server-status of my web server I see that there's currently 1 request being processed, 4 idle workers and lots of open slots, and there's only one child server running with one connection to my IP address

So according to server-status there's really not a lot going on on the web server. Actually next to nothing, as the server is not publicly accessible …

but whenever I enable SecReadStateLimit 100 (the default value) I get blocked by mod_security.

I use the default MPM prefork Apache configuration with
StartServers 5
MinSpareServers 5
MaxSpareServers 10
ServerLimit 150
MaxClients 150
MaxRequestsPerChild 10000

So … I really don't get it! And I'm really out of ideas ;-(

Why is this SecReadStateLimit 100 not working as expected?

Or am I really totally missing something? Any help would be more than appreciated :wink:

thanks & all the best
becki
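The disagreement in this thread is between what ModSecurity claims (150 threads in READ state from one IP) and what server-status shows (one connection). A useful cross-check is to count established TCP connections per peer address from the kernel's own tables and put that beside the number in the denial message. The script below is an added example written for this thread, not the poster's code and not part of ModSecurity or the CRS: it extracts the "Too many threads [N] of M allowed in READ state from IP" denials from Apache error-log lines, counts connections per peer in `ss -tn` output, and reports both per denied IP. It also flags a claimed count that equals MaxClients/ServerLimit, which in the prefork configuration quoted above is 150, the same number as in the log line; that coincidence is worth noticing but is not by itself a diagnosis. The ss output and all but the first log line are constructed samples; on a real server, replace SAMPLE_SS with live_ss() and feed the actual error log.

```python
"""Cross-check a SecReadStateLimit denial against the kernel's view.

Added example for the forum thread above; not the poster's code and not
part of ModSecurity or the OWASP CRS. Parses the denial lines ModSecurity
writes to the Apache error log, counts established connections per peer
from `ss -tn`, and reports the two numbers side by side.
"""
import re
import subprocess
from collections import Counter

# Message written by ModSecurity 2.x when SecReadStateLimit/SecWriteStateLimit
# rejects a connection; the [date] [:warn] [pid N] prefix is not anchored.
DENY_RE = re.compile(
    r"ModSecurity: Access denied with code (?P<code>\d+)\. "
    r"Too many threads \[(?P<seen>\d+)\] of (?P<limit>\d+) allowed in "
    r"(?P<state>READ|WRITE) state from (?P<ip>[0-9a-fA-F.:]+)"
)
# `ss -tn` rows: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_RE = re.compile(r"^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)")

# Constructed sample: the first line is the one quoted in the thread, the
# other two are made up (one unrelated notice, one repeat of the denial).
SAMPLE_LOG = """\
[Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]
[Fri Mar 21 17:23:05.000000 2014] [:notice] [pid 29458] ModSecurity: Warning. constructed unrelated line, must be ignored
[Fri Mar 21 17:23:06.000000 2014] [:warn] [pid 29459] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]
"""

# Constructed sample of `ss -tn` output: two HTTP connections from the
# denied IP, one unrelated SSH session, one IPv6 loopback HTTP connection.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      10.0.0.5:80          91.22.223.123:51234
ESTAB      0      0      10.0.0.5:80          91.22.223.123:51235
ESTAB      0      0      10.0.0.5:22          192.0.2.10:40000
ESTAB      0      0      [::1]:80             [::1]:39000
"""


def parse_denials(log_text):
    """One dict (code, seen, limit, state, ip) per state-limit denial."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            for key in ("code", "seen", "limit"):
                d[key] = int(d[key])
            events.append(d)
    return events


def _split_host_port(addr):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::1]:80' -> ('::1', 80)."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def connections_per_peer(ss_text, local_port=80):
    """Established connections to local_port, counted per peer address."""
    counts = Counter()
    for line in ss_text.splitlines():
        m = SS_RE.match(line.strip())
        if not m:
            continue
        _, lport = _split_host_port(m.group("local"))
        if lport != local_port:
            continue
        peer, _ = _split_host_port(m.group("peer"))
        counts[peer] += 1
    return counts


def cross_check(denials, peer_counts, server_limit=None):
    """Per denied IP: ModSecurity's highest claimed count, the configured
    limit, the established connections actually seen, and whether the
    claim equals server_limit (MaxClients/ServerLimit of the prefork MPM)."""
    report = {}
    for d in denials:
        entry = report.setdefault(d["ip"], {
            "claimed": 0, "limit": d["limit"],
            "established": peer_counts.get(d["ip"], 0),
            "equals_server_limit": False,
        })
        entry["claimed"] = max(entry["claimed"], d["seen"])
        if server_limit is not None and d["seen"] == server_limit:
            entry["equals_server_limit"] = True
    return report


def live_ss():
    """Current `ss -tn` output; use this instead of SAMPLE_SS on the server."""
    return subprocess.run(["ss", "-tn"], capture_output=True, text=True,
                          check=True).stdout


if __name__ == "__main__":
    report = cross_check(parse_denials(SAMPLE_LOG),
                         connections_per_peer(SAMPLE_SS), server_limit=150)
    for ip, r in report.items():
        print("%s: ModSecurity claims %d of %d allowed in READ state, kernel shows "
              "%d established%s" % (ip, r["claimed"], r["limit"], r["established"],
              " (claim equals ServerLimit)" if r["equals_server_limit"] else ""))
```

The interesting output is a large gap between "claimed" and "established" for the same address: ModSecurity counts scoreboard worker slots it attributes to the client, while ss counts sockets, so when the two disagree by two orders of magnitude the per-IP attribution in the connection filter, not the client, is the thing to look at.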