Не удается найти идентификатор правила для внесения IP-адреса в белый список в ModSecurity
У меня есть локальный IP-адрес, который явно был забанен. Я хотел бы внести его в белый список. Подсеть уже есть в моем файле /etc/modsecurity/modsecurity.conf :
SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/19" "id: 20190108, phase: 2, pass, nolog, allow , ctl: ruleEngine = Off "
Однако я понятия не имею, какое другое правило запрещает IP. В /var/log/apache2/modsec_audit.log я вижу:
[Mon Feb 01 12:31:34.627591 2021] [evasive20:error] [pid 29339] [client 192.168.2.59:55696] client denied by server configuration: proxy:balancer://ssl.somedomain.com/images/SomeLogo.png
И в журнале ошибок apache ( /var/log/apache2/somedomain.error.log ) :
--7610ee77-A--
[02/Feb/2021:12:31:34 --0600] YBmahlOps3DcdHy1-g@TPgAAAFE 192.168.2.59 55696 192.168.64.181 8104
--7610ee77-B--
GET /images/SomeLogo.png HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Microsoft Outlook 14.0.7261; ms-office; MSOffice
Accept-Encoding: gzip, deflate
Host: www.somedomain.com
If-Modified-Since: Tue, 28 Jan 2020 13:36:14 GMT
If-None-Match: "57a2-59d334ec55bb1"
Connection: Keep-Alive
Cookie: BID=.webserver01
--7610ee77-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--7610ee77-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>
--7610ee77-H--
Apache-Error: [file "mod_evasive20.c"] [line 259] [level 3] client denied by server configuration: proxy:balancer://ssl.somedomain.com/images/SomeLogo.png
Apache-Handler: proxy-server
Stopwatch: 1612290694506716 122091 (- - -)
Stopwatch2: 1612290694506716 122091; combined=1392, p1=740, p2=0, p3=145, p4=421, p5=86, sr=112, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"
--7610ee77-Z--
Я не вижу идентификатора правила, поэтому могу внести этот IP-адрес в белый список, используя этот номер. Что мне здесь не хватает?
Вот пример клиента, пойманного определенным правилом:
--0740b112-H--
Message: Warning. Pattern match "^$" at REQUEST_HEADERS:user-agent. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "740"] [id "920330"] [rev "1"] [msg "Empty User Agent Hea
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 47.90.211.109] ModSecurity: Warning. Pattern match "^$" at REQUEST_HEADERS:user-agent. [file "/usr/share/modsecurity-crs/rules/REQUEST-920-PROTO
Apache-Handler: proxy-server
Stopwatch: 1612220768423003 54456 (- - -)
Stopwatch2: 1612220768423003 54456; combined=19332, p1=771, p2=1350, p3=100, p4=16996, p5=114, sr=116, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: Apache
Engine-Mode: "ENABLED"
А вот /etc/modsecurity/modsecurity.conf :
# -- Rule engine initialization ----------------------------------------------
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
# SecRuleEngine DetectionOnly
SecRuleEngine On
# -- Request body handling ---------------------------------------------------
# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
#
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
#
SecRequestBodyLimit 10485760
SecRequestBodyNoFilesLimit 10485760
# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072
# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
#
SecRequestBodyLimitAction Reject
# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
#
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
#
## SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
## "id:'200002',phase:2,t:none,log,deny,status:44, \
## msg:'Multipart request body failed strict validation: \
## PE %{REQBODY_PROCESSOR_ERROR}, \
## BQ %{MULTIPART_BOUNDARY_QUOTED}, \
## BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
## DB %{MULTIPART_DATA_BEFORE}, \
## DA %{MULTIPART_DATA_AFTER}, \
## HF %{MULTIPART_HEADER_FOLDING}, \
## LF %{MULTIPART_LF_LINE}, \
## SM %{MULTIPART_MISSING_SEMICOLON}, \
## IQ %{MULTIPART_INVALID_QUOTING}, \
## IP %{MULTIPART_INVALID_PART}, \
## IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
## FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
# Did we see anything that might be a boundary?
#
## SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
## "id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
#SecPcreMatchLimit 1000
SecPcreMatchLimit 250000
#SecPcreMatchLimitRecursion 1000
SecPcreMatchLimitRecursion 250000
# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# -- Response body handling --------------------------------------------------
# Allow ModSecurity to access response bodies.
# You should have this directive enabled in order to identify errors
# and data leakage issues.
#
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
#
SecResponseBodyAccess On
# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
#
SecResponseBodyMimeType text/plain text/html text/xml
# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288
# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
#
SecResponseBodyLimitAction ProcessPartial
# -- Filesystem configuration ------------------------------------------------
# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
#
# This default setting is chosen due to all systems have /tmp available however,
# this is less than ideal. It is recommended that you specify a location that's private.
#
SecTmpDir /tmp/
# The location where ModSecurity will keep its persistent data. This default setting
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
#
SecDataDir /tmp/
# -- File uploads handling configuration -------------------------------------
# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#
#SecUploadDir /opt/modsecurity/var/upload/
# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#
#SecUploadKeepFiles RelevantOnly
# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#
#SecUploadFileMode 0600
# -- Debug log configuration -------------------------------------------------
# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3
# -- Audit log configuration -------------------------------------------------
# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ
# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
#
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/
# -- Miscellaneous -----------------------------------------------------------
# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
#
SecArgumentSeparator &
# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
#
SecCookieFormat 0
# Specify your Unicode Code Point.
# This mapping is used by the t:urlDecodeUni transformation function
# to properly map encoded data to your language. Properly setting
# these directives helps to reduce false positives and negatives.
#
SecUnicodeMapFile unicode.mapping 20127
# SecRule REMOTE_ADDR "^***\.***\.***\***$" phase:1,nolog,allow,ctl:ruleEngine=Off
# SecRule REMOTE_ADDR "^***\.xxx\.xxx\.103$" phase:1,nolog,allow,ctl:ruleEngine=Off
SecRule REMOTE_ADDR "@ipMatch ***.***.0.0/16" "id:26091975,phase:2,pass,nolog,allow,ctl:ruleEngine=Off"
SecRule REMOTE_ADDR "@ipMatch 192.168.0.0/19" "id:20190108,phase:2,pass,nolog,allow,ctl:ruleEngine=Off"
0
задан DevOpsSauce
3 February 2021 в 16:15
Ссылка
1 ответ
Из того, что я вижу в опубликованном вами правиле с id:20190108, возможно, вы используете правило на неправильном этапе.
Если вам нужно принять решение об управлении доступом на основе заголовков (а не тела), используйте фазу:1. В противном случае вы можете быть заблокированы правилом в фазе:1 до того, которое вы добавили.
Кроме того, для исключения OWASP CRS рекомендуется использовать ctl:ruleRemoveByTag=OWASP_CRS в действиях вашего правила вместо ctl:ruleEngine=Off.
1
ответ дан Community
14 July 2021 в 13:32
Ссылка