Difference between revisions of "Securing OpenEMR - Apache"
From OpenEMR Project Wiki
Revision as of 19:28, 9 September 2018
0. NOTES
- this tutorial requires a basic understanding of the Linux Terminal and a text editor such as Nano or Vi
- this tutorial assumes Ubuntu on AWS. Installation elsewhere will likely be very similar.
1. SSL
2. INSTALL WAF / ENABLE MOD_SECURITY
- Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
- Install WAF
sudo apt-get install libapache2-modsecurity
- Might have to run:
sudo dpkg --configure -a
- Check Installation
apachectl -M | grep security
- Rename rules
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Turn rules on
sudo vi /etc/modsecurity/modsecurity.conf
- Make sure it reads:
SecRuleEngine on
- Remove default rules
sudo rm -rf /usr/share/modsecurity-crs
- Download github rules
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
- Rename setup file
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
- Add all new rules
sudo vi /etc/apache2/mods-enabled/security2.conf
- Place the following block in the document:
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
- Restart apache
systemctl restart apache2
- Raise paranoia level to 2 out of 5
sudo vi /usr/share/modsecurity-crs/crs-setup.conf
- Edit this line to be 2 instead of 1:
setvar:tx.paranoia_level=2
- Test WAF
- http://<your IP or domain name>/?q="><script>alert(1)</script>
- http://<your IP or domain name>/?q='1 OR 1=1
- You should get a 403 error
3. ENABLE MOD_EVASIVE
- Prevents brute force attempts, spidering, Burp Suite, Nikto, etc.
- This module limits each client to a configured number of page requests, site-wide, per interval
…
- Install mod_evasive
apt-get install libapache2-mod-evasive
- Create Log
sudo mkdir /var/log/mod_evasive
chown -R www-data:www-data /var/log/mod_evasive
- Create blocking script
sudo mkdir /etc/apache2/scripts
vi /etc/apache2/scripts/ban_ip.sh
#!/bin/sh
# Called by mod_evasive (DOSSystemCommand) with the offending client IP as $1.
IP=$1
IPTABLES=/sbin/iptables
# Drop HTTP and HTTPS traffic from the IP via the "banned" chain (the chain must already exist).
$IPTABLES -A banned -s $IP -p TCP --dport 80 -j DROP
$IPTABLES -A banned -s $IP -p TCP --dport 443 -j DROP
# Schedule the matching deletes so the ban is lifted after 3 minutes (requires at(1) to be installed).
echo "$IPTABLES -D banned -s $IP -p TCP --dport 80 -j DROP" | at now + 3 minutes
echo "$IPTABLES -D banned -s $IP -p TCP --dport 443 -j DROP" | at now + 3 minutes
sudo chown www-data:www-data /etc/apache2/scripts/ban_ip.sh
sudo chmod 550 /etc/apache2/scripts/ban_ip.sh
- Create mod_evasive config file
vi /etc/apache2/mods-enabled/evasive.conf
<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 10
DOSBlockingPeriod 180
#DOSEmailNotify email@yourdomain.com
DOSSystemCommand "sudo /etc/apache2/scripts/ban_ip.sh %s"
DOSLogDir "/var/log/mod_evasive"
</IfModule>
- Restart Apache
sudo systemctl stop apache2
sudo systemctl start apache2
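A hardened variant of the ban script above, added here as an example and not the wiki's own file: it refuses anything mod_evasive passes as %s that is not a plain IPv4 address before it reaches iptables, and it creates the "banned" chain that the original script assumes already exists. The iptables path, chain name and 3-minute ban length are taken from the page; the function names are this example's own.

```shell
#!/bin/sh
# Hardened ban_ip.sh (added example). mod_evasive substitutes the offending
# client address for %s in DOSSystemCommand, so accept exactly one argument,
# check it is a plain IPv4 address, and only then hand it to iptables.
IPTABLES=${IPTABLES:-/sbin/iptables}   # same binary the wiki script uses
CHAIN=${CHAIN:-banned}                 # chain name taken from the wiki script
BAN_MINUTES=${BAN_MINUTES:-3}          # matches DOSBlockingPeriod 180 (seconds)

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ban_rules ADDR: print the iptables commands that drop ADDR on ports 80 and 443.
ban_rules() {
    for port in 80 443; do
        echo "$IPTABLES -A $CHAIN -s $1 -p tcp --dport $port -j DROP"
    done
}

# unban_rules ADDR: the matching deletes, which at(1) runs when the ban expires.
unban_rules() {
    for port in 80 443; do
        echo "$IPTABLES -D $CHAIN -s $1 -p tcp --dport $port -j DROP"
    done
}

main() {
    [ $# -eq 1 ] && is_ipv4 "$1" || { echo "usage: $0 <ipv4-address>" >&2; exit 2; }
    # Create the chain on first use and hook it into INPUT; the wiki assumes it exists.
    $IPTABLES -N "$CHAIN" 2>/dev/null && $IPTABLES -I INPUT -j "$CHAIN"
    ban_rules "$1" | sh
    unban_rules "$1" | at now + "$BAN_MINUTES" minutes
}

# Only run main when executed as ban_ip.sh, so the functions can be sourced and tested.
case "$0" in */ban_ip.sh|ban_ip.sh) main "$@" ;; esac
```

Install it in place of the page's script with the same chown/chmod steps; the www-data user still needs a sudoers entry for /etc/apache2/scripts/ban_ip.sh for DOSSystemCommand to work.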