Congrats, you're on your way to hard core security with mod_security! But now you're audit log is filling up faster than a North Dakota Bear at a Golden Coral (Sorry, Brian) with general errors that DO NOT trigger any mod_sec rules.
Normally, out of the box, you'll have mod_security's SecAuditEngine rules set like so:
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04)"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog "|bin/rotatelogs.exe -l -f f:/logs/%Y-%m-%d-modsec-audit.log 86400"
Or ... something close to that. Let's break down the REGEX on the line for SecAuditLogRelevantStatus:
?:5 -- Log anything that is a 500 level error, e.g., 500 Internal Server Error or the lovely 503 Service Unavailable.
4(?!04) -- Log any 400 level error EXCEPT for any 404 errors.
I'm all for the 500 level errors being logged as those should never happen, but for my modsec_audit log I'm FILLING up with about a million 401's that I could care less about. Apache is going to grab these anyway in a much more compressed format, so I don't need to also see these in my modsec log. So, to fix that (and if you're a REGEX noob like me) just modify that 4(?!04) line to read:
"^(?:5|4(?!04|01)"
By adding that "|01" to the end, we're just saying any 404 OR 401's, which, Apache is going to grab for you anyway.
Hope that clears up your mod_sec logs!!
Wednesday, March 4, 2015
Friday, February 20, 2015
Windows Firewall IP Scope Limit is 1000 Entries
1,000 ENTRIES IS THE MAX WINDOWS FIREWALL RULES WILL ACCEPT.
For the longest time, we've been building in-house security tools to keep bad actors out of our Apache, or at the least, keep them from banging on our ports. One of the C# tools we built will do a REGEX search in Apache's logs and if it sees something fishy will automatically add it to the Windows Firewall via an inbound rule for port 80 and 443 we created called "Block Apache Punks". (It used to have a very rated R name before. They made me change it. Use your imagination). Here's what it normally looks like when you're making an individual IP entry:
And then when you hit OK, it'll appear that it's taking it, but when you hit apply on your rule, you will see the error: "The array bounds are invalid." and it will NOT accept your entry. Because you've hit the limit. Which is dumb. It's 2015. Why is this happening.
We never looked it up, but heard there was a limit to the amount of IP's and CIDR addresses you could add to this list ... well, we found out last week what that number is: It's 1,000, like the big fat text above.
Hopefully, you'll come across this from a Google search and realize you NEED to move to something with much much more flexibility in your OpsSec plan for keeping out the bad guys. As I type this, we're moving to Apache mod_security with about 20 rules already and the ability to add infinite IP's if we need to. Something we should have done a long long time ago.
Wednesday, February 18, 2015
Windows 8.1 Offline Activation
Windows 8.1 is pretty slick, but if you're on NIPRnet, there is 0% chance it will activate itself over the network. Gone are the days of using the 1-800 number to call Microsoft and activate over the phone with 40 some odd digits, so if you're lucky enough to move to Windows 8.1 (Bye bye Pass-the-Hash Hacks!) here's how to activate IF you have a product key handy (Thanks, MSDN Subscription!)
1. Copy your product key to the clipboard
2. Right click on the Windows 8.1 Start Thingy and choose Run
3. Now type "slui 3" and hit Enter. This kicks off the Windows Activation Client and the option "3" tells slui to run the GUI.
1. Copy your product key to the clipboard
2. Right click on the Windows 8.1 Start Thingy and choose Run
3. Now type "slui 3" and hit Enter. This kicks off the Windows Activation Client and the option "3" tells slui to run the GUI.
4. You should see the below, where you'll paste your Win 8.1 key and hit close .. no need to wait for the spinning "I'm working on something" circle gif that will load.
5. That's it! Enjoy not being harassed every week about your activation key. YOU'RE WELCOME.
Thursday, February 12, 2015
Adobe CS6 Registration for Offline Activation and You Can Too!
So, they finally broke down and bought you Adobe CS6 eh? But you know you can't login with you're AdobeID, right? Because Adobe isn't allowed through the firewall, right? (THANKS DISA)
Well, have I got awesome news for you! Here's how to get your Adobe Photoshop/Illustrator registered and not explode in 7 days and you can too:
1. You should get the "Sign in now" page right away after starting your install and putting in your serial number for CS6. Choose sign in later if you haven't installed your CS6 yet.
2. Once you're installed, start up Illustrator and choose the "help" menu up top, then "product registration".
3. It'll bring up the "Sign in Required" page, but that's what we want. You'll see the "Having trouble connecting to the internet?" link now, click it. It should have also opened up the offline activation website at Adobe. Don't close that.
4. You'll now get the "No Internet Connection" page and the option (finally) to do an "Offline Activation". Click that button:
5. Now, you'll see the steps for an offline activation and the button to generate a request code. Click that bad boy!
6. You'll see a new screen with your request code shown (I've blurred mine out). Copy this to your clipboard and have it handy for the Adobe website to follow:
7. Now, at the website for your request code, you'll click the "Generate a Response Code" link right in the middle of that page:
8. It'll prompt you to sign in with your AdobeID next. So, do that:
9. Now, you'll paste the request code you generated and enter your serial number that you probably lost and just spent the last 4 hours looking for, or you're realizing you need that number now and are going to leave this page for tomorrow. At any rate, paste your code and enter your SN, then click "Generate Response Code".
10. If you were successful you'll see this next page showing you the response code for your offline activation. Copy the response code to your clipboard and we're almost done!
12. Now, take the response code you've just copied and paste it into the offline activation window you left open (You did leave that open, right?) and click (finally!) "Activate".
13. Finally! You're activated and CS6 won't asplode your computer! Now go have fun making all those Photoshops of your boss's head onto a donkey.
14. You're done. Get outta here. Close the window already. GAWD.
Well, have I got awesome news for you! Here's how to get your Adobe Photoshop/Illustrator registered and not explode in 7 days and you can too:
1. You should get the "Sign in now" page right away after starting your install and putting in your serial number for CS6. Choose sign in later if you haven't installed your CS6 yet.
6. You'll see a new screen with your request code shown (I've blurred mine out). Copy this to your clipboard and have it handy for the Adobe website to follow:
9. Now, you'll paste the request code you generated and enter your serial number that you probably lost and just spent the last 4 hours looking for, or you're realizing you need that number now and are going to leave this page for tomorrow. At any rate, paste your code and enter your SN, then click "Generate Response Code".
Subscribe to:
Posts (Atom)