Modsecurity configuration with base rules on CentOS 7.2 and Apache
01 Apr 2016
I finally got the base rules from the modsecurity CRS (Core Rule Set) working with Apache on my CentOS 7 install (previous steps here). Here are some notes based on that install:
Note: I'm performing all the changes as root because constantly typing sudo is giving me a headache :)
A configuration template (modsecurity.conf-recommended) is provided with the modsecurity installation package. I unpacked it during installation into the directory /root/modsecurity-2.9.1. You can just copy that file to the directory where you keep your apache config to get started:
The first thing I did was restart httpd, and I got this error:
The unicode.mapping file is also included in the modsecurity installation directory. I just copied it over to
After that change, modsecurity and apache start up.
I'm leaving the configuration at its defaults for now, with modsecurity in detection mode (I don't want to block anything yet):
So that was the first part. Now I had to get the rules in place.
Adding OWASP ModSecurity Core Rule Set (CRS):
The Core Rule Set can be downloaded from the CRS GitHub project.
Get the link from the page and download it:
and unpack it:
You will get your rules in
I've placed it like this just to have a chance to look around before I put it in some more reasonable place.
So the destination directory I chose for my crs config files is
Rules are located in 4 directories:
base_rules experimental_rules optional_rules slr_rules
I didn't have a chance to look closely at the specific rules. I can only judge by the names of the directories that there are: base rules, experimental (so be extra cautious when using these), optional (some special features) and slr (special rules provided by SpiderLabs).
I'm going to implement the base rules first and then look closely at the others.
I'm going to use the activated_rules directory to manage my active rules.
So the basic idea is to symlink the configuration that you want to be active into the activated_rules directory.
For this I found a one-liner in the README that did the trick for the base rules:
After that, this is what your activated_rules directory should look like:
# ls -al activated_rules/
razem 8
drwxr-xr-x. 2 root root 4096 03-29 23:40 .
drwxr-xr-x. 9 root root 4096 03-30 01:33 ..
lrwxrwxrwx. 1 root root 63 03-18 11:04 modsecurity_35_bad_robots.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_35_bad_robots.data
lrwxrwxrwx. 1 root root 61 03-18 11:04 modsecurity_35_scanners.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_35_scanners.data
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_40_generic_attacks.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_40_generic_attacks.data
lrwxrwxrwx. 1 root root 61 03-18 11:04 modsecurity_50_outbound.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_50_outbound.data
lrwxrwxrwx. 1 root root 69 03-18 11:04 modsecurity_50_outbound_malware.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_50_outbound_malware.data
lrwxrwxrwx. 1 root root 51 03-18 11:03 modsecurity_crs_10_setup.conf -> /etc/httpd/conf.d/crs/modsecurity_crs_10_setup.conf
lrwxrwxrwx. 1 root root 76 03-18 11:04 modsecurity_crs_20_protocol_violations.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxrwxrwx. 1 root root 75 03-18 11:04 modsecurity_crs_21_protocol_anomalies.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxrwxrwx. 1 root root 71 03-18 11:04 modsecurity_crs_23_request_limits.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_23_request_limits.conf
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_crs_30_http_policy.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_30_http_policy.conf
lrwxrwxrwx. 1 root root 67 03-18 11:04 modsecurity_crs_35_bad_robots.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxrwxrwx. 1 root root 72 03-18 11:04 modsecurity_crs_40_generic_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxrwxrwx. 1 root root 78 03-18 11:04 modsecurity_crs_41_sql_injection_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_crs_41_xss_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxrwxrwx. 1 root root 71 03-18 11:04 modsecurity_crs_42_tight_security.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_42_tight_security.conf
lrwxrwxrwx. 1 root root 64 03-18 11:04 modsecurity_crs_45_trojans.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_45_trojans.conf
lrwxrwxrwx. 1 root root 74 03-18 11:04 modsecurity_crs_47_common_exceptions.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxrwxrwx. 1 root root 81 03-18 11:04 modsecurity_crs_48_local_exceptions.conf.example -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxrwxrwx. 1 root root 73 03-18 11:04 modsecurity_crs_49_inbound_blocking.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxrwxrwx. 1 root root 65 03-18 11:04 modsecurity_crs_50_outbound.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_50_outbound.conf
lrwxrwxrwx. 1 root root 74 03-18 11:04 modsecurity_crs_59_outbound_blocking.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_crs_60_correlation.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_60_correlation.conf
The last thing to do is to make apache read the configuration from this directory; for this we need to add this line at the bottom of httpd.conf:
and restart apache:
systemctl restart httpd
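Here is an added example (my own script, not from the post or the CRS README) that redoes the symlink step on a constructed scratch copy of the tree and checks the result before apache reads it: no dangling links, and modsecurity_crs_10_setup.conf sorting first, since Apache loads the files matched by a wildcard Include in alphabetical order. It assumes the Include line uses a *.conf glob, so the .data and .conf.example links in the listing above are not parsed as rules; the function names and the scratch layout are mine.

```sh
#!/bin/sh
# Added example, not from the original post: redo the activated_rules symlink
# step on a constructed scratch copy of the CRS tree and sanity-check it before
# Apache reads it. $crs stands for the post's /etc/httpd/conf.d/crs.

# Link the CRS setup file and everything in base_rules/ into activated_rules/.
activate_base_rules() {
    crs="$1"
    mkdir -p "$crs/activated_rules"
    ln -sfn "$crs/modsecurity_crs_10_setup.conf" "$crs/activated_rules/modsecurity_crs_10_setup.conf"
    for f in "$crs"/base_rules/*; do
        ln -sfn "$f" "$crs/activated_rules/$(basename "$f")"
    done
}

# Files an "Include .../activated_rules/*.conf" line would load (assumption:
# a *.conf glob), in Apache's alphabetical Include order. The .data and
# .conf.example links from the listing are left out by that glob.
included_confs() {
    for f in "$1"/activated_rules/*.conf; do basename "$f"; done | sort
}

# Fail when a link is dangling (a moved or deleted target would break the
# Include at startup) or when the 10_setup file would not be loaded first.
check_activated_rules() {
    crs="$1"
    for f in "$crs"/activated_rules/*; do
        [ -e "$f" ] || { echo "dangling link: $f" >&2; return 1; }
    done
    first=$(included_confs "$crs" | head -n 1)
    [ "$first" = "modsecurity_crs_10_setup.conf" ] \
        || { echo "setup file not first: $first" >&2; return 1; }
}

# Constructed scratch layout using a handful of the real CRS file names.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/base_rules"
    : > "$d/modsecurity_crs_10_setup.conf"
    : > "$d/base_rules/modsecurity_crs_20_protocol_violations.conf"
    : > "$d/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
    : > "$d/base_rules/modsecurity_crs_48_local_exceptions.conf.example"
    : > "$d/base_rules/modsecurity_35_scanners.data"
    echo "$d"
}
```

Running activate_base_rules and check_activated_rules against /etc/httpd/conf.d/crs before the systemctl restart catches a broken link without bouncing httpd.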
Next step is to test this setup and generate some events.