
Thread: mod_security 2.2.7 on openSUSE 13.1

  #1

    Hello there ;-)

    I have a bit of a problem with the newest mod_security 2.2.7 on openSUSE 13.1 with Apache 2.4.6.

    I want to use mod_security to protect against slow DoS attacks, like Slowloris.

    For that I use the experimental rule file modsecurity_crs_11_slow_dos_protection.conf from the OWASP ModSecurity Core Rule Set (CRS) 2.2.9 (newest).

    mod_security is running without any problems, but if I activate the slow DoS rule set I get blocked by the server:

    [Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]

    But I'm more than sure that I don't have 150 threads connected to the server.

    The Apache server-status just shows me 2 threads from my IP connected to the server.

    Something doesn't add up!

    The mod_security rule set defines by default:

    SecReadStateLimit 100

    So I had a deeper look, as I run mod_security on 2 other SUSE machines without any problems!

    mod_security also wants to store collection data on disk:

    SecDataDir /tmp

    Normally it then creates ip.dir / ip.pag and global.dir / global.pag in the folder /tmp after an Apache restart.
    It does so on the other 2 SUSE boxes.

    But somehow it doesn't on 13.1.

    So now my thinking is: if it can't create the files for collecting data, does it then probably block me by default,
    while I don't have 150 threads connected from my IP to the server?

    Why isn't mod_security creating the collection data files on restart?

    /tmp/ip.dir
    /tmp/global.dir

    None of those files exist.

    If someone could help me out and guide me in the right direction I would be more than grateful ;-)

    Thanks & all the best
    becki

  #2

    This question has also been asked here: http://www.opensuse-forum.de/mod-sec...17/t10111-f21/

  #3

    Are you confusing threads with user connections?

    How are you determining the number of threads running related to your Apache process? To me, this would be a very complicated number to calculate, which depends on how your Apache is set up, what mods are running, your running website(s), and who knows what else.

    IIRC, if you have the YaST web server applet installed, available thread allocation was one of the settings that was exposed for easy configuration (I hope my memory isn't incorrect). If not, I'd guess it should be a setting in httpd.conf.

    TSU

  #4

    Hello tsu2, thanks a lot for your reply ;-)

    Yes, perhaps I was confusing threads with user connections, but I only quoted the mod_security error log:

    [Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]

    And here in the error log it says threads ... which happens once I enable the slow DoS protection rule -> modsecurity_crs_11_slow_dos_protection.conf from the OWASP ModSecurity Core Rule Set (CRS) 2.2.9 (newest):

    SecReadStateLimit 100

    "The new directive is called SecReadStateLimit and its purpose is to hook into the Connection-level Filter of Apache and restrict the number of Apache threads that are in a SERVER_BUSY_STATE for each IP address."

    http://blog.spiderlabs.com/2011/07/a...s-attacks.html

    But if I look at the server-status of my web server I see that there's currently 1 request being processed, 4 idle workers and lots of open slots, and there's only one child server running with one connection to my IP address.

    So according to server-status there's really not a lot going on on the web server. Actually next to nothing, as the server is not publicly accessible ...

    But whenever I enable SecReadStateLimit 100 (the default value) I get blocked by mod_security.

    I use the default MPM prefork Apache configuration with
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    ServerLimit 150
    MaxClients 150
    MaxRequestsPerChild 10000

    So ... I really don't get it! And I'm really out of ideas ;-(

    Why is this SecReadStateLimit 100 not working as expected?

    Or am I really totally missing something? Any help would be more than appreciated ;-)

    Thanks & all the best
    becki
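As an added example that is not part of the thread (neither becki's nor the CRS's code), the following POSIX shell helpers do the three checks a practitioner would run on a box like the one in posts #1 and #4: pull the per-IP counts out of the ModSecurity READ-state rejections in the error log, compare the reported count with MaxClients from the prefork config (the log above reports 150 and the posted config has MaxClients 150, a coincidence worth checking against server-status before trusting the per-IP figure), and look for the SecDataDir collection files, including under a systemd PrivateTmp directory (/tmp/systemd-private-*/tmp), since a service started with PrivateTmp=yes sees a different /tmp than an interactive shell does. Whether the apache2 unit on this openSUSE release runs with PrivateTmp is an assumption to verify with `systemctl show apache2 -p PrivateTmp`; the sample log lines and config fragment below are constructed from the values quoted in the thread, and the file names ip.pag/ip.dir/global.pag/global.dir are those becki lists.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread or the CRS).
# Assumptions: ModSecurity 2.x error-log wording as quoted in the thread,
# prefork MPM directives, and collection files named ip.pag/ip.dir/global.pag/global.dir.

# Constructed sample error-log lines, modelled on the one quoted in the thread.
SAMPLE_LOG='[Fri Mar 21 17:23:04.018323 2014] [:warn] [pid 29457] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]
[Fri Mar 21 17:23:05.000000 2014] [:notice] [pid 29457] ModSecurity: unrelated line
[Fri Mar 21 17:23:06.000000 2014] [:warn] [pid 29458] ModSecurity: Access denied with code 400. Too many threads [150] of 100 allowed in READ state from 91.22.223.123 - Possible DoS Consumption Attack [Rejected]
[Fri Mar 21 17:23:07.000000 2014] [:warn] [pid 29459] ModSecurity: Access denied with code 400. Too many threads [101] of 100 allowed in READ state from 10.0.0.7 - Possible DoS Consumption Attack [Rejected]'

# Constructed prefork fragment with the values posted in the thread.
SAMPLE_CONF='StartServers 5
MinSpareServers 5
MaxSpareServers 10
ServerLimit 150
MaxClients 150
MaxRequestsPerChild 10000'

# stdin: error log.  stdout: "<ip> <reported> <limit>" per READ-state rejection.
readstate_rejects() {
    sed -n 's/.*Too many threads \[\([0-9]*\)] of \([0-9]*\) allowed in READ state from \([0-9A-Fa-f.:]*\) .*/\3 \1 \2/p'
}

# stdin: error log.  stdout: number of READ-state rejections for IP $1.
readstate_reject_count() {
    readstate_rejects | awk -v ip="$1" '$1 == ip { n++ } END { print n + 0 }'
}

# stdin: httpd.conf fragment.  stdout: MaxClients value (empty if absent).
max_clients() {
    awk 'tolower($1) == "maxclients" { print $2; exit }'
}

# $1: reported count, $2: MaxClients.  Returns 0 when the reported count equals
# the whole prefork worker pool, i.e. the "per-IP" figure looks like a global one.
reported_is_whole_pool() {
    [ -n "$2" ] && [ "$1" -eq "$2" ]
}

# $1: SecDataDir.  0 = usable and all four collection files exist,
# 1 = directory missing or not writable by this user, 2 = files missing.
check_secdatadir() {
    [ -d "$1" ] && [ -w "$1" ] || return 1
    for f in ip.dir ip.pag global.dir global.pag; do
        [ -e "$1/$f" ] || return 2
    done
    return 0
}

# $1: configured SecDataDir.  Prints every directory, either $1 itself or a
# systemd PrivateTmp mount below it ($1/systemd-private-*/tmp), that holds ip.pag.
# Assumption: the service may run with PrivateTmp=yes; confirm with
# `systemctl show apache2 -p PrivateTmp`.
find_collections() {
    for d in "$1" "$1"/systemd-private-*/tmp; do
        [ -e "$d/ip.pag" ] && echo "$d"
    done
    return 0
}

# Run the checks against the constructed samples and the host's /tmp.
main() {
    printf '%s\n' "$SAMPLE_LOG" | readstate_rejects
    reported=$(printf '%s\n' "$SAMPLE_LOG" | readstate_rejects | awk 'NR == 1 { print $2 }')
    mc=$(printf '%s\n' "$SAMPLE_CONF" | max_clients)
    if reported_is_whole_pool "$reported" "$mc"; then
        echo "reported count $reported equals MaxClients $mc: compare with server-status before trusting the per-IP figure"
    fi
    check_secdatadir /tmp || echo "collection files not usable in /tmp (rc=$?)"
    find_collections /tmp
}
main
```

Run it as the user Apache runs as (`su -s /bin/sh wwwrun -c 'sh triage.sh'` on openSUSE, assuming the default `wwwrun` account) so that the `-w` check in `check_secdatadir` reflects the permissions the module actually has; on a systemd host with PrivateTmp, `find_collections /tmp` is what shows whether the files were created in a private mount rather than not at all.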
