Login forbidden&errors ...



  • Just don't install Naxsi 👍

    Dear friends,

    I have a problem with my nodebb Installation. After switching to a new Server I can't login anymore. Error: Forbidden

    Debian 8.0 x64
    nginx 1.9.4
    npm 3.3.4
    redis 2.8.17
    node 0.10.29

    My nginx Configuration:

    server {
    			listen 80 default_server;
    			server_name sondorsforum.com;
    			return 301 https://sondorsforum.com$request_uri;
    }
    
    server {
    			listen 80;
    			server_name 5.189.143.37;
    			return 503;
    }
    
    server {
    			listen 443;
    			server_name 5.189.143.37;
    			return 503;
    }
    
    server {
    			listen 443 ssl spdy default deferred;
    			server_name sondorsforum.com;
    
    			location / {
    		    include /etc/nginx/naxsi.rules;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
    
                proxy_pass http://0.0.0.0:4567/;
                proxy_redirect off;
                # Socket.IO Support
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header Host $host;
    		    }
    
    			ssl_certificate 	ssl/sondorsforum.com.pem;
    			ssl_certificate_key ssl/sondorsforum.com.key;
    			#ssl_trusted_certificate ssl/trustedbundle.pem;
    			ssl_dhparam	     	ssl/dh.pem;
    			ssl_ecdh_curve		secp384r1;
    			ssl_session_cache   shared:SSL:10m;
    			ssl_session_timeout 10m;
    			ssl_session_tickets off;
    			ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    			ssl_prefer_server_ciphers on;
    
    			#ssl_stapling on;
    			#ssl_stapling_verify on;
    			#resolver 8.8.8.8 8.8.4.4 valid=300s;
    			#resolver_timeout 5s;
    
    			ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    			
    			# HSTS - uncomment if you have a valid SSL certificate
    			#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    			add_header X-Frame-Options DENY;
    			add_header Alternate-Protocol  443:npn-spdy/2;
    			add_header X-Content-Type-Options nosniff;
    			add_header X-XSS-Protection "1; mode=block";
    			#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    
    			pagespeed on;
    			pagespeed FetchHttps enable,allow_self_signed;
    			pagespeed FileCachePath /var/lib/nginx/nps_cache;
    			pagespeed RewriteLevel PassThrough;
    			pagespeed EnableFilters collapse_whitespace;
    			pagespeed EnableFilters canonicalize_javascript_libraries;
    			pagespeed EnableFilters combine_css;
    			pagespeed EnableFilters combine_javascript;
    			pagespeed EnableFilters elide_attributes;
    			pagespeed EnableFilters extend_cache;
    			pagespeed EnableFilters flatten_css_imports;
    			pagespeed CssFlattenMaxBytes 5120;
    			pagespeed EnableFilters lazyload_images;
    			pagespeed EnableFilters rewrite_javascript;
    			pagespeed EnableFilters rewrite_images;
    			pagespeed EnableFilters insert_dns_prefetch;
    			pagespeed EnableFilters prioritize_critical_css;
    
    			# This will correctly rewrite your subresources with https:// URLs and thus avoid mixed content warnings.
    			# Note, that you should only enable this option if you are behind a load-balancer that will set this header,
    			# otherwise your users will be able to set the protocol PageSpeed uses to interpret the request.
    			#
    			pagespeed RespectXForwardedProto on;
    
    			auth_basic_user_file htpasswd/.htpasswd;
    
    			include /etc/nginx/sites-custom/*.conf;
    
    			location ~ \.php$ {
    				try_files $uri =404;
    				fastcgi_split_path_info ^(.+\.php)(/.+)$;
    				fastcgi_pass unix:/var/run/php5-fpm.sock;
    				fastcgi_index index.php;
    				include fastcgi.conf;
    				fastcgi_intercept_errors on;
    				fastcgi_ignore_client_abort off;
    				fastcgi_buffers 256 16k;
    				fastcgi_buffer_size 128k;
    				fastcgi_connect_timeout 3s;
    				fastcgi_send_timeout 120s;
    				fastcgi_read_timeout 120s; 
    				fastcgi_busy_buffers_size 256k;
    				fastcgi_temp_file_write_size 256k;
    			}
    
    		
    
    			location ~ /\. {
    				deny all;
    				access_log off;
    				log_not_found off;
    			}
    
    			location = /robots.txt {
    				allow all;
    				log_not_found off;
    				access_log off;
    			}
    
    			# Uncomment, if you need to remove index.php from the
    			# URL. Usefull if you use Codeigniter, Zendframework, etc.
    			# or just need to remove the index.php
    			#
    			#location / {
    			#   try_files $uri $uri/ /index.php?$args;
    			#}
    
    			location ~* ^.+\.(css|js)$ {
    				rewrite ^(.+)\.(\d+)\.(css|js)$ $1.$3 last;
    				expires 30d;
    				access_log off;
    				log_not_found off;
    				add_header Pragma public;
    				add_header Cache-Control "max-age=2592000, public";
    			}
    
    			location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
    				expires 30d;
    				access_log off;
    				log_not_found off;
    				add_header Pragma public;
    				add_header Cache-Control "max-age=2592000, public";
    			}
    
