There are many ways to protect a web server. Start by hiding the versions of the software in use. Then you can add a WAF (Web Application Firewall). ModSecurity is a WAF built as an Apache module, which makes it easy to install and use. ModSecurity can protect against:

  • SQL injection;
  • XSS;
  • trojans;
  • bots;
  • session hijacking;
  • and many other attacks and break-ins.

Let's begin the installation of ModSecurity.
First install the required module:

apt-get install libapache2-mod-security2

and turn it on:

a2enmod security2

By default no filtering rules are enabled. The rules themselves are files with the .conf extension, loaded from the directory /etc/modsecurity/ (the location is specified in /etc/apache2/mods-available/security2.conf) by the following directive:

IncludeOptional /etc/modsecurity/*.conf

Several directories can be listed, and rules are loaded from all of them.

Add new directories to hold our rules:

crs – for the base rule set;
custom – for our own rules.

Add the directories to security2.conf to extend the list of rule locations:

IncludeOptional /etc/modsecurity/rules/crs/*.conf
IncludeOptional /etc/modsecurity/rules/custom/*.conf

and create the required directories (-p also creates the parent rules/ directory, which does not exist yet):

mkdir -p /etc/modsecurity/rules/crs
mkdir -p /etc/modsecurity/rules/custom

Then enable the basic configuration. To do this, copy or rename the default configuration file modsecurity.conf-recommended (located in /etc/modsecurity/) to modsecurity.conf:

cp /etc/modsecurity/modsecurity.conf{-recommended,}

and make a few changes to it.

Replace the first directive, SecRuleEngine DetectionOnly, with

SecRuleEngine On

which enables blocking rather than just detection. The available values are On, Off and DetectionOnly.

Allow inspection of the request body:

SecRequestBodyAccess On

Limit the size of the POST body with SecRequestBodyLimit. If the server has no file upload mechanism, the limit can be set much lower. Here it is 15 MB, which in bytes is 1024 * 1024 * 15 = 15728640. Requests with a larger body are rejected (HTTP 413) unless SecRequestBodyLimitAction ProcessPartial is set:

SecRequestBodyLimit 15728640

Limit how much of a POST body is kept in memory while a file is being uploaded (the file itself is not counted) with SecRequestBodyInMemoryLimit. Anything above the limit is spooled to a temporary file on disk, which is slightly slower but ensures memory is never exhausted. We limit it to 128 KB:

SecRequestBodyInMemoryLimit 131072

The basic rules are now configured. An extended rule set can be downloaded from the official OWASP ModSecurity Core Rule Set page; put its *.conf files into the directory /etc/modsecurity/rules/crs created above, where our additional rules live.

On Debian these rules are shipped by the modsecurity-crs package (install it if it is missing) and live under /usr/share/modsecurity-crs/.
Enable them by creating symlinks in the crs folder:

ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/rules/crs/modsecurity_crs_10_setup.conf

Some rule sets also need *.data files, which must therefore be symlinked as well.
In this setup only the basic modsecurity_crs_10_setup.conf and some of the rules from the base_rules folder are enabled.
It is not necessary to include all the rules at once; with a large rule set it is very likely that legitimate requests to the web server will be blocked.

It now remains to exclude the directories where ModSecurity is not needed or where it interferes.
This is done in the Apache configuration by excluding hosts or paths from monitoring. To exclude an entire virtual host, put the following inside its <VirtualHost> block:

<IfModule security2_module>
SecRuleEngine Off
</IfModule>

The same code inside a <Directory> block excludes a specific directory:

<Directory "/var/www/noModSecurity">
<IfModule security2_module>
SecRuleEngine Off
</IfModule>
</Directory>

You can also disable specific rules for a particular directory or file. For example, WordPress does not get along with rules 981231, 950901 and 981172 (and many others, but this article is not about that).

<LocationMatch "/test-wp/up.php">
<IfModule security2_module>
SecRuleRemoveById 960015 950901
</IfModule>
</LocationMatch>

As an example, let's turn off ModSecurity for phpMyAdmin.

To do this, open the Apache configuration file for phpMyAdmin.
On Debian the phpMyAdmin configuration is at /etc/phpmyadmin/apache.conf, and the Apache configuration directory contains symbolic links to it.

Open it and, inside the <Directory> section, add the block that switches ModSecurity off:

<Directory /usr/share/phpmyadmin>
<IfModule security2_module>
SecRuleEngine Off
</IfModule>
</Directory>

It only remains to restart Apache:

service apache2 restart

Now a few words about proper deployment. Many rules can break a web application, because ModSecurity deems its legitimate requests malicious. It is therefore better to start in detection-only mode (SecRuleEngine DetectionOnly) and watch which rules fire, and when.
Which rules fire can be seen in the log file, by default /var/log/apache2/modsec_audit.log. All information about ModSecurity's work is written to this file.
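Reading the audit log by hand is tedious, so here is an added example (not part of the article) that turns a ModSecurity 2.x serial audit log into the list a practitioner actually needs before switching SecRuleEngine to On: which rule ids fired on which URIs, and a draft per-path exclusion block of the kind shown above. The function names extract_hits, audit_summary and exclusions_for_uri are my own; the sample log written by write_sample_log is constructed for the demo, not real traffic, and is modelled on the serial audit log layout (section B carries the request line, section H one "Message:" line per matched rule with its [id "NNN"] tag).

```shell
#!/bin/sh
# Added example (not from the article): summarise which rules fire where in a
# ModSecurity 2.x serial audit log, so exclusions can be written from evidence
# gathered in DetectionOnly mode. Needs only sh, awk and coreutils.
set -eu

# extract_hits LOG
# Print one "rule_id<TAB>uri" line per rule match. Section B holds the request
# line (URI is its second word; the query string is dropped); section H holds
# one "Message: ... [id "NNN"] ..." line per rule that matched.
extract_hits() {
    awk '
        /^--[0-9A-Za-z]+-B--$/ { section = "B"; want_uri = 1; next }
        /^--[0-9A-Za-z]+-H--$/ { section = "H"; next }
        /^--[0-9A-Za-z]+-[A-Z]--$/ { section = ""; next }
        section == "B" && want_uri { uri = $2; sub(/\?.*/, "", uri); want_uri = 0; next }
        section == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
            print substr($0, RSTART + 5, RLENGTH - 7) "\t" uri
        }
    ' "$1"
}

# audit_summary LOG
# "count<TAB>rule_id<TAB>uri", most frequent first: the list to review before
# turning blocking on.
audit_summary() {
    extract_hits "$1" | sort | uniq -c | sort -rn | awk '{ print $1 "\t" $2 "\t" $3 }'
}

# exclusions_for_uri LOG URI
# Emit a <Location> block removing every rule that fired on URI, as a starting
# point for a per-path exclusion (review each id before using it).
# Returns 1 if nothing fired on that URI.
exclusions_for_uri() {
    ids=$(extract_hits "$1" | awk -v u="$2" '$2 == u { print $1 }' | sort -un | tr '\n' ' ')
    ids=${ids% }
    [ -n "$ids" ] || return 1
    printf '<Location "%s">\n  <IfModule security2_module>\n    SecRuleRemoveById %s\n  </IfModule>\n</Location>\n' "$2" "$ids"
}

# write_sample_log FILE
# Constructed sample log (not real traffic): two requests to /test-wp/up.php,
# the first tripping CRS rules 981231 and 950901, the second 981231 again.
write_sample_log() {
    cat > "$1" <<'EOF'
--1a2b3c4d-A--
[10/Oct/2013:13:55:36 +0400] UlZ6bH8AAQEAAA5b5xoAAAAA 192.0.2.10 54321 192.0.2.1 80
--1a2b3c4d-B--
POST /test-wp/up.php?step=1 HTTP/1.1
Host: example.com
--1a2b3c4d-H--
Message: Warning. Pattern match "(?i:/\*)" at ARGS:comment. [file "/etc/modsecurity/rules/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "200"] [id "981231"] [msg "SQL Comment Sequence Detected."]
Message: Warning. Pattern match "(?i:\bselect\b)" at ARGS:comment. [file "/etc/modsecurity/rules/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "40"] [id "950901"] [msg "SQL Injection Attack"]
--1a2b3c4d-Z--

--5e6f7a8b-A--
[10/Oct/2013:13:56:01 +0400] UlZ6fX8AAQEAAA5b5xsAAAAB 192.0.2.11 54322 192.0.2.1 80
--5e6f7a8b-B--
GET /test-wp/up.php HTTP/1.1
Host: example.com
--5e6f7a8b-H--
Message: Warning. Pattern match "(?i:/\*)" at ARGS:q. [file "/etc/modsecurity/rules/crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "200"] [id "981231"] [msg "SQL Comment Sequence Detected."]
--5e6f7a8b-Z--
EOF
}

# On a live system:  audit_summary /var/log/apache2/modsec_audit.log
# "sh modsec-audit.sh --demo" runs the functions on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample_log "$tmp"
    audit_summary "$tmp"; exclusions_for_uri "$tmp" /test-wp/up.php
    rm -f "$tmp"
fi
```

On the sample the summary shows 981231 twice and 950901 once, both on /test-wp/up.php, and the generated block removes exactly those two ids for that path. The ids in a generated block still need review: a rule that fires on every request to a page may be a genuine false positive, or it may mean that page is being attacked.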