No access to data: nextcloud and mod_security2

Nextcloud: 15.0.5
OS: Debian Stretch
Apache: 2.4.25
PHP: 7.0

My apache is configured to use mod_security2. I installed nextcloud alongside the instruction manual. Then user and group permissions were customized due to the domain space provided by ispconfig.

As soon as I log in with admin or user account the data of that user can’t be accessed and the browser console drops 403 errors resulting in endless spinners.

Here’s a snippet of modsec_debug.log and it looks like several rules apply to various nextcloud calls:

[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/files/][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/files/][3] Rule 7fb02d900828 [id "932100"][file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null).
[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/files/][3] Rule 7fb02d8d8868 [id "932105"][file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "162"] - Execution error - PCRE limits exceeded (-8): (null).
[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/files/][3] Rule 7fb02d8ac748 [id "932110"][file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "261"] - Execution error - PCRE limits exceeded (-8): (null).
[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/files/][3] Rule 7fb02d8a07c0 [id "932115"][file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "302"] - Execution error - PCRE limits exceeded (-8): (null).
[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/files/][3] Rule 7fb02e617c48 [id "932150"][file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "479"] - Execution error - PCRE limits exceeded (-8): (null).
[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/files/][1] Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
[08/Apr/2019:10:18:33 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php][2] Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Method is not allowed by policy; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]
[08/Apr/2019:10:22:35 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/firstrunwizard/wizard][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"] [ver "OWASP_CRS/3.1.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [tag "OWASP_CRS/POLICY/METHOD_NOT_ALLOWED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "OWASP_AppSensor/RE1"] [tag "PCI/12.1"]
[08/Apr/2019:10:22:35 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php/apps/firstrunwizard/wizard][1] Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"]
[08/Apr/2019:10:22:35 +0200] [cloud.domain.de/sid#123456789abc][rid#123456789abc][/nextcloud/index.php][2] Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/owasp-modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "86"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Method is not allowed by policy; individual paranoia level scores: 5, 0, 0, 0"] [tag "event-correlation"]

Is there any list of which rules to switch off? Or does anyone know how to deal with exceptions in mod_security? Because I don’t want to live without mod_sec2.

I very much appreciate your help.

The only entry in Admin > Logging:

is_readable(): open_basedir restriction in effect. File(/proc/meminfo) is not within the allowed path(s): 

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '...',
  'passwordsalt' => '...',
  'secret' => '...',
  'trusted_domains' => 
  array (
    0 => 'cloud.domain.de',
  ),
  'datadirectory' => '/path/to/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '15.0.5.3',
  'overwrite.cli.url' => 'https://cloud.domain.de/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => '...',
  'installed' => true,
);
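An added example, not code from the post or from Nextcloud/ModSecurity: a small Python script that groups modsec_debug.log hits like the ones quoted above by rule id for requests under the Nextcloud path, then maps each finding to the narrowest tuning step (extending the method allow-list for 911100, raising the PCRE limits for the execution errors, a path-scoped ctl:ruleRemoveById for anything else) rather than disabling whole rule files. The sample log lines are constructed in the same format as the post's; SecPcreMatchLimit and SecPcreMatchLimitRecursion are ModSecurity 2.x directives, and the /nextcloud/ prefix is assumed from the URIs in the log.

```python
import re

# Constructed sample in the modsec_debug.log format quoted in the post, trimmed to the bracketed fields the parser reads.
SAMPLE_LOG = """\
[08/Apr/2019:10:18:33 +0200] [cloud.example/sid#1][rid#1][/nextcloud/index.php/apps/files/][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "PROPFIND"] [severity "CRITICAL"]
[08/Apr/2019:10:18:33 +0200] [cloud.example/sid#1][rid#1][/nextcloud/index.php/apps/files/][3] Rule 7fb02d900828 [id "932100"][file "REQUEST-932-APPLICATION-ATTACK-RCE.conf"][line "124"] - Execution error - PCRE limits exceeded (-8): (null).
[08/Apr/2019:10:18:33 +0200] [cloud.example/sid#1][rid#1][/nextcloud/index.php/apps/files/][1] Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
[08/Apr/2019:10:22:35 +0200] [cloud.example/sid#1][rid#1][/nextcloud/index.php/apps/firstrunwizard/wizard][2] Warning. Match of "within %{tx.allowed_methods}" against "REQUEST_METHOD" required. [file "REQUEST-911-METHOD-ENFORCEMENT.conf"] [line "46"] [id "911100"] [msg "Method is not allowed by policy"] [data "DELETE"] [severity "CRITICAL"]
"""

HEAD_RE = re.compile(r'^\[[^\]]+\] \[[^\]]*\]\[[^\]]*\]\[([^\]]*)\]\[(\d)\] (.*)$')  # [ts] [host/sid][rid][uri][level] msg
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')      # [id "911100"], [msg "..."], [data "..."]
SCORING_RULES = {"949110", "980130"}            # anomaly evaluation/correlation, not root causes

def parse_line(line):
    """Return uri, rule id and key fields of one debug-log line, or None if it is not a rule line."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    uri, rest = m.group(1), m.group(3)
    f = dict(KV_RE.findall(rest))
    return {"uri": uri, "id": f.get("id"), "msg": f.get("msg", ""),
            "data": {f["data"]} if "data" in f else set(), "pcre_limit": "PCRE limits exceeded" in rest}

def summarize(log_text, path_prefix="/nextcloud/"):
    """Group hits per rule id for requests under path_prefix, skipping the scoring rules."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["id"] or ev["id"] in SCORING_RULES or not ev["uri"].startswith(path_prefix):
            continue
        h = hits.setdefault(ev["id"], {"count": 0, "uris": set(), "data": set(),
                                       "pcre_limit": False, "msg": ev["msg"]})
        h["count"] += 1
        h["uris"].add(ev["uri"])
        h["pcre_limit"] = h["pcre_limit"] or ev["pcre_limit"]
        h["data"] |= ev["data"]
    return hits

def suggest(hits):
    """Narrowest tuning step per finding, instead of disabling whole rule files or the engine."""
    advice = []
    for rid, h in sorted(hits.items()):
        if h["pcre_limit"]:
            advice.append(f"{rid}: PCRE limit exceeded, raise SecPcreMatchLimit/SecPcreMatchLimitRecursion instead of removing the rule")
        elif rid == "911100":
            advice.append(f"{rid}: extend tx.allowed_methods with {sorted(h['data'])} (the CRS Nextcloud exclusion does this)")
        else:
            advice.append(f"{rid}: review '{h['msg']}' on {sorted(h['uris'])}; scope any ctl:ruleRemoveById to that path")
    return advice
```

Run it over the real modsec_debug.log instead of SAMPLE_LOG to get the per-rule list the question asks for, with the anomaly-scoring rules 949110/980130 filtered out so only the actual triggers remain.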

I got it to run

  1. by activating / uncommenting this exclusion in crs-setup.conf:

    SecAction \
     "id:900130,\
      phase:1,\
      nolog,\
      pass,\
      t:none,\
      setvar:tx.crs_exclusions_nextcloud=1"

and

  2. by moving
    modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
    into non-active state

(not fully tested though)


Also found you need to add:

SecRule REMOTE_ADDR "@contains your-ip-address" "id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"

in /etc/modsecurity/modsecurity.conf