我租了一台准系统服务器,安装了 Centos 7,然后安装了 centos web 面板,服务器设置为仅 apache,使用 apache 2.4.4x 和 php 7。
我在其中一个虚拟主机上建立了一个wordpress站点,经过一段时间的编辑,当我试图在我的手机上查看该站点时,我发现它看到了403禁止。我还检查了不同站点中的一些不同计算机,奇怪的是似乎只有我用来编辑站点的浏览器才能查看它。
我正在使用 Chrome 我一直在使用 firefox 进行编辑,我再次尝试了 firefox,它可以工作。但是在我将firefox刷新为出厂设置后,它也给出了403,我尝试在隐身模式下使用Chrome,它没有重现问题。
我已将所有文件设置为 644,将所有目录设置为 755
并且使用我的手机,无论我使用的是wifi还是移动网络,都是403
我在 index.html 中使用元刷新将流量重定向到 site/ 的 wordpress 网站
以下是返回 403 时的日志摘录
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:38 +0800] "GET / HTTP/1.1" 200 853 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
==> example.com.error.log <==
[Sat Nov 07 08:31:39.815669 2020] [:error] [pid 18537:tid 140088488527616] [client YYY.YYY.232.181:51246] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq62SIpp9t4B3qVX2@-QAAAMU"]
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:39 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
==> example.com.error.log <==
[Sat Nov 07 08:31:45.131170 2020] [:error] [pid 18537:tid 140088293922560] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/site"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-gAAANQ"]
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /site HTTP/1.1" 403 213 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
==> example.com.error.log <==
[Sat Nov 07 08:31:45.222926 2020] [:error] [pid 18537:tid 140088403027712] [client YYY.YYY.232.181:51273] [client YYY.YYY.232.181] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:__gads. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: = found within REQUEST_COOKIES:__gads: ID=27dbb135f45c1fd9-22c5888d8fc4000e:T=1604709099:RT=1604709099:S=ALNI_MaW2UgLrOqyys2zp1yt_idCh-PXJg"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/favicon.ico"] [unique_id "X6Xq8WSIpp9t4B3qVX2@-wAAAMc"]
==> example.com.log <==
YYY.YYY.232.181 - - [07/Nov/2020:08:31:45 +0800] "GET /favicon.ico HTTP/1.1" 403 220 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:06 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
YYY.YYY.232.181 - - [07/Nov/2020:08:32:12 +0800] "GET /site/ HTTP/1.1" 200 58190 "https://www.example.com/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36"
这与 Web 浏览器或文件权限无关,而是与 ModSecurity Web 应用程序防火墙(WAF)的误报检测有关。我刚刚添加了换行符以使其更具可读性:
像 WordPress 这样的 CMS 系统通常具有在 Web 应用程序中通常不需要的功能,但对于更新网页内容是必需的,例如添加 HTML、JavaScript 甚至 SQL。诀窍是创建例外,使您能够使用此功能而不允许任何人做任何事情。这意味着必须缩小例外范围以防止误报。
过去,这需要在错误日志中查找
[id "???"][uri "/?"]对并添加异常,例如:随着最近的 OWASP CRS,这变得更加简单,因为您可以在以下位置配置异常
crs-setup.conf:因此,为了启用 WordPress 排除规则,这将变为: