mini howto: modsecurity-crs 3.0 on debian jessie

Discussion in 'Tips/Tricks/Mods' started by Jesse Norell, Dec 1, 2016.


    This is a quick howto for getting modsecurity crs 3 running with ispconfig 3.1 on apache in debian 8 (jessie). Written 11/30/2016, and likely things will change in the future. Modsecurity can be installed on all web server nodes in a multi-server installation, including the ispconfig control panel.

    Start by installing the OS and ISPConfig according to the Perfect Server guide.

    Add the jessie-backports repository if you haven't already done so (insert your Debian mirror URL after `deb` and `deb-src`):
    # cat <<EOF >/etc/apt/sources.list.d/jessie-backports.list
    deb jessie-backports main
    deb-src jessie-backports main
    EOF
    # apt-get update
    Install the apache module:
    # apt-get install libapache2-mod-security2
    You can install modsecurity with nginx as well, but I don't have any experience there. Maybe someone else can post that bit?

    Now install modsecurity-crs from backports:
    # apt-get -t jessie-backports install modsecurity-crs
    Configure the modsecurity-crs rules to be included by apache. This is right from /usr/share/doc/modsecurity-crs/README.Debian. Note that the two exclusion files are deliberately copied without a .conf suffix: /etc/apache2/mods-enabled/security2.conf already does `IncludeOptional /etc/modsecurity/*.conf`, so giving them .conf names would load them a second time, outside the CRS include order.
    # cd /usr/share/modsecurity-crs/rules
    # cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \
        /etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example \
        /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    # cat <<EOF > /etc/modsecurity/ispconfig.conf
    <IfModule security2_module>
            Include /usr/share/modsecurity-crs/*.conf
            Include /etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
            Include /usr/share/modsecurity-crs/rules/*.conf
            Include /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    </IfModule>
    EOF
    And this part is based on ongoing discussion at
    # cat <<EOF >> /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    <Directory /usr/local/ispconfig/interface/web/client/>
      # putting "/etc/passwd" in the client notes field trips this rule
      SecRuleRemoveById 932160
      # editing Server Config > Web > PHP Settings (path names) trips this rule
      SecRuleRemoveById 930120
      # editing Server Config > Jailkit trips this rule
      SecRuleRemoveById 932150
    </Directory>
    <Directory /usr/share/phpmyadmin>
      # mod_security rules (crs3) that hit on legitimate phpmyadmin use
      SecRuleRemoveById 942100
      SecRuleRemoveById 941120
    </Directory>
    EOF
    These exclusions are scoped with <Directory> blocks so they only apply to the ISPConfig interface and phpMyAdmin, not to every site on the server.
    Now create a modsecurity.conf file and configure settings as needed; what I'm using right now is:
    # mkdir /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # chown www-data /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # chmod 700 /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # cd /etc/modsecurity/
    # cp modsecurity.conf-recommended modsecurity.conf
    # sed -i 's/^SecRequestBodyLimit .*$/SecRequestBodyLimit 134217728/g' modsecurity.conf
    # sed -i 's/^SecPcreMatchLimit .*$/SecPcreMatchLimit 150000/g' modsecurity.conf
    # sed -i 's/^SecPcreMatchLimitRecursion .*$/SecPcreMatchLimitRecursion 150000/g' modsecurity.conf
    # sed -i 's|^SecTmpDir .*$|SecTmpDir /var/cache/modsecurity/tmp/|g' modsecurity.conf
    # sed -i 's|^SecDataDir .*$|SecDataDir /var/cache/modsecurity/|g' modsecurity.conf
    # sed -i 's|^#SecUploadDir .*$|SecUploadDir /var/cache/modsecurity/upload/|g' modsecurity.conf
    # sed -i 's/^#SecUploadFileMode .*$/SecUploadFileMode 0600/g' modsecurity.conf
    # sed -i 's/^SecAuditLogParts .*$/SecAuditLogParts ABIFHZ/g' modsecurity.conf
    ISPConfig disables ModSecurity out of the box in its own vhost; we're going to enable it there. You could run in detection mode instead if you want to make sure everything works first (in particular, the remote API has not been tested with modsecurity at this time!). This only needs to be done on the ISPConfig control panel node, not on slave web servers if you have those:
    # sed -i 's/SecRuleEngine Off/SecRuleEngine On/g' /etc/apache2/sites-available/ispconfig.vhost
    Now enable modsecurity, restart apache:
    # a2enmod security2
    # apachectl restart
    Once you've made sure apache is running, you can watch modsecurity's log:
    # tail -f /var/log/apache2/modsec_audit.log
    ModSecurity is now running in DetectionOnly mode globally (modsecurity.conf-recommended sets 'SecRuleEngine DetectionOnly'), so there is no additional security for your websites at this point; only the ISPConfig vhost is blocking, if you set 'SecRuleEngine On' there above, because a vhost-level SecRuleEngine overrides the global setting. Watch the log, and when you're ready to enable it everywhere, set 'SecRuleEngine On' in /etc/modsecurity/modsecurity.conf.

    When you have a site hitting false positives (and that will happen at times), you can set 'SecRuleEngine DetectionOnly' for the specific website that is affected, not for the entire server, and then work on the rules that are hitting as false positives. The audit log records each hit with the rule id and the hostname, so you can collect the ids per site. Once you've identified rules that false-positive for a site, you can disable them for just that site in its apache config, the same way the <Directory> exclusions above do for ISPConfig and phpMyAdmin.

    More info on CRS at including 'Handling False Positives' links.
    Last edited: Dec 1, 2016
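As an added example (not code from the original post or from the ModSecurity/CRS projects), here is a small POSIX shell script for the false-positive workflow described above: it counts rule hits per hostname from the audit log, emits a per-site <Directory> exclusion snippet that can be pasted into that site's vhost (for instance ISPConfig's "Apache Directives" field), and offers a probe that checks whether a site is blocking or only detecting. It assumes the serial audit-log layout the post's settings produce (SecAuditLogParts ABIFHZ, one "Message:" line per rule hit in part H carrying [id "..."] and [hostname "..."]). The audit-log excerpt is constructed for the demo, the docroot /var/www/example.com/web is hypothetical, and the rule ids are the ones the post names.

```shell
#!/bin/sh
# Added example, not part of the original post: triage ModSecurity rule hits per site
# and generate a per-site exclusion snippet. Assumes SecAuditLogParts ABIFHZ, where
# part H holds "Message:" lines with [id "..."] and [hostname "..."] fields.

# Constructed sample excerpt of /var/log/apache2/modsec_audit.log (not a real capture;
# file paths, line numbers and ids are illustrative).
SAMPLE_AUDIT_LOG='--5a1b2c3d-A--
[01/Dec/2016:10:00:01 +0000] WEBc1a2b3c4d5e6 10.0.0.5 54321 10.0.0.1 443
--5a1b2c3d-B--
POST /phpmyadmin/import.php HTTP/1.1
Host: example.com
--5a1b2c3d-H--
Message: Warning. detected SQLi using libinjection with fingerprint s&1 [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/phpmyadmin/import.php"] [unique_id "WEBc1a2b3c4d5e6"]
Message: Warning. Pattern match "(?i)onerror" at ARGS:sql_query. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "110"] [id "941120"] [msg "XSS Filter - Category 2: Event Handler Vector"] [severity "CRITICAL"] [hostname "example.com"] [uri "/phpmyadmin/import.php"] [unique_id "WEBc1a2b3c4d5e6"]
--5a1b2c3d-Z--

--6b2c3d4e-A--
[01/Dec/2016:10:02:17 +0000] WEBd2e3f4a5b6c7 10.0.0.5 54322 10.0.0.1 443
--6b2c3d4e-H--
Message: Warning. detected SQLi using libinjection with fingerprint s&1 [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.com"] [uri "/phpmyadmin/sql.php"] [unique_id "WEBd2e3f4a5b6c7"]
--6b2c3d4e-Z--

--7c3d4e5f-A--
[01/Dec/2016:10:05:42 +0000] WEBe3f4a5b6c7d8 10.0.0.9 54323 10.0.0.1 443
--7c3d4e5f-H--
Message: Warning. Matched phrase "/etc/passwd" at ARGS:notes. [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "278"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "CRITICAL"] [hostname "other.example"] [uri "/client/client_edit.php"] [unique_id "WEBe3f4a5b6c7d8"]
--7c3d4e5f-Z--'

# Count rule hits per (hostname, rule id) from the audit log files given as arguments,
# or from stdin when none are given. Output: "hostname rule_id count", most frequent first.
# Caveat: the [data "..."] field on a Message line carries attacker-controlled request
# bytes, so treat this as a triage hint and confirm ids against the rule files before
# excluding anything.
modsec_rule_hits() {
    grep -h '^Message: ' "$@" |
    sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[hostname "\([^"]*\)"\].*/\2 \1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $3, $1 }'
}

# Emit an Apache snippet that disables the given rule ids for one site only. Put it in
# that site's vhost (e.g. ISPConfig's "Apache Directives" field), never in the global
# configuration. Usage: modsec_site_exclusion /var/www/example.com/web 942100 941120
modsec_site_exclusion() {
    docroot=$1
    shift
    printf '<Directory %s>\n' "$docroot"
    printf '  # SecRuleEngine DetectionOnly  (uncomment while still collecting false positives)\n'
    for id in "$@"; do
        printf '  SecRuleRemoveById %s\n' "$id"
    done
    printf '</Directory>\n'
}

# Send one request that CRS rule 930120 (OS file access, the rule the post excludes for
# ISPConfig's PHP settings page) should flag, and print the HTTP status: 403 means the
# engine is On for that site; anything else suggests DetectionOnly, so check the audit
# log for the hit instead. Needs network access and is not run by the demo below.
# Usage: modsec_probe https://example.com/
modsec_probe() {
    curl -s -o /dev/null -w '%{http_code}\n' "$1?probe=/etc/passwd"
}

# Demo on the constructed sample: summary of hits, then an exclusion snippet for the
# phpMyAdmin false positives seen on example.com.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | modsec_rule_hits
modsec_site_exclusion /var/www/example.com/web 942100 941120
```

On a live server run `modsec_rule_hits /var/log/apache2/modsec_audit.log` after a day in DetectionOnly mode; ids that show up only under one hostname and only on known-good pages are the candidates for that site's exclusion block, while ids that appear across many hosts or on odd URIs deserve a look at part B of the transaction before you decide.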
