[solved] request filter rule - only allow specific IP to login for usernames

c0ldshadow

#1
Hi Team,

I am trying to make it so only a specific IP address 5.5.5.5 can login
with specific usernames (admin or test) in the POST data of a login script on a vbulletin forum:

From .htaccess file:

SecRule REQUEST_URI "^\/login\.php\?do=login" chain
SecRule ARG_vb_login_username ((test)|(admin)) chain
SecRule REMOTE_ADDR !^5\.5\.5\.5$


I have tried the above rule and many other variations but can't seem to
figure out how to accomplish this.



additionally i tried this in the Admin panel and removed everything from htaccess. the action is

log,deny,status:403,msg:'test'

SecFilterSelective THE_REQUEST "/login\.php" chain
SecFilterSelective ARG_vb_login_username "test" chain
SecFilterSelective REMOTE_ADDR "!^5\.5\.5\.5$"

doesn't work either. i can log in with the username test from both the IP in the rule and other IPs

i did try gracefully restarting, it didn't fix the nonworking

Please advise.

Best Regards,

-Avery
 

webizen

#2
for .htaccess to work, make sure "Disable .htaccess Override" => No/Not Set (Admin CP -> Configuration -> Server -> Request Filter).
 

c0ldshadow

#3
hey, i already have that option set but the filter doesn't work

any idea what to try next? is this a bug?

something just isn't right...


SecFilterSelective REQUEST_URI "/login\.php" ### this alone DOES cause a block when i try accessing the script

if i try adding one more line so it's

SecFilterSelective REQUEST_URI "/login\.php" chain
SecFilterSelective ARG_vb_login_username "myname"

it doesn't cause a block when i try to log in with 'myname'.. why is it failing at this point?
 

webizen

#4
enable DEBUG logging (Admin CP -> Configuration -> Server -> Logging: Log Level=DEBUG, Debug Level=!NONE) and tail error log (e.g. /usr/local/lsws/logs/error.log) to see what's going on.
 

c0ldshadow

#5
hey, still no luck =( the log is not reporting anything about blocks when i try logging in with that username. i see other stuff in the log appearing but nothing related to mod security

i checked the POST data for vbulletin logins and I'm not seeing why this filter isn't catching it
 

c0ldshadow

#6
hi team any update on this one? if you want me to share link to my site or any other details that might help solve problem plz let me know
 

webizen

#10
If lsws runs with Apache httpd.conf, rules in request filter (Admin CP -> Configuration -> Server -> Request Filter -> Request Filtering Rule Set) have NO effect. They need to be placed in httpd.conf or .htaccess (with "Disable .htaccess Override" => No/Not Set).
 

c0ldshadow

#11
hi, yes i am using the .htaccess method. the .htaccess does work when i just block people from accessing a script (as evidenced by error log messages and the page not showing)... but the chaining for the POST data doesn't work.

i will try the force-reinstall, but before i do that, is it safe to do that while my site is live / running a vbulletin forum? plz verify it is safe to do that
 

webizen

#12
yes, it is safe to do force-reinstall. the latest 4.1.3 build should be working fine with the chaining for POST data.
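
An added example, not part of the thread and not LiteSpeed's own configuration: the goal from post #1 written as a ModSecurity 2.x chained rule, with the weak username match from the thread shown beside a stricter one. It assumes Apache mod_security2 2.7 or later syntax; the rule id is a placeholder, and whether LSWS accepts each operator and transformation used here is not confirmed by the thread.

```apache
# Added example, ModSecurity 2.x syntax (assumption: mod_security2 >= 2.7).
# The field name vb_login_username and the address 5.5.5.5 come from post #1;
# the rule id 1000001 and the msg text are placeholders.

SecRuleEngine On
# POST fields are only visible to rules when the request body is parsed,
# and only in phase 2 or later. A chain that reads a POST argument in
# phase 1 never matches, so the request is never blocked.
SecRequestBodyAccess On

# Weak form, as posted in the thread (kept here as a comment only):
#   SecRule ARG_vb_login_username ((test)|(admin)) chain
# - ARG_name is the ModSecurity 1.x variable form; 2.x uses ARGS:name.
# - The pattern is unanchored, so it matches inside longer usernames.
# - It is case-sensitive, so a differently cased spelling of the
#   username is not covered by the rule.

# Stricter form. In a chain, the disruptive action (deny), id, phase and
# msg belong on the first rule; the request is denied only when every
# rule in the chain matches.
SecRule REQUEST_FILENAME "@endsWith /login.php" \
    "id:1000001,phase:2,t:none,t:normalisePath,\
    deny,status:403,log,\
    msg:'Restricted username from unapproved address',\
    chain"
    # Exact, case-insensitive match on the protected usernames.
    SecRule ARGS:vb_login_username "@rx ^(?:admin|test)$" \
        "t:none,t:trim,t:lowercase,chain"
        # Matches when the client is NOT the approved address.
        # REMOTE_ADDR is the TCP peer: behind a reverse proxy or CDN it
        # is the proxy's address, not the end user's.
        SecRule REMOTE_ADDR "!@ipMatch 5.5.5.5"
```

Matching on REQUEST_FILENAME instead of the full URI means the rule applies to any request to login.php that carries one of the protected usernames, whether or not `do=login` appears in the query string.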
 