Extra sensitive Mod Security rules giving 403 forbidden error


Question

I have just enabled Mod Security on our CentOS 5 server and we are now getting the following in the error_log:

[Thu Nov 12 16:20:19 2015] [error] [client 88.15.76.8] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){8,}" at REQUEST_COOKIES:_eventqueue. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "169"] [id "981172"] [rev "2.2.5"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "}"] [hostname "www.mydomain.com"] [uri "/company/geodis-uk-limited/general-maintenance-assistant-1485.html"] [unique_id "UbGaGB-esj8AAAa98bEAAAAn"]

What is the best way to stop this happening?

Answer

ModSecurity rules need tweaking and tuning for your particular site before they are useful. The OWASP Core Rule Set you have installed is very useful but will show false positives and block legitimate traffic for all but the very simplest sites.

So first of all you should run in DetectionOnly mode for a few months before turning on the full blocking. During that time you should regularly check your alerts and fine tune the rules to address any false positives. DetectionOnly mode is enabled by using the following command in your config (it's probably set to On at present rather than DetectionOnly):

SecRuleEngine DetectionOnly

Now to look at your specific failure. This is due to rule 981172 which blocks any request with 8 or more "special characters" as they are often classic examples of SQL injection attacks (or more specifically attempts to mask a SQL injection attack).

This rule has blocked on cookie _eventqueue. So the first question is: do you recognise that cookie and does it regularly have more than 8 special characters in a row? Certain fields and cookies will break this rule even for legitimate traffic. For example the current rule excludes checking any cookies beginning with __utm, or _pk_ref (used by Analytics software) as they often flag incorrectly.

Assuming this is legitimate traffic, the easiest option is to turn off this rule for this field by adding this config:

SecRuleUpdateTargetById 981172 !REQUEST_COOKIES:'_eventqueue'

Note this config must be in the config after the rule it is disabling. Other ways of expressing this rule may be required before the rule is defined. So I normally add a "0_exceptions_before.conf" file and a "9999_exceptions_after.conf" file and fill in the exceptions into these files.

Adding exceptions like this is a lot better than editing the actual rule itself in the modsecurity_crs_41_sql_injection_attacks.conf file, since this then allows you to upgrade the rules to the latest version easily while still keeping your exceptions in place.

Talking of upgrading I notice you are on version 2.2.5 of the core rule set and the latest version is 2.2.9 so you probably should upgrade to the latest version if starting out afresh.

ModSecurity can be quite complicated to get your head around initially. I can highly recommend the ModSecurity Handbook, written by the original author of ModSecurity. It's a little out of date now but still very relevant and helps explain the program and how and why you need to tune it. First chapter (on installation) is free if you want to try it out. That book also contains the reference manual which is also available online for free. Finally the mod-security-users e-mail group and owasp-modsecurity-core-rule-set e-mail group are good places to get help too as there's not a huge amount on StackOverflow on the subject.
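As an added example (not part of the question or the answer above), the following Python script implements the DetectionOnly review workflow the answer describes. It parses a ModSecurity 2.x error_log line of the kind quoted in the question into its bracketed fields, tallies hits by rule id and matched target so recurring false positives stand out, applies the special-character count used by rule 981172 to a candidate cookie value, and emits the matching SecRuleUpdateTargetById exclusion for the collection the rule actually matched on. The sample log line is constructed from the one in the question with the regex pattern shortened; the special-character set is taken from the rule pattern quoted in the log, and the helper names are my own.

```python
import re
from collections import Counter

# Constructed sample, based on the error_log entry quoted in the question.
# The regex inside 'Pattern match "..."' is shortened for readability.
SAMPLE_LOG = (
    '[Thu Nov 12 16:20:19 2015] [error] [client 88.15.76.8] ModSecurity: '
    'Access denied with code 403 (phase 2). Pattern match '
    '"([~!@#].*){8,}" at REQUEST_COOKIES:_eventqueue. '
    '[file "/etc/httpd/modsecurity.d/activated_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] '
    '[line "169"] [id "981172"] [rev "2.2.5"] '
    '[msg "Restricted SQL Character Anomaly Detection Alert - '
    'Total # of special characters exceeded"] '
    '[data "}"] [hostname "www.mydomain.com"] '
    '[uri "/company/geodis-uk-limited/general-maintenance-assistant-1485.html"] '
    '[unique_id "UbGaGB-esj8AAAa98bEAAAAn"]'
)

# Bracketed, double-quoted fields such as [id "981172"] or [msg "..."].
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The [client 1.2.3.4] field is not quoted, so it needs its own pattern.
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# The matched variable sits between 'at ' and '. [file'.
TARGET_RE = re.compile(r' at (\S+)\. \[file ')

# Characters counted by rule 981172 (CRS 2.2.x), taken from the pattern in the log.
SPECIAL = set('~!@#$%^&*()-+={}[]|:;"\'´’‘`<>')


def parse_modsec_error(line):
    """Turn one ModSecurity error_log line into a dict of its fields."""
    entry = dict(FIELD_RE.findall(line))
    m = CLIENT_RE.search(line)
    if m:
        entry['client'] = m.group(1)
    m = TARGET_RE.search(line)
    if m:
        target = m.group(1)
        collection, _, name = target.partition(':')
        entry['target'] = target
        entry['collection'] = collection   # e.g. REQUEST_COOKIES, ARGS
        entry['name'] = name               # e.g. _eventqueue
    return entry


def triage(lines):
    """Count hits per (rule id, matched target) across a batch of log lines.

    In DetectionOnly mode the pairs with the highest counts are the first
    candidates to review for false positives.
    """
    counts = Counter()
    for line in lines:
        entry = parse_modsec_error(line)
        if 'id' in entry and 'target' in entry:
            counts[(entry['id'], entry['target'])] += 1
    return counts


def special_char_count(value):
    """Number of characters in value that rule 981172 treats as special."""
    return sum(1 for ch in value if ch in SPECIAL)


def would_trip_981172(value, threshold=8):
    """True if the value has at least `threshold` special characters,
    which is the condition the rule's ([...].*){8,} pattern expresses."""
    return special_char_count(value) >= threshold


def exclusion_directive(entry):
    """Build the SecRuleUpdateTargetById line that exempts the exact
    collection and name the rule matched on (not a different collection)."""
    return "SecRuleUpdateTargetById %s !%s:'%s'" % (
        entry['id'], entry['collection'], entry['name'])


if __name__ == '__main__':
    entry = parse_modsec_error(SAMPLE_LOG)
    print('rule %s hit %s on %s from %s' % (
        entry['id'], entry['target'], entry['uri'], entry['client']))
    # A JSON-looking cookie value (constructed) easily exceeds 8 special chars.
    sample_cookie = '{"a":[1,2],"b":{}}'
    print('special chars in sample cookie:', special_char_count(sample_cookie),
          '-> trips rule:', would_trip_981172(sample_cookie))
    print('suggested exclusion:', exclusion_directive(entry))
    for (rule_id, target), n in triage([SAMPLE_LOG]).most_common():
        print('%s hits: rule %s at %s' % (n, rule_id, target))
```

The exclusion is generated from the collection named in the log line, which is why the cookie case yields `!REQUEST_COOKIES:'_eventqueue'`; an `ARGS` exclusion with the same name would leave the cookie match in place. Run the script over a whole error_log (one line per call to `parse_modsec_error`) while `SecRuleEngine DetectionOnly` is set, and review the top entries from `triage` before writing exclusions into the exceptions file that loads after the CRS rules.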
