Modsecurity - "Host header is a numeric IP address" 错误的重定向循环
Modsecurity - redirect loop for "Host header is a numeric IP address" error
看起来有一个 ModSecurity OWASP 规则,当它检测到有人通过 IP 地址而不是 DNS 名称访问您的站点时,它不会拒绝 4xx 错误,它只是重定向回 "homepage".问题是它重定向回 IP 地址,这会导致再次触发相同的错误,并且您会遇到重定向循环。
有没有办法指定针对特定规则采取的操作?
规则如下。我没有看到任何重定向选项,甚至没有看到任何指定特定错误的选项。
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
"msg:'Host header is a numeric IP address',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
block,\
logdata:'%{matched_var}',\
severity:'WARNING',\
id:'920350',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
和错误日志...
--46372f1f-A--
[04/Jun/2016:19:10:43 --0500] V1NuA38AAAEAACCaOHwAAAAR xxx.xxx.xxx.xxx 60414 172.31.41.204 80
--46372f1f-B--
GET / HTTP/1.1
Host: 52.24.56.241
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
--46372f1f-F--
HTTP/1.1 302 Found
Location: http://52.24.56.241/
Content-Length: 204
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--46372f1f-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>iT LOO
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://52.24.56.241/">here</a>.</p>
</body></html>
--46372f1f-H--
Message: Access denied with redirection to http://52.24.56.241/ using status 302 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity/activated_rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "840"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "52.24.56.241"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: 52.24.56.241"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1465085443076841 1107 (- - -)
Stopwatch2: 1465085443076841 1107; combined=684, p1=288, p2=198, p3=0, p4=0, p5=153, sr=69, sw=45, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "ENABLED"
- ModSecurity 如何决定采取何种行动?
- 如何告诉 ModSecurity 停止针对此错误的重定向循环?
在拒绝或 "block" 规则的情况下,ModSecurity 将在 modsecurity_crs_10_setup.conf 文件中查找 SecDefaultAction 指令。对于 OWASP_CRS 3.0.0-rc1,此指令从
SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"
到
SecDefaultAction "phase:1,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
SecDefaultAction "phase:2,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
这就是导致重定向的原因,规则说阻止,所以它寻找默认操作,默认操作是重定向到主机...在这种情况下,这只是 IP 已经正在指定...还有重定向循环...
请注意,此规则将在 Apache 有机会提供适当的虚拟主机以响应此请求之前触发。
要覆盖此规则(对于 3.0.0-rc1),您需要修改 RESPONSE-99-EXCEPTIONS.conf 文件并添加一些内容......
SecRuleUpdateActionById 920350 "deny,status:403"
这将拒绝该请求。或者如果你愿意允许它..
SecRuleUpdateActionById 920350 "pass"
看起来有一个 ModSecurity OWASP 规则,当它检测到有人通过 IP 地址而不是 DNS 名称访问您的站点时,它不会拒绝 4xx 错误,它只是重定向回 "homepage".问题是它重定向回 IP 地址,这会导致再次触发相同的错误,并且您会遇到重定向循环。
有没有办法指定针对特定规则采取的操作?
规则如下。我没有看到任何重定向选项,甚至没有看到任何指定特定错误的选项。
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
"msg:'Host header is a numeric IP address',\
phase:request,\
rev:'2',\
ver:'OWASP_CRS/3.0.0',\
maturity:'9',\
accuracy:'9',\
t:none,\
block,\
logdata:'%{matched_var}',\
severity:'WARNING',\
id:'920350',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',\
tag:'WASCTC/WASC-21',\
tag:'OWASP_TOP_10/A7',\
tag:'PCI/6.5.10',\
tag:'http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx',\
setvar:'tx.msg=%{rule.msg}',\
setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},\
setvar:tx.%{rule.id}-OWASP_CRS/POLICY/IP_HOST-%{matched_var_name}=%{matched_var}"
和错误日志...
--46372f1f-A--
[04/Jun/2016:19:10:43 --0500] V1NuA38AAAEAACCaOHwAAAAR xxx.xxx.xxx.xxx 60414 172.31.41.204 80
--46372f1f-B--
GET / HTTP/1.1
Host: 52.24.56.241
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
--46372f1f-F--
HTTP/1.1 302 Found
Location: http://52.24.56.241/
Content-Length: 204
Keep-Alive: timeout=5, max=80
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--46372f1f-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>iT LOO
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://52.24.56.241/">here</a>.</p>
</body></html>
--46372f1f-H--
Message: Access denied with redirection to http://52.24.56.241/ using status 302 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/modsecurity/activated_rules/REQUEST-20-PROTOCOL-ENFORCEMENT.conf"] [line "840"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "52.24.56.241"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "Host: 52.24.56.241"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client %s] ModSecurity: %s%s [uri "%s"]%s
Action: Intercepted (phase 2)
Stopwatch: 1465085443076841 1107 (- - -)
Stopwatch2: 1465085443076841 1107; combined=684, p1=288, p2=198, p3=0, p4=0, p5=153, sr=69, sw=45, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/); OWASP_CRS/3.0.0.
Server: Apache
Engine-Mode: "ENABLED"
- ModSecurity 如何决定采取何种行动?
- 如何告诉 ModSecurity 停止针对此错误的重定向循环?
在拒绝或 "block" 规则的情况下,ModSecurity 将在 modsecurity_crs_10_setup.conf 文件中查找 SecDefaultAction 指令。对于 OWASP_CRS 3.0.0-rc1,此指令从
SecDefaultAction "phase:1,deny,log"
SecDefaultAction "phase:2,deny,log"
到
SecDefaultAction "phase:1,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
SecDefaultAction "phase:2,log,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
这就是导致重定向的原因,规则说阻止,所以它寻找默认操作,默认操作是重定向到主机...在这种情况下,这只是 IP 已经正在指定...还有重定向循环...
请注意,此规则将在 Apache 有机会提供适当的虚拟主机以响应此请求之前触发。
要覆盖此规则(对于 3.0.0-rc1),您需要修改 RESPONSE-99-EXCEPTIONS.conf 文件并添加一些内容......
SecRuleUpdateActionById 920350 "deny,status:403"
这将拒绝该请求。或者如果你愿意允许它..
SecRuleUpdateActionById 920350 "pass"