mod_security X-Forwarded-For not being blockedmod_security IP collection key not being set correctlyMod security anomaly scoring in the audit logGood free guide for mod_security?How do you search for backdoors from the previous IT person?mod_security IP collection key not being set correctlySecAuditLogParts not working: mod_security keeps logging response bodymod_security not working at allJetmon being blocked by ModSecurity, how to write override rule?mod_security too strict rule?Installing mod_security for Apache 2.4Some mod_security rules not being appliedCan Modsecurity detect and block infected client computers that connect to a server?

Is it possible to fly backward if you have REALLY STRONG headwind?

Traversing Oceania: A Cryptic Journey

Why not invest in precious metals?

Teaching a class likely meant to inflate the GPA of student athletes

What is the maximum number of net attacks that one can make in a round?

Interval of parallel 5ths in the resolution of a German 6th chord

貧しい【まずしい】 poor 貧乏【びんぼう】な poor What's the difference?

Active low-pass filters --- good to what frequencies?

Cascading Switches. Will it affect performance?

Non-aqueous eyes?

Who enforces MPAA rating adherence?

sed + add word before string only if not exists

You have (3^2 + 2^3 + 2^2) Guesses Left. Figure out the Last one

If atoms are mostly vacuum, why are things so rigid around us?

Is it a bad idea to to run 24 tap and shock lands in standard

Russian word for a male zebra

Is it legal for a bar bouncer to confiscate a fake ID

Thread Pool C++ Implementation

LuaLaTex - how to use number, computed later in the document

What aircraft was used as Air Force One for the flight between Southampton and Shannon?

CSV how to trim values to 2 places in multiple columns using UNIX

Electricity free spaceship

Print lines between start & end pattern, but if end pattern does not exist, don't print

Let M and N be single-digit integers. If the product 2M5 x 13N is divisible by 36, how many ordered pairs (M,N) are possible?



mod_security X-Forwarded-For not being blocked


mod_security IP collection key not being set correctlyMod security anomaly scoring in the audit logGood free guide for mod_security?How do you search for backdoors from the previous IT person?mod_security IP collection key not being set correctlySecAuditLogParts not working: mod_security keeps logging response bodymod_security not working at allJetmon being blocked by ModSecurity, how to write override rule?mod_security too strict rule?Installing mod_security for Apache 2.4Some mod_security rules not being appliedCan Modsecurity detect and block infected client computers that connect to a server?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















I made some changes to my config as per this suggestion:



SecAction 
 "id:901321,
 phase:1,
 pass,
 t:none,
 nolog,
 initcol:global=global,
 initcol:ip=%x-forwarded-for_%tx.ua_hash,
 setvar:'tx.real_ip=%x-forwarded-for'"


But nothing seems to happen. I noticed that my apache error_log was using the default error log format and logging everything as 127.0.0.1.



So I changed my ErrorLogFormat to:



ErrorLogFormat "[%ut] [%-m:%l] [pid %P:tid %T] %7F: %E: [client %X-Forwarded-Fori] %M% , referer %Refereri"


That made my logs better, but ModSecurity is still not doing any blocking. What's weird is that most of the ModSec logs in the apache error_log have an extra client IP section in them:



[Wed May..2019] [err] [pid X:tid X] [client XXX.XX.XX.XXX] [client 127.0.0.1] ModSecurity: Warning...


I have no idea where the extra [client 127.0.0.1] is coming from - I know it's definitely only doing this for ModSecurity logs in the error_log.



It seems like either ModSecurity is either constantly trying to block 127.0.0.1 or just not blocking anything..



So how can I get ModSecurity to block using the X-Forwarded-For header?



