Modsecurity configuration with base rules on Centos 7.2 and Apache
01 Apr 2016
Finally I made the base rules from the modsecurity CRS (Core Rule Set) work with Apache on my CentOS 7 install (previous steps here). Here are some notes based on that install:
How to:
Note: I'm performing all the changes as root because constant sudo is giving me a headache :)
A configuration template (modsecurity.conf-recommended) is provided with the modsecurity installation package. I unpacked it during installation into this directory: /root/modsecurity-2.9.1
You can just copy that file to the directory where you keep your apache config to get started:
cp /root/modsecurity-2.9.1/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
The first thing I did was restart httpd, and I got this error:
httpd[3070]: Could not open unicode map file "/etc/httpd/conf.d/unicode.mapping": No such file or directory
The unicode.mapping file is also included in the modsecurity installation directory. I just copied it over to /etc/httpd/conf.d/
cp /root/modsecurity-2.9.1/unicode.mapping /etc/httpd/conf.d/
After that change modsecurity and apache start up.
I'm leaving the configuration at the default for now, with modsecurity in detection mode (I don't want to block anything yet):
SecRuleEngine DetectionOnly
(from modsecurity.conf)
So that was the first part. Now I had to get the rules in place.
Adding OWASP ModSecurity Core Rule Set (CRS):
The Core Rule Set can be downloaded from the CRS github project. Get the link from the page and download it:
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/2.2.9.tar.gz
and unpack it:
tar -zxvf 2.2.9.tar.gz -C /root/
You will get your rules in /root/owasp-modsecurity-crs-2.2.9
I placed it there just to have a chance to look around before putting it in a more reasonable place.
mv /root/owasp-modsecurity-crs-2.2.9 /etc/httpd/conf.d/crs
So the destination directory I chose for my crs config files is /etc/httpd/conf.d/crs
The rules are located in 4 directories:
base_rules
experimental_rules
optional_rules
slr_rules
I didn't have a chance to look closely at the specific rules. I can only judge by the directory names that there are: base rules, experimental (so be extra cautious when using these), optional (some special features) and slr (special rules provided by SpiderLabs).
I'm going to implement the base rules first and then look closely at the others.
I'm going to use the activated_rules directory to manage my active rules.
cd /etc/httpd/conf.d/crs
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
ln -s /etc/httpd/conf.d/crs/modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf
So the basic idea is to get the configuration you want active symlinked into the activated_rules directory.
For this I found a one-liner in the README that did the trick for the base rules:
for f in `ls base_rules/` ; do ln -s /etc/httpd/conf.d/crs/base_rules/$f activated_rules/$f ; done
After that, this is how your activated_rules directory should look:
# ls -al activated_rules/
razem 8
drwxr-xr-x. 2 root root 4096 03-29 23:40 .
drwxr-xr-x. 9 root root 4096 03-30 01:33 ..
lrwxrwxrwx. 1 root root 63 03-18 11:04 modsecurity_35_bad_robots.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_35_bad_robots.data
lrwxrwxrwx. 1 root root 61 03-18 11:04 modsecurity_35_scanners.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_35_scanners.data
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_40_generic_attacks.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_40_generic_attacks.data
lrwxrwxrwx. 1 root root 61 03-18 11:04 modsecurity_50_outbound.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_50_outbound.data
lrwxrwxrwx. 1 root root 69 03-18 11:04 modsecurity_50_outbound_malware.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_50_outbound_malware.data
lrwxrwxrwx. 1 root root 51 03-18 11:03 modsecurity_crs_10_setup.conf -> /etc/httpd/conf.d/crs/modsecurity_crs_10_setup.conf
lrwxrwxrwx. 1 root root 76 03-18 11:04 modsecurity_crs_20_protocol_violations.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxrwxrwx. 1 root root 75 03-18 11:04 modsecurity_crs_21_protocol_anomalies.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxrwxrwx. 1 root root 71 03-18 11:04 modsecurity_crs_23_request_limits.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_23_request_limits.conf
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_crs_30_http_policy.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_30_http_policy.conf
lrwxrwxrwx. 1 root root 67 03-18 11:04 modsecurity_crs_35_bad_robots.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxrwxrwx. 1 root root 72 03-18 11:04 modsecurity_crs_40_generic_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxrwxrwx. 1 root root 78 03-18 11:04 modsecurity_crs_41_sql_injection_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_crs_41_xss_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxrwxrwx. 1 root root 71 03-18 11:04 modsecurity_crs_42_tight_security.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_42_tight_security.conf
lrwxrwxrwx. 1 root root 64 03-18 11:04 modsecurity_crs_45_trojans.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_45_trojans.conf
lrwxrwxrwx. 1 root root 74 03-18 11:04 modsecurity_crs_47_common_exceptions.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxrwxrwx. 1 root root 81 03-18 11:04 modsecurity_crs_48_local_exceptions.conf.example -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxrwxrwx. 1 root root 73 03-18 11:04 modsecurity_crs_49_inbound_blocking.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxrwxrwx. 1 root root 65 03-18 11:04 modsecurity_crs_50_outbound.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_50_outbound.conf
lrwxrwxrwx. 1 root root 74 03-18 11:04 modsecurity_crs_59_outbound_blocking.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxrwxrwx. 1 root root 68 03-18 11:04 modsecurity_crs_60_correlation.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_60_correlation.conf
The last thing to do is to make apache read the configuration from this directory. For this we need to add this line at the bottom of httpd.conf:
IncludeOptional conf.d/crs/activated_rules/*.conf
and restart apache:
systemctl restart httpd
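The whole procedure above, as an added shell script that is not part of the original post or of the CRS project: it copies modsecurity.conf-recommended and unicode.mapping into conf.d, symlinks the base rules (rule files and their .data lists) plus the 10_setup file into activated_rules, refuses to continue on a dangling link, and lists the files the IncludeOptional glob will actually load. The demo at the bottom runs against a constructed scratch tree so it works without httpd; the function and directory names are mine, and the 10_setup file is copied from its .example rather than renamed so the script can be re-run safely.

```shell
#!/bin/sh
# Added example, not from the original post. Bootstraps modsecurity.conf,
# activates the CRS 2.2.9 base rules through symlinks and checks the
# result before httpd is restarted. Function names are my own.
set -eu

# Copy the recommended template and unicode.mapping into Apache's conf.d
# and confirm the engine is still in DetectionOnly mode.
install_modsec_conf() {
    src="$1"; confd="$2"
    cp "$src/modsecurity.conf-recommended" "$confd/modsecurity.conf"
    cp "$src/unicode.mapping" "$confd/"
    grep -q '^SecRuleEngine DetectionOnly' "$confd/modsecurity.conf"
}

# Link everything in base_rules/ (rules and .data files, which the rules
# load relative to their own location) plus 10_setup into activated_rules/.
# ln -sf makes this idempotent.
activate_base_rules() {
    crs="$1"
    mkdir -p "$crs/activated_rules"
    if [ ! -f "$crs/modsecurity_crs_10_setup.conf" ]; then
        cp "$crs/modsecurity_crs_10_setup.conf.example" "$crs/modsecurity_crs_10_setup.conf"
    fi
    ln -sf "$crs/modsecurity_crs_10_setup.conf" "$crs/activated_rules/modsecurity_crs_10_setup.conf"
    for f in "$crs"/base_rules/*; do
        ln -sf "$f" "$crs/activated_rules/$(basename "$f")"
    done
}

# Print the files "IncludeOptional conf.d/crs/activated_rules/*.conf" will
# load. .data and .conf.example links are skipped by that glob, so
# 48_local_exceptions stays inactive until it is renamed.
list_active_conf() {
    crs="$1"
    for f in "$crs"/activated_rules/*.conf; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# A dangling symlink makes Apache refuse to start; catch it before restart.
check_links() {
    crs="$1"
    for f in "$crs"/activated_rules/*; do
        [ -e "$f" ] || { echo "dangling link: $f" >&2; return 1; }
    done
}

# Run Apache's syntax check when httpd is installed (skipped elsewhere).
httpd_configtest() {
    if command -v httpd >/dev/null 2>&1; then httpd -t; else echo "httpd not installed, skipping syntax check"; fi
}

# Demo on a constructed scratch tree (file names copied from the post,
# contents are stubs) so the script runs without ModSecurity or httpd.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src" "$tmp/confd" "$tmp/crs/base_rules"
    printf 'SecRuleEngine DetectionOnly\n' > "$tmp/src/modsecurity.conf-recommended"
    : > "$tmp/src/unicode.mapping"
    : > "$tmp/crs/modsecurity_crs_10_setup.conf.example"
    for n in modsecurity_35_bad_robots.data modsecurity_crs_20_protocol_violations.conf \
             modsecurity_crs_41_sql_injection_attacks.conf \
             modsecurity_crs_48_local_exceptions.conf.example; do
        : > "$tmp/crs/base_rules/$n"
    done
    install_modsec_conf "$tmp/src" "$tmp/confd"
    activate_base_rules "$tmp/crs"
    check_links "$tmp/crs"
    list_active_conf "$tmp/crs"
    rm -rf "$tmp"
}

demo
```

On a real host you would call install_modsec_conf /root/modsecurity-2.9.1 /etc/httpd/conf.d, activate_base_rules /etc/httpd/conf.d/crs, check_links, then httpd_configtest before systemctl restart httpd; the listing makes it obvious which rule files are live and that the .example exception file is not.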
The next step is to test this setup and generate some events.