Does anyone have a "mod_security howto" which allows us to install mod_security step by step, so we don't take down all functionality?
I have mod_security installed, but when trying to use the canned modsecurity_crs_20_* rules, I end up turning my server into a toaster.
I'm hoping someone could provide some answers on how to protect, without breaking usefulness.
Here's what I have so far:
[code]How to install MOD_SECURITY on Debian 7 with Virtualmin
(mod_security info at https://github.com/SpiderLabs/owasp-modsecurity-crs/)
mkdir -p /root/work/modsecurity
cd /root/work/modsecurity
apt-get install libapache2-modsecurity
(configure mod_security)
vim /etc/apache2/mods-available/mod-security.conf
(add the following)
# Default Debian dir for modsecurity's persistent data
SecDataDir /var/cache/modsecurity
# Include all the *.conf files in /etc/modsecurity.
# Keeping your local configuration in that directory
# will allow for an easy upgrade of THIS file and
# make your life easier
Include "/etc/modsecurity/*.conf"
(enable mod_security)
ln -s /etc/apache2/mods-available/mod-security.conf /etc/apache2/mods-enabled/mod-security.conf
ln -s /etc/apache2/mods-available/mod-security.load /etc/apache2/mods-enabled/mod-security.load
service apache2 restart
(set/capture conf file)
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
cp /etc/modsecurity/modsecurity.conf .
a2enmod mod-security
a2enmod headers
(test current apache configuration)
apachectl configtest
(reload apache2)
service apache2 reload
(download owasp rules)
rm -f crs.zip
wget -O crs.zip https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/v2.2.5
unzip crs.zip
rm -fr previous-owasp
mv owasp previous-owasp
mv Spider* owasp
rm -fr /etc/modsecurity/*
cp modsecurity.conf /etc/modsecurity
cp -f /root/work/modsecurity/owasp/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
STOP HERE UNLESS YOU KNOW WHICH RULES TO ENABLE WITHOUT BREAKING VIRTUALMIN!!!
(enables rules)
#cd /root/work/modsecurity/owasp/base_rules/
#for f in * ; do ln -s /root/work/modsecurity/owasp/base_rules/$f /etc/modsecurity/$f;done
#cd /root/work/modsecurity/owasp/optional_rules/
#for f in * ; do ln -s /root/work/modsecurity/owasp/optional_rules/$f /etc/modsecurity/$f; done
#cd /root/work/modsecurity/owasp/slr_rules/
#for f in * ; do ln -s /root/work/modsecurity/owasp/slr_rules/$f /etc/modsecurity/$f; done
(some housekeeping)
cd /etc/modsecurity
rm -f modsecurity_crs_50_outbound.conf
(test current apache configuration)
apachectl configtest
(restart apache2)
service apache2 restart[/code]
Really? No one else using mod_security?
I did get it to install without breaking virtualmin, but many of my clients have php code that doesn't like the mod_security rules. I had to remove them to get everyone working.
Very disappointing that mod_security logs are so hard to read...
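For the log-readability complaint above, here is an added example (not part of the original thread or of ModSecurity itself) that condenses ModSecurity hits from an Apache error log into counts per rule id, site and path, and per rule file, so the symlinked CRS files causing most of the breakage stand out. It assumes the ModSecurity 2.x error-log layout of `[key "value"]` fields; the sample lines are constructed.

```python
import os
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout;
# timestamps, client IPs, hostnames, URIs and unique_ids are made up.
SAMPLE_LOG = r'''
[Tue Mar 04 10:15:01 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "shop.example.com"] [uri "/cart.php"] [unique_id "constructed0001"]
[Tue Mar 04 10:15:09 2014] [error] [client 203.0.113.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [id "960015"] [msg "Request Missing an Accept Header"] [hostname "shop.example.com"] [uri "/cart.php?item=4"] [unique_id "constructed0002"]
[Tue Mar 04 10:16:30 2014] [error] [client 198.51.100.23] ModSecurity: Warning. Pattern match "..." at ARGS:content. [file "/etc/modsecurity/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert"] [data "said \"hi\""] [hostname "blog.example.com"] [uri "/wp-admin/post.php"] [unique_id "constructed0003"]
[Tue Mar 04 10:17:02 2014] [error] [client 198.51.100.23] File does not exist: /home/blog/public_html/favicon.ico
'''

# Every detail of a hit is a [key "value"] pair; values may hold escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_hit(line):
    """Return the fields of one ModSecurity hit as a dict, or None."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if "id" in fields else None

def tally(log_text):
    """Count hits per (rule id, site, path) and per rule file."""
    by_target, by_file, messages = Counter(), Counter(), {}
    for line in log_text.splitlines():
        hit = parse_hit(line)
        if hit is None:
            continue
        path = hit.get("uri", "?").split("?", 1)[0]  # ignore query strings
        by_target[(hit["id"], hit.get("hostname", "?"), path)] += 1
        by_file[os.path.basename(hit.get("file", "?"))] += 1
        messages[hit["id"]] = hit.get("msg", "")
    return by_target, by_file, messages

def report(log_text):
    """Readable summary, noisiest rule/site/path combination first."""
    by_target, by_file, messages = tally(log_text)
    lines = [f"{n:5d}  id={rule}  {host}{path}  {messages[rule]}"
             for (rule, host, path), n in by_target.most_common()]
    lines += [f"{n:5d}  file={name}" for name, n in by_file.most_common()]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To use it on a real server, pass the contents of the Apache error log for the affected site to `report()` instead of `SAMPLE_LOG`.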