NOTE



  1. I do have SecRuleEngine On set properly.

  2. Versions: Apache 2.4, ModSecurity 2.9, OWASP 3





security apache-2.4 mod-security







share|improve this question




























    0















    I made some changes to my config as per this suggestion:



    SecAction 
     "id:901321,
     phase:1,
     pass,
     t:none,
     nolog,
     initcol:global=global,
     initcol:ip=%x-forwarded-for_%tx.ua_hash,
     setvar:'tx.real_ip=%x-forwarded-for'"


    But nothing seems to happen. I noticed that my apache error_log was using the default error log format and logging everything as 127.0.0.1.



    So I changed my ErrorLogFormat to:



    ErrorLogFormat "[%ut] [%-m:%l] [pid %P:tid %T] %7F: %E: [client %X-Forwarded-Fori] %M% , referer %Refereri"


    That made my logs better, but ModSecurity is still not doing any blocking. What's weird is that most of the ModSec logs in the apache error_log have an extra client IP section in them:



    [Wed May..2019] [err] [pid X:tid X] [client XXX.XX.XX.XXX] [client 127.0.0.1] ModSecurity: Warning...


    I have no idea where the extra [client 127.0.0.1] is coming from - I know it's definitely only doing this for ModSecurity logs in the error_log.



    It seems like either ModSecurity is either constantly trying to block 127.0.0.1 or just not blocking anything..



    So how can I get ModSecurity to block using the X-Forwarded-For header?



    NOTE



    1. I do have SecRuleEngine On set properly.

    2. Versions: Apache 2.4, ModSecurity 2.9, OWASP 3





    security apache-2.4 mod-security







    share|improve this question
























      0












      0








      0








      I made some changes to my config as per this suggestion:



      SecAction 
       "id:901321,
       phase:1,
       pass,
       t:none,
       nolog,
       initcol:global=global,
       initcol:ip=%x-forwarded-for_%tx.ua_hash,
       setvar:'tx.real_ip=%x-forwarded-for'"


      But nothing seems to happen. I noticed that my apache error_log was using the default error log format and logging everything as 127.0.0.1.



      So I changed my ErrorLogFormat to:



      ErrorLogFormat "[%ut] [%-m:%l] [pid %P:tid %T] %7F: %E: [client %X-Forwarded-Fori] %M% , referer %Refereri"


      That made my logs better, but ModSecurity is still not doing any blocking. What's weird is that most of the ModSec logs in the apache error_log have an extra client IP section in them:



      [Wed May..2019] [err] [pid X:tid X] [client XXX.XX.XX.XXX] [client 127.0.0.1] ModSecurity: Warning...


      I have no idea where the extra [client 127.0.0.1] is coming from - I know it's definitely only doing this for ModSecurity logs in the error_log.



      It seems like either ModSecurity is either constantly trying to block 127.0.0.1 or just not blocking anything..



      So how can I get ModSecurity to block using the X-Forwarded-For header?



      NOTE



      1. I do have SecRuleEngine On set properly.

      2. Versions: Apache 2.4, ModSecurity 2.9, OWASP 3





      security apache-2.4 mod-security







      share|improve this question














      I made some changes to my config as per this suggestion:



      SecAction 
       "id:901321,
       phase:1,
       pass,
       t:none,
       nolog,
       initcol:global=global,
       initcol:ip=%x-forwarded-for_%tx.ua_hash,
       setvar:'tx.real_ip=%x-forwarded-for'"


      But nothing seems to happen. I noticed that my apache error_log was using the default error log format and logging everything as 127.0.0.1.



      So I changed my ErrorLogFormat to:



      ErrorLogFormat "[%ut] [%-m:%l] [pid %P:tid %T] %7F: %E: [client %X-Forwarded-Fori] %M% , referer %Refereri"


      That made my logs better, but ModSecurity is still not doing any blocking. What's weird is that most of the ModSec logs in the apache error_log have an extra client IP section in them:



      [Wed May..2019] [err] [pid X:tid X] [client XXX.XX.XX.XXX] [client 127.0.0.1] ModSecurity: Warning...


      I have no idea where the extra [client 127.0.0.1] is coming from - I know it's definitely only doing this for ModSecurity logs in the error_log.



