I installed mod_security on my Ubuntu GNU/Linux server, but when I send some simple requests to the web server that should match even the simplest rules, I fail to see any alerts or any of the log files that were supposed to exist in /var/log/apache2. What am I missing?
Before proceeding further, here are my system details:
$ apache2ctl -t -D DUMP_MODULES | grep secu
Syntax OK
security2_module (shared)
$ sudo lsof | grep mod_security
apache2 12773 root mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
apache2 15287 www-data mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
apache2 15288 www-data mem REG 202,0 268828 50225 /usr/lib/apache2/modules/mod_security2.so
...
And here is the relevant part from my /etc/apache2/apache2.conf:
<IfModule mod_security2.c>
# Basic configuration options
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
# Debug log
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 3
# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to 512 KB in length
SecResponseBodyLimit 524288
# Configure default blocking policy
# see ModSecurity Handbook, p. 175
#
#SecDefaultAction "phase:1,log,auditlog,pass"
Include /etc/apache2/modsecurity-crs_2.0.6/*.conf
Include /etc/apache2/modsecurity-crs_2.0.6/base_rules/*.conf
SecFilter "/bin/"
SecFilter "/cgi-bin" "deny,log,status:500"
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
</IfModule>
So I expect that if I visit my web site and send a request that matches one of the filters I declared above using SecFilter, or anything that matches the base rules, etc., then I should see something in those files:
/var/log/apache2/modsec_debug.log
/var/log/apache2/modsec_audit.log
right?
However, those files do not exist no matter what I try:
http://www.myserver.com/cgi-bin
http://www.myserver.com/index.html?q=/cgi-bin
http://www.myserver.com/bin
http://www.myserver.com/index.html?q=/bin
http://www.myserver.com/index.html?q=/bin/
Why can't I see any modsec_debug.log or modsec_audit.log in /var/log/apache2? I also don't get status 500 from the server. All I can see from the requests above is a few entries in the error.log file in /var/log/apache2 stating that the files I requested were not found, but no alerts produced by mod_security.
What am I missing?
Best Answer
Shame on me! I had put the mod-security config directives before (and not after) the:
so the mod-security module was actually not loaded! Now that I have placed the mod-security directives below them, mod-security is loaded and logs to the relevant files. Problem solved.
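A quick check for the ordering mistake described in the answer, added here as an example (it is not the asker's script or part of ModSecurity). It assumes the module becomes available either through an explicit `LoadModule security2_module` line or through Ubuntu's `Include .../mods-enabled/*.load`, and flags any `<IfModule mod_security2.c>` block that appears before that line, since such a block is skipped silently and `apache2ctl -t` still reports Syntax OK.

```shell
# check_modsec_order CONFIG: 0 if the <IfModule mod_security2.c> block follows the
# line that loads the module, 1 if it precedes it (block silently skipped),
# 2 if no block was found, 3 if nothing in CONFIG loads the module.
check_modsec_order() {
    conf="$1"
    # First line that makes security2_module available: an explicit LoadModule, or
    # the Include of mods-enabled/*.load which pulls in security2.load on Ubuntu.
    load_line=$(grep -n -E '^[[:space:]]*(LoadModule[[:space:]]+security2_module|Include[[:space:]]+.*mods-enabled/\*\.load)' "$conf" \
        | head -n 1 | cut -d: -f1)
    block_line=$(grep -n -i -E '^[[:space:]]*<IfModule[[:space:]]+mod_security2\.c>' "$conf" \
        | head -n 1 | cut -d: -f1)
    if [ -z "$block_line" ]; then
        echo "$conf: no <IfModule mod_security2.c> block found"; return 2
    fi
    if [ -z "$load_line" ]; then
        echo "$conf: nothing here loads security2_module (no LoadModule / Include mods-enabled)"; return 3
    fi
    if [ "$block_line" -lt "$load_line" ]; then
        echo "$conf: IfModule block (line $block_line) precedes module load (line $load_line): directives are ignored"
        return 1
    fi
    echo "$conf: IfModule block (line $block_line) follows module load (line $load_line)"
    return 0
}

WORK=$(mktemp -d)
BAD_CONF="$WORK/bad.conf"; GOOD_CONF="$WORK/good.conf"
# Constructed sample: the block sits above the Include lines, as in the question.
cat > "$BAD_CONF" <<'EOF'
<IfModule mod_security2.c>
    SecRuleEngine On
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
EOF
# Constructed sample: the same block moved below the Include lines (the fix).
cat > "$GOOD_CONF" <<'EOF'
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
<IfModule mod_security2.c>
    SecRuleEngine On
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>
EOF
for f in "$BAD_CONF" "$GOOD_CONF"; do
    check_modsec_order "$f" || true
done
```

Run it against /etc/apache2/apache2.conf to see which layout you have; a return code of 1 means the whole block, audit log directives included, never reaches Apache.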