Re: [mod-security-users] How to configure ModSecurity on CentOS 8?
From: Jason L. <hac...@ya...> - 2021-03-03 11:53:42
Hello,

I added the below lines to the "/etc/httpd/conf.d/mod_security.conf" file:

    IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
    IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

And when I restarted my Apache I got an error:

    AH00526: Syntax error on line 829 of /etc/httpd/modsecurity.d/owasp-modsecur...

And line 829 of that file is:

    SecAction \
     "id:900990,\
      phase:1,\
      nolog,\
      pass,\
      t:none,\
      setvar:tx.crs_setup_version=330"    ==> Line 829

How to solve it?

On Wednesday, March 3, 2021, 12:52:27 AM GMT+3:30, Jason Long via mod-security-users <mod...@li...> wrote:

Hi Ervin,

Thank you again. I created an "owasp-modsecurity-crs" directory in the "/etc/httpd/modsecurity.d" directory, then downloaded the OWASP ModSecurity Rules from "https://coreruleset.org/installation/" and extracted them in the "owasp-modsecurity-crs" directory. I renamed the "crs-setup.conf.example" file to "crs-setup.conf". In the "rules" directory, I renamed the below files too:

    # mv REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
    # mv RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf

I have other questions:

1- Must I add the below lines to the "/etc/httpd/conf.d/mod_security.conf" file?

    IncludeOptional modsecurity.d/owasp-modsecurity-crs/*.conf
    IncludeOptional modsecurity.d/owasp-modsecurity-crs/rules/*.conf

2- I must not add anything to the "httpd.conf" file to enable ModSecurity?
On Tuesday, March 2, 2021, 11:50:25 PM GMT+3:30, Ervin Hegedüs <ai...@gm...> wrote:

Hi Jason,

On Tue, Mar 02, 2021 at 06:55:51PM +0000, Jason Long wrote:
> I found two files:
>
> 1- /etc/httpd/conf.modules.d/10-mod_security.conf
> 2- /etc/httpd/conf.d/mod_security.conf
>
> The content of the first file is:
>
> $ cat /etc/httpd/conf.modules.d/10-mod_security.conf
> LoadModule security2_module modules/mod_security2.so
>
> <IfModule !mod_unique_id.c>
> LoadModule unique_id_module modules/mod_unique_id.so
> </IfModule>
>
> And the content of the second file is:
> https://paste.ubuntu.com/p/Rtz6jRrwzT/
>
> I don't know the difference between the two files :(

I assume these directories came from the default installation, which means Apache has been set up to read the necessary modules from the directory /etc/httpd/conf.modules.d/, and the configuration files from /etc/httpd/conf.d/. There must be two directives which read these directories, eg:

    IncludeOptional /etc/httpd/conf.modules.d/*.conf
    IncludeOptional /etc/httpd/conf.d/*.conf

or something similar...

/etc/httpd/conf.modules.d/10-mod_security.conf - this file loads the mod_security Apache module. By this Apache will be able to work as a WAF.

/etc/httpd/conf.d/mod_security.conf - this file is a configuration file; in other words, this file sets up the mod_security module and tells the module how it should work. The first 49 lines contain the general settings - for more info, please check this page:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)

Take a look at these lines:

    52. IncludeOptional modsecurity.d/*.conf
    53. IncludeOptional modsecurity.d/activated_rules/*.conf
    54. IncludeOptional modsecurity.d/local_rules/*.conf

These lines load the rule set. On the last link I gave you, you can find so much useful information about rules.
Apache's IncludeOptional directive tells Apache to read the directory with the given name and load the files whose names match the given pattern (*.conf) - if there isn't any file named *.conf, it's no problem. I think the parent modsecurity.d/ directory above should be under /etc/httpd, or /etc/httpd/conf.d/ - just try it. If Apache doesn't find the files, you will see it in the error.log.

The order of loading of files is very important. You have to copy the CRS rules/ directory content into the activated_rules/ directory. I think the crs-setup.conf must be copied under modsecurity.d/ directly. The local_rules/ can be empty.

Because the SecRuleEngine is On in your setup (10-mod_security.conf), and audit.log has been configured, you have to see any attack in that log, and in your error.log.

Hope this helps.

a.

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
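Added example (my own, not code from the thread or from the ModSecurity/CRS projects): a small Python checker that resolves a mod_security.conf include chain the way Ervin describes (relative patterns under ServerRoot, wildcard matches in alphabetical order, IncludeOptional tolerating no matches) and then reports two CRS layout mistakes, a rule file loaded before crs-setup.conf and a rule id defined twice, which ModSecurity rejects at startup. The ServerRoot and config file contents are supplied by the caller; nothing here reads the real /etc/httpd.

```python
import glob
import os
import re

INCLUDE_RE = re.compile(r'^\s*Include(Optional)?\s+"?([^"\s]+)"?', re.IGNORECASE)
RULE_ID_RE = re.compile(r"\bid:\s*'?(\d+)")


def resolve_includes(conf_path, server_root, seen=None):
    """Files httpd would read, in order, starting at conf_path: relative patterns
    resolve against ServerRoot, wildcard matches load alphabetically, a plain
    Include matching nothing is fatal, and a file included twice is listed twice."""
    seen = [] if seen is None else seen
    seen.append(conf_path)
    with open(conf_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            pattern = m.group(2)
            if not os.path.isabs(pattern):
                pattern = os.path.join(server_root, pattern)
            matches = sorted(p for p in glob.glob(pattern) if os.path.isfile(p))
            if not matches and m.group(1) is None:
                raise FileNotFoundError(f"Include matched nothing: {pattern}")
            for path in matches:
                resolve_includes(path, server_root, seen)
    return seen


def check_crs_layout(files):
    """Problems in the resolved list: a CRS rule file loaded before crs-setup.conf
    (CRS expects the setup file first) and a rule id defined more than once
    (ModSecurity refuses to start on duplicate ids). Returns [] when fine."""
    problems = []
    setup = [i for i, f in enumerate(files) if os.path.basename(f) == "crs-setup.conf"]
    if not setup:
        problems.append("crs-setup.conf is never loaded (still named .example?)")
    rule_file = re.compile(r"(REQUEST|RESPONSE)-\d{3}-").match
    for i, f in enumerate(files):
        if rule_file(os.path.basename(f)) and (not setup or i < setup[0]):
            problems.append(f"rule file loaded before crs-setup.conf: {f}")
            break
    owner = {}  # rule id -> first file that defined it
    for f in files:
        with open(f, encoding="utf-8", errors="replace") as fh:
            for rid in RULE_ID_RE.findall(fh.read()):
                if rid in owner:
                    problems.append(f"rule id {rid} in {f} already defined in {owner[rid]}")
                owner.setdefault(rid, f)
    return problems
```

On a CentOS box, call resolve_includes("/etc/httpd/conf.d/mod_security.conf", "/etc/httpd") and pass the result to check_crs_layout before running httpd -t.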