Mod_security – Syntax error

apache-2.2mod-security

I have a password protected directory on my web server. To protect that from brute force attack, I tried to add the IP-Based BLocking config as below in the apache2 config file.

But everytime I restart Apache2 I get syntax error. Does anyone know how to resolve this? Thanks

Apache version: 2.2
Mod Security CRS – 2.2.8-1

Error when restart Apache

/etc/init.d/apache2 restart
 * Restarting web server apache2                     [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 252 of /etc/apache2/apache2.conf:
ModSecurity: No action id present within the rule
Action 'configtest' failed.
The Apache error log may have more information.

Here is the apache config file content:

232 Alias /shared /var/shared
233 <Directory /var/shared>
234         Options Indexes MultiViews FollowSymLinks
235         AllowOverride AuthConfig
236         Order allow,deny
237         Allow from all
238 </Directory>
239
240 <IfModule security2_module>
241     Include /usr/share/modsecurity-crs/*.conf
242     Include /usr/share/modsecurity-crs/base_rules/*.conf
243 </IfModule>
244 <LocationMatch /shared>
245         # Uncomment to troubleshoot
246        SecDebugLogLevel 9
247        SecDebugLog /tmp/troubleshooting.log
248
249        # Enforce an existing IP address block
250        SecRule IP:bf_block "@eq 1" \
251                "phase:2,deny,\
252                msg:'IP address blocked because of suspected brute-forceattack'"
253
254        # Check that this is a POST
255        SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass"
256             # AND Check for authentication failure and increment counters
257             # NOTE this is for a Rails application, you probably need to customize this
258                SecRule RESPONSE_STATUS "^200" \
259                        "setvar:IP.bf_counter=+1"
260
261        # Check for too many failures from a single IP address. Block for 10 minutes.
262        SecRule IP:bf_counter "@ge 3" \
263                "phase:5,pass,t:none, \
264                setvar:IP.bf_block,\
265                setvar:!IP.bf_counter,\
266                expirevar:IP.bf_block=600"
267 </LocationMatch>

There is nothing in the error logs except that it was shutting down while I initiated restart command.

Best Answer

I would say that an action unique ID is mandatory.

Try :

SecRule IP:bf_block "@eq 1" "phase:2,deny,id:'1234',msg:'IP address blocked because of suspected brute-forceattack'"

For id use any number you want, just ensure to not use the same twice (or more).

Related Topic