我租用了一台准系统服务器,安装了 Centos 7,然后安装了 centos web 面板,服务器设置为仅 apache,使用 apache 2.4.4x 和 php 7。
我在其中一个虚拟主机上建立了一个 wordpress 网站,编辑了一段时间后,当我尝试在手机上查看该网站时,我发现它显示 403 禁止访问。我还在不同的网站上检查了几台不同的电脑,结果奇怪的是,似乎只有我用来编辑网站的浏览器才能查看它。
我使用的是 Chrome,在此过程中我一直使用 Firefox 进行编辑,我再次尝试使用 Firefox,它可以正常工作。但是在我将 Firefox 刷新为出厂设置后,它仍然显示 403,我尝试在隐身模式下使用 Chrome,但问题没有重现。
我已将所有文件设置为 644,将所有目录设置为 755
使用我的手机时,无论我使用的是 wifi 还是移动网络,都是 403
我使用 index.html 中的 meta refresh 将流量重定向到 site/ 上的 wordpress 网站
以下是返回 403 时的日志摘录
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:38 +0800] "GET / HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
==> example.com.error.log <==
[Sat Nov 07 08:31:39.815669 2020] [:error] [pid 18537:tid 140088488527616] [client YYY.YYY.232.181:51246] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq62SIpp9t4B3qVX2@-QAAAMU"]
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:39 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
==> example.com.error.log <==
[Sat Nov 07 08:31:45.131170 2020] [:error] [pid 18537:tid 140088293922560] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/site"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /site HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
==> example.com.error.log <==
[Sat Nov 07 08:31:45.222926 2020] [:error] [pid 18537:tid 140088403027712] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-wAAAMc"]
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:12 +0800] "GET /site/ HTTP/1.1" 200 58190 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
答案1
这与网络浏览器或文件权限无关,而是与 ModSecurity 的误报检测有关Web 应用程序防火墙(WAF)。我刚刚添加了换行符以使其更具可读性:
ModSecurity: Access denied with code 403 (phase 2).
Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}"
at REQUEST_COOKIES:__gads.
[file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "157"]
[id "981172"]
[rev "2"]
[msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
[data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"]
[maturity "9"]
[accuracy "8"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
[hostname "www.example.com"]
[uri "/site"]
[unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]
像 WordPress 这样的 CMS 系统通常具有一些在 Web 应用程序中通常不需要的功能,但对于更新网页内容却必不可少的功能,例如添加 HTML、JavaScript 甚至 SQL。诀窍是设置例外,使您能够使用此功能而不允许任何人做任何事情。这意味着必须缩小例外范围以防止误报。
过去,这需要[id "???"]
[uri "/?"]
在错误日志中查找对并添加异常,例如:
<LocationMatch "/wp-login.php">
SecRuleRemoveById 950007 950109 950117 950120 950901 981143 981172 981173 970901 970903
</LocationMatch>
<LocationMatch "/wp-content">
SecRuleRemoveById 950007 950120 958231 970903 981172
</LocationMatch>
对于较新的 OWASP CRS,这变得更加简单,因为您只需在以下位置配置例外情况即可crs-setup.conf
:
#
# Modify and uncomment this rule to select which application:
#
#SecAction \
# "id:900130,\
# phase:1,\
# nolog,\
# pass,\
# t:none,\
# setvar:tx.crs_exclusions_drupal=1,\
# setvar:tx.crs_exclusions_wordpress=1,\
# setvar:tx.crs_exclusions_nextcloud=1,\
# setvar:tx.crs_exclusions_dokuwiki=1,\
# setvar:tx.crs_exclusions_cpanel=1"
因此,为了启用 WordPress 排除规则,它将变成:
SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1" # enable the WordPress exclusion rules