ModSecurity: whitelisting my IP, false positive on the response body due to gzip?

How can I whitelist my IP address in modsecurity, or ignore the response body entirely, so that it stops producing errors like this?

My WordPress site sits behind Cloudflare. The site also uses a caching plugin.

This is my configuration in the vhost config file.

<IfModule mod_security3.c>
    modsecurity on
    modsecurity_rules_file '/etc/httpd/conf.d/modsecurity.d/rules.conf'
    modsecurity_rules 'SecAuditLog /var/log/httpd/example.net-modsecurity.log'
    modsecurity_rules 'SecAuditLogParts ABCEFHZ'
    modsecurity_rules 'SecDefaultAction "phase:1,nolog,auditlog,pass"'
    modsecurity_rules 'SecDefaultAction "phase:2,nolog,auditlog,pass"'
    modsecurity_rules 'SecResponseBodyAccess Off'
    modsecurity_rules 'SecAuditEngine RelevantOnly'
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410001,phase:1,nolog,allow,ctl:ruleEngine=Off"'
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410002,phase:2,nolog,allow,ctl:ruleEngine=Off"'
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410003,phase:3,nolog,allow,ctl:ruleEngine=Off"'
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410004,phase:4,nolog,allow,ctl:ruleEngine=Off"'
</IfModule>

This part

    modsecurity_rules 'SecResponseBodyAccess Off'
    modsecurity_rules 'SecAuditEngine RelevantOnly'

seems to be ignored, because it still trips:

ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?:\x1f\x8b\x08|\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|r(?:ar!|iff)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\b|gif)|B(?:%pdf|\.ra)\b|^wOF[F2])' against variable `RESPONSE_BODY' (Value: `\xff\xcd!>}\xbbG\xf1\x1cN'\xb6I\x0e\xa6\xfas\x0e2Z\x8e\xf9\xf29\x0a\x0e\x84a|\xac\xd4Vo\xd6\x99n\xd0 (23587 characters omitted)' ) [file "/usr/local/coreruleset/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf"] [line "83"] [id "953120"] [rev ""] [msg "PHP source code leakage"] [data "Matched Data: <? found within RESPONSE_BODY: \xff\xcd!>}\xbbG\xf1\x1cN'\xb6I\x0e\xa6\xfas\x0e2Z\x8e\xf9\xf29\x0a\x0e\x84a|\xac\xd4Vo\xd6\x99n\xd0 (7941 characters omitted)"] [severity "3"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-disclosure"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/118/116"] [tag "PCI/6.5.6"] [hostname "example.net"] [uri "/wp-admin/post.php"] [unique_id "1618055573"] [ref "o4271,2v2196,8096v2196,8096"]
ModSecurity: Access denied with code 200 (phase 4). Matched "Operator `Ge' with parameter `4' against variable `TX:OUTBOUND_ANOMALY_SCORE' (Value: `4' ) [file "/usr/local/coreruleset/rules/RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "68"] [id "959100"] [rev ""] [msg "Outbound Anomaly Score Exceeded (Total Score: 4)"] [data ""] [severity "0"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname "example.net"] [uri "/wp-admin/post.php"] [unique_id "1618055573"] [ref ""]

These rules

    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410001,phase:1,nolog,allow,ctl:ruleEngine=Off"'
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410002,phase:2,nolog,allow,ctl:ruleEngine=Off"'
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410003,phase:3,nolog,allow,ctl:ruleEngine=Off"'
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch <MY_IP_ADDRESS>" "id:20210410004,phase:4,nolog,allow,ctl:ruleEngine=Off"'

don't work either, because, as I said, modsecurity still trips on me.

I'm using Apache/2.4.6 (CentOS), ModSecurity v3, the ModSecurity-apache connector and OWASP's CoreRuleSet.

Answer 1

It looks like the "rule" ID is set to some date code, 20210410001.

If you only need to whitelist two rules, then you only need two of those lines.

The "id:" parameter of one should be 953120, and the second "id:" should be 959100.

Those are the IDs of the rules in the mod_security log you posted.

I may have misread your rules; where are you creating these rules?

To explain: most "whitelisting" in mod_security is done by referring to the ID value of the rule you want to whitelist. That is also what the [id "959100"] part of the log line tells you, i.e. which rule is being invoked.

For example, you could edit whitelist.conf. I'm not sure about your installation, but something like: vim /etc/apache2/conf.d/whitelist.conf, or more likely closer to this:

vim /etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_10_whitelist.conf

but wherever your modsec config is,

add rules like the following:

SecRule REMOTE_ADDR "^192\.168\.0\.1" "phase:1,nolog,allow,ctl:ruleEngine=off,id:959100"
SecRule REMOTE_ADDR "^192\.168\.0\.1" "phase:1,nolog,allow,ctl:ruleEngine=off,id:953120"
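As an added example (not part of the question or the answer above), this is the narrower configuration a defender would usually prefer: exclude only the rule that misfires (953120, the one scoring 4 in the posted log) and only on the URI where it misfires, rather than switching the rule engine off for an IP. The mod_remoteip block is assumed because the site sits behind Cloudflare, where REMOTE_ADDR is the Cloudflare edge address unless the client IP is restored; the file path, the rule IDs 10001/10002 and the IP 203.0.113.10 are placeholders.

```apache
# Added example. Load these after the CRS rules (after modsecurity_rules_file
# in the vhost). IDs 1-99999 are the range CRS leaves free for local rules;
# never reuse the ID of a CRS rule, ModSecurity rejects duplicate IDs.

# 1) Behind Cloudflare, REMOTE_ADDR is the Cloudflare edge, so an @ipMatch
#    on your own address never fires. Restore the client IP first.
#    /etc/httpd/conf.d/cloudflare-ips.txt (assumed path) holds Cloudflare's
#    published ranges, one per line.
<IfModule mod_remoteip.c>
    RemoteIPHeader CF-Connecting-IP
    RemoteIPTrustedProxyList /etc/httpd/conf.d/cloudflare-ips.txt
</IfModule>

<IfModule mod_security3.c>
    # 2) Remove only rule 953120 ("PHP source code leakage") and only for the
    #    URI from the log. With that rule gone the outbound anomaly score no
    #    longer reaches the threshold (4) that 959100 blocks on, and every
    #    other outbound check stays active. Phase 1 so the removal is in
    #    place before the response-body phase (phase 4) runs.
    modsecurity_rules 'SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=953120"'

    # 3) If an administrator IP must still bypass the WAF, one phase 1 rule
    #    is enough: allow without an argument skips the remaining phases
    #    (except logging) and ctl:ruleEngine=Off covers anything that still
    #    runs. Keep this list short; it is a full bypass for that address.
    modsecurity_rules 'SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" "id:10002,phase:1,allow,nolog,ctl:ruleEngine=Off"'
</IfModule>
```

Before relying on the bypass rule, confirm in the audit log that the transaction's client address is your own IP rather than a Cloudflare range; if it is not, mod_remoteip is not in effect and the @ipMatch rule cannot match.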
