我在我的一个服务器中的一个子域“pma”和一个名为“app”的目录中有一个 phpMyAdmin 的副本(从 zip 存档手动安装,而不是通过 yum),我将其用于与数据库相关的管理并且它正在工作好几个月。几天前,我的本地 IP 在尝试登录时被阻止,并且经过大量挖掘在 /var/log/apache2/error_log 中找到的以下日志(出于明显的原因,用 <PLACEHOLDER_TEXT> 替换了我的本地 IP 和服务器域)
[Fri Jan 07 11:37:54.198143 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/themes/pmahomme/img/ajax_clock_small.gif"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.198701 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[\\\\x22'\\\\/`]on[a-z]{1,}?\\\\/{0,}=" at REQUEST_COOKIES:pmaAuth-1. [file "/var/cpanel/cwaf/rules/07_XSS_XSS.conf"] [line "162"] [id "212760"] [rev "2"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.pma.<DOMAIN_NAME>|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.pma.<DOMAIN_NAME>"] [uri "/app/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.215776 2022] [core:error] [pid 60361] [client <IP_ADDRESS>:60532] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.235059 2022] [core:error] [pid 60364] [client <IP_ADDRESS>:60535] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.
[Fri Jan 07 11:37:54.238782 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.238830 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to lock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
[Fri Jan 07 11:37:54.244507 2022] [:error] [pid 60364] [client <IP_ADDRESS>:60535] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1kjnCs4t3VK1sKGhIPAAAAAE"]
[Fri Jan 07 11:37:54.244559 2022] [:error] [pid 60361] [client <IP_ADDRESS>:60532] [client <IP_ADDRESS>] ModSecurity: Audit log: Failed to unlock global mutex: Permission denied [hostname "www.pma.<DOMAIN_NAME>"] [uri "/home/<USER_NAME>/public_html/index.php"] [unique_id "Yde1ktSwsuOu5OLfWtOp8QAAAAA"], referer: http://www.pma.<DOMAIN_NAME>/app/themes/pmahomme/css/theme.css?v=5.1.1&nocache=1161605458ltr&server=1
虽然我对 SSH 和 CLI 没问题,但我不是核心服务器管理员,我花了一些时间和 ISP 和托管服务提供商的帮助来解决 CSF/LFD 中的 IP 禁令问题,但我正在尝试了解实际问题,以便将来避免。任何人都可以破译原因吗?谢谢!
我想我已经找到了解决这个问题的方法。我正在寻找详细信息所在的“日志”文件位于以下文件中: