Generate exceptions for mod_security from log messages
I just had to help a customer deploy a TYPO3 installation on an Apache webserver running with mod_security2 enabled. Since this module blocked many requests, I needed to define a bunch of exceptions in the client's vHost configuration. To make this easier in the future, I came up with this little piece of bash to generate the exceptions directly from the messages in the Apache error log.
root@webhost:~# export last_url=""; grep ModSecurity /var/log/apache2/error.log | grep -P "\[id \"\d+\"\]" | grep -P "\[uri \".*?\"\]" | grep --color -Po "\[id \"\d+\"\]|\[uri \".*?\"\]" | cut -d\" -f2 | xargs -n2 echo | while read l; do id="`echo \"$l\" | sort -n | cut -d' ' -f1`"; url="`echo \"$l\" | cut -d' ' -f2`"; echo -e "$url|$id"; done | sort -u | while read l; do url="`echo \"$l\" | cut -d'|' -f1`"; id="`echo \"$l\" | cut -d'|' -f2`"; [ -n "$last_url" -a "$url" != "$last_url" ] && echo -e "\t</IfModule>\n</Location>"; [ "$url" != "$last_url" ] && echo -e "<Location \"$url\">\n\t<IfModule mod_security2.c>"; echo -e "\t\tSecRuleRemoveById $id"; last_url="$url"; done; echo -e "\t</IfModule>\n</Location>"; unset last_url;
Running this produces Location blocks for the URLs blocked by the module, each containing exceptions for the rules that were triggered. These blocks can be included in the vHost configuration.
<Location "/typo3/ajax.php">
	<IfModule mod_security2.c>
		SecRuleRemoveById 921130
		SecRuleRemoveById 941100
		SecRuleRemoveById 941110
		SecRuleRemoveById 941140
		SecRuleRemoveById 941160
		SecRuleRemoveById 941270
		SecRuleRemoveById 949110
		SecRuleRemoveById 980130
	</IfModule>
</Location>
<Location "/typo3/alt_doc.php">
	<IfModule mod_security2.c>
		SecRuleRemoveById 921130
		SecRuleRemoveById 941100
		SecRuleRemoveById 941110
		SecRuleRemoveById 941140
		SecRuleRemoveById 941160
		SecRuleRemoveById 941270
		SecRuleRemoveById 949110
		SecRuleRemoveById 980130
	</IfModule>
</Location>
<Location "/typo3/mod.php">
	<IfModule mod_security2.c>
		SecRuleRemoveById 921130
		SecRuleRemoveById 941100
		SecRuleRemoveById 941110
		SecRuleRemoveById 941140
		SecRuleRemoveById 941160
		SecRuleRemoveById 941270
		SecRuleRemoveById 949110
		SecRuleRemoveById 980130
	</IfModule>
</Location>
<Location "/typo3/sysext/install/Start/Install.php">
	<IfModule mod_security2.c>
		SecRuleRemoveById 921130
		SecRuleRemoveById 930120
		SecRuleRemoveById 942100
		SecRuleRemoveById 949110
		SecRuleRemoveById 980130
	</IfModule>
</Location>
Just double check that no exception for evil requests was generated from the log by accident.
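One way to make that double check part of the generation step, as an added example that is not the original one-liner: this Python variant only emits exceptions for requests logged from client addresses you name as trusted (for example your own address while clicking through the backend) and under a given URI prefix, and lists everything else as skipped for review. The function names, the trusted-client and prefix parameters, the assumed log layout and the sample lines are constructed for illustration; unlike the one-liner it also leaves out rules 949110 and 980130, which in the OWASP Core Rule Set are the anomaly-score evaluation and reporting rules.

```python
import re
from collections import defaultdict

# Assumed log layout: [client IP] ModSecurity: ... [id "N"] ... [uri "PATH"]
CLIENT = re.compile(r'\[client ([^\]]+)\] ModSecurity:')
RULE_ID = re.compile(r'\[id "(\d+)"\]')
URI = re.compile(r'\[uri "([^"]*)"\]')
# These fire only because other rules matched; removing them would switch
# off score-based blocking for the whole location, so they are never emitted.
SCORING_IDS = {"949110", "980130"}

def collect(lines, trusted_clients, uri_prefix):
    """Return ({uri: {rule ids}}, [(client, uri, id) entries left out])."""
    wanted, skipped = defaultdict(set), []
    for line in lines:
        c, i, u = CLIENT.search(line), RULE_ID.search(line), URI.search(line)
        if not (c and i and u) or i.group(1) in SCORING_IDS:
            continue
        client, rule, uri = c.group(1), i.group(1), u.group(1)
        if client in trusted_clients and uri.startswith(uri_prefix):
            wanted[uri].add(rule)
        else:
            skipped.append((client, uri, rule))
    return wanted, skipped

def render(wanted):
    """Format the collected ids as Location blocks, sorted for stable diffs."""
    out = []
    for uri in sorted(wanted):
        out += [f'<Location "{uri}">', "\t<IfModule mod_security2.c>"]
        out += [f"\t\tSecRuleRemoveById {r}" for r in sorted(wanted[uri], key=int)]
        out += ["\t</IfModule>", "</Location>"]
    return "\n".join(out)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '[:error] [client 192.0.2.10] ModSecurity: Warning. [id "941100"] [uri "/typo3/ajax.php"]',
    '[:error] [client 192.0.2.10] ModSecurity: Warning. [id "921130"] [uri "/typo3/ajax.php"]',
    '[:error] [client 192.0.2.10] ModSecurity: Access denied. [id "949110"] [uri "/typo3/ajax.php"]',
    '[:error] [client 198.51.100.7] ModSecurity: Warning. [id "942100"] [uri "/index.php"]',
]

if __name__ == "__main__":
    wanted, skipped = collect(SAMPLE, {"192.0.2.10"}, "/typo3/")
    print(render(wanted))
    for client, uri, rule in skipped:
        print(f"# skipped: client={client} uri={uri} id={rule}")
```

The skipped list is the part to read before including the output: anything in it came from an address or path you did not vouch for.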