mini howto: modsecurity-crs 3.0 on debian jessie

Discussion in 'Tips/Tricks/Mods' started by Jesse Norell, Dec 1, 2016.

  1. Jesse Norell

    Jesse Norell Active Member

    This is a quick howto for getting modsecurity crs 3 running with ispconfig 3.1 on apache in debian 8 (jessie). Written 11/30/2016, and likely things will change in the future. Modsecurity can be installed on all web server nodes in a multi-server installation, including the ispconfig control panel.

    Start with installing the OS and ISPConfig according to the Perfect Server guide: https://www.howtoforge.com/tutorial/perfect-server-debian-8-jessie-apache-bind-dovecot-ispconfig-3/

    Add the jessie-backports repository if you haven't already done so:
    Code:
    # cat <<EOF >/etc/apt/sources.list.d/jessie-backports.list
    deb http://http.debian.net/debian jessie-backports main
    deb-src http://http.debian.net/debian jessie-backports main
    EOF
    
    # apt-get update
    Install the apache module:
    Code:
    # apt-get install libapache2-mod-security2
    You can install modsecurity with nginx as well, but I don't have any experience there. Maybe someone else can post that bit?

    Now install modsecurity-crs:
    Code:
    # apt-get -t jessie-backports install modsecurity-crs
    Configure modsecurity-crs rules to be included by apache. This is right from /usr/share/doc/modsecurity-crs/README.Debian:
    Code:
    # cd /usr/share/modsecurity-crs/rules
    # cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \
        /etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
    # cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example \
        /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    
    # cat <<EOF > /etc/modsecurity/ispconfig.conf
    <IfModule security2_module>
            Include /usr/share/modsecurity-crs/*.conf
            Include /etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS
            Include /usr/share/modsecurity-crs/rules/*.conf
            Include /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    </IfModule>
    EOF
    And this part is based on ongoing discussion at https://www.howtoforge.com/community/threads/mod_security-with-ispconfig-vhost.74833/:
    Code:
    # cat <<EOF >> /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    
    <Directory /usr/local/ispconfig/interface/web/client/>
      # put "/etc/passwd' in client notes field
      SecRuleRemoveById 932160
    
      # edit Server Config > Web > PHP Settings (path names)
      SecRuleRemoveById 930120
    
      # edit Server Config > Jailkit
      SecRuleRemoveById 932150
    
      # php injection/attack hits seen by Bicet
      SecRuleRemoveById 933150
      SecRuleRemoveById 959100
    
      # modify a site Custom Php.ini
      # POST /sites/web_vhost_domain_edit.php
      # ARGS:custom_php_ini
      SecRuleRemoveById 933120
    
    </Directory>
    
    <Directory /usr/share/phpmyadmin>
      # mod_security rules (crs3) that hit on legitimate phpmyadmin use
      SecRuleRemoveById 942100
      SecRuleRemoveById 941120
    </Directory>
    EOF
    
    Now create a modsecurity.conf file and configure settings as needed; what I'm using right now is:
    Code:
    # mkdir /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # chown www-data /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # chmod 700 /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # cd /etc/modsecurity/
    # cp modsecurity.conf-recommended modsecurity.conf
    # sed -i 's/^SecRequestBodyLimit .*$/SecRequestBodyLimit 134217728/g' modsecurity.conf
    # sed -i 's/^SecPcreMatchLimit .*$/SecPcreMatchLimit 150000/g' modsecurity.conf
    # sed -i 's/^SecPcreMatchLimitRecursion .*$/SecPcreMatchLimitRecursion 150000/g' modsecurity.conf
    # sed -i 's|^SecTmpDir .*$|SecTmpDir /var/cache/modsecurity/tmp/|g' modsecurity.conf
    # sed -i 's|^SecDataDir .*$|SecDataDir /var/cache/modsecurity/|g' modsecurity.conf
    # sed -i 's|^#SecUploadDir .*$|SecUploadDir /var/cache/modsecurity/upload/|g' modsecurity.conf
    # sed -i 's/^#SecUploadFileMode .*$/SecUploadFileMode 0600/g' modsecurity.conf
    # sed -i 's/^SecAuditLogParts .*$/SecAuditLogParts ABIFHZ/g' modsecurity.conf
    
    ISPConfig disables ModSecurity out of the box, we're going to enable it. You could run in detection mode if you want to make sure everything works (in particular, the remote API has not been tested with modsecurity at this time!). This only needs done on the ISPConfig control panel node, not slave webservers if you have those:
    Code:
    # sed -i 's/SecRuleEngine Off/SecRuleEngine On/g' /etc/apache2/sites-available/ispconfig.vhost
    
    Now enable modsecurity, restart apache:
    Code:
    # a2enmod security2
    # apachectl restart
    
    Once you've made sure apache is running, you can watch modsecurity's log:
    Code:
    # tail -f /var/log/apache2/modsec_audit.log
    
    ModSecurity is now running in DetectionOnly mode for all vhosts except the control panel itself, so there is no additional security for your websites at this point. Watch the log, and when you're ready to enable it, set 'SecRuleEngine On' in /etc/modsecurity/modsecurity.conf.

    When you have a site hitting false positives (and that will happen at times), you can set 'SecRuleEngine DetectionOnly' for the specific website that is affected, not for the entire server, and then work on the rules that are hitting as false-positive. Once you've identified rules that false-positive for a site, you can disable them for just that site in apache config.

    More info on CRS at https://modsecurity.org/crs/ including 'Handling False Positives' links.
     
    Last edited: Dec 29, 2016
    till likes this.
  2. Bicet

    Bicet Member

    Thank you for your great tutorial!
    It works like a charm.
    I didn't get how to disable the security mod on some sites.
     
  3. Bicet

    Bicet Member

    EDIT.
    There were some other exception to add.

    Code:
      SecRuleRemoveById 953110
        SecRuleRemoveById 980140
        SecRuleRemoveById 959100
        SecRuleRemoveById 949110
        SecRuleRemoveById 933150
    
     
  4. Jesse Norell

    Jesse Norell Active Member

    980140, 949110 and 959100 are rules to block when exceeding anomaly scores - you don't want to disable those; in the log just above the lines for those will be the real rule number(s) that hit and caused you to exceed/block which might need removed.

    959100 and 933150 look likely to FP in some places in ispconfig, I'll add those in the config above. If you'd like to take note of exactly when those hit (eg. probably editing php.ini snippets or similar), it might be useful later on if we ever write more specific rules (eg. disable rule 959100 for url A and B, but not anywhere else).

    I'm also working a little on roundcube, there are a number of hits there. Right now I'm just running in DetectionOnly mode for that.
     
    Last edited: Dec 14, 2016
  5. Christian Roth

    Christian Roth New Member

    This is a very good tutorial. Thank you.

    I have written a more general tutorial for the handling of false positives with CRS3. It also covers the process to move from detectiononly to a strict blocking mode (which is more than a technical problem with a single switch): https://www.netnea.com/cms/apache-tutorials/

    @jesse : The rule exclusions to run CRS3 with ISPConfig would fit nicely into the default CRS3 rule exclusions that we package together with the rules. You may have noticed, that we deliver rule exclusions for WordPress and Drupal and doing the same for ISPConfig would be neat. If you are interested to contribute this, then please get in touch.
     
    Bicet likes this.
  6. Jesse Norell

    Jesse Norell Active Member

    Yes, I'd prefer that as we could tighten the rules down more and not have to worry about rule number collisions with other local rules.
     

Share This Page