June 14, 2023

ModSecurity: disabling specific rules to get rid of 403 responses

1. ModSecurity's default audit log is /var/log/modsec_audit.log. Check the log to see which rule the request violated, then disable that rule. For example:

ModSecurity: Warning. Matched "Operator Rx' with parameter^[\d.:]+$' against variable REQUEST_HEADERS:Host' (Value:IP:PORT' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "722"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "IP:PORT"] [severity "4"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "192.168.22.163"] [uri "/common/js/vue.min.js"] [unique_id "16566542606.086001"] [ref "o0,18v41,18"]

The log above shows that a request whose Host header was IP:PORT violated rule id 920350 in the configuration file /etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf, at line 722 of that file.

Rule description: the Host request header is a numeric IP address.

---lIGbRidu---H--
ModSecurity: Warning. Matched "Operator Rx' with parameter^[\w/.+-]+(?:\s?;\s?(?:action|boundary|charset|type|start(?:-info)?)\s?=\s?['"\w.()+,/:=?<>@-]+)*$' against variable REQUEST_HEADERS:Content-Type' (Value:application/json;' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "901"] [id "920470"] [rev ""] [msg "Illegal Content-Type header"] [data "application/json;"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/CONTENT_TYPE"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "192.168.22.163"] [uri "/2fa/getQRCode"] [unique_id "16566557539.331352"] [ref "v301,17t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter5' against variable TX:ANOMALY_SCORE' (Value:5' ) [file "/etc/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.22.163"] [uri "/2fa/getQRCode"] [unique_id "16566557539.331352"] [ref ""]

---lIGbRidu---Z--

The log above shows that this request violated rule id 920470 in the configuration file /etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf, at line 901 of that file, and

rule id 949110 in the configuration file /etc/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf, at line 80 of that file.

Rule description: Inbound Anomaly Score Exceeded (Total Score: 5)

2. Disable the rules with the given ids (global disable):

Add the following to the configuration file /etc/nginx/modsecurity/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf:

# Disable the rules with ids 920350, 920470 and 949110
SecRuleRemoveById 920350 920470 949110
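As an added example (not code from the original post), the Python script below parses audit-log messages in the format shown above, separates the rules that contributed to the anomaly score from the 949110 blocking decision that actually returned the 403, and emits both the post's global SecRuleRemoveById line and the narrower per-URI form that CRS documents for runtime exclusions. The sample log lines are constructed from the post's own redacted values, and the local rule ids starting at 1000 are an assumption (the range below 100000 is reserved for local rules).

```python
import re

# Constructed sample in the layout the post's audit log shows; ids, files and URIs are the
# post's own redacted values, not a live capture. One "Warning" per matched rule, then the
# anomaly-score decision (rule 949110) that actually returned the 403.
SAMPLE_AUDIT_LOG = r"""
ModSecurity: Warning. Matched "Operator Rx' with parameter^[\d.:]+$' against variable REQUEST_HEADERS:Host' (Value:IP:PORT' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "722"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [tag "paranoia-level/1"] [uri "/common/js/vue.min.js"]
ModSecurity: Warning. Matched "Operator Rx' against variable REQUEST_HEADERS:Content-Type' (Value:application/json;' ) [file "/etc/nginx/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "901"] [id "920470"] [msg "Illegal Content-Type header"] [severity "2"] [tag "paranoia-level/1"] [uri "/2fa/getQRCode"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator Ge' with parameter5' against variable TX:ANOMALY_SCORE' (Value:5' ) [file "/etc/nginx/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/2fa/getQRCode"]
"""

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')   # the [name "value"] pairs after the Matched text
ANOMALY_BLOCKING_RULE = "949110"             # CRS 3.x rule that turns the score into the 403

def parse_audit_messages(text):
    """Return one dict per 'ModSecurity:' message with the fields needed for triage."""
    events = []
    for chunk in text.split("ModSecurity: ")[1:]:
        fields = dict(FIELD.findall(chunk))    # repeated [tag ...] entries overwrite; id/file/line do not repeat
        denied = re.match(r"Access denied with code (\d+)", chunk)
        events.append({
            "id": fields.get("id"), "file": fields.get("file"), "line": fields.get("line"),
            "msg": fields.get("msg"), "uri": fields.get("uri"),
            "denied_code": int(denied.group(1)) if denied else None,
        })
    return events

def rules_to_exclude(events):
    """Map each URI to the rule ids that scored on it. 949110 is deliberately left out:
    it is the blocking rule itself, and removing it globally switches off blocking entirely."""
    per_uri = {}
    for e in events:
        if e["id"] and e["id"] != ANOMALY_BLOCKING_RULE:
            per_uri.setdefault(e["uri"], set()).add(e["id"])
    return per_uri

def global_exclusion(per_uri):
    """Configure-time exclusion, the post's method (goes in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf)."""
    ids = sorted(set().union(*per_uri.values()))
    return "SecRuleRemoveById " + " ".join(ids)

def per_uri_exclusions(per_uri, start_id=1000):
    """Runtime exclusions scoped to the URI that produced the false positive. These must be
    evaluated before the CRS rules, so they belong in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf."""
    lines = []
    for n, (uri, ids) in enumerate(sorted(per_uri.items()), start=start_id):
        ctl = ",".join(f"ctl:ruleRemoveById={i}" for i in sorted(ids))
        lines.append(f'SecRule REQUEST_URI "@beginsWith {uri}" "id:{n},phase:1,pass,nolog,{ctl}"')
    return lines
```

Running `per_uri_exclusions(rules_to_exclude(parse_audit_messages(SAMPLE_AUDIT_LOG)))` yields one SecRule per affected URI, so 920470 is only relaxed for /2fa/getQRCode instead of for every request.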

Article link: https://587v5.com/post/modsecuity-jin-yong-zhi-ding-gui-ze-jie-chu-403-fan-hui.html
