This is a quick howto for getting modsecurity crs 3 running with ispconfig 3.1 on apache in debian 8 (jessie). Written 11/30/2016, and likely things will change in the future. Modsecurity can be installed on all web server nodes in a multi-server installation, including the ispconfig control panel. Start with installing the OS and ISPConfig according to the Perfect Server guide: https://www.howtoforge.com/tutorial/perfect-server-debian-8-jessie-apache-bind-dovecot-ispconfig-3/ Add the jessie-backports repository if you haven't already done so: Code: # cat <<EOF >/etc/apt/sources.list.d/jessie-backports.list deb http://http.debian.net/debian jessie-backports main deb-src http://http.debian.net/debian jessie-backports main EOF # apt-get update Install the apache module: Code: # apt-get install libapache2-mod-security2 You can install modsecurity with nginx as well, but I don't have any experience there. Maybe someone else can post that bit? Now install modsecurity-crs: Code: # apt-get -t jessie-backports install modsecurity-crs Configure modsecurity-crs rules to be included by apache. This is right from /usr/share/doc/modsecurity-crs/README.Debian: Code: # cd /usr/share/modsecurity-crs/rules # cp REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example \ /etc/modsecurity/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS # cp RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example \ /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS # cat <<EOF > /etc/modsecurity/ispconfig.conf <IfModule security2_module> Include /usr/share/modsecurity-crs/owasp-crs.load </IfModule> EOF And this part is based on ongoing discussion at https://www.howtoforge.com/community/threads/mod_security-with-ispconfig-vhost.74833/: Code: # cat <<EOF >> /etc/modsecurity/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS <Directory /usr/local/ispconfig/interface/web/client/> # put "/etc/passwd' in client notes field SecRuleRemoveById 932160 # edit Server Config > Web > PHP Settings (path names) SecRuleRemoveById 930120 # edit Server Config > Jailkit SecRuleRemoveById 932150 # php injection/attack hits seen by Bicet SecRuleRemoveById 933150 SecRuleRemoveById 959100 # modify a site Custom Php.ini # POST /sites/web_vhost_domain_edit.php # ARGS:custom_php_ini SecRuleRemoveById 933120 </Directory> <Directory /usr/share/phpmyadmin> # mod_security rules (crs3) that hit on legitimate phpmyadmin use SecRuleRemoveById 942100 SecRuleRemoveById 941120 </Directory> EOF Now create a modsecurity.conf file and configure settings as needed; what I'm using right now is: Code: # mkdir /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/ # chown www-data /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/ # chmod 700 /var/cache/modsecurity/tmp/ /var/cache/modsecurity/upload/ # cd /etc/modsecurity/ # cp modsecurity.conf-recommended modsecurity.conf # sed -i 's/^SecRequestBodyLimit .*$/SecRequestBodyLimit 134217728/g' modsecurity.conf # sed -i 's/^SecPcreMatchLimit .*$/SecPcreMatchLimit 150000/g' modsecurity.conf # sed -i 's/^SecPcreMatchLimitRecursion .*$/SecPcreMatchLimitRecursion 150000/g' modsecurity.conf # sed -i 's|^SecTmpDir .*$|SecTmpDir /var/cache/modsecurity/tmp/|g' modsecurity.conf # sed -i 's|^SecDataDir .*$|SecDataDir /var/cache/modsecurity/|g' modsecurity.conf # sed -i 's|^#SecUploadDir .*$|SecUploadDir /var/cache/modsecurity/upload/|g' modsecurity.conf # sed -i 's/^#SecUploadFileMode .*$/SecUploadFileMode 0600/g' modsecurity.conf # sed -i 's/^SecAuditLogParts .*$/SecAuditLogParts ABIFHZ/g' modsecurity.conf ISPConfig disables ModSecurity out of the box, we're going to enable it. You could run in detection mode if you want to make sure everything works (in particular, the remote API has not been tested with modsecurity at this time!). This only needs done on the ISPConfig control panel node, not slave webservers if you have those: Code: # sed -i 's/SecRuleEngine Off/SecRuleEngine On/g' /etc/apache2/sites-available/ispconfig.vhost Now enable modsecurity, restart apache: Code: # a2enmod security2 # apachectl restart Once you've made sure apache is running, you can watch modsecurity's log: Code: # tail -f /var/log/apache2/modsec_audit.log ModSecurity is now running in DetectionOnly mode for all vhosts except the control panel itself, so there is no additional security for your websites at this point. Watch the log, and when you're ready to enable it, set 'SecRuleEngine On' in /etc/modsecurity/modsecurity.conf. When you have a site hitting false positives (and that will happen at times), you can set 'SecRuleEngine DetectionOnly' for the specific website that is affected, not for the entire server, and then work on the rules that are hitting as false-positive. Once you've identified rules that false-positive for a site, you can disable them for just that site in apache config. More info on CRS at https://modsecurity.org/crs/ including 'Handling False Positives' links.
Thank you for your great tutorial! It works like a charm. I didn't get how to disable the security mod on some sites.
EDIT. There were some other exception to add. Code: SecRuleRemoveById 953110 SecRuleRemoveById 980140 SecRuleRemoveById 959100 SecRuleRemoveById 949110 SecRuleRemoveById 933150
980140, 949110 and 959100 are rules to block when exceeding anomaly scores - you don't want to disable those; in the log just above the lines for those will be the real rule number(s) that hit and caused you to exceed/block which might need removed. 959100 and 933150 look likely to FP in some places in ispconfig, I'll add those in the config above. If you'd like to take note of exactly when those hit (eg. probably editing php.ini snippets or similar), it might be useful later on if we ever write more specific rules (eg. disable rule 959100 for url A and B, but not anywhere else). I'm also working a little on roundcube, there are a number of hits there. Right now I'm just running in DetectionOnly mode for that.
This is a very good tutorial. Thank you. I have written a more general tutorial for the handling of false positives with CRS3. It also covers the process to move from detectiononly to a strict blocking mode (which is more than a technical problem with a single switch): https://www.netnea.com/cms/apache-tutorials/ @jesse : The rule exclusions to run CRS3 with ISPConfig would fit nicely into the default CRS3 rule exclusions that we package together with the rules. You may have noticed, that we deliver rule exclusions for WordPress and Drupal and doing the same for ISPConfig would be neat. If you are interested to contribute this, then please get in touch.
Yes, I'd prefer that as we could tighten the rules down more and not have to worry about rule number collisions with other local rules.
Note a recent change to modsecurity-crs package changes how the ruleset should be included, I've updated the instructions above, but the change to note is the /etc/modsecurity/ispconfig.conf file.
Looks like https://launchpad.net/ubuntu/+source/modsecurity-crs should be it, though I've not used that offhand.
the files are not in the same place (base_rules instead of rules), also I don't even think its the same file names. will uninstall for now, as I don't know what I'm doing. UPDATE: I did try to install manually from git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs but could not complete the activation. is anyone who uses Ubuntu knows how to set this up let me know, thanks.
modSecurity is useless if you don't subscribe a commercial rule set or at least a free outdated rule set. The Ubuntu package rule set will block most activities.