      It seems like either ModSecurity is either constantly trying to block 127.0.0.1 or just not blocking anything..



      So how can I get ModSecurity to block using the X-Forwarded-For header?



      NOTE



      1. I do have SecRuleEngine On set properly.

      2. Versions: Apache 2.4, ModSecurity 2.9, OWASP 3





      security apache-2.4 mod-security




      security apache-2.4 mod-security






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked May 23 at 18:17









      Yes BarryYes Barry

      11613




      11613




















          1 Answer
          1






          active

          oldest

          votes


















          1














          The first part of your linked suggestion has this



          SecAction "phase:1,nolog,pass,initcol:IP=%REQUEST_HEADERS.x-forwarded-for"


          As you can see it specifies that x-forwarded-for is part of REQUEST_HEADERS but that is missing from your version of this.



          Do be aware that just logging the IP will not cause blocking. It is used to persist data that can be used in subsequent rules (e.g. log a counter against an IP and iterate it with each request, and then block if it goes above a certain limit for basic DoS protection). So make sure you’ve got some rules configured to DO something with that IP address!



          Also, as discussed in the comments, ModSecurity logs collections in a disk based file. This causes contention when lots of Apache processes try to access it at the same time. And the cleanup that ModSecurity does also can fail meaning the file grows and grows until it eats up all disk space or slows Apache to a crawl. I am not a fan of using them, especially on a site with an volume. I see them as a proof of concept of what ModSecurity could do to expand its single request rules based engine to a cross request one, but it’s not production ready IMHO. For more on this see here: https://sourceforge.net/p/mod-security/mailman/message/34393121/



          The double client_ip logging is a remnant of when ModSecurity used to use a non-standard way of logging. They moved to Apache native logging (which has more features - like the ability to log HTTP Headers like x-forwarded-for) but only noticed late the double client_ip (as both Apache standing logging module and ModSecurity is now logging this). They left as is to avoid breaking anyone who depended on the original client_ip logging. See here for more details: https://github.com/SpiderLabs/ModSecurity/pull/840






          share|improve this answer

























          • Thanks and good answer, (+1 for the quality info); but after making this change I still see [Timestamp] UNIQUE_ID_HASH 127.0.0.1 XXXXX 127.0.0.1 XX in the audit log.

            – Yes Barry
            May 24 at 16:06






          • 1





            No that’s not how it works. IP address is used for specific rules. Look at DOS rules or Brute Force rules which are in the experimental folder if on v2 of the CRS. They are not used to block all messages after a single failed rule. You could write such a rule based on DOS rule but I could imagine that would be quite dangerous as prone to false positives.

            – Barry Pollard
            May 24 at 16:28






          • 1





            In general ModSecurity blocks requests and not users. So it interrupts Apache processing if a rules is fired and instead of returning the result it returns a 403. Other requests from that IP still work (assuming they don’t fire rules) as they don’t check IP collections. If you have the DoS rules enabled then they do check the IP collections each time and they pass certain thresholds then it blocks ALL requests from that IP for a period of time. However the DoS limits are typically not set to 1 bad request as it seems you want - though could configure like this I suppose. If collections worked!

            – Barry Pollard
            May 24 at 16:42






          • 1





            And yes anomaly scoring requires blocking rules to be above an anomaly score before it blocks. This may be just triggered by one bad rule failure (as I would expect with an obvious SQLi) or it might be lots of little rules fails. Counting separate rules for one request doesn’t require shared storage as all rules for one request are handled by one process so can share in memory. Error log should show anomaly score for each rule that is fired. Which is one reason I dislike anomaly scoring - it’s very noisy! serverfault.com/questions/888168/…

            – Barry Pollard
            May 24 at 17:00







          • 1





            Ah so you are on CRSv3. Yeah Paranoia level 1 doesn’t always block when it should. But then also doesn’t usually accidentally block when it shouldn’t. WAFs are very prone to false positives and blocking legitimate requests when they shouldn’t. So need to be tuned to avoid this. As you move up the Paranoia levels you need more tuning based on your site and the requests you get. Paranoia level 1 usually needs no tuning but, as I say, can allow requests that should be blocked.

