Mod_security - Syntax error


Solution 1

I would say that an action unique ID is mandatory.

Try:

SecRule IP:bf_block "@eq 1" "phase:2,deny,id:'1234',msg:'IP address blocked because of suspected brute-forceattack'"

For id, use any number you want; just make sure not to use the same one twice (or more).

Solution 2

ModSecurity: No action id present within the rule

The error above is encountered with rules that were set up and working well with older mod_security module versions (such as those before v2.7.x). Starting with ModSecurity 2.7, a unique ID needs to be assigned to the rule or chain in which it appears: "this action is mandatory and must be numeric".

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id

So the error shows up after moving the rules to servers with newer versions of the mod_security module, or after in-place mod_security updates/upgrades, such as from 2.6.x to 2.7.x.
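A small pre-deployment check for the two requirements stated in the answers above (every rule or chain needs an id, and no id may be used twice), given as an added example that is not part of the original answers; the function names and the sample rules are constructed for illustration. It returns the first and last line of each offending rule, because Apache names the last line of a continued directive, as with line 252 in the question.

```python
import re
import shlex
from collections import Counter

# Constructed sample modelled on the rules in the question; the ids are made up.
SAMPLE = r"""
SecRule IP:bf_block "@eq 1" \
        "phase:2,deny,\
        msg:'blocked, suspected brute force'"
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass,id:'1001'"
    SecRule RESPONSE_STATUS "^200" "setvar:IP.bf_counter=+1"
SecRule IP:bf_counter "@ge 3" \
        "phase:5,pass,t:none,id:'1001',\
        setvar:IP.bf_block,expirevar:IP.bf_block=600"
"""
# One action per match; commas inside single-quoted values (msg:'a, b') do not split.
ACTION_RE = re.compile(r"(?:[^,']|'[^']*')+")

def logical_directives(text):
    """Yield (first_line, last_line, directive), joining '\\' continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None and (not line.strip() or line.lstrip().startswith("#")):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, n, (buf + line).strip()
        buf, start = "", None

def lint(text):
    """Return (line spans of rules with no id, ids that are used more than once)."""
    missing, seen, in_chain = [], Counter(), False
    for first, last, directive in logical_directives(text):
        tokens = shlex.split(directive)
        if tokens[0] not in ("SecRule", "SecAction"):
            continue
        idx = 3 if tokens[0] == "SecRule" else 1  # position of the ACTIONS argument
        raw = tokens[idx] if len(tokens) > idx else ""
        actions = [a.strip() for a in ACTION_RE.findall(raw)]
        ids = [a[3:].strip("'") for a in actions if a.startswith("id:")]
        if not in_chain and not ids:  # a chained rule is covered by its starter's id
            missing.append((first, last))
        elif not in_chain:
            seen[ids[0]] += 1
        in_chain = "chain" in actions
    return missing, sorted(i for i, c in seen.items() if c > 1)
```

On the sample, `lint(SAMPLE)` flags the rule spanning lines 2 to 4 as missing an id and reports `1001` as reused.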

Author by

Matt

Updated on September 18, 2022

Comments

  • Matt
    Matt over 1 year

    I have a password-protected directory on my web server. To protect it from brute-force attacks, I tried to add the IP-based blocking config below to the apache2 config file.

    But every time I restart Apache2 I get a syntax error. Does anyone know how to resolve this? Thanks

    Apache version: 2.2
    Mod Security CRS - 2.2.8-1

    Error when restarting Apache

    /etc/init.d/apache2 restart
     * Restarting web server apache2                     [fail]
     * The apache2 configtest failed.
    Output of config test was:
    AH00526: Syntax error on line 252 of /etc/apache2/apache2.conf:
    ModSecurity: No action id present within the rule
    Action 'configtest' failed.
    The Apache error log may have more information.
    

    Here is the apache config file content:

    232 Alias /shared /var/shared
    233 <Directory /var/shared>
    234         Options Indexes MultiViews FollowSymLinks
    235         AllowOverride AuthConfig
    236         Order allow,deny
    237         Allow from all
    238 </Directory>
    239
    240 <IfModule security2_module>
    241     Include /usr/share/modsecurity-crs/*.conf
    242     Include /usr/share/modsecurity-crs/base_rules/*.conf
    243 </IfModule>
    244 <LocationMatch /shared>
    245         # Uncomment to troubleshoot
    246        SecDebugLogLevel 9
    247        SecDebugLog /tmp/troubleshooting.log
    248
    249        # Enforce an existing IP address block
    250        SecRule IP:bf_block "@eq 1" \
    251                "phase:2,deny,\
    252                msg:'IP address blocked because of suspected brute-forceattack'"
    253
    254        # Check that this is a POST
    255        SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass"
    256             # AND Check for authentication failure and increment counters
    257             # NOTE this is for a Rails application, you probably need to customize this
    258                SecRule RESPONSE_STATUS "^200" \
    259                        "setvar:IP.bf_counter=+1"
    260
    261        # Check for too many failures from a single IP address. Block for 10 minutes.
    262        SecRule IP:bf_counter "@ge 3" \
    263                "phase:5,pass,t:none, \
    264                setvar:IP.bf_block,\
    265                setvar:!IP.bf_counter,\
    266                expirevar:IP.bf_block=600"
    267 </LocationMatch>
    

    There is nothing in the error logs except that it was shutting down while I initiated restart command.

  • Matt
    Matt almost 10 years
    Sorry! That is throwing the same error too..
  • krisFR
    krisFR almost 10 years
    I've edited: try id:'1234' (replace = with : and add ')
  • Matt
    Matt almost 10 years
    Okay, I gave an id to lines 252 and 255 as well. But now the second-last line has a syntax error: expirevar:IP.bf_block=600" See anything wrong here? And is there any way to add 2 locations in LocationMatch? Like <LocationMatch /shared /private>? Or should I duplicate the code again for the second location?