Mod_security on weblate
This document is a work in progress description of our mod_sec configuration that is protecting weblate.
How to retrieve the rules and how to investigate whether to keep or remove them
To get a list of the rules that were triggered in the last 2 weeks you can, on translate.lizard, run:
sudo cat /var/log/apache2/error.log{,.1} > /tmp/errors
sudo zcat /var/log/apache2/error.log.{2,3,4,5,6,7,8,9,10,11,12,13,14}.gz >> /tmp/errors
grep '\[id ' /tmp/errors | sed -e 's/^.*\[id //' -e 's/\].*//' | sort | uniq > /tmp/rulesThe file /tmp/rules will now contain all the rules you need to investigate.
Rules
Below is an overview of the mod_sec rules that were triggered when running weblate.
rule nr remove? investigate? reason/comment
"200002" no only triggered on calls to non-valid uri's
"911100" no only triggered by obvious scanners and bots
"913100" no we didn't ask for nmap and openvas scans
"913101" no only weird python scanners looking for svg images and testing for backup logfiles
"913102" no only bots
"913110" no only scanners
"913120" no only triggered on calls to invalid uri's
"920170" no only triggered on calls to invalid uri's
"920180" no the only valid uri was '/' and users shouldn't POST stuff there
"920220" no only triggered on calls to invalid uri's
"920230" yes no this rule triggers on calls to comments, which appear to be valid weblate traffic
"920270" no only malicious traffic
"920271" no only malicious traffic
"920300" no yes this block a call to /git/tails/index/info/refs that happens every minute ??
"920320" no only malicious traffic
"920340" no only bullshit uri's
"920341" no only bullshit uri's
"920420" no only bullshit uri's
"920440" no only scanners
"920450" no only scanners
"920500" no only scanners
"921120" no only bullshit
"921130" no JavaScript injection attempt: var elem = document.getelementbyid("pgp_msg");
"921150" no 480 blocks in < 10min with ARGS_NAMES:<?php exec('cmd.exe /C echo khjnr2ih2j2xjve9rulg',$colm);echo join("\\n",$colm);die();?>
"921151" no only malicious bullshit
"921160" no only malicious bullshit
"930100" no only malicious bullshit
"930110" no only malicious bullshit
"930120" no only malicious bullshit
"930130" no only malicious bullshit
"931130" no only bullshit
"932100" yes no causes false positives on /translate/tails/ip_address_leak_with_icedove/fr/
"932105" no only bullshit
"932110" no only bullshit
"932115" yes no unsure about some calls and we anyway don't need to worry about windows command injection
"932120" yes no again, unsure, but no need to worry about powershell command injection
"932130" yes no multiple false positives
"932150" yes no false positive on /translate/tails/wikisrcsecuritynoscript_disabled_in_tor_browserpo/fr/
"932160" no only bullshit
"932170" no only bullshit
"932171" no only bullshit
"932200" yes no multiple false positives
"933100" no only invalid uri's
"933120" no only invalid uri's
"933140" no only invalid uri's
"933150" no only invalid uri's
"933160" no only malicious bullshit
"933210" yes no multiple false positives
"941100" no only malicious bullshit
"941110" no only malicious bullshit
"941120" yes yes false positive on /translate/tails/faq/ru/
"941150" yes no multiple false positives
"941160" yes yes false positive on /translate/tails/wikisrcnewscelebrating_10_yearspo/fr/
"941170" no only bullshit
"941180" no only bullshit
"941210" no only bullshit
"941310" yes no multiple false positives
"941320" yes no multiple false positives
"941340" yes no multiple false positives
"942100" no only bullshit
"942110" no only bullshit
"942120" yes no multiple false positives
"942130" yes no multiple false positives
"942140" no only bullshit
"942150" yes no multiple false positives
"942160" no only bullshit
"942170" no only bullshit
"942180" yes no multiple false positives
"942190" no only bullshit
"942200" yes no multiple false positives
"942210" yes no multiple false positives
"942240" no only bullshit
"942260" yes no multiple false positives
"942270" no only malicious bullshit
"942280" no only bullshit
"942300" no only bullshit
"942310" no only bullshit
"942330" no only bullshit
"942340" yes no multiple false positives
"942350" no only bullshit
"942360" no only bullshit
"942361" no only bullshit
"942370" yes no multiple false positives
"942380" no only bullshit
"942400" no only bullshit
"942410" yes no multiple false positives
"942430" yes no multiple false positives
"942440" yes no multiple false positives
"942450" no only bullshit
"942470" no only bullshit
"942480" no only bullshit
"942510" yes no multiple false positives
"943120" no only bullshit
"944240" yes no unsure, but we don't need to worry about java serialisation
"949110" yes yes multiple false positives, unsure if this rule can work behind our proxy
"950100" no if weblate returns 500, we shouldn't show error messages to third parties
"951120" yes no Message says that the response body leaks info about Oracle, but we don't use Oracle.
"951240" yes no multiple false positives
"952100" no only bullshit
"953110" no only bullshit
"959100" yes yes multiple false positives, unsure if this rule can work behind our proxy (see 949110)
"980130" yes yes multiple false positives, unsure if this rule can work behind our proxy (see 949110)
"980140" yes yes multiple false positives, unsure if this rule can work behind our proxy (see 949110)