            – Barry Pollard
            May 24 at 17:08











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968610%2fmod-security-x-forwarded-for-not-being-blocked%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          The first part of your linked suggestion has this



          SecAction "phase:1,nolog,pass,initcol:IP=%REQUEST_HEADERS.x-forwarded-for"


          As you can see it specifies that x-forwarded-for is part of REQUEST_HEADERS but that is missing from your version of this.



          Do be aware that just logging the IP will not cause blocking. It is used to persist data that can be used in subsequent rules (e.g. log a counter against an IP and iterate it with each request, and then block if it goes above a certain limit for basic DoS protection). So make sure you’ve got some rules configured to DO something with that IP address!



          Also, as discussed in the comments, ModSecurity logs collections in a disk based file. This causes contention when lots of Apache processes try to access it at the same time. And the cleanup that ModSecurity does also can fail meaning the file grows and grows until it eats up all disk space or slows Apache to a crawl. I am not a fan of using them, especially on a site with an volume. I see them as a proof of concept of what ModSecurity could do to expand its single request rules based engine to a cross request one, but it’s not production ready IMHO. For more on this see here: https://sourceforge.net/p/mod-security/mailman/message/34393121/



          The double client_ip logging is a remnant of when ModSecurity used to use a non-standard way of logging. They moved to Apache native logging (which has more features - like the ability to log HTTP Headers like x-forwarded-for) but only noticed late the double client_ip (as both Apache standing logging module and ModSecurity is now logging this). They left as is to avoid breaking anyone who depended on the original client_ip logging. See here for more details: https://github.com/SpiderLabs/ModSecurity/pull/840






          share|improve this answer

























          • Thanks and good answer, (+1 for the quality info); but after making this change I still see [Timestamp] UNIQUE_ID_HASH 127.0.0.1 XXXXX 127.0.0.1 XX in the audit log.

            – Yes Barry
            May 24 at 16:06






          • 1





            No that’s not how it works. IP address is used for specific rules. Look at DOS rules or Brute Force rules which are in the experimental folder if on v2 of the CRS. They are not used to block all messages after a single failed rule. You could write such a rule based on DOS rule but I could imagine that would be quite dangerous as prone to false positives.

            – Barry Pollard
            May 24 at 16:28






          • 1





            In general ModSecurity blocks requests and not users. So it interrupts Apache processing if a rules is fired and instead of returning the result it returns a 403. Other requests from that IP still work (assuming they don’t fire rules) as they don’t check IP collections. If you have the DoS rules enabled then they do check the IP collections each time and they pass certain thresholds then it blocks ALL requests from that IP for a period of time. However the DoS limits are typically not set to 1 bad request as it seems you want - though could configure like this I suppose. If collections worked!

            – Barry Pollard
            May 24 at 16:42






          • 1





            And yes anomaly scoring requires blocking rules to be above an anomaly score before it blocks. This may be just triggered by one bad rule failure (as I would expect with an obvious SQLi) or it might be lots of little rules fails. Counting separate rules for one request doesn’t require shared storage as all rules for one request are handled by one process so can share in memory. Error log should show anomaly score for each rule that is fired. Which is one reason I dislike anomaly scoring - it’s very noisy! serverfault.com/questions/888168/…

            – Barry Pollard
            May 24 at 17:00







          • 1





            Ah so you are on CRSv3. Yeah Paranoia level 1 doesn’t always block when it should. But then also doesn’t usually accidentally block when it shouldn’t. WAFs are very prone to false positives and blocking legitimate requests when they shouldn’t. So need to be tuned to avoid this. As you move up the Paranoia levels you need more tuning based on your site and the requests you get. Paranoia level 1 usually needs no tuning but, as I say, can allow requests that should be blocked.

