Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

expirevar not working #315

Closed
iliuta opened this issue Dec 15, 2023 · 6 comments
Closed

expirevar not working #315

iliuta opened this issue Dec 15, 2023 · 6 comments

Comments

@iliuta
Copy link

iliuta commented Dec 15, 2023

Hi,

I'm not sure this project is still maintained but I give a try.

I'm trying to block agressive attacks using core rule set REQUEST-912-DOS-PROTECTION.conf with my nginx ingress controller installation.

It looks like once a couple IP + user agent is blocked, then it never expires.
tx.dos_block_timeout is not taken into account.
While desperately searching on the internet for an explanation, some agree that expirevar is not working properly.

Is there any solution I can apply? Thanks.
@martinhsv
Copy link
Contributor

Hello @iliuta ,

The ModSecurity-nginx project is only for the ModSecurity nginx connector. It has less activity because most of the work related to a use of ModSecurity with nginx occurs in the ModSecurity project ( https://github.com/SpiderLabs/ModSecurity ).

Check your ModSecurity version. The expirevar action had not yet been implemented in versions 3.0.0 through 3.0.10.

The functionality is present, however, in ModSecurity v3.0.11, which was published earlier this month.

@iliuta
Copy link
Author

iliuta commented Dec 15, 2023

Thanks @martinhsv
It's difficult to understand these version numbers. Actually the ModSecurity I'm using is bundled with the nginx ingress controller and it looks to be 1.0.3.
The OWASP core rules bundled are of version 3.3.5.

@martinhsv
Copy link
Contributor

Version 1.0.3 would be the version of the Connector (the ModSecurity-nginx project).

If you are not sure what version of ModSecurity 3.0.x you are using there are a few different ways you can tell, including:

  1. If using SecAuditLogFormat JSON, the ModSecurity version will automatically be included in audit log output (assuming you have 'part H' enabled').

  2. You can specifically output the version using the ModSecurity variable MODSEC_BUILD. E.g. SecAction "id:1003,phase:1,log,auditlog,msg:'ModSecurity version: %{MODSEC_BUILD}'" (although this format is a little less user friendly).

@iliuta
Copy link
Author

iliuta commented Dec 15, 2023

Thanks again @martinhsv for this useful information.
I've got this in the audit log:
"modsecurity":"ModSecurity v3.0.8 (Linux)","connector":"ModSecurity-nginx v1.0.3"

@airween
Copy link
Member

airween commented Dec 16, 2023

I've got this in the audit log: "modsecurity":"ModSecurity v3.0.8 (Linux)"

expirevar was fixed in 3.0.11, few days ago. Just fyi.

@iliuta
Copy link
Author

iliuta commented Dec 16, 2023

Thanks @airween
I think I have my answer.
There is a request for including ModSecurity 3.0.11 in the Nginx ingress controller build but it's not done yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@airween @iliuta @martinhsv