Difference between revisions of "Securing OpenEMR - Apache"
From OpenEMR Project Wiki
Latest revision as of 19:52, 9 September 2018
NOTES
- This tutorial requires a basic understanding of the Linux Terminal and a text editor such as Nano or Vi
- This tutorial assumes Ubuntu on AWS. Installation elsewhere will likely be very similar.
BASIC
- Make Apache disclose less information
sudo vi /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off
SSL
- Follow this tutorial: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
INSTALL WAF / ENABLE MOD_SECURITY
- Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
- Install WAF
sudo apt-get install libapache2-modsecurity
- Might have to run:
sudo dpkg --configure -a
- Check Installation
apachectl -M | grep security
- Rename rules (the file lives in /etc, so this needs root)
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Turn rules on
sudo vi /etc/modsecurity/modsecurity.conf
- make sure it reads
SecRuleEngine On
- Remove default rules
sudo rm -rf /usr/share/modsecurity-crs
- Download github rules
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
- Rename setup file
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
- Add all new rules
sudo vi /etc/apache2/mods-enabled/security2.conf
- place the following block in the document (both quoted paths must be closed, otherwise Apache refuses to start)
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
- Restart apache
systemctl restart apache2
- Raise paranoia level to 2 out of 5
sudo vi /usr/share/modsecurity-crs/crs-setup.conf
- Edit this line to be 2 instead of 1:
setvar:tx.paranoia_level=2
- Test WAF by entering these URLs
http://www.<your IP or domain name>/?q="><script>alert(1)</script>
http://www.<your IP or domain name>/?q='1 OR 1=1''
- You should get a 403 error
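Paranoia level 2 catches more, but it also fires on more legitimate OpenEMR traffic, and the usual mistake is to turn the engine off when that happens instead of excluding the one rule that misfires. The script below is an added example, not part of the wiki page or of the CRS project: it reads Apache's error log (assumed to be the Debian default, /var/log/apache2/error.log, where ModSecurity writes its "ModSecurity: Warning/Access denied" lines) and counts which rule id fired on which URI, most frequent first. The log lines in sample_errorlog are constructed for the example; the rule ids and messages are ones CRS 3.x emits.

```shell
#!/bin/sh
# Added example (not from the OpenEMR wiki page): summarise which CRS rules
# fire in Apache's error log so that false positives introduced by paranoia
# level 2 can be excluded individually instead of disabling the WAF.
# Assumes ModSecurity logs to Apache's error log and uses its standard
# [id "..."], [msg "..."] and [uri "..."] fields.

# Usage: modsec_rule_summary < /var/log/apache2/error.log
# Prints "count rule-id uri message", most frequent rule first.
modsec_rule_summary() {
    awk '
    # Return the quoted value of [name "..."] in the current line, or "".
    function field(name,    re, prefix) {
        prefix = "[" name " \""
        re = "\\[" name " \"[^\"]*\"\\]"
        if (match($0, re))
            return substr($0, RSTART + length(prefix), RLENGTH - length(prefix) - 2)
        return ""
    }
    /ModSecurity: / {
        id = field("id"); uri = field("uri")
        if (id == "") next                  # ModSecurity line without a rule id
        key = id SUBSEP uri
        count[key]++
        msg[key] = field("msg")
    }
    END {
        for (key in count) {
            split(key, k, SUBSEP)
            print count[key], k[1], k[2], msg[key]
        }
    }' | sort -k1,1nr -k2,2
}

# Constructed sample: two blocked test requests from one client and three
# legitimate login-page requests that only trip the "numeric Host header"
# rule, which is what you see when users reach the server by IP address.
sample_errorlog() {
    cat <<'EOF'
[Sun Sep 09 19:50:00.000000 2018] [mpm_prefork:notice] [pid 990] AH00163: Apache/2.4 configured -- resuming normal operations
[Sun Sep 09 19:52:01.000001 2018] [:error] [pid 1001] [client 10.0.0.9:50001] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/"]
[Sun Sep 09 19:52:01.000002 2018] [:error] [pid 1001] [client 10.0.0.9:50001] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/"]
[Sun Sep 09 19:52:02.000001 2018] [:error] [pid 1002] [client 10.0.0.9:50002] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/"]
[Sun Sep 09 19:52:02.000002 2018] [:error] [pid 1002] [client 10.0.0.9:50002] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/"]
[Sun Sep 09 19:53:10.000001 2018] [:error] [pid 1003] [client 10.0.0.2:41000] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "203.0.113.10"] [uri "/openemr/interface/login/login.php"]
[Sun Sep 09 19:53:25.000001 2018] [:error] [pid 1004] [client 10.0.0.2:41001] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "203.0.113.10"] [uri "/openemr/interface/login/login.php"]
[Sun Sep 09 19:54:02.000001 2018] [:error] [pid 1005] [client 10.0.0.2:41002] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [hostname "203.0.113.10"] [uri "/openemr/interface/login/login.php"]
EOF
}

sample_errorlog | modsec_rule_summary
```

A rule that sits at the top of this list on ordinary login traffic, like 920350 in the sample, is a candidate for a targeted exclusion (SecRuleRemoveById in a file loaded after the CRS rules, such as the RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf example that CRS ships) while the rest of the rule set stays at paranoia level 2. Rules 941100, 942100 and 949110 firing on the test URLs from this section are the WAF doing its job.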
Enable Mod_Evasive
- Rate-limits requests to blunt brute-force attempts, spidering, and scanners such as Burp Suite or Nikto
- The module caps how many requests one client IP may make to the same page, and to the site as a whole, per interval; a client over the cap gets a 403 for DOSBlockingPeriod seconds
- Install mod_evasive
sudo apt-get install libapache2-mod-evasive
- Create Log
sudo mkdir /var/log/mod_evasive
sudo chown -R www-data:www-data /var/log/mod_evasive
- Create blocking script
sudo mkdir /etc/apache2/scripts
sudo vi /etc/apache2/scripts/ban_ip.sh
#!/bin/sh
# Called by mod_evasive with the offending client IP as the first argument.
# Assumes a user-defined iptables chain named "banned" that INPUT jumps to
# (iptables -N banned; iptables -I INPUT -j banned) and that the at daemon is installed.
IP=$1
IPTABLES=/sbin/iptables
# Drop HTTP and HTTPS traffic from the client
$IPTABLES -A banned -s "$IP" -p TCP --dport 80 -j DROP
$IPTABLES -A banned -s "$IP" -p TCP --dport 443 -j DROP
# Schedule removal of both rules three minutes later
echo "$IPTABLES -D banned -s $IP -p TCP --dport 80 -j DROP" | at now + 3 minutes
echo "$IPTABLES -D banned -s $IP -p TCP --dport 443 -j DROP" | at now + 3 minutes
- Adjust properties of script
sudo chown www-data:www-data /etc/apache2/scripts/ban_ip.sh
sudo chmod 550 /etc/apache2/scripts/ban_ip.sh
- Create mod_evasive config file
sudo vi /etc/apache2/mods-enabled/evasive.conf
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 10
DOSBlockingPeriod 180
#DOSEmailNotify email@yourdomain.com
# The command runs as the Apache user, so www-data needs a sudoers entry that allows this script without a password
DOSSystemCommand "sudo /etc/apache2/scripts/ban_ip.sh %s"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
- Restart Apache
sudo systemctl stop apache2
sudo systemctl start apache2
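Before switching mod_evasive on with DOSPageCount 5 / DOSPageInterval 1 and DOSSiteCount 50 / DOSSiteInterval 10, it is worth seeing which of your existing clients those numbers would have blocked, since an OpenEMR screen that loads many resources at once can look like a burst. The script below is an added example, not part of the wiki page or of the mod_evasive project: it approximates the module's two checks over an Apache access log in combined format. A counter per client+URI (page) and per client (site) is incremented while requests arrive less than the interval apart and reset otherwise; a client is reported once its counter has already reached the count when another request arrives inside the interval. The log lines in sample_log are constructed, and timestamps are reduced to seconds within the month, so a log spanning a month boundary would need real date parsing.

```shell
#!/bin/sh
# Added example (not from the OpenEMR wiki page): dry-run mod_evasive's
# thresholds against an existing Apache access log before enabling the module.

# Usage: evasive_dry_run DOSPageCount DOSPageInterval DOSSiteCount DOSSiteInterval < access.log
# Prints "<client ip> page" or "<client ip> site" once per client per threshold tripped.
evasive_dry_run() {
    awk -v pcount="$1" -v pint="$2" -v scount="$3" -v sint="$4" '
    # Returns 1 when this request would trip the threshold for key.
    function check(key, t, cnt, ivl,    hit) {
        hit = 0
        if ((key in last) && (t - last[key]) < ivl) {
            if (hits[key] >= cnt) hit = 1
            hits[key]++
        } else {
            hits[key] = 1               # gap >= interval: counter starts over
        }
        last[key] = t
        return hit
    }
    {
        ip = $1
        # $4 is the combined-log timestamp, e.g. [09/Sep/2018:19:52:05
        split(substr($4, 2), p, "[/:]")   # p[1]=day p[4]=hour p[5]=min p[6]=sec
        t = p[1] * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
        uri = $7                          # request path, the method is $6
        if (check(ip SUBSEP uri, t, pcount, pint) && !((ip, "page") in seen)) {
            seen[ip, "page"] = 1
            print ip " page"
        }
        if (check(ip, t, scount, sint) && !((ip, "site") in seen)) {
            seen[ip, "site"] = 1
            print ip " site"
        }
    }'
}

# Constructed sample log (combined format): one normal user and one client
# hitting the login page six times within the same second, then once more.
sample_log() {
    cat <<'EOF'
10.0.0.2 - - [09/Sep/2018:19:52:01 +0000] "GET /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [09/Sep/2018:19:52:03 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.2 - - [09/Sep/2018:19:52:04 +0000] "GET /openemr/interface/main/main_screen.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Sep/2018:19:52:05 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "python-requests/2.19"
10.0.0.9 - - [09/Sep/2018:19:52:05 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "python-requests/2.19"
10.0.0.9 - - [09/Sep/2018:19:52:05 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "python-requests/2.19"
10.0.0.9 - - [09/Sep/2018:19:52:05 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "python-requests/2.19"
10.0.0.9 - - [09/Sep/2018:19:52:05 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "python-requests/2.19"
10.0.0.9 - - [09/Sep/2018:19:52:05 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "python-requests/2.19"
10.0.0.9 - - [09/Sep/2018:19:52:07 +0000] "POST /openemr/interface/login/login.php HTTP/1.1" 200 512 "-" "python-requests/2.19"
EOF
}

# Thresholds from the evasive.conf above: page 5 per 1 s, site 50 per 10 s
sample_log | evasive_dry_run 5 1 50 10
```

Run it as `evasive_dry_run 5 1 50 10 < /var/log/apache2/access.log` against a day of real traffic: every IP it prints is one the configured numbers would have sent a 403 (and, with the ban script, an iptables DROP for three minutes). Raise DOSPageCount or DOSSiteCount until only clients you would actually want blocked remain.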