Server's Apache Error. Mod security

Posted by Alert Games on Jan. 18, 2011, 6:09 p.m.

So a few months ago I ran into a problem with my website/games. I never mentioned it on here, but I figured I would ask a bunch of "professionals" such as yourselves.

The issue arose as a 406 error (I think, or some number), when a game tried to access the webhost. Basically, the server's security didn't recognise the platform trying to access the site and denied access.

This was caused by the server upgrading its MOD_SECURITY on its Apache. Unfortunately I was unsure how to allow certain clients to access the game files in particular. So, I ended up requesting to disable the security feature altogether in order for my games to be able to connect. And I only allowed the game clients to access the game files.

So what I am asking you guys with experience with this, is if it is a problem to have MOD_SECURITY disabled on my website?

And if it is, then how can I allow my games to still access the site with mod security enabled?

Thanks for any tips! <3

Comments

firestormx 13 years, 11 months ago

Unfortunately I have no experience with this. :(

But it's an interesting question.

MahFreenAmeh 13 years, 11 months ago

It really shouldn't be a problem to disallow mod_security. All it really is is a firewall, but you could always use iptables instead. But, if you were so inclined to continue using mod_sec, then you'd just want to whitelist any IPs that are blocked.

http://www.modsecurity.org/documentation/faq.html#d0e400

Basically just add some directives to .htaccess, or your httpd.conf, and, bam, win! If I'm not mistaken, the directive takes regex for matching, so you could do some regular expression magic to match subsets of IPs, etc.

I'd read the docs though! They always help.

Alert Games 13 years, 11 months ago

I read some of the docs, however it is confusing as to what is specifically causing the problem with the firewall. I also don't have direct access to using the .htaccess, so I would need to know the exact way to allow everyone's clients (games) to run but still have the mod_security.

But without it, I'm not sure if people can attack the site in certain ways. So far it won't be an issue but would be good to know for future reference.

firestormx 13 years, 11 months ago

In doing about 10 seconds of research, I know there are a lot of sites that don't use mod_sec, so I'm sure you'll be alright.

MahFreenAmeh 13 years, 11 months ago

@Alert: You just want to get their IPs, then do

SecRule REMOTE_ADDR "their ip here" phase:1,nolog,allow,ctl:ruleEngine=Off

You could just as easily whitelist whole subnets like such:

SecRule REMOTE_ADDR "^192\.168\.1\.\d+$" phase:1,nolog,allow,ctl:ruleEngine=Off

to allow 192.168.1.*,

SecRule REMOTE_ADDR "^192\.168\..+\..+" phase:1,nolog,allow,ctl:ruleEngine=Off

to allow 192.168.*.*

but just as well, there are more criteria for it to match on, you can find that here: http://www.modsecurity.org/documentation/modsecurity-apache/2.0.2/html-multipage/03-configuration-directives.html

Basically, just find a common factor that all the connections share (i.e., accessing a specific file) and whitelist it based on those criteria!

firestormx 13 years, 11 months ago

I think AG wants anyone playing the game to be able to access the server, so all IPs should be whitelisted… Which would make it useless?

MahFreenAmeh 13 years, 11 months ago

@firestorm understandable, but if you read some of the actual options for the config directive, it isn't just based off of the IP itself. You could, for instance, allow based on user agent, or whatever have you. All he has to do is figure out some common link between all of them (maybe a useragent, maybe the query used, whatever) and use that to allow it through. It's not a problem if he does that, IPs won't be an issue. (Y)
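
An added example, not part of the thread and not ModSecurity's own tooling: before picking a whitelist criterion, the Apache error log shows which rule is actually denying the game clients. This Python script tallies ModSecurity "Access denied" entries under a URL prefix; the log lines, client addresses, rule ids and the `/games/` path are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Apache 2.2-style error_log entries (not taken from the thread).
_DENY = ('[Tue Jan 18 18:01:12 2011] [error] [client {c}] ModSecurity: Access denied '
         'with code 406 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. '
         '[file "/etc/httpd/modsecurity.d/rules.conf"] [line "47"] [id "{i}"] '
         '[msg "{m}"] [hostname "games.example"] [uri "{u}"] [unique_id "x"]')
NO_ACCEPT = "Request Missing an Accept Header"
NO_UA = "Request Missing a User Agent Header"
SAMPLE_LOG = "\n".join([
    _DENY.format(c="203.0.113.7", i="900015", m=NO_ACCEPT, u="/games/scores.php"),
    _DENY.format(c="203.0.113.8", i="900015", m=NO_ACCEPT, u="/games/scores.php"),
    _DENY.format(c="203.0.113.7", i="900009", m=NO_UA, u="/games/login.php"),
    _DENY.format(c="203.0.113.7", i="900015", m=NO_ACCEPT, u="/games/scores.php"),
    _DENY.format(c="198.51.100.9", i="900901", m="Restricted path", u="/admin/index.php"),
    "[Tue Jan 18 18:02:40 2011] [error] [client 203.0.113.8] File does not exist: /var/www/favicon.ico",
    '[Tue Jan 18 18:03:05 2011] [error] [client 203.0.113.8] ModSecurity: Warning. '
    'Operator EQ matched 0. [id "900015"] [msg "%s"] [uri "/games/scores.php"]' % NO_ACCEPT,
])

DENIED = re.compile(r"\[client (?P<client>[^\]]+)\] ModSecurity: Access denied with code (?P<code>\d{3})")
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"] metadata pairs

def parse_denials(log_text):
    """Yield one dict per ModSecurity 'Access denied' line; other lines are skipped."""
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # ordinary Apache errors and non-blocking ModSecurity warnings
        fields = dict(FIELD.findall(line))
        yield {"client": m["client"], "code": int(m["code"]), "id": fields.get("id", "?"),
               "msg": fields.get("msg", ""), "uri": fields.get("uri", "")}

def blocking_rules(log_text, uri_prefix):
    """Return (rule id, msg, denials, distinct clients) for URIs under uri_prefix."""
    hits, clients = Counter(), {}
    for d in parse_denials(log_text):
        if d["uri"].startswith(uri_prefix):
            key = (d["id"], d["msg"])
            hits[key] += 1
            clients.setdefault(key, set()).add(d["client"])
    return [(rid, msg, n, len(clients[(rid, msg)])) for (rid, msg), n in hits.most_common()]

if __name__ == "__main__":
    for rid, msg, n, who in blocking_rules(SAMPLE_LOG, "/games/"):
        print(f"rule {rid}: {n} denials from {who} client(s): {msg}")
```

With the rule ids known, the host can be asked for a narrow exception (for example `SecRuleRemoveById` inside a `<Location>` block covering only the game directory) instead of turning the engine off for the whole site.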

Alert Games 13 years, 10 months ago

Thanks for your help. If I could allow a particular user agent that would be helpful. However, then I would have to re-code some previous games to do that or else they won't have access. :F

Furthermore, I wouldn't know how to change that setting, especially if I don't have access to making any changes (I'm not sure if I do). So I would need to know exactly what to put it to do it.

So for the moment I am going to have to deal with it off. :o