Difference between revisions of "Securing OpenEMR - Apache"
From OpenEMR Project Wiki
Revision as of 19:16, 9 September 2018
1. SSL
2. INSTALL WAF / ENABLE MOD_SECURITY
- Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
- Install WAF
    sudo apt-get install libapache2-modsecurity
- Might have to run:
    sudo dpkg --configure -a
- Check installation (security2_module should be listed)
    apachectl -M | grep security
- Rename rules
    sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Turn rules on
    sudo vi /etc/modsecurity/modsecurity.conf
- make sure it reads (the recommended file ships with DetectionOnly, which logs matches but blocks nothing)
    SecRuleEngine On
- Remove default rules
    sudo rm -rf /usr/share/modsecurity-crs
- Download github rules
    sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
- Rename setup file
    cd /usr/share/modsecurity-crs
    sudo mv crs-setup.conf.example crs-setup.conf
- Add all new rules (order matters: modsecurity.conf must load before crs-setup.conf, and crs-setup.conf before the rules)
    sudo vi /etc/apache2/mods-enabled/security2.conf
    <IfModule security2_module>
        SecDataDir /var/cache/modsecurity
        IncludeOptional /etc/modsecurity/*.conf
        IncludeOptional "/usr/share/modsecurity-crs/*.conf"
        IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
    </IfModule>
- Restart apache (run sudo apachectl configtest first; a syntax error in an included rule file leaves apache down)
    sudo systemctl restart apache2
- Raise paranoia level to 2 out of 5
    sudo vi /usr/share/modsecurity-crs/crs-setup.conf
- Edit this line to be 2 instead of 1 (in the example file the SecAction containing it is commented out, so uncomment that whole SecAction as well, or the level stays at the default of 1):
    setvar:tx.paranoia_level=2
- Test WAF
    http://<your IP or domain name>/?q="><script>alert(1)</script>
    http://<your IP or domain name>/?q='1 OR 1=1
- You should get a 403 error
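Paranoia level 2 enables more rules and, with them, more false positives against real OpenEMR traffic, so the 403s worth reviewing are the ones in the Apache error log (/var/log/apache2/error.log on Ubuntu), not just the two test requests. The script below is an added example, not part of this wiki page or of OpenEMR: it picks out the ModSecurity "Access denied" entries from error log text and tallies them by rule id, client and URI. The embedded log lines are constructed (the rule ids are real CRS 3 ids; hosts, addresses, URIs and unique ids are made up).

```python
import re
from collections import Counter

# Constructed sample of what mod_security2 writes to the Apache error log
# (/var/log/apache2/error.log on Ubuntu) when a CRS rule blocks a request.
# Rule ids are real CRS 3 ids; hosts, addresses, URIs and unique ids are made up.
SAMPLE_LOG = r'''
[Sun Sep 09 19:16:01.000001 2018] [:error] [pid 2210:tid 139] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "57"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: \"><script>alert(1)</script>"] [severity "CRITICAL"] [hostname "openemr.example"] [uri "/"] [unique_id "W5UAAAAAAAAAAAAAAAAAAA"]
[Sun Sep 09 19:16:02.000001 2018] [:error] [pid 2210:tid 140] [client 203.0.113.5:51235] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). detected SQLi using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "openemr.example"] [uri "/"] [unique_id "W5UBBBBBBBBBBBBBBBBBBB"]
[Sun Sep 09 19:20:15.000001 2018] [:error] [pid 2211:tid 141] [client 198.51.100.20:40022] [client 198.51.100.20] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "openemr.example"] [uri "/index.php"] [unique_id "W5UCCCCCCCCCCCCCCCCCCC"]
[Sun Sep 09 19:21:00.000001 2018] [:error] [pid 2211:tid 141] [client 198.51.100.20:40023] PHP Warning: something unrelated
'''

# [key "value"] fields as ModSecurity writes them; values may contain \" escapes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# First [client a.b.c.d:port] token on the line (IPv4 only, for brevity).
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})')

def parse_denials(log_text):
    """Return one dict per 'Access denied' line: client, rule id, msg, uri, rule file."""
    events = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skips unrelated errors and DetectionOnly 'Warning.' lines
        fields = dict(FIELD_RE.findall(line))
        client = CLIENT_RE.search(line)
        events.append({
            "client": client.group(1) if client else None,
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
            "rule_file": fields.get("file", "").rsplit("/", 1)[-1],
        })
    return events

def summarize(events):
    """Tally denials by rule, client and URI. One rule firing on one URI for many
    distinct clients is the usual sign of a false positive needing a CRS exclusion."""
    return {
        "by_rule": Counter(e["id"] for e in events),
        "by_client": Counter(e["client"] for e in events),
        "by_uri": Counter(e["uri"] for e in events),
    }

if __name__ == "__main__":
    summary = summarize(parse_denials(SAMPLE_LOG))
    for key in ("by_rule", "by_client", "by_uri"):
        print(key, dict(summary[key]))
```

To run it against the real log, pass the file contents to parse_denials instead of SAMPLE_LOG.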
3. Enable Mod_Evasive