Jsitech / JShielder

Hardening Script for Linux Servers/ Secure LAMP-LEMP Deployer/ CIS Benchmark
GNU General Public License v3.0

Nginx Deployment with ModSecurity #14

Closed Jsitech closed 5 years ago

Jsitech commented 5 years ago

Recent Nginx Deployment with ModSecurity for Ubuntu 16.04 and 18.04.

ghost commented 5 years ago

Do you mind if I take this? I have a good amount of experience with ModSecurity on Debian distributions. @Jsitech

Jsitech commented 5 years ago

> Do you mind if I take this? I have a good amount of experience with ModSecurity on Debian distributions. @Jsitech

Be my Guest! That is Awesome.

ghost commented 5 years ago

@Jsitech Confirming that I'm working on this. Please give me 2 weeks (so finish date of December 10th).

ghost commented 5 years ago

@Jsitech OK, I basically have it for Apache now. The hard part is just compiling everything at the beginning, so adding Nginx won't be too difficult. Also, this is for 18.04; I have tested it and it works.

Here is the script:

```bash
### Get ModSecurity Prerequisites
apt-get -y update && \
    apt-get -y install git \
    libtool \
    dh-autoreconf \
    pkgconf \
    libcurl4-gnutls-dev \
    libxml2 \
    libpcre++-dev \
    libxml2-dev \
    libgeoip-dev \
    libyajl-dev \
    liblmdb-dev \
    ssdeep \
    lua5.2-dev \
    apache2 \
    apache2-dev

### Get ModSecurity v3 and Build
cd /opt && \
    git clone -b v3/master https://github.com/SpiderLabs/ModSecurity
cd /opt/ModSecurity && \
    sh build.sh && \
    git submodule init && \
    git submodule update && \
    ./configure && \
    make && \
    make install
# Make the apache2 binary available as "httpd" (used by `httpd -t` below)
ln -s /usr/sbin/apache2 /usr/sbin/httpd

### Get Apache Connector
cd /opt && \
    git clone https://github.com/SpiderLabs/ModSecurity-apache
cd /opt/ModSecurity-apache/ && \
    ./autogen.sh && \
    ./configure && \
    make && \
    make install

### Load Module
# security.conf loads the connector, turns the engine on and points at include.conf
mkdir -p /etc/apache2/modsecurity.d/ && \
    echo "LoadModule security3_module \"$(find /opt/ModSecurity-apache/ -name mod_security3.so)\"" > /etc/apache2/mods-enabled/security.conf && \
    echo "modsecurity_rules 'SecRuleEngine On'" >> /etc/apache2/mods-enabled/security.conf && \
    echo "modsecurity_rules_file '/etc/apache2/modsecurity.d/include.conf'" >> /etc/apache2/mods-enabled/security.conf

### Get OWASP Rules
# include.conf pulls in modsecurity.conf, then crs-setup.conf, then the CRS rules
cd /etc/apache2/modsecurity.d/ && \
    mv /opt/ModSecurity/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf && \
    echo "include modsecurity.conf" >> /etc/apache2/modsecurity.d/include.conf && \
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs owasp-crs && \
    mv /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf && \
    echo "include owasp-crs/crs-setup.conf" >> /etc/apache2/modsecurity.d/include.conf && \
    echo "include owasp-crs/rules/*.conf" >> /etc/apache2/modsecurity.d/include.conf && \
    cp /opt/ModSecurity/unicode.mapping /etc/apache2/modsecurity.d/

### Final Edits
source /etc/apache2/envvars
# Syntax-check the Apache configuration before changing it further
httpd -t
# Use "-i -e", not "-ie": GNU sed reads "-ie" as -i with backup suffix "e"
# and leaves stray *.confe copies next to the edited files
sed -i -e 's/setvar:tx.paranoia_level=1/setvar:tx.paranoia_level=2/g' /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf
# Manual step: remove the additional hash signs in front of the paranoia level
# block in crs-setup.conf, otherwise the value set above stays commented out
# Switch the recommended config from DetectionOnly to blocking mode
sed -i -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/apache2/modsecurity.d/modsecurity.conf
source /etc/apache2/envvars
apache2ctl -k start
```
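
The script's "Final Edits" rely on a manual step ("remove additional hash signs for paranoia level"), so a check of what is actually in effect is useful after running it. The following is an added example, not part of the original comment or of JShielder; the function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which ModSecurity settings are
# actually in effect after the "Final Edits" step of the script above.

# Value of the last uncommented SecRuleEngine directive (later ones override).
effective_rule_engine() {
    awk '!/^[ \t]*#/ && $1 == "SecRuleEngine" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Paranoia level from the last uncommented setvar; "default" when every
# occurrence is still commented out, so the CRS built-in value applies.
effective_paranoia_level() {
    awk '!/^[ \t]*#/ && match($0, /setvar:tx\.paranoia_level=[0-9]+/) {
             v = substr($0, RSTART + 25, RLENGTH - 25) }
         END { print (v == "" ? "default" : v) }' "$1"
}

# usage: check_modsec <modsecurity.conf> <crs-setup.conf> <wanted level>
# Prints the effective values; returns 1 if either differs from the intent.
check_modsec() {
    cm_engine=$(effective_rule_engine "$1")
    cm_level=$(effective_paranoia_level "$2")
    cm_rc=0
    echo "SecRuleEngine=$cm_engine paranoia_level=$cm_level"
    [ "$cm_engine" = "On" ] || { echo "WARN: rule engine is not blocking" >&2; cm_rc=1; }
    [ "$cm_level" = "$3" ] || { echo "WARN: paranoia level $3 is not active" >&2; cm_rc=1; }
    return "$cm_rc"
}

# Constructed sample: crs-setup.conf as it looks after the sed in the script,
# with the SecAction block still commented out.
write_sample_configs() {
    printf '%s\n' '# -- Rule engine initialization --' 'SecRuleEngine On' > "$1/modsecurity.conf"
    printf '%s\n' '#SecAction \' '#  "id:900000,\' '#   phase:1,\' '#   nolog,\' \
        '#   pass,\' '#   t:none,\' '#   setvar:tx.paranoia_level=2"' > "$1/crs-setup.conf"
}

# Demo on the constructed files: the first check flags the commented-out block.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
check_modsec "$demo_dir/modsecurity.conf" "$demo_dir/crs-setup.conf" 2 || true
# After removing the hash signs (the manual step), the level is active.
sed '/^#SecAction/,/paranoia_level/ s/^#//' "$demo_dir/crs-setup.conf" > "$demo_dir/crs-setup.active.conf"
check_modsec "$demo_dir/modsecurity.conf" "$demo_dir/crs-setup.active.conf" 2
rm -rf "$demo_dir"
```

On a deployed host the same check would be run against `/etc/apache2/modsecurity.d/modsecurity.conf` and `/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf`, the paths the script writes.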

Jsitech commented 5 years ago

@danehrlich1 Let me do some testing on this. If everything works out as intended on JShielder, this will replace our current Apache and ModSecurity installs, since this seems like a better option.

ghost commented 5 years ago

@Jsitech Sounds good. The only issue I've had with the tests is getting an error message wanting me to define APACHE_RUNTIME_DIR every now and then. Restarting the server then seems to make this go away...

Jsitech commented 5 years ago

Testing Working Deployment of Nginx with ModSecurity. Will be added to JShielder soon.

Jsitech commented 5 years ago

LEMP Deployment with ModSecurity fully functional, https://github.com/Jsitech/JShielder/commit/34ed09cdde2b26197d63317afc59ca7ca5814508

Jsitech commented 5 years ago

LEMP Deployment Tested, Closing issue.