Apache2
ModSecurity blocks legitimate client requests
Randomly, modsecurity blocks legitimate client requests with a 403 error. This is the relevant section of modsec_audit.log:
--d6e99f36-A--
[21/Jun/2020:07:14:45 +0100] Xu761X8AAAEAADI1YrAAAABQ xxx.xxx.xxx.xxx 60036 xxx.xxx.xxx.xxx 443
--d6e99f36-B--
GET /s/p.json?eyJ0IjoyLjksImYiOnsiZmxpX3BsIjoiYXNwZXJzb3IiLCJmbGlfZyI6LTEsImZsaV9jIjotMSwiZmxpX20iOjAsImZsaV9hIjoyMDE1fSwiY3NyZiI6ImE5MDMwMDkxLTBlZjg$
Host: fneon.eu
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/
Content-Type: application/json,charset=UTF-8
DNT: 1
Connection: keep-alive
Cookie: jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyYzMwOGQwYTc5NGEyZWU2MjMxYzI2M2EyYWMzNjkwMCIsImV4cCI6MTU5MzY0NDQwMCwiaWF0IjoxNTkyNzE5ODg1$
Pragma: no-cache
Cache-Control: no-cache
--d6e99f36-F--
HTTP/1.1 403 Forbidden
X-FRAME-OPTIONS: DENY
X-Content-Type-Options: nosniff
Content-Length: 199
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--d6e99f36-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
--d6e99f36-H--
Apache-Error: [file "mod_evasive20.c"] [line 259] [level 3] client denied by server configuration: %s
Apache-Handler: proxy-server
Stopwatch: 1592720085355364 815 (- - -)
Stopwatch2: 1592720085355364 815; combined=42, p1=35, p2=0, p3=1, p4=0, p5=5, sr=0, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.0 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
--d6e99f36-Z--
This is my configuration (only what I changed):

/etc/modsecurity/modsecurity.conf
SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 5242880 (15Mb)

/etc/apache2/mods-enabled/evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 10
    DOSSiteCount 75
    DOSPageInterval 5
    DOSSiteInterval 1
    DOSBlockingPeriod 3000
    DOSWhitelist 127.0.0.1
    DOSWhitelist xxx.xxx.xxx.xxx
    DOSWhitelist xxx.xxx.xxx.xxx
    DOSWhitelist xxx.xxx.xxx.xxx
    DOSLogDir "/var/log/mod_evasive"
</IfModule>

/etc/apache2/conf-enabled/security.conf
ServerTokens Prod
One way to reproduce the problem is when a client makes a request like this one:
https://example.com/s/p.json?eyJ0IjoyLjksImYiOnsiZmxpX3BsIjoiYXNwZXJzb3IiLCJmbGlfZyI6LTEsImZsaV9jIjotMSwiZmxpX20iOjAsImZsaV9hIjoyMDExfSwiY3NyZiI6ImE5MDMwMDkxLTBlZjgtNDcyOC05YjQ1LTU1MWY3M2U5YjQ5MCJ9
...which in my case is a legitimate request. Can anyone tell me how to solve this? Thank you.
With all the default rules enabled, it is normal for ModSecurity to produce false positives. That is why you should disable the rules that cause problems, preferably only for the URLs that will not work without disabling them. Since what you quoted from the log lacks rule IDs, it is hard to give an exact answer, but here is an example of the process:
1. First find the rules that cause the problem. For example, if the legitimate client's IP address is 198.51.100.123, you can:
   grep "198.51.100.123" /var/log/apache2/example.com-error.log
   It is important to limit the search to a known-good IP; otherwise you will end up allowing something genuinely malicious!
2. Look at the ModSecurity: Warning lines and focus on [id ""] and [uri ""]. Say you find lines with [uri "/s/p.json"] and the rules they trigger are [id "941100"] and [id "941120"].
3. Configure your Apache globally or per virtual host to disable these rules, for example:
   <LocationMatch "/s/p.json">
       SecRuleRemoveById 941100 941120
   </LocationMatch>
Some articles on ModSecurity and handling false positives:
- OWASP CRS documentation: Adding Exceptions and Tuning CRS
- Nikhil Kumar: Avoiding Mod Security False Positives with Whitelisting
- Christian Folini: Handling False Positives with the OWASP ModSecurity Core Rule Set
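The three-step procedure in the answer above, scripted end to end as an added example (this is not code from the post or from the ModSecurity/CRS projects). It takes Apache error-log lines, keeps only those from a known-good client IP, collects the (uri, rule id) pairs from the "ModSecurity:" lines, and renders the per-URI SecRuleRemoveById blocks. Assumptions: the ModSecurity 2.x error-log format with bracketed [client ...], [id "..."] and [uri "..."] fields; IPv4 clients only; and that 949110 and 980130 are the CRS 3.x anomaly-score evaluation and reporting rules, which fire on every blocked request and must never be removed as an "exception". The sample log lines are constructed for the example. Lines for the good IP that carry no ModSecurity rule are returned separately, because the audit entry in the question attributes its 403 to mod_evasive20.c rather than to a ModSecurity rule, and those denials cannot be fixed with SecRuleRemoveById.

```python
import re
from collections import defaultdict

# Assumed log layout: Apache 2.4 "[client IP:port]" field, ModSecurity 2.x
# "[id \"NNN\"]" and "[uri \"/path\"]" fields.  IPv4 only.
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
ID_RE = re.compile(r'\[id "(\d+)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')

# Assumed CRS 3.x IDs: inbound anomaly-score blocking (949110) and the
# correlation/reporting rule (980130).  Removing them would turn blocking off.
SCORING_RULES = {"949110", "980130"}

# Constructed sample: two CRS hits plus the scoring rule for the good IP on
# /s/p.json, one mod_evasive denial for the good IP, and one hit from a
# different (not known-good) IP that must be ignored.
SAMPLE_LOG = """\
[Sun Jun 21 07:14:45.355364 2020] [:error] [pid 1234:tid 140] [client 198.51.100.123:60036] [client 198.51.100.123] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/s/p.json"] [unique_id "Xu761X8AAAEAADI1YrAAAABQ"]
[Sun Jun 21 07:14:45.355412 2020] [:error] [pid 1234:tid 140] [client 198.51.100.123:60036] [client 198.51.100.123] ModSecurity: Warning. Pattern match "(?i)<script[^>]*>[\\\\s\\\\S]*?" at ARGS_NAMES. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "64"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [severity "CRITICAL"] [hostname "example.com"] [uri "/s/p.json"] [unique_id "Xu761X8AAAEAADI1YrAAAABQ"]
[Sun Jun 21 07:14:45.355500 2020] [:error] [pid 1234:tid 140] [client 198.51.100.123:60036] [client 198.51.100.123] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/s/p.json"] [unique_id "Xu761X8AAAEAADI1YrAAAABQ"]
[Sun Jun 21 07:15:02.101000 2020] [evasive20:error] [pid 1234:tid 141] [client 198.51.100.123:60040] client denied by server configuration: /s/p.json
[Sun Jun 21 07:16:10.220000 2020] [:error] [pid 1234:tid 142] [client 203.0.113.5:51000] [client 203.0.113.5] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/login"] [unique_id "Xu77AX8AAAEAADI1YrEAAABR"]
"""


def modsec_hits(log_text, good_ip):
    """Step 1+2: return ({uri: sorted rule ids}, other_denials) for good_ip only.

    Lines from other client IPs are dropped so that attacker traffic never
    ends up whitelisted.  Lines for good_ip that are not ModSecurity rule hits
    (e.g. mod_evasive's "client denied by server configuration") go to
    other_denials so the operator sees they need a different fix.
    """
    hits = defaultdict(set)
    other_denials = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m or m.group(1) != good_ip:
            continue
        if "ModSecurity:" not in line:
            other_denials.append(line)
            continue
        rid, uri = ID_RE.search(line), URI_RE.search(line)
        if not rid or not uri or rid.group(1) in SCORING_RULES:
            continue
        hits[uri.group(1)].add(rid.group(1))
    return {u: sorted(ids) for u, ids in hits.items()}, other_denials


def exceptions_config(hits):
    """Step 3: render one anchored <LocationMatch> block per URI."""
    out = []
    for uri in sorted(hits):
        # Anchor and escape the path so "/s/p.json" does not also match
        # "/s/pXjson" or "/s/p.json/anything".
        out.append('<LocationMatch "^%s$">' % re.escape(uri))
        out.append("    SecRuleRemoveById %s" % " ".join(hits[uri]))
        out.append("</LocationMatch>")
    return "\n".join(out)


if __name__ == "__main__":
    found, other = modsec_hits(SAMPLE_LOG, "198.51.100.123")
    print(exceptions_config(found))
    for line in other:
        print("# not a ModSecurity rule hit, SecRuleRemoveById will not help:", line)
```

Run it against a real error log with the known-good IP and paste the emitted blocks into the virtual host, then reload Apache. Review the rule IDs before committing them: an exception for a request-parsing rule on one JSON endpoint is reasonable, but if the list grows to include generic rules across many URIs, tune the anomaly threshold or the offending rule's target (SecRuleUpdateTargetById) instead of removing rules wholesale.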