Mod_security - Syntax error
Solution 1
I would say that an action unique ID is mandatory.
Try:
SecRule IP:bf_block "@eq 1" "phase:2,deny,id:'1234',msg:'IP address blocked because of suspected brute-forceattack'"
For id, use any number you want, just ensure not to use the same one twice (or more).
Solution 2
ModSecurity: No action id present within the rule
The error above is encountered with rules that were set up and working well with older mod_security module versions (like before v. 2.7.x). Starting with ModSecurity 2.7, a unique ID needs to be assigned to the rule or chain in which it appears: "this action is mandatory and must be numeric".
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id
So the error shows up after moving the rules to servers with newer versions of the mod_security module, or after in-place mod_security updates/upgrades, like from 2.6.x to 2.7.x etc.
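An added example, not part of either answer or of ModSecurity itself: a small Python check that applies the requirement quoted in Solution 2 (each rule or chain needs its own numeric id) to a rule file before Apache's configtest does. The sample input is constructed from lines 250-266 of the question's apache2.conf, the function names are hypothetical, and problems are reported against the last line of each directive, as the error in the question is.

```python
import re, shlex
# Constructed sample: lines 250-266 of the apache2.conf shown in the question.
SAMPLE = r'''SecRule IP:bf_block "@eq 1" \
"phase:2,deny,\
msg:'IP address blocked because of suspected brute-forceattack'"

# Check that this is a POST
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass"
# AND Check for authentication failure and increment counters
# NOTE this is for a Rails application, you probably need to customize this
SecRule RESPONSE_STATUS "^200" \
"setvar:IP.bf_counter=+1"

# Check for too many failures from a single IP address. Block for 10 minutes.
SecRule IP:bf_counter "@ge 3" \
"phase:5,pass,t:none, \
setvar:IP.bf_block,\
setvar:!IP.bf_counter,\
expirevar:IP.bf_block=600"'''

def directives(text, first_line=1):
    """Join backslash continuations; yield (last line number, directive)."""
    buf = ""
    for no, raw in enumerate(text.splitlines(), first_line):
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        if buf and not buf.startswith("#"):
            yield no, buf
        buf = ""

def lint_ids(text, first_line=1):
    """List (line, problem) for rules that lack a unique numeric id."""
    problems, seen, chained = [], set(), False
    for no, d in directives(text, first_line):
        tok = shlex.split(d)
        pos = {"secrule": 3, "secaction": 1}.get(tok[0].lower())
        if pos is None:          # not a directive that carries an action list
            continue
        arg = "".join(tok[pos:pos + 1])   # the action list, if one was given
        acts = dict(a.strip().partition(":")[::2]   # split on commas outside '...'
                    for a in re.findall(r"(?:[^,']|'[^']*')+", arg))
        rid = acts.get("id", "").strip("'")
        if not chained and (not rid.isdigit() or rid in seen):
            why = "duplicate id " + rid if rid.isdigit() else "no numeric id"
            problems.append((no, why))
        seen.add(rid)
        chained = "chain" in acts   # the next rule belongs to this rule's chain
    return problems
```

Called as lint_ids(SAMPLE, 250), it flags lines 252, 255 and 266; the chained rule at 258-259 is covered by the id of its chain starter.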
Matt
Updated on September 18, 2022
Comments
-
Matt over 1 year
I have a password-protected directory on my web server. To protect that from brute-force attack, I tried to add the IP-Based Blocking config as below in the apache2 config file.
But every time I restart Apache2 I get a syntax error. Does anyone know how to resolve this? Thanks
Apache version: 2.2
Mod Security CRS - 2.2.8-1
Error when restart Apache
/etc/init.d/apache2 restart
 * Restarting web server apache2 [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 252 of /etc/apache2/apache2.conf:
ModSecurity: No action id present within the rule
Action 'configtest' failed.
The Apache error log may have more information.
Here is the apache config file content:
232 Alias /shared /var/shared
233 <Directory /var/shared>
234     Options Indexes MultiViews FollowSymLinks
235     AllowOverride AuthConfig
236     Order allow,deny
237     Allow from all
238 </Directory>
239
240 <IfModule security2_module>
241     Include /usr/share/modsecurity-crs/*.conf
242     Include /usr/share/modsecurity-crs/base_rules/*.conf
243 </IfModule>
244 <LocationMatch /shared>
245     # Uncomment to troubleshoot
246     SecDebugLogLevel 9
247     SecDebugLog /tmp/troubleshooting.log
248
249     # Enforce an existing IP address block
250     SecRule IP:bf_block "@eq 1" \
251     "phase:2,deny,\
252     msg:'IP address blocked because of suspected brute-forceattack'"
253
254     # Check that this is a POST
255     SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass"
256     # AND Check for authentication failure and increment counters
257     # NOTE this is for a Rails application, you probably need to customize this
258     SecRule RESPONSE_STATUS "^200" \
259     "setvar:IP.bf_counter=+1"
260
261     # Check for too many failures from a single IP address. Block for 10 minutes.
262     SecRule IP:bf_counter "@ge 3" \
263     "phase:5,pass,t:none, \
264     setvar:IP.bf_block,\
265     setvar:!IP.bf_counter,\
266     expirevar:IP.bf_block=600"
267 </LocationMatch>
There is nothing in the error logs except that it was shutting down while I initiated restart command.
-
Matt almost 10 years
Sorry! That is throwing the same error too.
-
krisFR almost 10 years
I've edited: try id:'1234' (replace = by : and add ')
-
Matt almost 10 years
Okay, I gave id to line 252 and 255 as well. But now the last second line has a syntax error: expirevar:IP.bf_block=600" See anything wrong here? And is there any way to add 2 locations in LocationMatch? Like <LocationMatch /shared /private>? Or should I duplicate the code again for the second location?