            – Barry Pollard
            May 24 at 17:08















          1














          The first part of your linked suggestion has this



          SecAction "phase:1,nolog,pass,initcol:IP=%REQUEST_HEADERS.x-forwarded-for"


          As you can see it specifies that x-forwarded-for is part of REQUEST_HEADERS but that is missing from your version of this.



          Do be aware that just logging the IP will not cause blocking. It is used to persist data that can be used in subsequent rules (e.g. log a counter against an IP and iterate it with each request, and then block if it goes above a certain limit for basic DoS protection). So make sure you’ve got some rules configured to DO something with that IP address!



          Also, as discussed in the comments, ModSecurity logs collections in a disk based file. This causes contention when lots of Apache processes try to access it at the same time. And the cleanup that ModSecurity does also can fail meaning the file grows and grows until it eats up all disk space or slows Apache to a crawl. I am not a fan of using them, especially on a site with an volume. I see them as a proof of concept of what ModSecurity could do to expand its single request rules based engine to a cross request one, but it’s not production ready IMHO. For more on this see here: https://sourceforge.net/p/mod-security/mailman/message/34393121/



          The double client_ip logging is a remnant of when ModSecurity used to use a non-standard way of logging. They moved to Apache native logging (which has more features - like the ability to log HTTP Headers like x-forwarded-for) but only noticed late the double client_ip (as both Apache standing logging module and ModSecurity is now logging this). They left as is to avoid breaking anyone who depended on the original client_ip logging. See here for more details: https://github.com/SpiderLabs/ModSecurity/pull/840






          share|improve this answer

























          • Thanks and good answer, (+1 for the quality info); but after making this change I still see [Timestamp] UNIQUE_ID_HASH 127.0.0.1 XXXXX 127.0.0.1 XX in the audit log.

            – Yes Barry
            May 24 at 16:06






          • 1





            No that’s not how it works. IP address is used for specific rules. Look at DOS rules or Brute Force rules which are in the experimental folder if on v2 of the CRS. They are not used to block all messages after a single failed rule. You could write such a rule based on DOS rule but I could imagine that would be quite dangerous as prone to false positives.

            – Barry Pollard
            May 24 at 16:28






          • 1





            In general ModSecurity blocks requests and not users. So it interrupts Apache processing if a rules is fired and instead of returning the result it returns a 403. Other requests from that IP still work (assuming they don’t fire rules) as they don’t check IP collections. If you have the DoS rules enabled then they do check the IP collections each time and they pass certain thresholds then it blocks ALL requests from that IP for a period of time. However the DoS limits are typically not set to 1 bad request as it seems you want - though could configure like this I suppose. If collections worked!

            – Barry Pollard
            May 24 at 16:42






          • 1





            And yes anomaly scoring requires blocking rules to be above an anomaly score before it blocks. This may be just triggered by one bad rule failure (as I would expect with an obvious SQLi) or it might be lots of little rules fails. Counting separate rules for one request doesn’t require shared storage as all rules for one request are handled by one process so can share in memory. Error log should show anomaly score for each rule that is fired. Which is one reason I dislike anomaly scoring - it’s very noisy! serverfault.com/questions/888168/…

            – Barry Pollard
            May 24 at 17:00







          • 1





            Ah so you are on CRSv3. Yeah Paranoia level 1 doesn’t always block when it should. But then also doesn’t usually accidentally block when it shouldn’t. WAFs are very prone to false positives and blocking legitimate requests when they shouldn’t. So need to be tuned to avoid this. As you move up the Paranoia levels you need more tuning based on your site and the requests you get. Paranoia level 1 usually needs no tuning but, as I say, can allow requests that should be blocked.

            – Barry Pollard
            May 24 at 17:08













          1












          1








          1







          The first part of your linked suggestion has this



          SecAction "phase:1,nolog,pass,initcol:IP=%REQUEST_HEADERS.x-forwarded-for"


          As you can see it specifies that x-forwarded-for is part of REQUEST_HEADERS but that is missing from your version of this.



