Firefox Indonesia: 501 (Not Implemented) when accessing apache+modsecurity

Someone named Romi Hardiyanto, who identified himself as a member of the Mozilla Firefox Indonesian localization team, sent an email informing us that our web server answers 501 (Not Implemented) when it is accessed from the Indonesian-language Firefox. According to him, a small part of the modsecurity rules has to be deleted. Make a backup before making any changes.

The rule in question is number 950006 in the file modsecurity_crs_40_generic_attacks.conf, as follows:

# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/(Cookie|Referer|X-OS-Prefs)/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))" \
    "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',,id:'950006',severity:'2'"

There are 2 parts that have to be removed, which I have marked in bold and strikethrough (|id), so that the rule becomes:

# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:'/(Cookie|Referer|X-OS-Prefs)/'|REQUEST_COOKIES|REQUEST_COOKIES_NAMES "(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)(?:[\'\"\|\;\`\-\s]|$))" \
    "capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'System Command Injection. Matched signature <%{TX.0}>',,id:'950006',severity:'2'"

Save the change and restart apache. Thank you, mas Romi.
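
A regression check for this edit, added here as an example (not part of the original post or of the ModSecurity rule set): it runs the rule's regex with and without the two "|id" alternatives over sample values. It assumes the false positive comes from the locale token "id" in Firefox's User-Agent header; all header and argument values are constructed, and the names TEMPLATE, SAMPLES and compare are hypothetical.

```python
import re

# Regex of rule 950006 with its escapes written out for Python's re module.
# @ID@ marks the two places where the post deletes "|id".
TEMPLATE = (
    r"(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)"
    r"|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)"
    r"|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b"
    r"|c(?:md(?:(?:32)?\.exe\b|\b\W*?/c)|d(?:\b\W*?[\\/]|\W*?\.\.)"
    r"|hmod.{0,40}?\+.{0,3}x))"
    r"|[;|`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)"
    r"|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l"
    r"|(?:xte)?rm|ls(?:of)?|telnet|uname|echo@ID@)\b|g(?:\+\+|cc\b))"
    r"|/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)"
    r"|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm"
    r"|ls(?:of)?|telnet|uname|echo@ID@)(?:['\"|;`\-\s]|$))"
)
ORIGINAL = re.compile(TEMPLATE.replace("@ID@", "|id"))  # rule as shipped
EDITED = re.compile(TEMPLATE.replace("@ID@", ""))       # rule after the edit

# Constructed sample values: two request headers and two request arguments.
SAMPLES = {
    "firefox_id_user_agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; id; "
                             "rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6",
    "accept_language": "id,en-us;q=0.7,en;q=0.3",
    "arg_uname": "report.txt; uname -a",
    "arg_id": "report.txt; id",
}


def matched(rx, value):
    """Return the matched signature (what TX.0 would capture) or None."""
    m = rx.search(value)
    return m.group(0) if m else None


def compare(samples):
    """Map each sample name to (match with original rule, match with edited rule)."""
    return {k: (matched(ORIGINAL, v), matched(EDITED, v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (before, after) in compare(SAMPLES).items():
        print(f"{name:24} original={before!r:12} edited={after!r}")
```

On these samples the edited rule lets the User-Agent through and still flags "; uname", but it also stops flagging "; id" in a request argument, which is the detection given up by deleting the alternative from the whole rule.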