Mod_security - syntax error

I have a password-protected directory on my web server. To prevent brute-force attacks, I tried adding the IP-based blocking configuration shown below to the apache2 configuration file.

But every time I restart Apache2 I get a syntax error. Does anyone know how to fix this? Thanks

Apache version: 2.2
Mod Security CRS - 2.2.8-1

Error when restarting Apache

/etc/init.d/apache2 restart
 * Restarting web server apache2                     [fail]
 * The apache2 configtest failed.
Output of config test was:
AH00526: Syntax error on line 252 of /etc/apache2/apache2.conf:
ModSecurity: No action id present within the rule
Action 'configtest' failed.
The Apache error log may have more information.

Here is the content of the apache configuration file:

232 Alias /shared /var/shared
233 <Directory /var/shared>
234         Options Indexes MultiViews FollowSymLinks
235         AllowOverride AuthConfig
236         Order allow,deny
237         Allow from all
238 </Directory>
239
240 <IfModule security2_module>
241     Include /usr/share/modsecurity-crs/*.conf
242     Include /usr/share/modsecurity-crs/base_rules/*.conf
243 </IfModule>
244 <LocationMatch /shared>
245         # Uncomment to troubleshoot
246        SecDebugLogLevel 9
247        SecDebugLog /tmp/troubleshooting.log
248
249        # Enforce an existing IP address block
250        SecRule IP:bf_block "@eq 1" \
251                "phase:2,deny,\
252                msg:'IP address blocked because of suspected brute-forceattack'"
253
254        # Check that this is a POST
255        SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass"
256             # AND Check for authentication failure and increment counters
257             # NOTE this is for a Rails application, you probably need to customize this
258                SecRule RESPONSE_STATUS "^200" \
259                        "setvar:IP.bf_counter=+1"
260
261        # Check for too many failures from a single IP address. Block for 10 minutes.
262        SecRule IP:bf_counter "@ge 3" \
263                "phase:5,pass,t:none, \
264                setvar:IP.bf_block,\
265                setvar:!IP.bf_counter,\
266                expirevar:IP.bf_block=600"
267 </LocationMatch>

There is nothing in the error log, only that it was shutting down when I issued the restart command.

Answer 1

I'd say the unique action ID is mandatory.

Try:

SecRule IP:bf_block "@eq 1" "phase:2,deny,id:'1234',msg:'IP address blocked because of suspected brute-forceattack'"

You can use any number for the id, but make sure you don't use the same number twice (or more).

Answer 2

ModSecurity: No action id present within the rule

The above error is encountered with rules that were set up for and used with an older version of the mod_security module (e.g. prior to v. 2.7.x). Starting with ModSecurity 2.7, a unique ID has to be assigned to the rule or chain in which it appears; "this action is mandatory and must be numeric".

https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#id

So the error shows up after moving the rules to a server with a newer version of the mod_security module, or after a mod_security update/upgrade (e.g. from 2.6.x to 2.7.x, etc.).

Answer 3

You have to add the id action, because modsecurity requires an id number, for example:

SecRule REQUEST_FILENAME "form.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_BODY "@rx (?i:(pills|insurance|rolex))"
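As an added example, not part of the question or of any answer above: a small Python check that applies what the three answers describe. It joins Apache-style backslash continuations, then reports every SecRule chain starter that lacks a numeric id action (a rule that follows a chain action carries no metadata, so it is skipped). The rule block is the one from the question; the corrected copy and its id values are constructed for this example.

```python
import re, shlex
# Constructed sample: the SecRule block from the question, line numbers dropped, otherwise as posted.
SAMPLE_CONF = r'''
SecRule IP:bf_block "@eq 1" \
        "phase:2,deny,\
        msg:'IP address blocked because of suspected brute-forceattack'"
SecRule REQUEST_METHOD "@streq POST" "phase:5,chain,t:none,nolog,pass"
    SecRule RESPONSE_STATUS "^200" \
        "setvar:IP.bf_counter=+1"
SecRule IP:bf_counter "@ge 3" \
        "phase:5,pass,t:none, \
        setvar:IP.bf_block,\
        setvar:!IP.bf_counter,\
        expirevar:IP.bf_block=600"
'''
# The same rules with a unique numeric id on each chain starter, as ModSecurity 2.7+ requires (constructed ids).
FIXED_CONF = r'''
SecRule IP:bf_block "@eq 1" "id:1000001,phase:2,deny,msg:'IP blocked, brute force suspected'"
SecRule REQUEST_METHOD "@streq POST" "id:1000002,phase:5,chain,t:none,nolog,pass"
    SecRule RESPONSE_STATUS "^200" "setvar:IP.bf_counter=+1"
SecRule IP:bf_counter "@ge 3" "id:1000003,phase:5,pass,setvar:IP.bf_block,setvar:!IP.bf_counter,expirevar:IP.bf_block=600"
'''

def logical_lines(text):
    """Yield (first_line_no, directive); a trailing backslash joins the next line, Apache style."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None and (not line or line.startswith("#")):
            continue                                  # blank or comment line between directives
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1])                     # keep any space written before the backslash
            continue
        buf.append(line)
        yield start, "".join(buf)
        buf, start = [], None

def rules_missing_id(text):
    """Return first line numbers of SecRule chain starters with no numeric id action (msg:'a, b' commas are not separators)."""
    missing, chained = [], False
    for line_no, directive in logical_lines(text):
        parts = shlex.split(directive)                # SecRule VARIABLES "OPERATOR" "ACTIONS"
        if not parts or parts[0].lower() != "secrule":
            continue
        actions = [a.strip() for a in re.split(r",(?=(?:[^']*'[^']*')*[^']*$)", parts[3])] if len(parts) > 3 else []
        starter = not chained                         # a rule after "chain" carries no metadata actions
        chained = "chain" in actions                  # the next SecRule belongs to this rule's chain
        if starter and not any(re.fullmatch(r"id:'?\d+'?", a) for a in actions):
            missing.append(line_no)
    return missing
```

Running `rules_missing_id(SAMPLE_CONF)` names the three chain starters the configtest would reject one by one, while the corrected copy comes back clean.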