          Do be aware that just logging the IP will not cause blocking. It is used to persist data that can be used in subsequent rules (e.g. log a counter against an IP and iterate it with each request, and then block if it goes above a certain limit for basic DoS protection). So make sure you’ve got some rules configured to DO something with that IP address!



          Also, as discussed in the comments, ModSecurity logs collections in a disk based file. This causes contention when lots of Apache processes try to access it at the same time. And the cleanup that ModSecurity does also can fail meaning the file grows and grows until it eats up all disk space or slows Apache to a crawl. I am not a fan of using them, especially on a site with an volume. I see them as a proof of concept of what ModSecurity could do to expand its single request rules based engine to a cross request one, but it’s not production ready IMHO. For more on this see here: https://sourceforge.net/p/mod-security/mailman/message/34393121/



          The double client_ip logging is a remnant of when ModSecurity used to use a non-standard way of logging. They moved to Apache native logging (which has more features - like the ability to log HTTP Headers like x-forwarded-for) but only noticed late the double client_ip (as both Apache standing logging module and ModSecurity is now logging this). They left as is to avoid breaking anyone who depended on the original client_ip logging. See here for more details: https://github.com/SpiderLabs/ModSecurity/pull/840






          share|improve this answer















          The first part of your linked suggestion has this



          SecAction "phase:1,nolog,pass,initcol:IP=%REQUEST_HEADERS.x-forwarded-for"


          As you can see it specifies that x-forwarded-for is part of REQUEST_HEADERS but that is missing from your version of this.



          Do be aware that just logging the IP will not cause blocking. It is used to persist data that can be used in subsequent rules (e.g. log a counter against an IP and iterate it with each request, and then block if it goes above a certain limit for basic DoS protection). So make sure you’ve got some rules configured to DO something with that IP address!



          Also, as discussed in the comments, ModSecurity logs collections in a disk based file. This causes contention when lots of Apache processes try to access it at the same time. And the cleanup that ModSecurity does also can fail meaning the file grows and grows until it eats up all disk space or slows Apache to a crawl. I am not a fan of using them, especially on a site with an volume. I see them as a proof of concept of what ModSecurity could do to expand its single request rules based engine to a cross request one, but it’s not production ready IMHO. For more on this see here: https://sourceforge.net/p/mod-security/mailman/message/34393121/



          The double client_ip logging is a remnant of when ModSecurity used to use a non-standard way of logging. They moved to Apache native logging (which has more features - like the ability to log HTTP Headers like x-forwarded-for) but only noticed late the double client_ip (as both Apache standing logging module and ModSecurity is now logging this). They left as is to avoid breaking anyone who depended on the original client_ip logging. See here for more details: https://github.com/SpiderLabs/ModSecurity/pull/840







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited May 24 at 17:17

























          answered May 23 at 20:53









          Barry PollardBarry Pollard

          3,591822




          3,591822












          • Thanks and good answer, (+1 for the quality info); but after making this change I still see [Timestamp] UNIQUE_ID_HASH 127.0.0.1 XXXXX 127.0.0.1 XX in the audit log.

            – Yes Barry
            May 24 at 16:06






          • 1





            No that’s not how it works. IP address is used for specific rules. Look at DOS rules or Brute Force rules which are in the experimental folder if on v2 of the CRS. They are not used to block all messages after a single failed rule. You could write such a rule based on DOS rule but I could imagine that would be quite dangerous as prone to false positives.

            – Barry Pollard
            May 24 at 16:28






          • 1





            In general ModSecurity blocks requests and not users. So it interrupts Apache processing if a rules is fired and instead of returning the result it returns a 403. Other requests from that IP still work (assuming they don’t fire rules) as they don’t check IP collections. If you have the DoS rules enabled then they do check the IP collections each time and they pass certain thresholds then it blocks ALL requests from that IP for a period of time. However the DoS limits are typically not set to 1 bad request as it seems you want - though could configure like this I suppose. If collections worked!

