mod_security howto

Does anyone have a “mod_security howto” which allows us to install mod_security step by step, so we don’t take down all functionality?

I have mod_security installed, but when trying to use the canned modsecurity_crs_20_* rules, I end up turning my server into a toaster.

I’m hoping someone could provide some answers on how to protect, without breaking usefulness.

Here’s what I have so far:

[code]How to install MOD_SECURITY on Debian 7 with Virtualmin
(mod_security info at https://github.com/SpiderLabs/owasp-modsecurity-crs/)

mkdir /root/work/modsecurity
cd /root/work/modsecurity
apt-get install libapache2-modsecurity

(configure mod_security)

vim /etc/apache2/mods-available/mod-security.conf

(add the following)

# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
Include "/etc/modsecurity/*.conf"

(enable mod_security)

ln -s /etc/apache2/mods-available/mod-security.conf /etc/apache2/mods-enabled/mod-security.conf
ln -s /etc/apache2/mods-available/mod-security.load /etc/apache2/mods-enabled/mod-security.load
service apache2 restart

(set/capture conf file)

mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
cp /etc/modsecurity/modsecurity.conf .
a2enmod mod-security
a2enmod headers

(test current apache configuration)

apachectl configtest

(reload apache2)

service apache2 reload

(download owasp rules)

rm -f crs.zip
wget -O crs.zip https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/v2.2.5
unzip crs.zip
rm -fr previous-owasp
mv owasp previous-owasp
mv Spider* owasp

rm -fr /etc/modsecurity/*
cp modsecurity.conf /etc/modsecurity

cp -f /root/work/modsecurity/owasp/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

STOP HERE UNLESS YOU KNOW WHICH RULES TO ENABLE WITHOUT BREAKING VIRTUALMIN!!!

(enables rules)

#cd /root/work/modsecurity/owasp/base_rules/
#for f in * ; do ln -s /root/work/modsecurity/owasp/base_rules/$f /etc/modsecurity/$f;done

#cd /root/work/modsecurity/owasp/optional_rules/
#for f in * ; do ln -s /root/work/modsecurity/owasp/optional_rules/$f /etc/modsecurity/$f; done

#cd /root/work/modsecurity/owasp/slr_rules/
#for f in * ; do ln -s /root/work/modsecurity/owasp/slr_rules/$f /etc/modsecurity/$f; done

(some housekeeping)

cd /etc/modsecurity
rm -f modsecurity_crs_50_outbound.conf

(test current apache configuration)

apachectl configtest

(restart apache2)

service apache2 restart[/code]

Really? No one else using mod_security?

I did get it to install without breaking virtualmin, but many of my clients have php code that doesn’t like the mod_security rules. I had to remove them to get everyone working.

Very disappointing that mod_security logs are so hard to read
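An added example, not from the original posts or the Virtualmin project, of the tuning loop that avoids removing the rules again once a client's PHP app trips them: keep `SecRuleEngine DetectionOnly` (the setting shipped in the `modsecurity.conf-recommended` file copied in the how-to) while the CRS is enabled, parse the `ModSecurity:` lines in Apache's error log to see which rule ids fire on which URIs, and emit per-location `SecRuleRemoveById` exclusions only for the paths you have verified as legitimate application traffic. The log lines, hostnames, client addresses and paths are constructed; the rule ids and messages are modelled on CRS 2.2.x.

```python
import re
from collections import Counter, defaultdict

# Constructed sample error_log lines in ModSecurity 2.x format (ids and messages
# modelled on OWASP CRS 2.2.x; hosts, paths and clients are made up for this example).
SAMPLE_LOG = r"""
[Tue Mar 05 10:12:33 2013] [notice] Apache/2.2.22 (Debian) configured -- resuming normal operations
[Tue Mar 05 10:14:01 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:#.*?$)" at ARGS:comment. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "shop.example"] [uri "/cart/update.php"] [unique_id "UTXoh38AAQEAAAk4AG0AAAAA"]
[Tue Mar 05 10:14:02 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Operator GT matched 3 at TX:sql_injection_score. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [hostname "shop.example"] [uri "/cart/update.php"] [unique_id "UTXoh38AAQEAAAk4AG0AAAAB"]
[Tue Mar 05 10:20:45 2013] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:#.*?$)" at ARGS:comment. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "shop.example"] [uri "/cart/update.php"] [unique_id "UTXoh38AAQEAAAk4AG0AAAAC"]
[Tue Mar 05 10:25:00 2013] [error] [client 203.0.113.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "shop.example"] [uri "/api/ping.php"] [unique_id "UTXoh38AAQEAAAk4AG0AAAAD"]
"""

# ModSecurity 2.x appends its metadata as [name "value"] pairs; we only need these four.
FIELD = re.compile(r'\[(id|msg|uri|hostname) "([^"]*)"\]')


def parse_modsec_events(text):
    """Return one dict per ModSecurity line in the error log; other Apache lines are skipped."""
    events = []
    for line in text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" in fields:            # lines without a rule id (e.g. engine notices) are not rule hits
            events.append(fields)
    return events


def rule_hit_counts(events):
    """Hits per (rule id, message): the noisiest rules are the first tuning candidates."""
    return Counter((e["id"], e.get("msg", "")) for e in events)


def hits_by_uri(events):
    """Map each request URI to the set of rule ids it triggered."""
    by_uri = defaultdict(set)
    for e in events:
        by_uri[e.get("uri", "/")].add(e["id"])
    return by_uri


def render_exclusions(by_uri, known_good_uris):
    """Emit ModSecurity 2.x config that disables only the offending rules, only for
    URIs the admin has verified as legitimate app traffic (<Location> is a prefix match)."""
    out = []
    for uri in sorted(known_good_uris):
        ids = sorted(by_uri.get(uri, ()))
        if ids:
            out += ['<Location "%s">' % uri, "    SecRuleRemoveById " + " ".join(ids), "</Location>"]
    return "\n".join(out)


if __name__ == "__main__":
    evts = parse_modsec_events(SAMPLE_LOG)
    for (rid, msg), n in rule_hit_counts(evts).most_common():
        print("%5d  %s  %s" % (n, rid, msg))
    print(render_exclusions(hits_by_uri(evts), ["/cart/update.php"]))
```

Point it at the real `/var/log/apache2/error.log` (or the audit log's H section) and drop the rendered `<Location>` stanzas into a file under `/etc/modsecurity/` that is included after the CRS rules; the rest of the rule set keeps running for every other path.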