Difference between revisions of "Securing OpenEMR - Apache"
From OpenEMR Project Wiki
Revision as of 19:13, 9 September 2018
1. SSL
2. INSTALL WAF / ENABLE MOD_SECURITY
- Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
- Install WAF
sudo apt-get install libapache2-modsecurity
- On current Ubuntu/Debian releases the package is named libapache2-mod-security2 (libapache2-modsecurity is only a transitional package that pulls it in), so either name works. If the package configuration is left half-finished you might have to run:
sudo dpkg --configure -a
- Check Installation
apachectl -M | grep security
- Rename the recommended base config so ModSecurity actually loads it
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Turn the rule engine on
sudo vi /etc/modsecurity/modsecurity.conf
- make sure it reads
SecRuleEngine On
- The shipped file says SecRuleEngine DetectionOnly, which logs matches to /var/log/apache2/modsec_audit.log but blocks nothing. DetectionOnly is the safer setting for the first days on a busy OpenEMR instance, since it lets you review false positives in the audit log before switching to On.
- Remove default rules
sudo rm -rf /usr/share/modsecurity-crs
- Download github rules
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
- Rename setup file
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
- Add all new rules (crs-setup.conf must be included before the rules directory; keep the order shown)
sudo vi /etc/apache2/mods-enabled/security2.conf
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
- Check the config before restarting (an unclosed quote on an IncludeOptional line is enough to keep Apache from starting)
sudo apachectl configtest
- Restart apache
sudo systemctl restart apache2
- Raise paranoia level to 2 out of 4 (CRS 3 paranoia levels run from 1 to 4; higher levels add stricter rules and more false positives, so retest the OpenEMR forms you use after changing it)
sudo vi /usr/share/modsecurity-crs/crs-setup.conf
- The setting lives inside a SecAction block (id 900000) that is commented out by default. Uncomment the whole block and edit this line to be 2 instead of 1:
setvar:tx.paranoia_level=2
- Test WAF (replace 34.205.87.51 with your own host; both requests should come back 403 Forbidden, and a 200 means the engine is off, in DetectionOnly, or the rules were not loaded)
http://34.205.87.51/?q="><script>alert(1)</script>
http://34.205.87.51/?q='1 OR 1=1
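A check script for the steps above, added here as an example (it is not from the OpenEMR wiki or the Rapid7 post it is based on). It reads the three files the procedure edits, reports the effective SecRuleEngine mode and CRS paranoia level (counting only an uncommented setvar line, since the shipped one is commented out), flags an IncludeOptional line with an unclosed quote, runs apachectl configtest, and then sends the page's two test payloads to the host named in TARGET (an assumed environment variable, defaulting to http://127.0.0.1), printing the HTTP status of each: 403 means the CRS blocked the request.

```shell
#!/bin/sh
# waf-check.sh: verify the ModSecurity + OWASP CRS setup from the procedure above.
# Added example, not part of the OpenEMR wiki. Paths are the ones the procedure uses;
# TARGET (base URL of the OpenEMR host) is an assumption, default http://127.0.0.1.
set -u

MODSEC_CONF=/etc/modsecurity/modsecurity.conf
CRS_SETUP=/usr/share/modsecurity-crs/crs-setup.conf
SECURITY2_CONF=/etc/apache2/mods-enabled/security2.conf

# Print the last SecRuleEngine value in a config file, lower-cased: "on" blocks,
# "detectiononly" only logs, "off" or "unset" means the WAF does nothing.
modsec_engine_mode() {
    mode=$(grep -Ei '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" | tail -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${mode:-unset}"
}

# Print the effective CRS paranoia level. crs-setup.conf ships the setvar inside a
# commented-out SecAction, so only an uncommented setvar line counts; the CRS default is 1.
crs_paranoia_level() {
    lvl=$(grep -E '^[[:space:]]*[^#].*setvar:tx\.paranoia_level=[0-9]' "$1" \
          | sed -E 's/.*paranoia_level=([0-9]).*/\1/' | tail -n 1)
    printf '%s\n' "${lvl:-1}"
}

# Count IncludeOptional lines whose double quotes are unbalanced (an odd number of
# quotes). One unclosed quote is enough to make "apachectl configtest" fail.
unbalanced_include_lines() {
    awk '/^[ \t]*IncludeOptional/ { n = gsub(/"/, "&"); if (n % 2) bad++ } END { print bad + 0 }' "$1"
}

# Send the two test payloads from the procedure as the q parameter and print the
# HTTP status for each. 403 = blocked by the CRS; 200 = engine off, DetectionOnly,
# or rules not loaded. curl URL-encodes the payload, so the raw characters reach the WAF.
probe_waf() {
    base=$1
    for payload in '"><script>alert(1)</script>' "'1 OR 1=1"; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --get --data-urlencode "q=$payload" "$base/")
        printf '%s  q=%s\n' "$code" "$payload"
    done
}

main() {
    echo "SecRuleEngine in $MODSEC_CONF: $(modsec_engine_mode "$MODSEC_CONF")"
    echo "CRS paranoia level in $CRS_SETUP: $(crs_paranoia_level "$CRS_SETUP")"
    echo "unbalanced IncludeOptional lines in $SECURITY2_CONF: $(unbalanced_include_lines "$SECURITY2_CONF")"
    apachectl configtest
    probe_waf "${TARGET:-http://127.0.0.1}"
}

# Only run the checks when executed as a script named waf-check.sh; sourcing the
# file just defines the functions so they can be used one at a time.
case "$0" in
    *waf-check.sh) main "$@" ;;
esac
```

Save it as waf-check.sh and run `sudo TARGET=http://your-openemr-host sh waf-check.sh` after the restart. A paranoia level reported as 1 after you edited the file usually means the SecAction block is still commented out; a 200 on both probes with the engine reporting "on" usually means the CRS include lines are not being read.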
- 2 Enable Mod_Evasive