ModSecurity + Fail2Ban bans the client IP for sending POSTs to a servlet

Question  Votes: 0  Answers: 1

I am using:

  • Ubuntu 24.04
  • Plesk Obsidian 18.0.62
  • Apache/2.4.59
  • Tomcat/10.1.16
  • tomcat-connectors-1.2.49
  • libapache2-mod-jk
  • ModSecurity
  • Fail2Ban
  • Comodo's free ModSecurity rules

I have a servlet on worker1.

In Plesk, ModSecurity is set to "On" and uses Comodo's free ModSecurity rules.

IP Address Banning (Fail2Ban) intrusion detection is "On".

When I make 5 (successful) POSTs from a client to the servlet, the client IP is banned for the period set in Fail2Ban.

This is the modsec_audit.log report:

--ffd6be58-A--
[30/Jun/2024:09:37:02.722882 +0000] ZoEnPjdhHHdmdP54dSpN12AAFQ ***banned client IP*** 49290 127.0.0.1 7081
--ffd6be58-B--
POST /tomcat_app/Debate/url_a_servlet_general HTTP/1.0
Host: www.mywebsite.com
X-Real-IP: ***banned client IP***
X-Accel-Internal: /internal-nginx-static-location
Connection: close
Content-Length: 181
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126", "Google Chrome";v="126"
x-gwt-module-base: https://www.mywebsite.com/tomcat_app/Debate/
x-gwt-permutation: A7F24557812452238ACA3ACDA68F4D27
content-type: text/x-gwt-rpc; charset=UTF-8
sec-ch-ua-mobile: ?0
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
accept: */*
origin: https://www.mywebsite.com
sec-fetch-site: same-origin
sec-fetch-mode: cors
sec-fetch-dest: empty
referer: https://www.mywebsite.com/index-booking.html
accept-encoding: gzip, deflate, br, zstd
accept-language: es-ES,es;q=0.9,ar-ES;q=0.8,ar;q=0.7,en-ES;q=0.6,en;q=0.5
priority: u=1, i
cookie: c=Amanamel

--ffd6be58-F--
HTTP/1.1 200 200
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Disposition: attachment
Content-Length: 45
Cache-Control: max-age=1209600
Expires: Sun, 14 Jul 2024 09:37:02 GMT
Connection: close
Content-Type: application/json;charset=utf-8

--ffd6be58-H--
Message: Warning. Match of "pmFromFile userdata_wl_content_type" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "17"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mywebsite.com|F|2"] [data "TX:0=text/x-gwt-rpc"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"]
Message: Warning. Operator GE matched 5 at TX:incoming_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "35"] [id "214930"] [rev "1"] [msg "COMODO WAF: Inbound Points Exceeded|Total Incoming Points: 5|www.mywebsite.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client ***banned client IP***] ModSecurity: Warning. Match of "pmFromFile userdata_wl_content_type" against "TX:0" required. [file "/etc/apache2/modsecurity.d/rules/comodo_free/10_HTTP_HTTP.conf"] [line "17"] [id "210710"] [rev "5"] [msg "COMODO WAF: Request content type is not allowed by policy. Please update file userdata_wl_content_type.||www.mywebsite.com|F|2"] [data "TX:0=text/x-gwt-rpc"] [severity "CRITICAL"] [tag "CWAF"] [tag "HTTP"] [hostname "www.mywebsite.com"] [uri "/tomcat_app/Debate/url_a_servlet_general"] [unique_id "ZoEnPjdhHHdmdP54dSpN12AAFQ"]
Apache-Error: [file "apache2_util.c"] [line 275] [level 3] [client ***banned client IP***] ModSecurity: Warning. Operator GE matched 5 at TX:incoming_points. [file "/etc/apache2/modsecurity.d/rules/comodo_free/20_Outgoing_FiltersEnd.conf"] [line "35"] [id "214930"] [rev "1"] [msg "COMODO WAF: Inbound Points Exceeded|Total Incoming Points: 5|www.mywebsite.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "FiltersEnd"] [hostname "www.mywebsite.com"] [uri "/tomcat_app/Debate/url_a_servlet_general"] [unique_id "ZoEnPjdhHHdmdP54dSpN12AAFQ"]
Apache-Handler: jakarta-servlet
Stopwatch: 1719740222713534 9429 (- - -)
Stopwatch2: 1719740222713534 9429; combined=2313, p1=292, p2=1896, p3=29, p4=23, p5=73, sr=63, sw=0, l=0, gc=0
Producer: ModSecurity for Apache/2.9.7 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

--ffd6be58-Z--

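I want to keep using my servlet (from any IP) without significantly lowering the server's security level.

I think I should add a custom directive in Plesk -> Tools & Settings -> Web Application Firewall -> Configuration to accept application/json. Am I right?

Under the text box I can see: "Enter ModSecurity directives here. They will override the directives specified earlier (rule set, specific rules, predefined set of values, etc.)."

How do I write this rule?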

mod-security fail2ban
1 Answer
0
votes

This is probably not a JSON issue but a text/x-gwt-rpc one. I think the solution is:

1- Edit the file userdata_wl_content_type
2- Add the line "text/x-gwt-rpc" at the end 
3- Restart apache (e.g. systemctl restart apache2.service)

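It works. I'm not an expert, so I can't be 100% sure this doesn't open a vulnerability. But I think it is fine, and this answer may help others with a similar problem.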
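Before widening the whitelist, it helps to know exactly which content types rule 210710 is flagging and on which URIs. The following Python is an added example, not part of the original question or answer: it parses the A/B/H sections of a ModSecurity audit log and counts the rejected types. The function names are hypothetical and the sample entry is constructed from the log in the question, with a documentation IP address in place of the redacted one.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")    # audit-log section marker
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [id "210710"], [data "..."]
# Constructed sample trimmed from the question's entry; 203.0.113.7 is a documentation IP.
SAMPLE = """\
--ffd6be58-A--
[30/Jun/2024:09:37:02.722882 +0000] ZoEnPjdhHHdmdP54dSpN12AAFQ 203.0.113.7 49290 127.0.0.1 7081
--ffd6be58-B--
POST /tomcat_app/Debate/url_a_servlet_general HTTP/1.0
--ffd6be58-H--
Message: Warning. Match of "pmFromFile userdata_wl_content_type" against "TX:0" required. [id "210710"] [msg "COMODO WAF: Request content type is not allowed by policy."] [data "TX:0=text/x-gwt-rpc"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:incoming_points. [id "214930"] [msg "COMODO WAF: Inbound Points Exceeded|Total Incoming Points: 5"] [severity "CRITICAL"]
--ffd6be58-Z--
"""

def parse_audit(text):
    """Yield one dict per transaction: client IP, request URI, rule hits."""
    sections, part = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "Z":          # Z closes the transaction
            yield _summarise(sections)
            sections, part = {}, None
        elif m:
            part = m.group(2)
            sections[part] = []
        elif part is not None:
            sections[part].append(line)

def _summarise(sections):
    a = (sections.get("A") or [""])[0].split()    # [time tz] id client_ip port ...
    req = (sections.get("B") or [""])[0].split()  # METHOD URI PROTOCOL
    hits = [dict(FIELD.findall(l)) for l in sections.get("H", []) if l.startswith("Message:")]
    return {"client": a[3] if len(a) > 3 else None,
            "uri": req[1] if len(req) > 1 else None, "hits": hits}

def rejected_content_types(text, rule_id="210710"):
    """Count (content type, URI) pairs flagged by the content-type rule."""
    seen = Counter()
    for tx in parse_audit(text):
        for hit in tx["hits"]:
            if hit.get("id") == rule_id and "=" in hit.get("data", ""):
                seen[(hit["data"].split("=", 1)[1], tx["uri"])] += 1
    return seen

if __name__ == "__main__":
    print(dict(rejected_content_types(SAMPLE)))
```

Run against the real modsec_audit.log, the result shows every content type that would need an entry in userdata_wl_content_type and which URIs send it, so the whitelist change can be kept to what the servlet actually uses.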
