Why Hiawatha keeps banning me

Fred
12 September 2016, 15:30
Hi hugo,

I have removed my IP from the whitelisted list of IPs to see what my users are experiencing...
We have 2 applications running
1 - Hesk Ticket (hesk.com)
2 - Wordpress

I need to mention that both applications are on different domains and behind a Hiawatha reverse proxy..

When I am in Hesk and try to sort the tickets in chronological date order, I get banned and see the following in the exploit.log file
62.30.xxx.xx|Mon 12 Sep 2016 13:28:38 +0100|www.mydomain.co.uk|/support/admin/show_tickets.php?s0=1&s1=1&s2=1&s4=1&s5=1&p0=1&p1=1&p2=1&p3=1&category=0&limit=20&archive=0&s_my=1&s_ot=1&s_un=1&page=1&cot=0&g=&asc=0&sort=dt|SQLi|/support/admin/show_tickets.php?s0=1&s1=1&s2=1&s4=1&s5=1&p0=1&p1=1&p2=1&p3=1&category=0&limit=20&archive=0&s_my=1&s_ot=1&s_un=1&page=1&cot=0&g=&asc=0&sort=dt

When I am in WordPress and try to run the WooCommerce wizard, I get banned and see the following in the exploit.log file
62.30.xxx.xx|Mon 12 Sep 2016 14:08:43 +0100|www.anotherdoamin.co.uk|/wp-admin/admin.php?page=wc-setup&step=locale|SQLi|store_location=GB&currency_code=GBP&currency_pos=left&thousand_sep=%2C&decimal_sep=.&num_decimals=2&weight_unit=kg&dimension_unit=cm&save_step=Continue&_wpnonce=5c05d365f2&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dwc-setup%26step%3Dlocale

In order to be able to access the sites again, I need to restart the Hiawatha reverse proxy..
Below are my settings for the reverse proxy:
Hiawatha.conf
set LOCALHOST = 127.0.0.0/8
#set MyIPv4 = 91.223.xxx.xxx
set MyIPv4 = 10.8.20.13
set TrustedIP_1 = 77.99.xxx.xxx # Headquarters
set TrustedIP_2 = 86.19.xxx.xxx # Office

# GENERAL SETTINGS
#
ServerString = Apache
ServerId = www:www
ConnectionsTotal = 4096 # Maximum number of simultaneous connections. Default = 150
ConnectionsPerIP = 25 # Maximum number of simultaneous connections per IP address. Default = 2
ThreadPoolSize = 128
ThreadKillRate = 8
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
CacheSize = 512 #Size of Hiawatha's internal file cache. Maximum is 1024 (megabytes). Default = 10
CacheMaxFilesize = 512 # Maximum size of a file Hiawatha will store in its internal cache. Default = 256
CacheRProxyExtensions = css, eot, gif, html, htm, ico, jpg, jpeg, js, otf, png, svg, swf, ttf, txt, woff, woff2
#MaxUrlLength = 1200 # Maximum length of the path of an URL that the webserver accepts as being valid. Default = 1000
MaxUrlLength = 21000
#MinTLSversion = 1.2 # Specify the minimum TLS version Hiawatha accepts for HTTPS connections. Default = 1.1
MinTLSversion = 1.0
DHsize = 4096 # Set the size of the Diffie-Hellman keys. Default = 2048
SocketSendTimeout = 30

LogfileMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2


# BINDING SETTINGS
# A binding is where a client can connect to.
#
include bindings.conf

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
BanOnWrongPassword = 6:900
BanOnSQLi = 3600
KickOnBan = yes
RebanDuringBan = yes
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2


# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
CustomHeader = X-Frame-Options: DENY
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
#ErrorHandler = 404:/error.cgi


# VIRTUAL HOSTS
# Use a VirtualHost section to declare the websites you want to host.
#
include domains_enabled

include domains_enabled:
VirtualHost {
Hostname = www.mydomain.co.uk, mydomain.co.uk, dev.mydomain.co.uk, repo.mydomain.co.uk
WebsiteRoot = /var/www/empty
StartFile = index.php
#RequireTLS = yes,31536000
TLScertFile = /usr/local/etc/hiawatha/ssl/mydomain.co.uk.key
TimeForCGI = 60
ExecuteCGI = no
PreventXSS = yes
#PreventCSRF = yes # can cause problems. Default = no
PreventSQLi = yes
RandomHeader = 512
ReverseProxy .* http://10.20.20.18:80 30 keep-alive
ReverseProxy .* https://10.20.20.18:443 30 keep-alive
#LoginMessage = scanner.example.tld
#PasswordFile = digest:/srv/www/digest/scanner.digest
AccessLogfile = /var/log/hiawatha/access.mydomain.co.uk.log
ErrorLogfile = /var/log/hiawatha/error.mydomain.co.uk.log
}
VirtualHost {
Hostname = www.anotherdoamin.co.uk, anotherdoamin.co.uk, *.anotherdoamin.co.uk
WebsiteRoot = /var/www/empty
StartFile = index.php
RequireTLS = yes,31536000
TLScertFile = /usr/local/etc/hiawatha/ssl/anotherdoamin.co.uk.key
ExecuteCGI = no
PreventXSS = yes
#PreventCSRF = yes # can cause problems. Default = no
PreventSQLi = yes
RandomHeader = 512
ReverseProxy .* http://10.8.20.25:80 30000 keep-alive
ReverseProxy .* https://10.8.20.25:443 30000 keep-alive
#LoginMessage = scanner.example.tld
#PasswordFile = digest:/srv/www/digest/scanner.digest
AccessLogfile = /var/log/hiawatha/access.anotherdoamin.co.uk.log
ErrorLogfile = /var/log/hiawatha/error.anotherdoamin.co.uk.log
}

Could you please help?

Thank you
Fred
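As an added example, not code from the thread or from the Hiawatha project: a small Python triage script for exploit.log lines in the layout shown above (client IP, timestamp, Host header, request URI, detection type, offending data; the field order is inferred from the two logged entries). It groups detections per host and endpoint and flags hits that a BanlistMask-style trusted range would have exempted anyway, so an admin can see which application URLs trigger the false positives before deciding on PreventSQLi. The sample lines are constructed.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample lines in the exploit.log layout seen in the thread:
# ip|timestamp|host|uri|detection type|offending data
SAMPLE_LOG = """\
62.30.10.11|Mon 12 Sep 2016 13:28:38 +0100|www.mydomain.co.uk|/support/admin/show_tickets.php?asc=0&sort=dt|SQLi|/support/admin/show_tickets.php?asc=0&sort=dt
62.30.10.11|Mon 12 Sep 2016 14:08:43 +0100|www.anotherdoamin.co.uk|/wp-admin/admin.php?page=wc-setup&step=locale|SQLi|store_location=GB&currency_code=GBP&save_step=Continue
10.8.20.13|Mon 12 Sep 2016 14:10:01 +0100|www.mydomain.co.uk|/index.php|XSS|q=<script>
"""


def parse_exploit_log(text):
    """Parse exploit.log text into dicts; the last field may contain '|'
    itself, so split at most five times."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, stamp, host, uri, kind, data = line.split("|", 5)
        entries.append({
            "ip": ipaddress.ip_address(ip),
            "time": datetime.strptime(stamp, "%a %d %b %Y %H:%M:%S %z"),
            "host": host,
            "uri": uri,
            "type": kind,
            "data": data,
        })
    return entries


def triage(entries, trusted_networks):
    """Return (counts per (host, type), counts per (host, path), hits from
    trusted ranges). Trusted ranges are given in CIDR form like the
    BanlistMask entries in the config (assumption: one network per item)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    per_type = Counter((e["host"], e["type"]) for e in entries)
    # Strip the query string so repeated false positives on one
    # application endpoint collapse into a single counter key.
    per_path = Counter((e["host"], e["uri"].split("?", 1)[0]) for e in entries)
    from_trusted = [e for e in entries if any(e["ip"] in n for n in nets)]
    return per_type, per_path, from_trusted
```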
Hugo Leisink
12 September 2016, 23:23
Both bans are due to a (falsely) detected SQL injection attempt. Disable the PreventSQLi option and try again.
Fred
15 September 2016, 00:29
Hi Hugo,

You are correct, setting
PreventSQLi = detect
did solve the issue..
But now Hiawatha is no longer blocking legitimate SQL injection attempts..
Is there a way I could whitelist such requests?
Via toolkit, directory or other means?

Thank you
Hugo Leisink
15 September 2016, 11:47
No, that's not possible. You should see the PreventSQLi option as an emergency measure, not as something to have enabled all the time. If your application is vulnerable to SQL injection, taking it offline is not really an option and a patch is not available, then you use PreventSQLi.
This topic has been closed.