LinuxQuestions.org
Old 05-19-2019, 01:37 PM   #1
newbie14
Modsecurity nginx keep blocking /phpmyadmin/index.php


I have this nginx on Centos 7

Code:
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
I am trying to run my phpmyadmin/index.php page I keep getting 403 error and when I check the error log I found this.

Code:
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "*******"] [uri "/phpmyadmin/index.php"] [unique_id "155829038166.316903"] [ref ""], client: ******, server: _, request: "GET /phpmyadmin/index.php HTTP/1.1", host: "*******"
My other application could run smoothly without any problem. Only issue is the phpmyadmin.
 
Old 05-19-2019, 02:16 PM   #2
astrogeek
Obviously the request for the phpMyAdmin page is triggering a modsecurity rule which results in an anomaly score sufficient to block access.

The error message tells you that it occurs in phase 2, Request Body evaluation, and gives you the rule file and rule number.

You will need to configure modsecurity differently to not apply certain rules in phpMyAdmin context, or possibly modify or remove one or more rules.

See your modsecurity and OWASP reference docs for details, and look carefully at the comments in the rules files as they are often helpful.
 
Old 05-19-2019, 02:21 PM   #3
newbie14
Hi Astrogeek,
Yes, I went into the rules .conf page and I have seen this.

Quote:
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
"id:949110,\
phase:2,\
deny,\
t:none,\
log,\
msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-generic',\
severity:'CRITICAL',\
setvar:'tx.inbound_tx_msg=%{tx.msg}',\
setvar:'tx.inbound_anomaly_score=%{tx.anomaly_score}'"
A temporary workaround: I googled and added this

SecRuleRemoveById 949110 into the modsecurity.conf file. But I think this is not a good solution.
 
Old 05-19-2019, 02:40 PM   #4
astrogeek
Quote:
Originally Posted by newbie14
A temporary workaround: I googled and added this

SecRuleRemoveById 949110 into the modsecurity.conf file. But I think this is not a good solution.
No, that is probably not good. If I am reading that correctly, that rule calculates the total anomaly score generated by other rules, so that really disables your whole block by score setup.

You can look through the modsecurity debug logs (which must of course be enabled) to see every matched rule and try to identify the one that is triggering on the phpMyAdmin page. I think you can also set the anomaly threshold higher for specific contexts like phpMyAdmin, but I am not sure how that is done at the moment. Perhaps someone else can suggest a better method.

You are on the right track though - read the errors produced by modsecurity, compare the matched rules with the necessary request data, add/modify/delete as appropriate.

If debug logging is not enabled, enable it with the SecDebugLogLevel directive to see more messages for that request.

In the end, it really comes down to understanding your overall configuration and rules, then adjusting them to allow the desired access without opening additional holes. I know, that is obvious, but you will have to do it as no one else can see your environment.
 
Old 05-19-2019, 03:52 PM   #5
newbie14
Hi Astrogeek,
Yes, first, this SecDebugLogLevel was commented out and is now enabled as SecDebugLogLevel 3. Next I removed the disabled rule and tried to capture more logs. Below is what I captured in the modsec folder for modsecurity.

Reading further in the logs, it says

Quote:
SQL Injection Attack Detected via libinjection"] [data "Matched Data: s1nc found within ARGS:token: vD8/#HM"1Dh#~C./"]
and a few lines above it says this
Quote:
---kmoOrvf4---C--
type=config-get&server=1&key=NavigationWidth&_nocache=1558298395477737599&token=vD8%2F%23HM%221Dh%23~C.%2F

---kmoOrvf4---F--
So I guess the token from phpmyadmin is the issue, which is suspected to be SQL injection?


Quote:
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `*.*.*.*' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "762"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "*.*.*.*"] [severity "4"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "*.*.*.*"] [uri "/phpmyadmin/ajax.php"] [unique_id "155829839395.287834"] [ref "o0,14v40,14"]
ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "43"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s1nc found within ARGS:token: vD8/#HM"1Dh#~C./"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [hostname "*.*.*.*"] [uri "/phpmyadmin/ajax.php"] [unique_id "155829839395.287834"] [ref "v1055,16"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "*.*.*.*"] [uri "/phpmyadmin/ajax.php"] [unique_id "155829839395.287834"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 8 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): SQL Injection Attack Detected via libinjection; individual paranoia level scores: 8, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "*.*.*.*"] [uri "/phpmyadmin/ajax.php"] [unique_id "155829839395.287834"] [ref ""]
 
Old 05-19-2019, 05:37 PM   #6
astrogeek
OK, so that lets you identify one (or more) rules which are contributing to the total score. Debug logging is always helpful.

Now you will need to decide for yourself how you want to adjust to allow phpMyAdmin (unfortunately there is no AllowPhpMyAdminToPass directive!).

Again, I think that you can change the score threshold per directory, which would be an easy method. Or you can enable/disable rules per directory.

I would suggest browsing the modsecurity and OWASP rules websites, and also use your search engine of choice to look for additional information.

I found this page, Apache 2.2 Disable modsecurity For a Specific Directory. Although it is focused on disabling modsecurity for a directory, it provides a quick overview of how to modify modsecurity behavior within Location and Directory contexts, which is the first part of what you want.

I also found this page, How to disable a specific mod_security rule in a specific directory, which provides more comments on the same approach.
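As an added example (not code from the thread), here is a small Python triage script for log lines in the format posted in #5. It scores each matched rule the way CRS 3.x does (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2), which reproduces the total of 8 that rule 949110 reports, and renders the narrowest exclusion for the rule firing on phpMyAdmin's token parameter. The sample lines are shortened copies of the excerpt in post #5; `narrowest_exclusion` is my own helper, not a CRS or ModSecurity API.

```python
import re

# ModSecurity severity 2=CRITICAL, 3=ERROR, 4=WARNING, 5=NOTICE -> CRS 3.x anomaly points
SEVERITY_POINTS = {2: 5, 3: 4, 4: 3, 5: 2}
# 949110 (blocking evaluation) and 980130 (correlation) only report the total.
REPORTING_RULES = {"949110", "980130"}

FIELD = re.compile(r'\[(id|msg|severity|uri) "([^"]*)"\]')
# Inspected variable: `against variable `ARGS:x'` or, for libinjection, "found within ARGS:x:"
VAR = re.compile(r"against variable `([A-Z_]+:[^']+)'|found within ([A-Z_]+:[^:\s]+)")

# Constructed sample: the four lines from post #5, shortened to the fields used here.
SAMPLE_LOG = r"""
ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `*.*.*.*' ) [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/phpmyadmin/ajax.php"]
ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s1nc found within ARGS:token: vD8/#HM"1Dh#~C./"] [severity "2"] [uri "/phpmyadmin/ajax.php"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [severity "2"] [uri "/phpmyadmin/ajax.php"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `8' ) [id "980130"] [msg "Inbound Anomaly Score Exceeded"] [severity "0"] [uri "/phpmyadmin/ajax.php"]
"""

def parse_line(line):
    """Return the bracketed fields plus the inspected variable, or None if no rule id."""
    fields = dict(FIELD.findall(line))
    if "id" not in fields:
        return None
    m = VAR.search(line)
    fields["variable"] = (m.group(1) or m.group(2)) if m else None
    fields["severity"] = int(fields.get("severity", 7))
    return fields

def score_request(lines, threshold=5):
    """Tally per-rule anomaly points and report whether the request is over the threshold."""
    rules, total = {}, 0
    for line in lines:
        f = parse_line(line)
        if f is None or f["id"] in REPORTING_RULES:
            continue
        pts = SEVERITY_POINTS.get(f["severity"], 0)
        rules[f["id"]] = {"points": pts, "msg": f["msg"], "variable": f["variable"]}
        total += pts
    return {"total": total, "blocked": total >= threshold, "rules": rules}

def narrowest_exclusion(rule_id, variable):
    """Keep the rule and the blocking logic; just stop this rule inspecting one variable."""
    return f'SecRuleUpdateTargetById {rule_id} "!{variable}"'

if __name__ == "__main__":
    result = score_request(SAMPLE_LOG.strip().splitlines())
    print(result["total"], result["blocked"])  # 8 True
    print(narrowest_exclusion("942100", result["rules"]["942100"]["variable"]))
```

The rendered directive is what a practitioner would put in the `modsecurity_rules` block from post #7 instead of `SecRuleRemoveById 949110`, so every other rule keeps scoring the phpMyAdmin requests.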
 
Old 05-20-2019, 05:30 AM   #7
newbie14
Hi Astrogeek,
I have been googling; mostly I found the disabling of a directory for Apache. I am looking for a solution for nginx and found this to be working now.
Quote:
location /phpmyadmin {
    modsecurity_rules '
        SecRuleRemoveById 949110
    ';
}
I know this is not good because I am disabling it on a per-directory basis. I still can't find a good solution for the method of increasing the score threshold.
 
Old 05-20-2019, 03:15 PM   #8
scasey
I don't know from nginx, but want to add these suggestions:
  • Don't name the phpmyadmin directory phpmyadmin -- use some other completely unrelated name
  • Require a web server login to access the directory.
Yes, this has nothing to do with your question, but both will help prevent hacking until you figure out how to adjust the scores.
 
Old 05-20-2019, 04:18 PM   #9
astrogeek
I should also mention that I am not very up to date on nginx, so my comments should be understood to have an apache bias where appropriate. Even so, I think modsecurity and directory/location syntax are very much similar - but adjust accordingly.

OK, I found this page, Anomaly Scoring Mode, on the Modsecurity website. Down page a little over half way...

Quote:
Now that we have the capability to do anomaly scoring, the next step is to set our thresholds. This is the score value at which, if the current transactional score is above, it will be denied. We have various different anomaly scoring thresholds to set for both specific vulnerability types and generic requests/response levels.
There is a lot to read there but I think this should include basically what you want.

Using a Location/Directory block as discussed in previous posts, you now need to set an appropriate, different threshold such as (not tested, just an example pulled from that page).

Code:
setvar:tx.sql_injection_score_threshold=25
So the idea would be that in the phpMyAdmin directory context you reset the threshold for sql injection rules higher than for default locations. I will have to again leave it to you to work out the exact syntax needed by your setup.

By the way, I agree with scasey - you need to make phpMyAdmin inaccessible to non-authorized users, by obscurity and by authentication other than just the phpMyAdmin login. It is a high value target for assorted spammer/scammers and other sub-human life forms.

Good luck!
 
Old 05-22-2019, 03:49 AM   #10
newbie14
Quote:
Originally Posted by scasey
I don't know from nginx, but want to add these suggestions:
  • Don't name the phpmyadmin directory phpmyadmin -- use some other completely unrelated name
  • Require a web server login to access the directory.
Yes, this has nothing to do with your question, but both will help prevent hacking until you figure out how to adjust the scores.
Hi Scasey,
1. Yes, I always rename it to something not related, but at times some directories inside still have some named phpmyadmin. Normally I download and unzip and upload the folder to /var/www/html.
2. I have never tried your web server login before; I will try it and read about it.
 
Old 05-22-2019, 03:51 AM   #11
newbie14
Hi Astrogeek,
I am taking both your suggestion and scasey's, and I will go through the links and be back to update you guys soon on how to do it on nginx so that someone else could benefit too.
 
Old 05-22-2019, 10:41 AM   #12
newbie14
Hi Scasey,
I have already restricted the directory, but the weird part is that when I try to access http://myip/phpmyadmin it prompts for user name and password, but when I type http://myip/phpmyadmin/index.php it goes in directly.
 
Old 05-22-2019, 10:45 AM   #13
scasey
Quote:
Originally Posted by newbie14
Hi Scasey,
I have already restricted the directory, but the weird part is that when I try to access http://myip/phpmyadmin it prompts for user name and password, but when I type http://myip/phpmyadmin/index.php it goes in directly.
Once you’ve logged in you won’t need to log in again until you’ve closed all instances of your browser...assuming you didn’t save the login on your browser, of course.
 
Old 05-23-2019, 06:03 AM   #14
newbie14
Hi Scasey,
No, I haven't even logged in, but yet I could go directly to this link http://myip/phpmyadmin/index.php; the prompt only comes when I click on this link http://myip/phpmyadmin?
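As an added example (not from the thread), a Python model of nginx's location selection that reproduces the symptom in the last two posts under one assumed layout: `auth_basic` sits in a `location /phpmyadmin` prefix block while a separate `location ~ \.php$` regex block handles PHP files, so `/phpmyadmin/index.php` is served by the regex block and never sees the auth. The thread does not show the nginx config, so that layout, the `Location` class and `requires_auth` are my assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Location:
    modifier: str   # "" (prefix), "=" (exact), "^~" (prefix, skip regexes) or "~" (regex)
    pattern: str
    auth: bool      # True if the block carries auth_basic

def match_location(locations, uri):
    """nginx order: exact match; longest prefix, which wins outright only with '^~';
    then the first matching regex in config order; else that longest prefix."""
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == uri:
            return loc
    prefixes = [l for l in locations
                if l.modifier in ("", "^~") and uri.startswith(l.pattern)]
    best = max(prefixes, key=lambda l: len(l.pattern), default=None)
    if best is not None and best.modifier == "^~":
        return best
    for loc in locations:
        if loc.modifier == "~" and re.search(loc.pattern, uri):
            return loc
    return best

def requires_auth(locations, uri):
    """Whether the block nginx selects for this URI enforces auth_basic."""
    loc = match_location(locations, uri)
    return loc is not None and loc.auth

# Constructed config (assumed, not from the thread): auth_basic on the prefix block,
# but any URI ending in .php is routed to the regex block, which has no auth.
LEAKY = [
    Location("", "/phpmyadmin", auth=True),
    Location("~", r"\.php$", auth=False),
]
# Fix: '^~' makes the prefix block final, so regex blocks are never consulted for it
# (in real nginx the PHP handler then has to be nested inside this block).
FIXED = [
    Location("^~", "/phpmyadmin", auth=True),
    Location("~", r"\.php$", auth=False),
]

if __name__ == "__main__":
    for uri in ("/phpmyadmin", "/phpmyadmin/index.php"):
        print(uri, "leaky:", requires_auth(LEAKY, uri), "fixed:", requires_auth(FIXED, uri))
```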
 
  


All times are GMT -5.
