Difference between revisions of "Securing OpenEMR - Apache"

From OpenEMR Project Wiki

Revision as of 19:16, 9 September 2018

1. SSL

2. INSTALL WAF / ENABLE MOD_SECURITY

  • Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
  • Install WAF
    • sudo apt-get install libapache2-modsecurity
    • Might have to run: sudo dpkg --configure -a
  • Check Installation
    • apachectl -M | grep security
  • Rename rules
    • mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
  • Turn rules on
    • sudo vi /etc/modsecurity/modsecurity.conf
    • make sure it reads SecRuleEngine on
  • Remove default rules
    • sudo rm -rf /usr/share/modsecurity-crs
  • Download github rules
    • sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
  • Rename setup file
    • cd /usr/share/modsecurity-crs
    • sudo mv crs-setup.conf.example crs-setup.conf
  • Add all new rules
    • sudo vi /etc/apache2/mods-enabled/security2.conf
    • <IfModule security2_module>
          SecDataDir /var/cache/modsecurity
          IncludeOptional /etc/modsecurity/*.conf
          IncludeOptional "/usr/share/modsecurity-crs/*.conf"
          IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
      </IfModule>
  • Restart apache
    • systemctl restart apache2
  • Raise paranoia level to 2 out of 5
    • sudo vi /usr/share/modsecurity-crs/crs-setup.conf
    • Edit this line to be 2 instead of 1:
      • setvar:tx.paranoia_level=2
  • Test WAF
    • http://<your IP or domain name>/?q="><script>alert(1)</script>
    • http://<your IP or domain name>/?q='1 OR 1=1
    • You should get a 403 error
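The steps above collected into one script, as an added example that is not from the OpenEMR wiki or from the Rapid7 post it cites. It assumes the Debian/Ubuntu paths the page uses and that the full run happens as root on the server; the function names and the APPLY_WAF switch are my own. Each helper takes a file path, so the config edits can be tried on scratch copies before /etc is touched, and the Apache config is validated with apachectl configtest before the restart.

```shell
#!/bin/sh
# Added example for the ModSecurity/CRS steps above; not from the OpenEMR
# wiki or the Rapid7 post it cites. Paths are the ones the page uses
# (Debian/Ubuntu layout). APPLY_WAF and the function names are my own.
# The helpers take file paths as arguments so they can be exercised on
# scratch copies before touching /etc.

# Write the security2.conf include block. An unterminated quote on an
# IncludeOptional line makes apachectl configtest fail, so both quoted
# paths are closed here.
write_security2_conf() {
    out="$1"
    cat > "$out" <<'EOF'
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional "/usr/share/modsecurity-crs/*.conf"
    IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
EOF
}

# Switch SecRuleEngine to On. modsecurity.conf-recommended ships with
# DetectionOnly, which logs matches but never blocks, so skipping this step
# leaves the WAF passive even though the rules are loaded.
enable_rule_engine() {
    conf="$1"
    sed 's/^SecRuleEngine[[:space:]].*/SecRuleEngine On/' "$conf" > "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf" || return 1
    grep -q '^SecRuleEngine On$' "$conf"
}

# Rewrite the tx.paranoia_level value in crs-setup.conf. Returns 2 if the
# only occurrence sits on a commented line (the example file ships with that
# SecAction block commented out), because the change then has no effect.
set_paranoia_level() {
    conf="$1"; level="$2"
    case "$level" in
        [1-9]) ;;
        *) echo "paranoia level must be a single digit, got '$level'" >&2; return 1 ;;
    esac
    sed "s/\(setvar:tx\.paranoia_level=\)[0-9]*/\1$level/" "$conf" > "$conf.tmp" || return 1
    mv "$conf.tmp" "$conf" || return 1
    if grep -v '^[[:space:]]*#' "$conf" | grep -q "setvar:tx.paranoia_level=$level"; then
        return 0
    fi
    echo "tx.paranoia_level=$level is only set on a commented line; uncomment its SecAction block" >&2
    return 2
}

# Send the page's two test payloads and expect HTTP 403 for each. A 200 here
# means the engine is still in DetectionOnly or the CRS includes did not load.
waf_smoke_test() {
    base="$1"; failed=0
    for payload in '"><script>alert(1)</script>' "'1 OR 1=1"; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --get --data-urlencode "q=$payload" "$base/")
        if [ "$code" = "403" ]; then
            echo "blocked ($code): $payload"
        else
            echo "NOT blocked ($code): $payload"; failed=1
        fi
    done
    return $failed
}

# Full run of the page's procedure, as root on the server. Nothing below
# executes unless APPLY_WAF=1 is set, so sourcing the file is side-effect free.
if [ "${APPLY_WAF:-0}" = "1" ]; then
    apt-get install -y libapache2-modsecurity
    [ -f /etc/modsecurity/modsecurity.conf ] || \
        mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
    enable_rule_engine /etc/modsecurity/modsecurity.conf
    rm -rf /usr/share/modsecurity-crs
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
    mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
    set_paranoia_level /usr/share/modsecurity-crs/crs-setup.conf 2
    write_security2_conf /etc/apache2/mods-enabled/security2.conf
    # Validate the config before restarting so a bad include cannot take the site down.
    apachectl configtest && systemctl restart apache2
    waf_smoke_test "http://localhost"
fi
```

Run it as APPLY_WAF=1 sh waf-setup.sh on the server; without the variable the file only defines the helpers, which is what lets the file edits be checked on copies of the real config first. The return code of set_paranoia_level is worth checking in the apply run: a value that only changes inside the commented-out SecAction block leaves CRS at its default paranoia level.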

3. Enable Mod_Evasive