PassEnv variable MODSEC_ENABLE was undefined Solution [Solved]

PassEnv variable MODSEC_ENABLE was undefined Solution

ModSecurity error

We have a dedicated server running WHM/CentOS/SuPHP/CSF with a fairly large dedi server company. I already contacted support, and they wrote,

Regarding this issue you will require assistance from the website developer and ModSecurity professionals.

I thought they were professionals. Anyway, here's what I'm trying to do. I want to block brute force WP logins. So, in /usr/local/apache/conf/modsec2.user.conf, I currently have

SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /usr/local/apache/logs/data
SecRequestBodyAccess On

SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:5000134
<Locationmatch "/wp-login.php">

    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.'"

    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
    SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
I've also tried
SecDataDir /tmp
Either way, apache error_log is full of lines like
[Tue May 06 16:55:26 2014] [error] [client] ModSecurity: collection_store: Failed to access DBM file "/usr/local/apache/logs/data/ip": No such file or directory
I hope there's a professional here who can suggest something to try. I do not want to try Atomic ModSecurity at this time, whatever that is. Thanks.


It doesn't exist. In fact, the /usr/local/apache/logs/data directory doesn't exist. So, I created it, then set owner to 'nobody' -- and now the error messages have gone away. /usr/local/apache/logs/data now looks like this:

./  ../  ip.dir  ip.pag  user.dir  user.pag
however, /usr/local/apache/logs/error_log now has these new warnings:
[Tue May 06 18:11:30 2014] [warn] PassEnv variable MODSEC_ENABLE was undefined
on the other hand, I also see these:
[Tue May 06 18:13:18 2014] [error] [client] ModSecurity: Access denied with code 401 (phase 2). Operator GT matched 0 at USER:bf_block. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "11"] [id "5000135"] [msg "ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes."]
so, it seems to be working. 
(it blocked a russian ip. later on, it blocked a bulgarian ip. we're not expecting russian or bulgarian logins)

Post a Comment