LINUX.ORG.RU
mod_security apache2

Good day, everyone.

Please help me configure the mod_security module in apache2 on Ubuntu 14.04.4 x64. I found a pile of links and articles on the subject, but they are all either from 2012-2015 or plainly inaccurate... For example, what gets installed for me is libapache2_modsecurity2, so the module is not mod_security but security2, which is why many of the configs don't work... But that is only half the trouble. I did manage to configure the module, but when using the OWASP ModSecurity rules I get a heap of errors about everything and anything being blocked. I used both base_rules and active_rules. In short, I need a proper manual; can anyone write one or give a proper link on how to fully configure this module, with explanations and examples? Many thanks in advance.

Specifically, the result of my installation (enabled options): /etc/apache2/mods-enabled/security2.conf:

SecDataDir /var/cache/modsecurity
IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/base_rules/*.conf

File /etc/apache2/mods-enabled/security2.load:

LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so.2
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

File /etc/modsecurity/modsecurity.conf:

#SecRuleEngine DetectionOnly
SecRuleEngine On
SecServerSignature FreeOSHTTP
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
#SecRequestBodyLimit 13107200
SecRequestBodyLimit 16384000
#SecRequestBodyNoFilesLimit 131072
SecRequestBodyNoFilesLimit 16384000
#SecRequestBodyInMemoryLimit 131072
SecRequestBodyInMemoryLimit 16384000
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
SecTmpDir /tmp/
SecDataDir /tmp/
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecUnicodeMapFile unicode.mapping 20127

File /etc/modsecurity/modsecurity_crs_10_setup.conf: the stock one from OWASP

File /etc/apache2/mods-enabled/mpm_prefork.conf:

<IfModule mpm_prefork_module>
	StartServers			5
	MinSpareServers		5
	MaxSpareServers		10
	MaxRequestWorkers		200
	ServerLimit			200
	MaxClients				200
	MaxConnectionsPerChild	2000
	MaxRequestsPerChild		2000
</IfModule>

Accordingly, the /etc/modsecurity folder holds 2 *.conf files: modsecurity.conf and modsecurity_crs_10_setup.conf. QUESTION 1: should both config files be loaded, or is modsecurity.conf enough? What does modsecurity_crs_10_setup.conf mean: is it a one-time setup file, or should it be active all the time?

QUESTION 2: Which rules will definitely work, and which should be used: base_rules or activated_rules?

QUESTION 3: In /etc/apache2/apache2.conf there is a setting to hide information about Apache, specifically ServerTokens Prod, but with that setting mod_security complains on startup that the token length is not full and asks to enable the full token length, i.e. ServerTokens Full; but then Apache will show information about itself, which I don't want. How do I live with that?

QUESTION 4: In /etc/apache2/mods-enabled/security2.load, should the LoadFile libxml2.so.2 entry be left as is, or written out in full as LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so.2?

QUESTION 5: How do I find the version of mod_security and of the OWASP rule set? This is a version-compatibility question, so that it doesn't turn out as in one of the articles, where the OWASP rules version did not match the mod_security version (I installed everything from the repository per the manual).

QUESTION 6: The logs themselves. On Apache's initial startup, the file /etc/apache2/error.log gets:

[Mon Aug 08 18:06:25.000070 2016] [:notice] [pid 4771] ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured.
[Mon Aug 08 18:06:25.000169 2016] [:notice] [pid 4771] ModSecurity: APR compiled version="1.5.1-dev"; loaded version="1.5.1-dev"
[Mon Aug 08 18:06:25.000176 2016] [:notice] [pid 4771] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.31 2012-07-06"
[Mon Aug 08 18:06:25.000181 2016] [:notice] [pid 4771] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Aug 08 18:06:25.000185 2016] [:notice] [pid 4771] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Aug 08 18:06:26.006486 2016] [mpm_prefork:notice] [pid 4772] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Mon Aug 08 18:06:26.006590 2016] [core:notice] [pid 4772] AH00094: Command line: '/usr/sbin/apache2'

What can be said from this startup log? Is everything right, or is something not loaded? At the very least I can't find the evasive module, although I installed it alongside.

QUESTION 7: The errors while mod_security is running, simply on accessing one of the sites (a .htaccess file redirects into the site folder):

[Mon Aug 08 18:11:15.017274 2016] [:error] [pid 4777] [client 192.168.0.253] ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:code. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 \\xfd\\xeb. \\xef\\xee\\xf7\\xf2\\xfb \\xef\\xee\\xeb\\xf3\\xf7\\xe0\\xf2\\xe5\\xeb\\xff? found within ARGS:code: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 \\xfd\\xeb. \\xef\\xee\\xf7\\xf2\\xfb \\xef\\xee\\xeb\\xf3\\xf7\\xe0\\xf2\\xe5\\xeb\\xff?"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [hostname "site.com"] [uri "/upload.php"] [unique_id "V6ho0sCoAOgAABKpzNoAAAAB"]
[Mon Aug 08 18:11:15.027209 2016] [:error] [pid 4777] [client 192.168.0.253] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [hostname "site.com"] [uri "/box/upload.php"] [unique_id "V6ho0sCoAOgAABKpzNoAAAAB"]

The modsec_audit.log file receives this log:

--3694d703-A--
[08/Aug/2016:18:11:15 +0700] V6ho0sCoAOgAABKpzNoAAAAB 192.168.0.253 56540 192.168.0.232 80
--3694d703-B--
POST /upload.php HTTP/1.1
Host: site.com
Connection: keep-alive
Content-Length: 315
Cache-Control: max-age=0
Origin: http://site.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 YaBrowser/16.7.0.3342 Yowser/2.5 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBQhab1BHnSIbcaqP
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Referer: http://site.com/
Accept-Encoding: gzip, deflate
Accept-Language: ru,en;q=0.8
Cookie: __utmz=61650367.1465064573.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=61650367.977473803.1465064573.1465179927.1465184383.3; PHPSESSID=qq0nj7d06rhu2um6tgonsa6ha0

--3694d703-I--
code=%d3%ea%e0%e6%e8%f2%e5+%e0%e4%f0%e5%f1+%fd%eb%2e+%ef%ee%f7%f2%fb+%ef%ee%eb%f3%f7%e0%f2%e5%eb%ff%3f
--3694d703-F--
HTTP/1.1 200 OK
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1228
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html

--3694d703-H--
Message: Warning. Pattern match "\\W{4,}" at ARGS:code. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \xd3\xea\xe0\xe6\xe8\xf2\xe5 \xe0\xe4\xf0\xe5\xf1 \xfd\xeb. \xef\xee\xf7\xf2\xfb \xef\xee\xeb\xf3\xf7\xe0\xf2\xe5\xeb\xff? found within ARGS:code: \xd3\xea\xe0\xe6\xe8\xf2\xe5 \xe0\xe4\xf0\xe5\xf1 \xfd\xeb. \xef\xee\xf7\xf2\xfb \xef\xee\xeb\xf3\xf7\xe0\xf2\xe5\xeb\xff?"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"]
Apache-Handler: application/x-httpd-php
Stopwatch: 1470654674970974 56402 (- - -)
Stopwatch2: 1470654674970974 56402; combined=3072, p1=463, p2=2500, p3=0, p4=0, p5=109, sr=100, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--3694d703-J--
2,0,"","<Unknown ContentType>"
Total,0

--3694d703-Z--
QUESTION 8: How do I make the log get written in a human-readable way? Rather than:
\\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 \\xfd\\xeb. \\xef\\xee\\xf7\\xf2\\xfb \\xef\\xee\\xeb\\xf3\\xf7\\xe0\\xf2\\xe5\\xeb\\xff? found within ARGS:code: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0

QUESTION 9: The main problems, and the /etc/apache2/error.log log. I thought this was because of .htaccess and mod_rewrite, but with .htaccess disabled it is all the same:

"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/backend.php"] [unique_id "V6hrisCoAOgAABOCD3UAAAAA"]
[Mon Aug 08 18:22:51.268791 2016] [:error] [pid 4994] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/images/alert.png"] [unique_id "V6hri8CoAOgAABOCD3YAAAAA"]
[Mon Aug 08 18:23:51.907905 2016] [:error] [pid 5003] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/backend.php"] [unique_id "V6hrx8CoAOgAABOLN4QAAAAF"]
[Mon Aug 08 18:23:52.255462 2016] [:error] [pid 5003] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/images/alert.png"] [unique_id "V6hryMCoAOgAABOLN4UAAAAF"]
[Mon Aug 08 18:24:52.915628 2016] [:error] [pid 4998] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/backend.php"] [unique_id "V6hsBMCoAOgAABOGsIgAAAAE"]
[Mon Aug 08 18:24:53.262984 2016] [:error] [pid 4998] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/images/alert.png"] [unique_id "V6hsBcCoAOgAABOGsIkAAAAE"]
[Mon Aug 08 18:25:53.913805 2016] [:error] [pid 5003] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/backend.php"] [unique_id "V6hsQcCoAOgAABOLN4YAAAAF"]
[Mon Aug 08 18:25:54.273085 2016] [:error] [pid 5003] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/images/alert.png"] [unique_id "V6hsQsCoAOgAABOLN4cAAAAF"]
[Mon Aug 08 18:26:54.898572 2016] [:error] [pid 4995] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/backend.php"] [unique_id "V6hsfsCoAOgAABODcZ8AAAAB"]
[Mon Aug 08 18:26:55.265275 2016] [:error] [pid 4995] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/images/alert.png"] [unique_id "V6hsf8CoAOgAABODcaAAAAAB"]
[Mon Aug 08 18:27:55.915363 2016] [:error] [pid 5035] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/backend.php"] [unique_id "V6hsu8CoAOgAABOrrykAAAAG"]
[Mon Aug 08 18:27:56.246379 2016] [:error] [pid 5035] [client 192.168.0.253] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "tt.prodsib.com"] [uri "/images/alert.png"] [unique_id "V6hsvMCoAOgAABOrryoAAAAG"]

Thanks in advance for all hints and advice!

P.S. I mainly followed this manual: https://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

However much I wrestled with mod security, no luck. Last attempt: tore everything down and reinstalled it, configured it again, filtering works, removed all rules from .htaccess, did everything cleanly, set up virtual hosts in Apache, all by the book... It STILL DOESN'T WORK! For instance, it cuts the site off from Yandex Browser but not from IE and FF ) it is simply unclear how the rules work... I'm using the latest version of both mod security and the OWASP rule sets, enabling only the base and optional ones. Even with this option in apache2.conf: <Directory /var/www/site> <IfModule security2_module> SecRuleEngine Off </IfModule> </Directory>

I have to turn everything off: <IfModule security2_module> SecRuleEngine Off </IfModule>

Doesn't help! Site.ru still opens in some places and not in others; the main page, for instance, opens in IE, then you follow a link on the site = 403, mod security cuts it off mercilessly!

My question is: what on earth are such rules for, if they block the simplest HTML site for nothing? Is there anyone who can help with the rules and with how mod security works?

alexpebody
() topic starter
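An added example for questions 7 to 9 (my code, not from the post, ModSecurity or the OWASP CRS): it decodes the \xNN escapes in the logged [data "..."] field, assuming the site submits Windows-1251 (an inference from the bytes 0xd3 0xea ... in the log), and reproduces why rules 960024 and 981172 fire on the argument and cookie values shown above. The sample log lines are constructed and cut down from the post; both regexes are re-typed from its log messages.

```python
"""Added example, not code from the post: decode the \\xNN escapes ModSecurity 2.x
writes into error.log and modsec_audit.log (question 8) and reproduce why CRS 2.2.9
rules 960024 and 981172 fire on the values in questions 7 and 9. The log lines are
constructed samples cut down from the post; both regexes are re-typed from them."""
import re
from typing import Optional

# error.log doubles every backslash relative to the audit log.
ERROR_LOG_LINE = (
    r'[Mon Aug 08 18:11:15.017274 2016] [:error] [pid 4777] ModSecurity: Warning. '
    r'Pattern match "\\\\W{4,}" at ARGS:code. [id "960024"] [data "Matched Data: '
    r'\\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 found within ARGS:code"]'
)
AUDIT_LOG_LINE = (
    r'Message: Warning. Pattern match "\\W{4,}" at ARGS:code. [id "960024"] '
    r'[data "Matched Data: \xd3\xea\xe0\xe6\xe8\xf2\xe5 \xe0\xe4\xf0\xe5\xf1 \xfd\xeb. '
    r'\xef\xee\xf7\xf2\xfb \xef\xee\xeb\xf3\xf7\xe0\xf2\xe5\xeb\xff?"]'
)
# Cookie value from the 981172 messages in question 9.
COOKIE = 'root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4'

_HEX_ESCAPE = re.compile(rb'\\x([0-9a-fA-F]{2})')

def extract_field(line: str, name: str) -> Optional[str]:
    """Value of a [name "value"] field in a ModSecurity message, or None."""
    m = re.search(r'\[' + re.escape(name) + r' "(.*?)"\]', line)
    return m.group(1) if m else None

def unescape_modsec(field: str) -> bytes:
    """Turn ModSecurity's \\xNN escapes back into the original request bytes.
    The error log escapes each backslash once more, so that layer is stripped
    first; audit-log fields already carry single backslashes."""
    raw = field.replace('\\\\', '\\').encode('latin-1')
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def readable_data(line: str, charset: str = 'cp1251') -> str:
    """Human-readable [data "..."] field. The site in the post submits Windows-1251
    (bytes 0xd3 0xea ... are Cyrillic in that code page), hence the default."""
    field = extract_field(line, 'data')
    if field is None:
        raise ValueError('no [data "..."] field in line')
    return unescape_modsec(field).decode(charset)

def matches_960024(value: bytes) -> bool:
    """Rule 960024 applies \\W{4,} to raw bytes. Without PCRE UTF-8 mode every
    byte >= 0x80 is a non-word character, so four consecutive cp1251 Cyrillic
    letters trip it; Python's bytes regex has the same ASCII-only \\w."""
    return re.search(rb'\W{4,}', value) is not None

def matches_960024_unicode(value: bytes, charset: str = 'cp1251') -> bool:
    """The same test on the decoded text, where Cyrillic letters count as \\w."""
    return re.search(r'\W{4,}', value.decode(charset)) is not None

# Character class of rule 981172 (modsecurity_crs_41_sql_injection_attacks.conf):
# eight or more of these characters anywhere in a value trip it, which is why a
# harmless tree-state cookie full of ":-" pairs earns a 403.
RULE_981172 = re.compile(r'''([~!@#$%^&*()\-+={}\[\]|:;"'´’‘`<>].*?){8,}''')
RESTRICTED_981172 = set('~!@#$%^&*()-+={}[]|:;"\'´’‘`<>')

def restricted_char_count(value: str) -> int:
    """How many 981172 characters a value carries (the threshold is 8)."""
    return sum(1 for ch in value if ch in RESTRICTED_981172)

def matches_981172(value: str) -> bool:
    return RULE_981172.search(value) is not None
```

Running `readable_data` over the audit-log sample yields "Matched Data: Укажите адрес эл. почты получателя?", i.e. an ordinary Russian form prompt, not an attack; the cookie carries 14 restricted characters against the rule's threshold of 8.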