Securing OpenEMR - Apache
From OpenEMR Project Wiki
Revision as of 19:20, 9 September 2018 by Daniel Ehrlich (talk | contribs)
0. NOTES
- this tutorial requires a basic understanding of the Linux Terminal and a text editor such as Nano or Vi
- this tutorial assumes Ubuntu on AWS. Installation elsewhere will likely be very similar.
1. SSL
2. INSTALL WAF / ENABLE MOD_SECURITY
- Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
- Install WAF
sudo apt-get install libapache2-modsecurity
- Might have to run:
sudo dpkg --configure -a
- Check Installation
apachectl -M | grep security
- Rename rules
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Turn rules on
sudo vi /etc/modsecurity/modsecurity.conf
- make sure it reads
SecRuleEngine on
- Remove default rules
sudo rm -rf /usr/share/modsecurity-crs
- Download github rules
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
- Rename setup file
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
- Add all new rules
sudo vi /etc/apache2/mods-enabled/security2.conf
- place the following block in the document
<IfModule security2_module> SecDataDir /var/cache/modsecurity IncludeOptional /etc/modsecurity/*.conf IncludeOptional "/usr/share/modsecurity-crs/*.conf IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf </IfModule>
- Restart apache
systemctl restart apache2
- Raise paranoia level to 2 out of 5
sudo vi /usr/share/modsecurity-crs/crs-setup.conf
- Edit this line to be 2 instead of 1:
setvar:tx.paranoia_level=2
- Test WAF
- http://<your IP or domain name>/?q="><script>alert(1)</script>
- http://<your IP or domain name>/?q='1 OR 1=1
- You should get a 403 error
3 Enable Mod_Evasive