Difference between revisions of "Securing OpenEMR - Apache"
m (moved Securing OpenEMR - Advanced to Securing OpenEMR - Apache)
Revision as of 19:02, 9 September 2018
[under review]
$$$ Change page name to "Apache Security"

- 0 General Security Settings

- 1 Enable Mod_Security

2. INSTALL WAF

Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/

Install WAF
sudo apt-get install libapache2-modsecurity
(On newer Ubuntu releases this is a transitional package; the real one is libapache2-mod-security2.)
Might have to run:
sudo dpkg --configure -a

Check installation
apachectl -M | grep security

Rename rules
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Turn rules on
sudo vi /etc/modsecurity/modsecurity.conf
Change the shipped line "SecRuleEngine DetectionOnly" to:
SecRuleEngine On

Remove default rules
sudo rm -rf /usr/share/modsecurity-crs

Download GitHub rules
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

Rename setup file
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf

Add all new rules
sudo vi /etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional "/usr/share/modsecurity-crs/*.conf"
    IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
(Both quoted paths must have a closing quote, otherwise Apache refuses the configuration.)

Restart apache
systemctl restart apache2

Raise paranoia level to 2 out of 5
sudo vi /usr/share/modsecurity-crs/crs-setup.conf
Edit this line to be 2 instead of 1 (the SecAction block it sits in is commented out by default, so uncomment that block as well, then restart Apache again):
setvar:tx.paranoia_level=2

Test WAF
http://34.205.87.51/?q="><script>alert(1)</script>
http://34.205.87.51/?q='1 OR 1=1
Both requests should come back as 403 Forbidden and be recorded in the ModSecurity audit log (/var/log/apache2/modsec_audit.log with the packaged modsecurity.conf).
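The following audit script is an added example, not part of the OpenEMR wiki page: it checks the three settings the procedure above edits (SecRuleEngine, the CRS paranoia level, and the quoting in security2.conf) before Apache is restarted. It assumes the file paths given above; the config fragments in demo() are constructed for an offline run and MODSEC_AUDIT_LIVE is a variable name chosen here.

```shell
#!/bin/sh
# Added example, not from the OpenEMR wiki: audit the settings the procedure
# above edits before restarting Apache, catching the usual slips: SecRuleEngine
# left at DetectionOnly, the paranoia_level block edited but still commented
# out, and an IncludeOptional path with an unclosed quote (configtest rejects it).
# Real paths are the page's; the config fragments in demo() are constructed.

# Effective SecRuleEngine value: last uncommented directive wins, "unset" if none.
effective_rule_engine() {
    awk '/^[[:space:]]*#/ {next}
         toupper($1) == "SECRULEENGINE" {v = $2}
         END {print (v == "" ? "unset" : v)}' "$1"
}

# Paranoia level crs-setup.conf will actually apply. Commented lines are
# skipped, so a setvar edited but never uncommented reports the CRS default 1.
effective_paranoia_level() {
    awk '/^[[:space:]]*#/ {next}
         match($0, /tx\.paranoia_level=[0-9]+/) {v = substr($0, RSTART + 18, RLENGTH - 18)}
         END {print (v == "" ? 1 : v)}' "$1"
}

# Print lines with an odd number of double quotes; exit 1 if any were found.
unbalanced_quotes() {
    awk '{n = gsub(/"/, "&"); if (n % 2) {print FILENAME ":" NR ": " $0; bad = 1}}
         END {exit (bad ? 1 : 0)}' "$1"
}

# Offline demonstration on constructed fragments, not the real files.
demo() {
    d=$(mktemp -d)
    printf 'SecRuleEngine DetectionOnly\n' > "$d/modsecurity.conf"
    printf '#SecAction "id:900000,setvar:tx.paranoia_level=2"\n' > "$d/crs-setup.conf"
    printf 'IncludeOptional "/usr/share/modsecurity-crs/*.conf\n' > "$d/security2.conf"
    echo "SecRuleEngine: $(effective_rule_engine "$d/modsecurity.conf")"     # DetectionOnly
    echo "paranoia_level: $(effective_paranoia_level "$d/crs-setup.conf")"   # 1
    unbalanced_quotes "$d/security2.conf" || echo "fix the quoting above"
    rm -r "$d"
}

# MODSEC_AUDIT_LIVE=1 audits the real files and the running Apache instead.
if [ "${MODSEC_AUDIT_LIVE:-0}" = 1 ]; then
    apachectl -M 2>/dev/null | grep -q security2_module || echo "security2_module not loaded"
    echo "SecRuleEngine: $(effective_rule_engine /etc/modsecurity/modsecurity.conf)"
    echo "paranoia_level: $(effective_paranoia_level /usr/share/modsecurity-crs/crs-setup.conf)"
    unbalanced_quotes /etc/apache2/mods-enabled/security2.conf && apachectl configtest
else
    demo
fi
```

Run it as-is for the offline demonstration, or with MODSEC_AUDIT_LIVE=1 on the server after the steps above to confirm the module is loaded and the configuration parses before restarting.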
- 2 Enable Mod_Evasive