
[BUG] Whitelisted IP address is banned by the bad behavior feature

Open quentinfougereau opened this issue 3 years ago • 0 comments

Description

I added my IP address to the WHITELIST_IP variable in order to not be blocked by bunkerized-nginx. But my IP address has been banned by the "bad behavior" feature.

How to reproduce

This is my docker-compose.yml:

version: '3'
services:
  mybunkerized:
    image: bunkerity/bunkerweb:1.4.2
    ports:
      - 80:8080
      - 443:8443
    volumes:
      - ./www:/www:ro
      - ./certs:/etc/letsencrypt
      - ./html:/usr/share/nginx/html
    environment:
      - SERVER_NAME=www.example.com
      #- SERVE_FILES=no
      - USE_REVERSE_PROXY=yes
      - REVERSE_PROXY_URL=/
      - REVERSE_PROXY_HOST=http://myapp/
      - USE_LIMIT_REQ=yes
      - LIMIT_REQ_RATE=10r/s
      - LIMIT_REQ_BURST=5
      - USE_BAD_BEHAVIOR=yes
      - BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
      - BAD_BEHAVIOR_THRESHOLD=10
      - BAD_BEHAVIOR_BAN_TIME=86400
      - BAD_BEHAVIOR_COUNT_TIME=60
      - ALLOWED_METHODS=GET|POST|HEAD|PUT
      - WHITELIST_USER_AGENT=curl/* PostmanRuntime/*
      - WHITELIST_IP=172.19.0.1
  myapp:
    image: nginx

I intentionally triggered ModSecurity (with a GET request containing a body) to ensure that my IP address is not banned.

Logs

As you can see in the logs, the IP address 172.19.0.1 is in the whitelist, but it is banned after triggering ModSecurity multiple times.

mybunkerized_1  | 2022/07/18 08:01:01 [notice] 93#93: *209 [ACCESS] whitelist returned status 0 : IP is in whitelist cache (info = ip/net), client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | www.example.com 172.19.0.1 - - [18/Jul/2022:08:01:01 +0000] "GET / HTTP/1.1" 200 615 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
mybunkerized_1  | 2022/07/18 08:01:02 [notice] 93#93: *209 [ACCESS] whitelist returned status 0 : IP is in whitelist cache (info = ip/net), client: 172.19.0.1, server: www.example.com, request: "GET /favicon.ico HTTP/1.1", host: "www.example.com", referrer: "http://www.example.com/"
mybunkerized_1  | www.example.com 172.19.0.1 - - [18/Jul/2022:08:01:02 +0000] "GET /favicon.ico HTTP/1.1" 200 615 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
mybunkerized_1  | 2022/07/18 08:01:10 [warn] 93#93: *216 ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `3' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "GET"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813127081.965711"] [ref "o0,3v0,3v373,1"], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:10 [warn] 93#93: *216 ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Content-Type' (Value: `0' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "687"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813127081.965711"] [ref "v373,1"], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:10 [error] 93#93: *216 [client 172.19.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `7' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 7)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813127081.965711"] [ref ""], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | www.example.com 172.19.0.1 - - [18/Jul/2022:08:01:10 +0000] "GET / HTTP/1.1" 403 8488 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
mybunkerized_1  | 2022/07/18 08:01:13 [warn] 93#93: *216 ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `3' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "GET"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813127354.841917"] [ref "o0,3v0,3v373,1"], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:13 [warn] 93#93: *216 ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Content-Type' (Value: `0' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "687"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813127354.841917"] [ref "v373,1"], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:13 [error] 93#93: *216 [client 172.19.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `7' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 7)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813127354.841917"] [ref ""], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
[...]
[...]
mybunkerized_1  | www.example.com 172.19.0.1 - - [18/Jul/2022:08:01:24 +0000] "GET / HTTP/1.1" 403 8488 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
mybunkerized_1  | 2022/07/18 08:01:25 [warn] 93#93: *216 ModSecurity: Warning. Matched "Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `3' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "161"] [id "920170"] [rev ""] [msg "GET or HEAD Request with Body Content"] [data "GET"] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813128543.627655"] [ref "o0,3v0,3v373,1"], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:25 [warn] 93#93: *216 ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:Content-Type' (Value: `0' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "687"] [id "920340"] [rev ""] [msg "Request Containing Content, but Missing Content-Type header"] [data ""] [severity "5"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813128543.627655"] [ref "v373,1"], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:25 [error] 93#93: *216 [client 172.19.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `7' ) [file "/opt/bunkerweb/core/modsecurity/files/coreruleset/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 7)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.19.0.3"] [uri "/"] [unique_id "165813128543.627655"] [ref ""], client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:25 [warn] 93#93: *216 [BAD-BEHAVIOR] IP 172.19.0.1 is banned for 86400s (11/10) while logging request, client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | www.example.com 172.19.0.1 - - [18/Jul/2022:08:01:25 +0000] "GET / HTTP/1.1" 403 8488 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
mybunkerized_1  | 2022/07/18 08:01:27 [warn] 93#93: *219 [ACCESS] IP 172.19.0.1 is banned with reason : bad behavior, client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | 2022/07/18 08:01:27 [warn] 93#93: *219 [BAD-BEHAVIOR] IP 172.19.0.1 is banned for 86400s (12/10) while logging request, client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | www.example.com 172.19.0.1 - - [18/Jul/2022:08:01:27 +0000] "GET / HTTP/1.1" 403 8488 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
mybunkerized_1  | 2022/07/18 08:02:17 [warn] 93#93: *228 [ACCESS] IP 172.19.0.1 is banned with reason : bad behavior, client: 172.19.0.1, server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"
mybunkerized_1  | www.example.com 172.19.0.1 - - [18/Jul/2022:08:02:17 +0000] "GET / HTTP/1.1" 403 8488 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

quentinfougereau avatar Jul 18 '22 08:07 quentinfougereau
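The log excerpt above shows the two things a practitioner wants to check after an upgrade: the [ACCESS] line proves the whitelist matched, and the [BAD-BEHAVIOR] line proves the counter banned the same IP anyway. The script below is an added example, not code from the issue or from BunkerWeb. It parses lines in the formats posted above, flags any IP that is banned after being reported as whitelisted, and replays access-log lines through a sliding-window counter that honours the whitelist, which is the behaviour the reporter expected. That counter is an assumed model built from the BAD_BEHAVIOR_* settings in the compose file (count bad status codes per IP over BAD_BEHAVIOR_COUNT_TIME seconds, ban once the count exceeds BAD_BEHAVIOR_THRESHOLD, consistent with the "(11/10)" in the log), not BunkerWeb's implementation. All sample lines are constructed or condensed from the log above.

```python
"""Replay BunkerWeb log lines to spot the symptom reported above: an IP that
the [ACCESS] whitelist step accepted later appears in a [BAD-BEHAVIOR] ban.

Added example for this page, not code from the issue or from BunkerWeb.
The regexes follow the log formats posted above; the sample lines are
constructed. The sliding-window counter below is an assumed model built
from the BAD_BEHAVIOR_* settings in the compose file, not BunkerWeb's
implementation.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WHITELIST_RE = re.compile(
    r"\[ACCESS\] whitelist returned status 0 : IP is in whitelist cache"
    r".*?client: (?P<ip>[\d.]+)")
BAN_RE = re.compile(
    r"\[BAD-BEHAVIOR\] IP (?P<ip>[\d.]+) is banned for (?P<secs>\d+)s"
    r" \((?P<count>\d+)/(?P<thr>\d+)\)")
# access-log line after the compose prefix:
# www.example.com 172.19.0.1 - - [18/Jul/2022:08:01:10 +0000] "GET / HTTP/1.1" 403 8488 "-" "..."
ACCESS_RE = re.compile(
    r'^\S+ (?P<ip>[\d.]+) - - \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')


def strip_compose_prefix(line):
    """Drop the 'mybunkerized_1  | ' prefix that docker-compose adds to container output."""
    return line.split("| ", 1)[1] if "| " in line else line


def find_whitelisted_bans(lines):
    """Return [(ip, count, threshold)] for each ban of an IP that an earlier
    line reported as whitelisted. Any hit is the bug in this issue: the
    whitelist did not stop the bad-behavior counter."""
    whitelisted, hits = set(), []
    for line in lines:
        m = WHITELIST_RE.search(line)
        if m:
            whitelisted.add(m.group("ip"))
            continue
        m = BAN_RE.search(line)
        if m and m.group("ip") in whitelisted:
            hits.append((m.group("ip"), int(m.group("count")), int(m.group("thr"))))
    return hits


def simulate_bad_behavior(access_lines, whitelist, *, status_codes, threshold, count_time):
    """Assumed model of the counter: per IP, count responses whose status is in
    status_codes inside a sliding window of count_time seconds and ban once the
    count exceeds threshold (matches the '(11/10)' in the posted log). IPs in
    whitelist are skipped, which is what the reporter expected from WHITELIST_IP.
    Returns {ip: timestamp of the request that triggered the ban}."""
    windows, banned = defaultdict(deque), {}
    for raw in access_lines:
        m = ACCESS_RE.match(strip_compose_prefix(raw))
        if not m:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        if ip in whitelist or ip in banned or status not in status_codes:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > count_time:  # expire entries outside the window
            q.popleft()
        if len(q) > threshold:
            banned[ip] = ts
    return banned


def access_line(ip, offset_s, status):
    """Build a constructed access-log line in the format posted above,
    offset_s seconds after 08:01:00."""
    mm, ss = divmod(offset_s, 60)
    return (f'mybunkerized_1  | www.example.com {ip} - - '
            f'[18/Jul/2022:08:{1 + mm:02d}:{ss:02d} +0000] "GET / HTTP/1.1" '
            f'{status} 8488 "-" "Mozilla/5.0"')


# Settings taken from the compose file in the report.
BAD_STATUS = {400, 401, 403, 404, 405, 429, 444}
THRESHOLD, COUNT_TIME = 10, 60
WHITELIST = {"172.19.0.1"}

# Constructed samples: 11 x 403 in 11 s from the whitelisted IP, the same burst
# from a non-whitelisted IP, and 11 x 403 spread over 100 s from a third IP.
BURST_WHITELISTED = [access_line("172.19.0.1", i, 403) for i in range(11)]
BURST_OTHER = [access_line("172.19.0.9", i, 403) for i in range(11)]
SLOW_OTHER = [access_line("172.19.0.7", 10 * i, 403) for i in range(11)]

# Two lines condensed from the error log posted above.
SAMPLE_ERROR_LOG = [
    'mybunkerized_1  | 2022/07/18 08:01:01 [notice] 93#93: *209 [ACCESS] whitelist '
    'returned status 0 : IP is in whitelist cache (info = ip/net), client: 172.19.0.1, '
    'server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"',
    'mybunkerized_1  | 2022/07/18 08:01:25 [warn] 93#93: *216 [BAD-BEHAVIOR] IP 172.19.0.1 '
    'is banned for 86400s (11/10) while logging request, client: 172.19.0.1, '
    'server: www.example.com, request: "GET / HTTP/1.1", host: "www.example.com"',
]

if __name__ == "__main__":
    print("whitelisted IPs banned:", find_whitelisted_bans(SAMPLE_ERROR_LOG))
    print("bans under the expected behaviour:",
          simulate_bad_behavior(BURST_WHITELISTED + BURST_OTHER + SLOW_OTHER, WHITELIST,
                                status_codes=BAD_STATUS, threshold=THRESHOLD,
                                count_time=COUNT_TIME))
```

Run it against `docker-compose logs` output (after stripping nothing; the compose prefix is handled) to confirm that `find_whitelisted_bans` returns an empty list on a fixed build. The replay shows the expected outcome under the same thresholds: the whitelisted IP is never counted, the unlisted IP is banned on its 11th 403, and the slow IP stays under the threshold because entries older than BAD_BEHAVIOR_COUNT_TIME fall out of the window.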

Hello @quentinfougereau, it should be fixed in the latest version, v1.4.3.

fl0ppy-d1sk avatar Aug 26 '22 18:08 fl0ppy-d1sk