ModSecurity configuration with base rules on CentOS 7.2 and Apache

I finally got the base rules from the ModSecurity CRS (Core Rule Set) working with Apache on a CentOS 7 install (previous steps here). Here are some notes based on that install:

How to:

Note: I'm performing all the changes as root because constant sudo is giving me a headache :)

The configuration template (modsecurity.conf-recommended) is provided with the ModSecurity source package. I unpacked it during installation into /root/modsecurity-2.9.1. Copy that file into the directory where you keep your Apache config to get started:

cp /root/modsecurity-2.9.1/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

The first thing I did was restart httpd, and I got this error:

httpd[3070]: Could not open unicode map file "/etc/httpd/conf.d/unicode.mapping": No such file or directory

The unicode.mapping file is also included in the ModSecurity source directory. The error shows that the relative path set in modsecurity.conf is resolved against the directory holding that conf file, so I just copied it over to /etc/httpd/conf.d/:

cp /root/modsecurity-2.9.1/unicode.mapping /etc/httpd/conf.d/

After that change, ModSecurity and Apache start up.

I'm leaving the configuration at its default for now, with ModSecurity in detection mode (I don't want to block anything yet). In this mode a matching request is still served and the hit is only logged, so the logs are the only place the rules show up:

SecRuleEngine DetectionOnly

(from modsecurity.conf)

So that was the first part. Now I had to get the rules in place.

Adding OWASP ModSecurity Core Rule Set (CRS):

The Core Rule Set can be downloaded from the CRS GitHub project.

Get the link from the page and download it:

wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/2.2.9.tar.gz

and unpack it:

tar -zxvf 2.2.9.tar.gz -C /root/

You will get your rules in /root/owasp-modsecurity-crs-2.2.9.

I placed it there just to have a chance to look around before putting it in a more reasonable place.

mv /root/owasp-modsecurity-crs-2.2.9 /etc/httpd/conf.d/crs

So the destination directory I chose for my CRS config files is /etc/httpd/conf.d/crs.

Rules are located in 4 directories:

base_rules
experimental_rules
optional_rules
slr_rules

I didn't have a chance to look closely at the specific rules. I can only judge by the names of the directories that there are: base rules, experimental (so one might be extra cautious when using these), optional (some special features) and slr (special rules provided by SpiderLabs).

I'm going to implement the base rules first and then look closely at the others.

I'm going to use activated_rules directory to manage my active rules.

cd /etc/httpd/conf.d/crs
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
ln -s /etc/httpd/conf.d/crs/modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf

So the basic idea is to symlink the configuration you want active into the activated_rules directory, and to leave the originals under base_rules untouched.

For this I found a one-liner in the README that did the trick for the base rules:

for f in `ls base_rules/` ; do ln -s /etc/httpd/conf.d/crs/base_rules/$f activated_rules/$f ; done

After that, this is how your activated_rules directory should look:

# ls -al activated_rules/
total 8
drwxr-xr-x. 2 root root 4096 03-29 23:40 .
drwxr-xr-x. 9 root root 4096 03-30 01:33 ..
lrwxrwxrwx. 1 root root   63 03-18 11:04 modsecurity_35_bad_robots.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_35_bad_robots.data
lrwxrwxrwx. 1 root root   61 03-18 11:04 modsecurity_35_scanners.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_35_scanners.data
lrwxrwxrwx. 1 root root   68 03-18 11:04 modsecurity_40_generic_attacks.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_40_generic_attacks.data
lrwxrwxrwx. 1 root root   61 03-18 11:04 modsecurity_50_outbound.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_50_outbound.data
lrwxrwxrwx. 1 root root   69 03-18 11:04 modsecurity_50_outbound_malware.data -> /etc/httpd/conf.d/crs/base_rules/modsecurity_50_outbound_malware.data
lrwxrwxrwx. 1 root root   51 03-18 11:03 modsecurity_crs_10_setup.conf -> /etc/httpd/conf.d/crs/modsecurity_crs_10_setup.conf
lrwxrwxrwx. 1 root root   76 03-18 11:04 modsecurity_crs_20_protocol_violations.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_20_protocol_violations.conf
lrwxrwxrwx. 1 root root   75 03-18 11:04 modsecurity_crs_21_protocol_anomalies.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
lrwxrwxrwx. 1 root root   71 03-18 11:04 modsecurity_crs_23_request_limits.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_23_request_limits.conf
lrwxrwxrwx. 1 root root   68 03-18 11:04 modsecurity_crs_30_http_policy.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_30_http_policy.conf
lrwxrwxrwx. 1 root root   67 03-18 11:04 modsecurity_crs_35_bad_robots.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_35_bad_robots.conf
lrwxrwxrwx. 1 root root   72 03-18 11:04 modsecurity_crs_40_generic_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_40_generic_attacks.conf
lrwxrwxrwx. 1 root root   78 03-18 11:04 modsecurity_crs_41_sql_injection_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
lrwxrwxrwx. 1 root root   68 03-18 11:04 modsecurity_crs_41_xss_attacks.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_41_xss_attacks.conf
lrwxrwxrwx. 1 root root   71 03-18 11:04 modsecurity_crs_42_tight_security.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_42_tight_security.conf
lrwxrwxrwx. 1 root root   64 03-18 11:04 modsecurity_crs_45_trojans.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_45_trojans.conf
lrwxrwxrwx. 1 root root   74 03-18 11:04 modsecurity_crs_47_common_exceptions.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_47_common_exceptions.conf
lrwxrwxrwx. 1 root root   81 03-18 11:04 modsecurity_crs_48_local_exceptions.conf.example -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_48_local_exceptions.conf.example
lrwxrwxrwx. 1 root root   73 03-18 11:04 modsecurity_crs_49_inbound_blocking.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
lrwxrwxrwx. 1 root root   65 03-18 11:04 modsecurity_crs_50_outbound.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_50_outbound.conf
lrwxrwxrwx. 1 root root   74 03-18 11:04 modsecurity_crs_59_outbound_blocking.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_59_outbound_blocking.conf
lrwxrwxrwx. 1 root root   68 03-18 11:04 modsecurity_crs_60_correlation.conf -> /etc/httpd/conf.d/crs/base_rules/modsecurity_crs_60_correlation.conf

The last thing to do is to make Apache read the configuration from this directory. For this, add the line below at the bottom of httpd.conf, after the existing IncludeOptional conf.d/*.conf, so that modsecurity.conf (with SecRuleEngine and the other engine settings) is loaded before any rule file. Only *.conf files are picked up: the .data files are not included directly but are read by the rule files sitting next to them, which is why the loop links them too, and the modsecurity_crs_48_local_exceptions.conf.example link stays inactive until you rename it to .conf.

IncludeOptional conf.d/crs/activated_rules/*.conf

and restart apache:

systemctl restart httpd
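The steps above as one re-runnable script, added here as an example; it is not from the original post or the CRS project. It takes the CRS directory as its first argument (the post uses /etc/httpd/conf.d/crs) and, unlike the README one-liner, copies the 10_setup file only if it is not already there, re-links safely after a CRS upgrade, lists what the *.conf include will actually load in load order, and flags links that are not loaded or that dangle, which happens if the crs directory is moved after linking. The httpd -t syntax check before the restart is what saves you from taking the site down on a typo.

```sh
#!/bin/sh
# Added example, not from the original post or the CRS project: activate the
# CRS 2.2.9 base rules into activated_rules/ and check the result. The CRS
# directory is taken as $1; the post uses /etc/httpd/conf.d/crs.
set -eu

# Link everything in base_rules/ (the .conf rule files and the .data lists the
# rules read with @pmFromFile, which must sit next to them) plus the renamed
# 10_setup file. ln -sfn makes this safe to re-run after a CRS upgrade.
activate_base_rules() {
    crs=$1
    [ -d "$crs/base_rules" ] || { echo "no base_rules under $crs" >&2; return 1; }
    mkdir -p "$crs/activated_rules"
    # The setup file ships as .example; copy it once and never clobber a tuned copy.
    if [ ! -f "$crs/modsecurity_crs_10_setup.conf" ]; then
        cp "$crs/modsecurity_crs_10_setup.conf.example" "$crs/modsecurity_crs_10_setup.conf"
    fi
    ln -sfn "$crs/modsecurity_crs_10_setup.conf" "$crs/activated_rules/modsecurity_crs_10_setup.conf"
    for f in "$crs"/base_rules/*; do
        ln -sfn "$f" "$crs/activated_rules/$(basename "$f")"
    done
}

# Names that IncludeOptional .../activated_rules/*.conf will actually load, in the
# alphabetical order Apache applies them (10_setup must come first).
loaded_confs() {
    for f in "$1"/activated_rules/*.conf; do
        basename "$f"
    done
}

# Report links the include line does not load (*.example, *.data) and count
# dangling links. Prints the dangling count on the last line.
check_activated() {
    dir=$1/activated_rules
    dangling=0
    for f in "$dir"/*; do
        [ -L "$f" ] || [ -e "$f" ] || continue     # empty directory: glob stays literal
        case $f in
            *.example) echo "not loaded (rename to .conf to enable): $(basename "$f")" ;;
            *.data)    echo "not loaded directly (read by a rule): $(basename "$f")" ;;
        esac
        if [ ! -e "$f" ]; then
            echo "dangling link: $(basename "$f") -> $(readlink "$f")"
            dangling=$((dangling + 1))
        fi
    done
    echo "$dangling"
}

# Usage on the server: activate, review, syntax-check, then restart.
if [ "${1:-}" != "" ]; then
    activate_base_rules "$1"
    check_activated "$1"
    loaded_confs "$1"
    httpd -t && systemctl restart httpd
fi
```

Run it as `sh activate-crs.sh /etc/httpd/conf.d/crs`. If the dangling count is anything but 0, fix the links before restarting: Apache follows each symlink when it reads the include, and a broken link to a .conf file is a startup error while a broken link to a .data file only surfaces when the rule that reads it is compiled.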

Next step is to test this setup and generate some events.
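A way to do that first test, added here as an example that is not part of the original post: send one request the base rules should flag and summarise what ModSecurity wrote to the Apache error log, grouped by rule id. It assumes the server answers on localhost, that curl is installed, and the CentOS log path /var/log/httpd/error_log; the sample log lines embedded below are constructed, with rule ids and messages modelled on CRS 2.2.9, so compare them with what your own log actually contains.

```sh
#!/bin/sh
# Added example, not from the original post: send one request the base rules should
# flag and summarise what ModSecurity logged, per rule id. Assumes CentOS paths
# (error log /var/log/httpd/error_log) and a server on localhost; the sample
# log lines below are constructed, with ids and messages modelled on CRS 2.2.9.
set -eu

# In DetectionOnly mode the request is served normally (expect 200); the only
# evidence of a hit is the log line. Not run by the offline test.
probe() {
    curl -s -o /dev/null -w '%{http_code}\n' \
        'http://localhost/?q=<script>alert(1)</script>'
}

# Read error_log lines on stdin; print one line per rule id: count, id, message,
# most frequent first. Useful for spotting noisy rules before switching to On.
summarise_hits() {
    grep 'ModSecurity:' | awk '
        match($0, /\[id "[0-9]+"\]/) { id = substr($0, RSTART + 5, RLENGTH - 7) }
        match($0, /\[msg "[^"]*"\]/) { msg = substr($0, RSTART + 6, RLENGTH - 8) }
        id != "" { n[id]++; m[id] = msg; id = ""; msg = "" }
        END { for (i in n) printf "%5d  %s  %s\n", n[i], i, m[i] }
    ' | sort -rn
}

# Constructed sample of what error_log looks like after a few requests
# (one plain Apache notice, which the summary must ignore, and four hits).
sample_log() {
    cat <<'EOF'
[Wed Mar 30 01:40:10.000000 2016] [mpm_prefork:notice] [pid 3070] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
[Wed Mar 30 01:40:12.000000 2016] [:error] [pid 3071] [client 192.0.2.10] ModSecurity: Warning. Pattern match "<script" at ARGS:q. [file "/etc/httpd/conf.d/crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "localhost"] [uri "/"]
[Wed Mar 30 01:40:12.000000 2016] [:error] [pid 3071] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/conf.d/crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5): Last Matched Message: XSS Filter - Category 1: Script Tag Vector"] [hostname "localhost"] [uri "/"]
[Wed Mar 30 01:40:15.000000 2016] [:error] [pid 3072] [client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "localhost"] [uri "/"]
[Wed Mar 30 01:40:16.000000 2016] [:error] [pid 3072] [client 192.0.2.11] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "localhost"] [uri "/index.html"]
EOF
}

# On the server: probe; tail -n 500 /var/log/httpd/error_log | summarise_hits
# Offline, against the constructed sample:
sample_log | summarise_hits
```

The per-rule counts are what you want to look at for a while before setting SecRuleEngine On: a rule that fires on every legitimate request (the protocol anomaly rules are a common case) needs an exception in modsecurity_crs_48_local_exceptions.conf first, otherwise blocking mode turns it into an outage.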