
apache

Google's new policy meant that the www.klopt.org site was down and maps could not be drawn anymore.

This, coupled with requests from strange IPs, led me to believe someone had hacked me out of my quota.

While that was not true, it remains a fact that once I am actually paying for quota, someone could really hurt me with a well-constructed script.

So there are two Apache modules to the rescue: mod_security and mod_evasive.

mod_security

When you install the module from jessie you will get into trouble with JSON. That makes a nice worked example for this page, but if you are in a hurry:

The default version 2.8.0-3 has no JSON support compiled in; use 2.9.1 from jessie-backports instead.

You can install and set up mod_security following this page: visit

But since that page also installs mod_evasive, here are the steps in short:

install
sudo apt-get install libapache2-mod-security2
# (on jessie 'libapache2-modsecurity' is a transitional name for the same package)
sudo a2enmod security2
apachectl -M | grep security   # see if the module is listed (security2_module)
sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
sudo vi /etc/modsecurity/modsecurity.conf
# in vim make sure that:
SecRuleEngine On
# (the recommended file ships with DetectionOnly, which only writes to the audit
#  log without blocking; handy for a first run to see what would be denied)
sudo ln -s /usr/share/modsecurity-crs/base_rules/*.conf /usr/share/modsecurity-crs/activated_rules/
# that line links the needed conf files but forgets the data files
# they reference, so also do:
sudo ln -s /usr/share/modsecurity-crs/base_rules/*.data /usr/share/modsecurity-crs/activated_rules/

The file security2.conf already includes a few files, but the directories holding the links we just made have to be included as well:

security2.conf
vim /etc/apache2/mods-enabled/security2.conf
# add these after the other IncludeOptional line
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/activated_rules/*.conf"

And of course:

restart
systemctl restart apache2

backports

A way to prevent this error:

mod security
ModSecurity: JSON support was not enabled
ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" requir

This is because jessie ships with a mod_security that has no JSON support compiled in, so you need a newer version from backports.

Make a file /etc/apt/sources.list.d/backports.list with:

/etc/apt/sources.list.d/backports.list
deb http://ftp.debian.org/debian jessie-backports main

Then run apt-get update. To install something from backports, use one of:

install
sudo apt-get -t jessie-backports install libapache2-mod-security2
sudo aptitude -t jessie-backports install libapache2-mod-security2

Using this module is a bit like SELinux: you need to re-enable some bits to get your site working again. I only had a couple of problems at first glance. Most map pages don't work, and Ctrl-Shift-I (the browser's developer tools) says:

forbidden
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /ws
on this server.<br />
</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at www.klopt.org Port 443</address>
</body></html>

There is also a log file now, which might be a bit more convenient:

modsec_audit.log
tail -f /var/log/apache2/modsec_audit.log

It says the same thing, but also shows the request headers and the error number:

headers
POST /ws HTTP/1.1
Host: www.klopt.org
Connection: keep-alive
Content-Length: 177
Cache-Control: max-age=0
Origin: https://www.klopt.org
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: */*
Referer: https://www.klopt.org/vrpdemo.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl;q=0.8

And, perhaps more revealing, a detailed message after that:

output
Message: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "text/plain"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"]
Action: Intercepted (phase 1)
Stopwatch: 1541594517529166 770 (- - -)
Stopwatch2: 1541594517529166 770; combined=299, p1=251, p2=0, p3=0, p4=0, p5=48, sr=15, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.10 (Debian)
Engine-Mode: "ENABLED"

Here you can see that the problem is rule 960010: "Request content type is not allowed by policy". You can search the web for this id or just look in the file mentioned: /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf.

In that file there is a short description of this rule; the message even says it's at line 64. The message is too big for clarity, but the gist is that the request body is JSON while the Content-Type header says text/plain, which is not in the list of allowed request content types (tx.allowed_request_content_type); application/json is.

I added this to the Ajax call :

ajax call
xmlhttp.setRequestHeader('Content-Type', 'application/json');

Which is not all that easy to get past the cache.

If you find a definite way to clear the cache for apache, enlighten me here.

That got past at least this error. Subsequent errors are fixed in the same manner.
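When several rules fire, tailing the audit log gets unwieldy; a summary per rule id and URI tells you which errors are left. The script below is an added example, not code from the original page or from the ModSecurity/CRS projects. It reads a serial-format modsec_audit.log, pairs each `Message:` line in section H with the request line from section B, counts by rule id and URI, and can print a `<LocationMatch>`-scoped `SecRuleRemoveById` fragment for ids you have decided are false positives. The embedded audit-log excerpt is constructed for the example: the 960010 entries mirror the message shown above, and the 960015 "Request Missing an Accept Header" entry is another CRS 2.2.9 rule used only as a second sample (its line number and the transaction ids are made up).

```shell
#!/bin/sh
# Summarise ModSecurity 2 (serial audit log) hits by rule id and URI.
# Added example for this page; not ModSecurity or CRS code.

# Constructed audit-log excerpt: three transactions, each with a section B
# (request line) and a section H (Message: lines). Other sections are ignored.
SAMPLE_AUDIT_LOG='--4f2a1c3e-A--
[07/Nov/2018:13:41:57 +0100] W@OXlX8AAQEAAAuDAAAAAA 203.0.113.9 51234 198.51.100.7 443
--4f2a1c3e-B--
POST /ws HTTP/1.1
Host: www.klopt.org
Content-Type: text/plain;charset=UTF-8
--4f2a1c3e-H--
Message: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "text/plain"] [severity "CRITICAL"]
Action: Intercepted (phase 1)
--4f2a1c3e-Z--

--5b3d2e4f-A--
[07/Nov/2018:13:42:10 +0100] W@OXonsAAQEAAAuEAAAAAQ 203.0.113.9 51240 198.51.100.7 443
--5b3d2e4f-B--
POST /ws HTTP/1.1
Host: www.klopt.org
Content-Type: text/plain;charset=UTF-8
--5b3d2e4f-H--
Message: Access denied with code 403 (phase 1). Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:0" required. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [rev "2"] [msg "Request content type is not allowed by policy"] [data "text/plain"] [severity "CRITICAL"]
Action: Intercepted (phase 1)
--5b3d2e4f-Z--

--6c4e3f5a-A--
[07/Nov/2018:13:42:31 +0100] W@OXt38AAQEAAAuFAAAAAg 203.0.113.9 51244 198.51.100.7 443
--6c4e3f5a-B--
GET /ws HTTP/1.1
Host: www.klopt.org
--6c4e3f5a-H--
Message: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Action: Intercepted (phase 2)
--6c4e3f5a-Z--
'

# modsec_summary: read a serial audit log on stdin, print
# "<count> <rule id> <uri> <msg>" per distinct (id, uri), most frequent first.
modsec_summary() {
  awk '
    /^--[0-9a-fA-F]+-B--$/ { section = "B"; want_reqline = 1; next }
    /^--[0-9a-fA-F]+-H--$/ { section = "H"; next }
    /^--[0-9a-fA-F]+-[A-Z]--$/ { section = ""; next }
    section == "B" && want_reqline { uri = $2; want_reqline = 0; next }  # "POST /ws HTTP/1.1"
    section == "H" && /^Message: / {
      id = ""; msg = ""
      if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
      if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
      if (id != "") n[id " " uri " " msg]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# demo_summary: run the summary over the constructed sample.
demo_summary() { printf '%s' "$SAMPLE_AUDIT_LOG" | modsec_summary; }

# modsec_exclusion URI_REGEX ID...: print an Apache fragment that disables the
# given rule ids only for matching locations. Save it to a file that is
# included after the CRS rule files (e.g. add another IncludeOptional line
# below the activated_rules one in security2.conf) and run apachectl configtest.
modsec_exclusion() {
  uri_re=$1; shift
  printf '<LocationMatch "%s">\n' "$uri_re"
  for id in "$@"; do printf '    SecRuleRemoveById %s\n' "$id"; done
  printf '</LocationMatch>\n'
}
```

Running `demo_summary` prints `2 960010 /ws Request content type is not allowed by policy` and `1 960015 /ws Request Missing an Accept Header`, so you know which two things to look at for /ws. Fixing the client, as done above with the Content-Type header, is the better fix when you control the caller; a rule exclusion from `modsec_exclusion '^/ws' 960010` is for genuine false positives and should stay scoped to the location rather than disabling the rule site-wide.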

mod_evasive

Note that this module needs some tweaking. It is aimed at preventing DoS attacks, but that does mean you get shut out for a while rather quickly if you, like me, tend to hit F5 rapidly in a row to force a fresh page.

The installation is again :

install mod evasive
apt-get install libapache2-mod-evasive

After installing, run this command:

enable
sudo a2enmod evasive

Edit mod-evasive.conf to configure the mod_evasive module:

mod-evasive.conf
sudo vi /etc/apache2/mods-available/mod-evasive.conf
DOSHashTableSize    3097
# more than DOSPageCount hits on one URI within DOSPageInterval seconds,
# or more than DOSSiteCount hits on the site within DOSSiteInterval seconds,
# from one IP puts that IP on the block list
DOSPageCount        10
DOSPageInterval     1
DOSSiteCount        30
DOSSiteInterval     3
# seconds the blocked IP keeps getting 403; every hit while blocked restarts the clock
DOSBlockingPeriod   3600
# this is a directory (not a log file); it must exist and be writable by www-data:
#   sudo mkdir -p /var/log/mod_evasive && sudo chown www-data:www-data /var/log/mod_evasive
DOSLogDir           "/var/log/mod_evasive"

Now these have to be tuned to the real limits: the quota is 25,000 map loads a day, so I think it's better to allow more hits per second but block much longer once that rate is reached.
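Before changing those numbers it helps to see what they do to ordinary traffic. The script below is an added example, not the module's code or anything from the original page: it re-implements mod_evasive's counting rules (as read from the module's access_checker() in mod_evasive20.c) in awk and runs them over a constructed request trace: a browser loading a page that pulls 35 assets in two seconds, an Ajax client posting to /ws twelve times in one second, a real flood of 60 hits in one second, and the Ajax client coming back an hour later. The IPs and paths are made up; the thresholds in the first run are exactly the ones from the config above, the second run uses a higher count and a longer block, as the text suggests.

```shell
#!/bin/sh
# Toy model of mod_evasive's counting logic. Added example for this page, not
# the module's code. The rules mirror access_checker() in mod_evasive20.c:
#  * an IP on the hold list gets 403 while (now - hold_time) < DOSBlockingPeriod,
#    and every blocked hit refreshes hold_time;
#  * otherwise a per-IP+URI counter and a per-IP site counter are checked: if
#    the previous hit on that key was less than the interval ago and the count
#    is already at the limit, the IP goes on hold; the count is reset only when
#    the gap between two consecutive hits reaches the interval (no sliding window).

# mod_evasive_sim PAGE_COUNT PAGE_INTERVAL SITE_COUNT SITE_INTERVAL BLOCKING_PERIOD
# reads "<unix_time> <ip> <uri>" lines in arrival order on stdin and prints each
# line with ALLOW or BLOCK appended.
mod_evasive_sim() {
  awk -v pc="$1" -v pint="$2" -v sc="$3" -v sint="$4" -v bp="$5" '
    function hit(key, limit, ival,    tripped) {
      tripped = 0
      if (key in ts) {
        if (t - ts[key] < ival && count[key] >= limit) {
          tripped = 1; hold[ip] = t          # over the limit: put the IP on hold
        } else if (t - ts[key] >= ival) {
          count[key] = 0                     # long enough gap since the last hit: reset
        }
      }
      ts[key] = t; count[key]++
      return tripped
    }
    {
      t = $1 + 0; ip = $2; uri = $3; verdict = "ALLOW"
      if ((ip in hold) && t - hold[ip] < bp) {
        verdict = "BLOCK"; hold[ip] = t      # still on hold; the hit extends the hold
      } else {
        if (hit(ip "_" uri, pc, pint)) verdict = "BLOCK"
        if (hit(ip "_SITE", sc, sint)) verdict = "BLOCK"
      }
      print t, ip, uri, verdict
    }'
}

# count_blocked: same arguments as mod_evasive_sim; prints how many requests got a 403.
count_blocked() { mod_evasive_sim "$@" | awk '/ BLOCK$/ { n++ } END { print n + 0 }'; }

# sample_requests: constructed trace (made-up IPs and paths).
sample_requests() {
  i=0
  while [ "$i" -lt 35 ]; do                 # client A: one page load, 35 assets over seconds 100-101
    echo "$((100 + i / 20)) 198.51.100.7 /asset$i.js"
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt 12 ]; do echo "200 203.0.113.9 /ws"; i=$((i + 1)); done   # client B: 12 Ajax posts in one second
  i=0
  while [ "$i" -lt 60 ]; do echo "300 203.0.113.5 /ws"; i=$((i + 1)); done   # client C: a real flood, 60 hits in one second
  echo "3799 203.0.113.9 /ws"               # client B retries just before a 3600 s block would expire...
  echo "3800 203.0.113.9 /ws"               # ...and once more a second later
}

# The page's values vs. a more permissive but longer-blocking set:
#   sample_requests | count_blocked 10 1 30 3 3600     -> 59
#   sample_requests | count_blocked 50 1 100 1 86400   -> 10
```

With the values from the config above, the 35-asset page load alone puts the visitor on the hold list at the 31st request (30 site hits in under 3 seconds), the twelve F5-style hits on one URI do the same after the tenth, and because a blocked hit refreshes the hold timestamp, client B retrying at 3799 s and 3800 s is blocked both times even though the original hour is up. Raising the counts (second run) lets both legitimate patterns through and still stops the flood after 50 hits. Also note that the interval is compared against the gap between two consecutive hits, not a window, so with DOSSiteInterval 3 any client that keeps requesting faster than once per three seconds is blocked as soon as its count reaches DOSSiteCount, however modest its rate.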