    }
    

    Naxsi.rules file if necessary:

    LearningMode;
    SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    
    # Rules
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    

    naxsi_core.rules

    ##################################
    ## INTERNAL RULES IDS:1-999     ##
    ##################################
    #@MainRule "msg:weird request, unable to parse" id:1;
    #@MainRule "msg:request too big, stored on disk and not parsed" id:2;
    #@MainRule "msg:invalid hex encoding, null bytes" id:10;
    #@MainRule "msg:unknown content-type" id:11;
    #@MainRule "msg:invalid formatted url" id:12;
    #@MainRule "msg:invalid POST format" id:13;
    #@MainRule "msg:invalid POST boundary" id:14;
    #@MainRule "msg:invalid JSON" id:15;
    #@MainRule "msg:empty POST" id:16;
    #@MainRule "msg:libinjection_sql" id:17;
    #@MainRule "msg:libinjection_xss" id:18;
    
    ##################################
    ## SQL Injections IDs:1000-1099 ##
    ##################################
    MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
    MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
    MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
    ## Hardcore rules
    MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
    MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
    MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
    MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
    ## end of hardcore rules
    MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
    MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
    MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
    MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
    MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
    MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
    MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
    MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
    MainRule "str:@@" "msg:double @@" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
    
    ###############################
    ## OBVIOUS RFI IDs:1100-1199 ##
    ###############################
    MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
    MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
    MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
    MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
    MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
    MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
    MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
    MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
    MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
    MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
    
    #######################################
    ## Directory traversal IDs:1200-1299 ##
    #######################################                                          
    MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
    MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
    MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
    MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
    MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
    #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
    
    ########################################
    ## Cross Site Scripting IDs:1300-1399 ##
    ########################################
    MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
    MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
    MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
    MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
    MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
    MainRule "str:`"  "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
    MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
    
    ####################################
    ## Evading tricks IDs: 1400-1500 ##
    ####################################
    MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
    MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
    
    #############################
    ## File uploads: 1500-1600 ##
    #############################
    MainRule "rx:\.ph|\.asp|\.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;
    

    In error log I found this:

    2015/09/27 16:02:22 [error] 20505#0: *1163 NAXSI_FMT: ip=108.xx.221.xx7&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=633&total_blocked=553&block=1&zone0=BODY&id0=11&var_name0=, client: 1x8.1xx.221.xx7, server: sondorsforum.com, request: "POST /socket.io/?EIO=3&transport=polling&t=1443362898342-122709&sid=Z6hgNYilz7n697KEAAAs HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/topic/55/kt-lcd3-display-connector-type-pins/15"
    2015/09/27 16:02:25 [error] 20505#0: *1166 NAXSI_FMT: ip=10x.162.2xx.1x5&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=635&total_blocked=554&block=1&cscore0=$XSS&score0=40&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=BODY&id1=11&var_name1=, client: 10x.162.2xx.1x5, server: sondorsforum.com, request: "POST /socket.io/?EIO=3&transport=polling&t=1443362548069-1547&sid=JdOnEYo8eOjo92KZAAA1 HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/topic/70/kt-lcd3-settings-for-sondors"
    2015/09/27 16:02:25 [error] 20505#0: *1166 NAXSI_FMT: ip=108.12x.2x2.1x5&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=636&total_blocked=555&block=1&cscore0=$XSS&score0=40&zone0=HEADERS&id0=1315&var_name0=cookie, client: 1x8.16x.2x2.1x5, server: sondorsforum.com, request: "GET /socket.io/?EIO=3&transport=polling&t=1443362548905-1548&sid=JdOnEYo8eOjo92KZAAA1 HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/topic/70/kt-lcd3-settings-for-sondors"
    2015/09/27 16:02:29 [error] 20505#0: *1169 NAXSI_FMT: ip=16x.1x8.88.x06&server=sondorsforum.com&uri=/socket.io/&learning=1&vers=0.54&total_processed=637&total_blocked=556&block=1&cscore0=$SQL&score0=40&cscore1=$XSS&score1=200&zone0=HEADERS&id0=1005&var_name0=cookie&zone1=HEADERS&id1=1010&var_name1=cookie&zone2=HEADERS&id2=1011&var_name2=cookie&zone3=HEADERS&id3=1315&var_name3=cookie&zone4=BODY&id4=11&var_name4=, client: x6x.1x8.8x.x06, server: sondorsforum.com, request: "POST /socket.io/?EIO=3&transport=polling&t=1443362548637-13651&sid=uaVLv6IIo-6DDqrCAAA2 HTTP/1.1", host: "sondorsforum.com", referrer: "https://sondorsforum.com/unread"
    

    Thanks for your help


Log in to reply
 


Looks like your connection to NodeBB was lost, please wait while we try to reconnect.