            – Barry Pollard
            May 24 at 16:42






          • 1





            And yes anomaly scoring requires blocking rules to be above an anomaly score before it blocks. This may be just triggered by one bad rule failure (as I would expect with an obvious SQLi) or it might be lots of little rules fails. Counting separate rules for one request doesn’t require shared storage as all rules for one request are handled by one process so can share in memory. Error log should show anomaly score for each rule that is fired. Which is one reason I dislike anomaly scoring - it’s very noisy! serverfault.com/questions/888168/…

            – Barry Pollard
            May 24 at 17:00







          • 1





            Ah so you are on CRSv3. Yeah Paranoia level 1 doesn’t always block when it should. But then also doesn’t usually accidentally block when it shouldn’t. WAFs are very prone to false positives and blocking legitimate requests when they shouldn’t. So need to be tuned to avoid this. As you move up the Paranoia levels you need more tuning based on your site and the requests you get. Paranoia level 1 usually needs no tuning but, as I say, can allow requests that should be blocked.

            – Barry Pollard
            May 24 at 17:08

















          • Thanks and good answer, (+1 for the quality info); but after making this change I still see [Timestamp] UNIQUE_ID_HASH 127.0.0.1 XXXXX 127.0.0.1 XX in the audit log.

            – Yes Barry
            May 24 at 16:06






          • 1





            No that’s not how it works. IP address is used for specific rules. Look at DOS rules or Brute Force rules which are in the experimental folder if on v2 of the CRS. They are not used to block all messages after a single failed rule. You could write such a rule based on DOS rule but I could imagine that would be quite dangerous as prone to false positives.

            – Barry Pollard
            May 24 at 16:28






          • 1





            In general ModSecurity blocks requests and not users. So it interrupts Apache processing if a rules is fired and instead of returning the result it returns a 403. Other requests from that IP still work (assuming they don’t fire rules) as they don’t check IP collections. If you have the DoS rules enabled then they do check the IP collections each time and they pass certain thresholds then it blocks ALL requests from that IP for a period of time. However the DoS limits are typically not set to 1 bad request as it seems you want - though could configure like this I suppose. If collections worked!

            – Barry Pollard
            May 24 at 16:42






          • 1





            And yes anomaly scoring requires blocking rules to be above an anomaly score before it blocks. This may be just triggered by one bad rule failure (as I would expect with an obvious SQLi) or it might be lots of little rules fails. Counting separate rules for one request doesn’t require shared storage as all rules for one request are handled by one process so can share in memory. Error log should show anomaly score for each rule that is fired. Which is one reason I dislike anomaly scoring - it’s very noisy! serverfault.com/questions/888168/…

            – Barry Pollard
            May 24 at 17:00







          • 1





            Ah so you are on CRSv3. Yeah Paranoia level 1 doesn’t always block when it should. But then also doesn’t usually accidentally block when it shouldn’t. WAFs are very prone to false positives and blocking legitimate requests when they shouldn’t. So need to be tuned to avoid this. As you move up the Paranoia levels you need more tuning based on your site and the requests you get. Paranoia level 1 usually needs no tuning but, as I say, can allow requests that should be blocked.

            – Barry Pollard
            May 24 at 17:08
















          Thanks and good answer, (+1 for the quality info); but after making this change I still see [Timestamp] UNIQUE_ID_HASH 127.0.0.1 XXXXX 127.0.0.1 XX in the audit log.

          – Yes Barry
          May 24 at 16:06





          Thanks and good answer, (+1 for the quality info); but after making this change I still see [Timestamp] UNIQUE_ID_HASH 127.0.0.1 XXXXX 127.0.0.1 XX in the audit log.

