[英]Apache2 ModSecurity2 does not work (Ubuntu 14.04)
我遵循wiki.ubuntuusers.de上的官方文档,但是我的test.php文件仍然允许恶意访问,例如test.php?secret_file = my / secret / file.txt。 想法为什么?
test.php的:
<?php
$secret_file = $_GET['secret_file'];
include ( $secret_file);
?>
test.php?secret_file = my / secret / file.txt的预期结果是HTTP 403-访问被拒绝,但是我的Web服务器仍显示包含文件的内容。
我的安装步骤:
sudo apt-get install libapache2-mod-security2
sudo a2enmod security2
sudo a2enmod headers
Configuration
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
#
#SecRuleEngine DetectionOnly
#
SecRuleEngine On
Include /usr/share/modsecurity-crs/*.conf
Include /usr/share/modsecurity-crs/base_rules/*.conf
Include /usr/share/modsecurity-crs/optional_rules/*.conf
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 5
sudo service apache2 restart
sudo service apache2 force-reload
这是我的modsec_debug.log文件: modsec_debug.log
当我致电恶意test.php?secret_file = my / secret / file.txt时,它说:
[Sun Jan 25 13:21:51.773188 2015] [:error] [pid 14993] [client x.x.x.x] ModSecurity: Warning. Match of "eq 1" against "&ARGS:CSRF_TOKEN" required. [file "/usr/share/modsecurity-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf"] [line "31"] [id "981143"] [msg "CSRF Attack Detected - Missing CSRF Token."] [hostname "example.com"] [uri "/test.php"] [unique_id "VMTf31XWGY4AADqRE00AAAAB"]
[Sun Jan 25 13:21:51.777069 2015] [:error] [pid 14993] [client x.x.x.x] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/usr/share/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Request from Known SPAM Source (Previous RBL Match)"] [hostname "example.com"] [uri "/test.php"] [unique_id "VMTf31XWGY4AADqRE00AAAAB"]
[Sun Jan 25 13:21:51.777133 2015] [:error] [pid 14993] [client x.x.x.x] ModSecurity: Warning. Match of "rx (?i:(<meta.*?(content|value)=\\"text/html;\\\\s?charset=|<\\\\?xml.*?encoding=))" against "RESPONSE_BODY" required. [file "/usr/share/modsecurity-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] [line "23"] [id "981220"] [msg "[Watcher Check] No charset was specified in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "APP_DEFECT/MISCONFIGURATION"] [tag "http://code.google.com/p/browsersec/wiki/Part2#Content_handling_mechanisms"] [hostname "example.com"] [uri "/test.php"] [unique_id "VMTf31XWGY4AADqRE00AAAAB"]
[Sun Jan 25 13:21:51.777193 2015] [:error] [pid 14993] [client x.x.x.x] ModSecurity: Warning. Match of "rx (<meta.*?(content|value)=\\"text/html;\\\\s?charset=utf-8|<\\\\?xml.*?encoding=\\"utf-8\\")" against "RESPONSE_BODY" required. [file "/usr/share/modsecurity-crs/optional_rules/modsecurity_crs_55_application_defects.conf"] [line "36"] [id "981222"] [msg "[Watcher Check] The charset specified was not utf-8 in the HTTP Content-Type header nor the HTML content's meta tag."] [data "Content-Type Response Header: text/html"] [tag "WASCTC/WASC-15"] [tag "MISCONFIGURATION"] [tag "http://websecuritytool.codeplex.com/wikipage?title=Checks#charset-not-utf8"] [hostname "example.com"] [uri "/test.php"] [unique_id "VMTf31XWGY4AADqRE00AAAAB"]
modsecurity_crs_43_csrf_protection.conf上的规则正在查找CSRF攻击,但是,您尝试执行的规则不是CSRF。
你可以试试看
/etc/apache2/mods-enabled/security2.conf
删除Include /usr/share/modsecurity-crs/base_rules/*.conf
和Include /usr/share/modsecurity-crs/optional_rules/*.conf
/etc/apache2/mods-enabled/security2.conf
(我猜您正在使用Ubuntu)。 /etc/modsecurity/modsecurity_crs_15_customrules.conf
创建规则集 SecRule REQUEST_URI "secret" "phase:1,t:none,log,deny,id:'9000070001',msg:'Malicious content blocked'"
sudo service apache2 restart
尝试从浏览器中访问相同的URL,观看/var/log/apache2/modsec_audit.log,让我知道它的运行方式。
谢谢,
丹尼尔
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.