mod_security unable to add OWASP CRS - CentOS 7

Question

My website has been under constant attack from hackers since the day I set up the virtual server and installed WordPress. I was able to install mod_security, however, I am unable to add the OWASP CSR. I have been following this tutorial: https://devops.profitbricks.com/tutorials/how-to-configure-modsecurity-and-mod_evasive-for-apache-on-centos-7/

Everything goes fairly smoothly until I am supposed to add the following to the end of my apache config file (httpd.conf):

<IfModule security2_module>
Include /etc/httpd/crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
Include /etc/httpd/crs/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>

When I add the above code to my apache config file and restart my apache server my website only shows the apache test screen - indicating an error of some sort. Any assistance would be greatly appreciated! (I am using Apache 2.4)

mod_security.conf file:

LoadModule security2_module modules/mod_security2.so
<IfModule mod_security2.c>
# ModSecurity Core Rules Set configuration
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

SecResponseBodyAccess Off
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
SecArgumentSeparator &
SecCookieFormat 0
SecTmpDir /var/lib/mod_security
SecDataDir /var/lib/mod_security
</IfModule>

Check out this answer: http://serverfault.com/questions/671173/mod-security-not-working-at-all/672078#672078. Have you enabled mod_unique_id? Have you checked Apache error logs? — Barry Pollard, Feb 21 '16 at 16:34

score 0 · Answer 1 · answered Mar 23 '16 at 14:14

0

What is mod_security.conf? Is that a custom include for your apache?

In any case, I suggest downloading a fresh copy of rules from OWASP - https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project)

Take a look at the following guide: https://www.linode.com/docs/websites/apache-tips-and-tricks/modsecurity-on-apache

answered Mar 23 '16 at 14:14

user117235

1

Ideally your solution would include the bulk of the information necessary; providing only a link is not as useful, because links can change/go stale. Future readers would appreciate if you updated your post to include the bulk of the relevant info. – Castaglia Mar 24 '16 at 03:05

mod_security unable to add OWASP CRS - CentOS 7

1 Answers1