ModSecurity OWASP CRS 3.3.2 breaks Nextcloud - unable to solve this


  • Running ModSecurity 2.9.3 and the OWASP ModSecurity Core Rule Set (CRS) 3.3.2.
  • The Nextcloud exclusions contained in REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf are enabled and they are loading correctly.
  • Nextcloud is updated to the latest stable version and passes all checks.

However, ModSecurity breaks its functionality in several important ways.

I get several false positives concerning the activity of the sync client on the desktop, the sync app on mobile, and WebDAV in general.

This is entirely ModSecurity's doing. Nextcloud reports no errors, and disabling ModSecurity fixes the problem.

My attempts to fix this have failed. In particular, adding the following rule to REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf completely breaks Nextcloud's functionality and does not fix any of the false positives. No idea why:

SecRule REQUEST_URI "@beginsWith /remote.php/dav/files/admin/" \
 "id:10000003,\
  phase:2,\
  pass,\
  nolog,\
  ctl:ruleRemoveTargetById=921110,\
  ctl:ruleRemoveTargetById=980130,\
  ctl:ruleRemoveTargetById=949110"

Example from the ModSecurity audit log:

Message: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|image/png|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/rules/RESPONSE-980-CORRELATION.conf"] [line "91"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [ver "OWASP_CRS/3.3.2"] [tag "event-correlation"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ip>] ModSecurity: Warning. Match of "within %{tx.allowed_request_content_type}" against "TX:content_type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "956"] [id "920420"] [msg "Request content type is not allowed by policy"] [data "|image/png|"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153"] [tag "PCI/12.1"] [hostname "<hostname>"] [uri "/index.php/apps/files/"] [unique_id "Y8Yq5sm-7UrRygrbZZNbsgAAABc"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client <ip>] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "<hostname>"] [uri "/index.php/apps/files/"] [unique_id "Y8Yq5sm-7UrRygrbZZNbsgAAABc"]

The message in the Android sync app is usually "You are not allowed to upload to this folder". In general, all the sync apps are stumped by the 403 errors served by ModSecurity. I am not sure whether this happens only with certain file types or certain folders or, as I believe, with all files.

CRS dev-on-duty: your tuning rule seems to have two problems.

The first problem is that you use the control statement ctl:ruleRemoveTargetById=921110 without specifying a target after the rule. Either specify a target with ctl:ruleRemoveTargetById=9xxxxx;ARGS:myArg, or simply use ruleRemoveById instead of ruleRemoveTargetById to remove the rule.

Second problem: never remove the blocking rule 949110 or the correlation rule 980130. That switches off the WAF.

To solve your problem (apart from the blocking and correlation rules I only see one matching rule), I think it is best to add Content-Type: image/png to the list of allowed request content types. This can be done by uncommenting rule 900220 in crs-setup.conf and adding the required request content type: https://github.com/coreruleset/coreruleset/blob/v3.3/dev/crs-setup.conf.example L422

If you need more help with tuning, I highly recommend the tuning guide by our CRS co-lead Christian Folini, especially "Handling False Positives with the OWASP ModSecurity Core Rule Set": https://www.netnea.com/cms/apache-tutorial-8_handling-false-positives-modsecurity-core-rule-set/.

I think I may have found my problem.

I had this enabled in crs-setup.conf:

SecRule SERVER_NAME "<hostname>" \
 "id:10000001,\
  phase:1,\
  pass,\
  nolog,\
  setvar:tx.error_anomaly_score=4"

This was an old attempt of mine to lower the sensitivity of MS after reading the MS manual. Obviously I made a serious mistake. Now things seem to be starting to work.

By the way: how do I correctly change the anomaly score for a hostname so that MS is less sensitive? What is the normal value? I thought it was 5...

Edit: the other problems in my log file, which cause the sync of certain file types with Nextcloud to fail, seem to be due to a new Nextcloud bug recorded for version 25.
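The following is an added example, not code from the thread or from the CRS project. It writes out, in ModSecurity 2.9 / CRS 3.3 syntax, the two fixes the dev-on-duty describes (rule 900220 with image/png added, and a URI-scoped exclusion that uses ruleRemoveById, or ruleRemoveTargetById with an explicit target, while leaving 949110 and 980130 alone), and then the threshold variable the follow-up question asks about. Assumptions and placeholders: the Nextcloud URI patterns, rule ids 10000003/10000004 (reused from the post), the hypothetical ARGS:myArg target, and the content-type list, which reproduces the CRS 3.3 defaults from memory; copy the real list from the installed crs-setup.conf.example before appending |image/png|.

```apache
# --- crs-setup.conf --------------------------------------------------------
# Option 1 (the dev-on-duty's recommendation): allow image/png globally.
# Rule 900220 ships commented out; uncomment it and append |image/png| to the
# pipe-delimited list (CRS 3.3 uses the |type| form, which is why the audit
# log shows [data "|image/png|"]). List below: CRS 3.3 defaults from memory,
# an assumption; take the authoritative list from your own file.
SecAction \
 "id:900220,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |multipart/form-data| |multipart/related| |text/xml| |application/xml| |application/soap+xml| |application/x-amf| |application/json| |application/cloudevents+json| |application/cloudevents-batch+json| |application/octet-stream| |application/csp-report| |application/xss-auditor-report| |text/plain| |image/png|'"

# --- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf ----------------------------
# Option 2: keep the global content-type policy and drop rule 920420 only for
# Nextcloud's file endpoints (URI patterns are an assumption based on the
# audit log's /index.php/apps/files/ and the post's /remote.php/dav/ path).
# Differences from the posted rule: ruleRemoveById removes the whole rule and
# needs no target; phase:1 so it runs before 920420, which is itself a phase 1
# rule; the blocking rule 949110 and correlation rule 980130 stay in place.
SecRule REQUEST_URI "@rx ^/(remote\.php/(web)?dav/|index\.php/apps/files/)" \
 "id:10000003,\
  phase:1,\
  pass,\
  nolog,\
  ctl:ruleRemoveById=920420"

# If a target-scoped exclusion is really wanted, ruleRemoveTargetById takes
# the target after a semicolon. ARGS:myArg is a hypothetical parameter name,
# used only to show the syntax.
SecRule REQUEST_URI "@beginsWith /remote.php/dav/" \
 "id:10000004,\
  phase:1,\
  pass,\
  nolog,\
  ctl:ruleRemoveTargetById=921110;ARGS:myArg"

# --- crs-setup.conf: the threshold asked about in the follow-up -------------
# Rule 900110 sets the blocking threshold. The CRS default is 5, so a single
# CRITICAL match (score 5, as 920420 above) already blocks. The variable set
# in the posted rule 10000001, tx.error_anomaly_score, is the per-severity
# score for ERROR-level matches (default 4), not the threshold. Note that the
# defaults in REQUEST-901-INITIALIZATION.conf only apply when the variable is
# still unset, so a value set here wins.
SecAction \
 "id:900110,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.inbound_anomaly_score_threshold=5,\
  setvar:tx.outbound_anomaly_score_threshold=4"
```

Prefer option 1 when the only false positive is the content type, because option 2 removes the whole content-type check for those URIs, and raising the threshold in 900110 lowers detection for every request on the host, not just the sync clients.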
