Difference between revisions of "Securing OpenEMR - Apache"

From OpenEMR Project Wiki
Revision as of 19:13, 9 September 2018

[under review]

1. SSL

2. INSTALL WAF / ENABLE MOD_SECURITY

* Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
* Install WAF
** <code>sudo apt-get install libapache2-modsecurity</code>
** Might have to run: <code>sudo dpkg --configure -a</code>
* Check Installation
** <code>apachectl -M | grep security</code>
* Rename rules
** <code>sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf</code>
* Turn rules on
** <code>sudo vi /etc/modsecurity/modsecurity.conf</code>
** make sure it reads <code>SecRuleEngine On</code>

* Remove default rules
** <code>sudo rm -rf /usr/share/modsecurity-crs</code>
* Download github rules
** <code>sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs</code>
* Rename setup file
** <code>cd /usr/share/modsecurity-crs</code>
** <code>sudo mv crs-setup.conf.example crs-setup.conf</code>
* Add all new rules
** <code>sudo vi /etc/apache2/mods-enabled/security2.conf</code>
** make sure the module block includes the CRS directories (both paths must be fully quoted):

 <IfModule security2_module>
     SecDataDir /var/cache/modsecurity
     IncludeOptional /etc/modsecurity/*.conf
     IncludeOptional "/usr/share/modsecurity-crs/*.conf"
     IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
 </IfModule>

* Restart apache
** <code>systemctl restart apache2</code>
* Raise paranoia level to 2 out of 5
** <code>sudo vi /usr/share/modsecurity-crs/crs-setup.conf</code>
** Edit this line to be 2 instead of 1: <code>setvar:tx.paranoia_level=2</code>
* Test WAF
** <code>http://34.205.87.51/?q="><script>alert(1)</script></code>
** <code>http://34.205.87.51/?q='1 OR 1=1</code>
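The steps above never confirm that ModSecurity will actually block anything: modsecurity.conf-recommended ships with <code>SecRuleEngine DetectionOnly</code>, and in crs-setup.conf the SecAction block that sets <code>tx.paranoia_level</code> is commented out, so changing the 1 to a 2 without removing the leading <code>#</code> leaves the level unset. The following script is an added example, not part of the wiki page or of OpenEMR; it parses both files and gives a verdict, and the sample configs it writes to a temp directory are constructed for the offline run (pass the real paths under /etc/modsecurity and /usr/share/modsecurity-crs on a live host).

```shell
#!/bin/sh
# Added verification helper for the ModSecurity steps above (not from the
# OpenEMR wiki). It reads the two files the steps edit and reports whether
# the WAF will actually block, which the steps themselves never check.

# Effective SecRuleEngine value from modsecurity.conf (last uncommented wins).
rule_engine_mode() {
    awk 'tolower($1)=="secruleengine" {mode=$2}
         END {print (mode=="" ? "unset" : mode)}' "$1"
}

# Paranoia level from crs-setup.conf. The shipped file keeps the whole
# SecAction block commented out, so commented lines are skipped: editing the
# number without removing the leading "#" must report "unset".
crs_paranoia_level() {
    awk '/^[[:space:]]*#/ {next}
         match($0, /setvar:tx\.paranoia_level=[0-9]+/) {
             lvl=substr($0, RSTART+25, RLENGTH-25)}
         END {print (lvl=="" ? "unset" : lvl)}' "$1"
}

# Verdict: only "On" plus a set level is enforcing; "DetectionOnly" (the
# default in modsecurity.conf-recommended) logs matches but blocks nothing.
waf_status() {
    mode=$(rule_engine_mode "$1"); lvl=$(crs_paranoia_level "$2")
    case "$mode:$lvl" in
        [Oo][Nn]:[1-5]) echo "enforcing: SecRuleEngine $mode, paranoia level $lvl"; return 0 ;;
        [Dd]etection[Oo]nly:*) echo "logging only: SecRuleEngine $mode"; return 1 ;;
        *) echo "NOT enforcing: SecRuleEngine=$mode paranoia_level=$lvl"; return 1 ;;
    esac
}

# Constructed sample configs mirroring the real files' shape, for an offline run.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/modsecurity.conf" <<'EOF'
# SecRuleEngine DetectionOnly
SecRuleEngine On
EOF
cat > "$demo_dir/crs-setup.conf" <<'EOF'
#SecAction \
# "id:900000,\
#  setvar:tx.paranoia_level=1"
SecAction \
 "id:900000,phase:1,nolog,pass,t:none,\
  setvar:tx.paranoia_level=2"
EOF
waf_status "$demo_dir/modsecurity.conf" "$demo_dir/crs-setup.conf"
```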

  1. 2 Enable Mod_Evasive