mini howto: modsecurity-crs 3.0 on debian jessie

Discussion in 'Tips/Tricks/Mods' started by Jesse Norell, Dec 1, 2016.

  1. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This is a quick howto for getting modsecurity crs 3 running with ispconfig 3.1 on apache in debian 8 (jessie). Written 11/30/2016, and likely things will change in the future. Modsecurity can be installed on all web server nodes in a multi-server installation, including the ispconfig control panel.

    Start with installing the OS and ISPConfig according to the Perfect Server guide:

    Add the jessie-backports repository if you haven't already done so:
    # cat <<EOF >/etc/apt/sources.list.d/jessie-backports.list
    deb jessie-backports main
    deb-src jessie-backports main
    # apt-get update
    Install the apache module:
    # apt-get install libapache2-mod-security2
    You can install modsecurity with nginx as well, but I don't have any experience there. Maybe someone else can post that bit?

    Now install modsecurity-crs:
    # apt-get -t jessie-backports install modsecurity-crs
    Configure modsecurity-crs rules to be included by apache. This is right from /usr/share/doc/modsecurity-crs/README.Debian:
    # cd /usr/share/modsecurity-crs/rules
    # cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \
    # cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example \
    # cat <<EOF > /etc/modsecurity/ispconfig.conf
    <IfModule security2_module>
            Include /usr/share/modsecurity-crs/owasp-crs.load
    And this part is based on ongoing discussion at
    # cat <<EOF >> /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS
    <Directory /usr/local/ispconfig/interface/web/client/>
      # put "/etc/passwd' in client notes field
      SecRuleRemoveById 932160
      # edit Server Config > Web > PHP Settings (path names)
      SecRuleRemoveById 930120
      # edit Server Config > Jailkit
      SecRuleRemoveById 932150
      # php injection/attack hits seen by Bicet
      SecRuleRemoveById 933150
      SecRuleRemoveById 959100
      # modify a site Custom Php.ini
      # POST /sites/web_vhost_domain_edit.php
      # ARGS:custom_php_ini
      SecRuleRemoveById 933120
    <Directory /usr/share/phpmyadmin>
      # mod_security rules (crs3) that hit on legitimate phpmyadmin use
      SecRuleRemoveById 942100
      SecRuleRemoveById 941120
    Now create a modsecurity.conf file and configure settings as needed; what I'm using right now is:
    # mkdir /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # chown www-data /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # chmod 700 /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/
    # cd /etc/modsecurity/
    # cp modsecurity.conf-recommended modsecurity.conf
    # sed -i 's/^SecRequestBodyLimit .*$/SecRequestBodyLimit 134217728/g' modsecurity.conf
    # sed -i 's/^SecPcreMatchLimit .*$/SecPcreMatchLimit 150000/g' modsecurity.conf
    # sed -i 's/^SecPcreMatchLimitRecursion .*$/SecPcreMatchLimitRecursion 150000/g' modsecurity.conf
    # sed -i 's|^SecTmpDir .*$|SecTmpDir /var/cache/modsecurity/tmp/|g' modsecurity.conf
    # sed -i 's|^SecDataDir .*$|SecDataDir /var/cache/modsecurity/|g' modsecurity.conf
    # sed -i 's|^#SecUploadDir .*$|SecUploadDir /var/cache/modsecurity/upload/|g' modsecurity.conf
    # sed -i 's/^#SecUploadFileMode .*$/SecUploadFileMode 0600/g' modsecurity.conf
    # sed -i 's/^SecAuditLogParts .*$/SecAuditLogParts ABIFHZ/g' modsecurity.conf
    ISPConfig disables ModSecurity out of the box, we're going to enable it. You could run in detection mode if you want to make sure everything works (in particular, the remote API has not been tested with modsecurity at this time!). This only needs done on the ISPConfig control panel node, not slave webservers if you have those:
    # sed -i 's/SecRuleEngine Off/SecRuleEngine On/g' /etc/apache2/sites-available/ispconfig.vhost
    Now enable modsecurity, restart apache:
    # a2enmod security2
    # apachectl restart
    Once you've made sure apache is running, you can watch modsecurity's log:
    # tail -f /var/log/apache2/modsec_audit.log
    ModSecurity is now running in DetectionOnly mode for all vhosts except the control panel itself, so there is no additional security for your websites at this point. Watch the log, and when you're ready to enable it, set 'SecRuleEngine On' in /etc/modsecurity/modsecurity.conf.

    When you have a site hitting false positives (and that will happen at times), you can set 'SecRuleEngine DetectionOnly' for the specific website that is affected, not for the entire server, and then work on the rules that are hitting as false-positive. Once you've identified rules that false-positive for a site, you can disable them for just that site in apache config.

    More info on CRS at including 'Handling False Positives' links.
    Last edited: Jan 30, 2017
    till likes this.
  2. Bicet

    Bicet Member

    Thank you for your great tutorial!
    It works like a charm.
    I didn't get how to disable the security mod on some sites.
  3. Bicet

    Bicet Member

    There were some other exception to add.

      SecRuleRemoveById 953110
        SecRuleRemoveById 980140
        SecRuleRemoveById 959100
        SecRuleRemoveById 949110
        SecRuleRemoveById 933150
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    980140, 949110 and 959100 are rules to block when exceeding anomaly scores - you don't want to disable those; in the log just above the lines for those will be the real rule number(s) that hit and caused you to exceed/block which might need removed.

    959100 and 933150 look likely to FP in some places in ispconfig, I'll add those in the config above. If you'd like to take note of exactly when those hit (eg. probably editing php.ini snippets or similar), it might be useful later on if we ever write more specific rules (eg. disable rule 959100 for url A and B, but not anywhere else).

    I'm also working a little on roundcube, there are a number of hits there. Right now I'm just running in DetectionOnly mode for that.
    Last edited: Dec 14, 2016
  5. Christian Roth

    Christian Roth New Member

    This is a very good tutorial. Thank you.

    I have written a more general tutorial for the handling of false positives with CRS3. It also covers the process to move from detectiononly to a strict blocking mode (which is more than a technical problem with a single switch):

    @jesse : The rule exclusions to run CRS3 with ISPConfig would fit nicely into the default CRS3 rule exclusions that we package together with the rules. You may have noticed, that we deliver rule exclusions for WordPress and Drupal and doing the same for ISPConfig would be neat. If you are interested to contribute this, then please get in touch.
    Bicet likes this.
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Yes, I'd prefer that as we could tighten the rules down more and not have to worry about rule number collisions with other local rules.
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Note a recent change to modsecurity-crs package changes how the ruleset should be included, I've updated the instructions above, but the change to note is the /etc/modsecurity/ispconfig.conf file.
    till likes this.
  8. budgierless

    budgierless Member HowtoForge Supporter

    Any backports for Ubuntu to use for this?
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    budgierless likes this.
  10. budgierless

    budgierless Member HowtoForge Supporter

    the files are not in the same place (base_rules instead of rules), also I don't even think its the same file names.
    will uninstall for now, as I don't know what I'm doing.

    UPDATE: I did try to install manually from git clone /usr/share/modsecurity-crs but could not complete the activation. is anyone who uses Ubuntu knows how to set this up let me know, thanks.
    Last edited: Sep 20, 2017
  11. concept21

    concept21 Active Member

    modSecurity is useless if you don't subscribe a commercial rule set or at least a free outdated rule set. :(

    The Ubuntu package rule set will block most activities. :confused:

Share This Page