          – Yes Barry
          May 24 at 16:06




          1




          1





          No that’s not how it works. IP address is used for specific rules. Look at DOS rules or Brute Force rules which are in the experimental folder if on v2 of the CRS. They are not used to block all messages after a single failed rule. You could write such a rule based on DOS rule but I could imagine that would be quite dangerous as prone to false positives.

          – Barry Pollard
          May 24 at 16:28





          No that’s not how it works. IP address is used for specific rules. Look at DOS rules or Brute Force rules which are in the experimental folder if on v2 of the CRS. They are not used to block all messages after a single failed rule. You could write such a rule based on DOS rule but I could imagine that would be quite dangerous as prone to false positives.

          – Barry Pollard
          May 24 at 16:28




          1




          1





          In general ModSecurity blocks requests and not users. So it interrupts Apache processing if a rules is fired and instead of returning the result it returns a 403. Other requests from that IP still work (assuming they don’t fire rules) as they don’t check IP collections. If you have the DoS rules enabled then they do check the IP collections each time and they pass certain thresholds then it blocks ALL requests from that IP for a period of time. However the DoS limits are typically not set to 1 bad request as it seems you want - though could configure like this I suppose. If collections worked!

          – Barry Pollard
          May 24 at 16:42





          In general ModSecurity blocks requests and not users. So it interrupts Apache processing if a rules is fired and instead of returning the result it returns a 403. Other requests from that IP still work (assuming they don’t fire rules) as they don’t check IP collections. If you have the DoS rules enabled then they do check the IP collections each time and they pass certain thresholds then it blocks ALL requests from that IP for a period of time. However the DoS limits are typically not set to 1 bad request as it seems you want - though could configure like this I suppose. If collections worked!

          – Barry Pollard
          May 24 at 16:42




          1




          1





          And yes anomaly scoring requires blocking rules to be above an anomaly score before it blocks. This may be just triggered by one bad rule failure (as I would expect with an obvious SQLi) or it might be lots of little rules fails. Counting separate rules for one request doesn’t require shared storage as all rules for one request are handled by one process so can share in memory. Error log should show anomaly score for each rule that is fired. Which is one reason I dislike anomaly scoring - it’s very noisy! serverfault.com/questions/888168/…

          – Barry Pollard
          May 24 at 17:00






          And yes anomaly scoring requires blocking rules to be above an anomaly score before it blocks. This may be just triggered by one bad rule failure (as I would expect with an obvious SQLi) or it might be lots of little rules fails. Counting separate rules for one request doesn’t require shared storage as all rules for one request are handled by one process so can share in memory. Error log should show anomaly score for each rule that is fired. Which is one reason I dislike anomaly scoring - it’s very noisy! serverfault.com/questions/888168/…

          – Barry Pollard
          May 24 at 17:00





          1




          1





          Ah so you are on CRSv3. Yeah Paranoia level 1 doesn’t always block when it should. But then also doesn’t usually accidentally block when it shouldn’t. WAFs are very prone to false positives and blocking legitimate requests when they shouldn’t. So need to be tuned to avoid this. As you move up the Paranoia levels you need more tuning based on your site and the requests you get. Paranoia level 1 usually needs no tuning but, as I say, can allow requests that should be blocked.

          – Barry Pollard
          May 24 at 17:08





          Ah so you are on CRSv3. Yeah Paranoia level 1 doesn’t always block when it should. But then also doesn’t usually accidentally block when it shouldn’t. WAFs are very prone to false positives and blocking legitimate requests when they shouldn’t. So need to be tuned to avoid this. As you move up the Paranoia levels you need more tuning based on your site and the requests you get. Paranoia level 1 usually needs no tuning but, as I say, can allow requests that should be blocked.

          – Barry Pollard
          May 24 at 17:08

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968610%2fmod-security-x-forwarded-for-not-being-blocked%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

          Image
          centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
          Read more

          Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

          Image
          AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
          Read more

          What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

          Image
          When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
          Read more