Securing OpenEMR - Apache

From OpenEMR Project Wiki
 
== NOTES ==


* This tutorial requires a basic understanding of the Linux Terminal and a text editor such as Nano or Vi
* This tutorial assumes Ubuntu on AWS. Installation elsewhere will likely be very similar.


== BASIC ==
* Make Apache disclose less information
** <code>sudo vi /etc/apache2/conf-enabled/security.conf</code>
<pre>
ServerTokens Prod
ServerSignature Off
</pre>
 
== SSL ==
* Follow this tutorial: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
 
 
== INSTALL WAF / ENABLE MOD_SECURITY ==
 
 
* Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
* Install WAF
** <code>sudo apt-get install libapache2-modsecurity </code>
** Might have to run: <code>sudo dpkg --configure -a </code>
* Check Installation
** <code>apachectl -M | grep security</code>
* Rename the recommended base configuration so ModSecurity loads it
** <code>mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf </code>
* Turn rules on
** <code>sudo vi /etc/modsecurity/modsecurity.conf </code>
** change <code>SecRuleEngine DetectionOnly</code> (the shipped default, which only logs matches) to <code>SecRuleEngine On</code>
* Remove default rules
** <code>sudo rm -rf /usr/share/modsecurity-crs</code>
* Download the OWASP Core Rule Set from GitHub
** <code>sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs </code>
* Rename setup file
** <code>cd /usr/share/modsecurity-crs </code>
** <code>sudo mv crs-setup.conf.example crs-setup.conf</code>
* Add all new rules
**<code>sudo vi /etc/apache2/mods-enabled/security2.conf</code>
** place the following block in the document
 
<pre>
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional "/usr/share/modsecurity-crs/*.conf"
    IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
</pre>
* Restart apache
** <code>systemctl restart apache2 </code>
* Raise the CRS paranoia level from the default 1 to 2 (higher levels block more, at the cost of more false positives)
** <code>sudo vi /usr/share/modsecurity-crs/crs-setup.conf </code>
** Edit this line to be 2 instead of 1:
*** <code>setvar:tx.paranoia_level=2</code> (the <code>SecAction</code> block containing this line is commented out in the shipped example file; uncomment the whole block as well, otherwise the built-in default of 1 stays in effect)
* Test WAF by entering these URLs
** <code><nowiki>http://www.<your IP or domain name>/?q="><script>alert(1)</script></nowiki></code>
** <code><nowiki>http://www.<your IP or domain name>/?q='1 OR 1=1''</nowiki></code>
** Both requests should be answered with HTTP 403 Forbidden; a 200 means the CRS includes are not loading or the engine is still in DetectionOnly mode
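The following post-install audit is an added example, not part of the wiki's procedure or the OpenEMR project. It reads the three files edited above and reports whether the active (uncommented) settings are what the steps intend, catching the two common slips: leaving <code>SecRuleEngine DetectionOnly</code> in place, and editing the paranoia level inside a <code>SecAction</code> that is still commented out. The file paths are the ones used above; the function names are chosen for this example.

```sh
#!/bin/sh
# Post-install audit for the Apache / ModSecurity settings above.
# Added example, not from the OpenEMR wiki; paths match the tutorial.

# active_value FILE DIRECTIVE
# Prints the value of the last uncommented occurrence of DIRECTIVE in FILE.
# Directive names are case-insensitive in Apache and ModSecurity, and a
# "#SecRuleEngine On" left commented out must not count, so comments are
# stripped first and the last surviving occurrence wins.
active_value() {
    sed 's/#.*//' "$1" | awk -v want="$2" '
        tolower($1) == tolower(want) { value = $2 }
        END { if (value != "") print value }'
}

# paranoia_level FILE
# Prints the CRS paranoia level set in crs-setup.conf; prints nothing while the
# SecAction that sets tx.paranoia_level is still commented out (the shipped default).
paranoia_level() {
    sed 's/#.*//' "$1" \
      | sed -n 's/^[[:space:]]*setvar:tx\.paranoia_level=\([0-9]\).*/\1/p' \
      | tail -n 1
}

# check_directive FILE DIRECTIVE EXPECTED -> 0 when the active value matches (case-insensitive)
check_directive() {
    got=$(active_value "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "PASS $2 $got ($1)"
    else
        echo "FAIL $2 is '${got:-unset}', expected $3 ($1)"
        return 1
    fi
}

# check_paranoia FILE MIN -> 0 when the level is set and at least MIN
check_paranoia() {
    level=$(paranoia_level "$1")
    if [ -n "$level" ] && [ "$level" -ge "$2" ]; then
        echo "PASS paranoia_level $level ($1)"
    else
        echo "FAIL paranoia_level is '${level:-unset}', expected >= $2 ($1)"
        return 1
    fi
}

# audit_host: run every check against the live files that are readable.
audit_host() {
    rc=0
    checked=0
    f=/etc/apache2/conf-enabled/security.conf
    if [ -r "$f" ]; then
        checked=1
        check_directive "$f" ServerTokens Prod || rc=1
        check_directive "$f" ServerSignature Off || rc=1
    fi
    f=/etc/modsecurity/modsecurity.conf
    if [ -r "$f" ]; then
        checked=1
        check_directive "$f" SecRuleEngine On || rc=1
    fi
    f=/usr/share/modsecurity-crs/crs-setup.conf
    if [ -r "$f" ]; then
        checked=1
        check_paranoia "$f" 2 || rc=1
    fi
    [ "$checked" -eq 1 ] || echo "no readable configuration files found; run with sudo on the web host"
    return $rc
}

audit_host
```

Run it with <code>sudo sh audit.sh</code> on the web host after restarting Apache. It only verifies the files; the 403 responses to the two test URLs above remain the end-to-end confirmation that the rules are actually being applied.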
 
 
== Enable Mod_Evasive ==
 
 
* Rate-limits clients, which blunts brute-force attempts, spidering and automated scanners such as Burp Suite or Nikto
* The module counts each client's requests per page and site-wide per interval; a client that exceeds either threshold is answered with HTTP 403 for the blocking period (and, with the script below, firewalled)
 
* Install mod_evasive
** <code>apt-get install libapache2-mod-evasive</code>
* Create the log directory
** <code>sudo mkdir /var/log/mod_evasive</code>
** <code>sudo chown -R www-data:www-data /var/log/mod_evasive</code>
* Create blocking script
** <code>sudo mkdir /etc/apache2/scripts</code>
** <code>sudo vi /etc/apache2/scripts/ban_ip.sh</code>
<pre>
#!/bin/sh
# Called by mod_evasive (through sudo) with the offending client address as $1.
# Requires the "banned" chain to exist and to be reached from INPUT:
#   iptables -N banned && iptables -I INPUT -j banned
# and the at daemon (atd) for the timed removal.

IP=$1
IPTABLES=/sbin/iptables

# Drop the client's HTTP and HTTPS traffic immediately
$IPTABLES -A banned -s "$IP" -p TCP --dport 80 -j DROP
$IPTABLES -A banned -s "$IP" -p TCP --dport 443 -j DROP

# Schedule the matching deletes so the ban lifts after 3 minutes (DOSBlockingPeriod 180)
echo "$IPTABLES -D banned -s $IP -p TCP --dport 80 -j DROP" | at now + 3 minutes
echo "$IPTABLES -D banned -s $IP -p TCP --dport 443 -j DROP" | at now + 3 minutes
</pre>
* Adjust properties of script
** <code>sudo chown www-data:www-data /etc/apache2/scripts/ban_ip.sh</code>
** <code>sudo chmod 550 /etc/apache2/scripts/ban_ip.sh</code>
** Note: the script is executed as root through sudo, so letting www-data own it means a compromised web process could alter it (the owner can always re-add the write bit). <code>root:www-data</code> with mode <code>750</code> gives Apache the same execute access without that exposure, and the sudoers entry that allows www-data to run it should name this exact path.
* Create mod_evasive config file
** <code>sudo vi /etc/apache2/mods-enabled/evasive.conf</code>
 
<pre>
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    # More than DOSPageCount requests for the same page within DOSPageInterval seconds,
    # or more than DOSSiteCount requests site-wide within DOSSiteInterval seconds, blocks the client
    DOSPageCount 5
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 10
    # Blocked clients receive 403 for this many seconds; matches the 3 minute unban in ban_ip.sh
    DOSBlockingPeriod 180
    #DOSEmailNotify email@yourdomain.com
    # %s is replaced with the offending client IP and passed to the script as its only argument
    DOSSystemCommand "sudo /etc/apache2/scripts/ban_ip.sh %s"
    DOSLogDir "/var/log/mod_evasive"
</IfModule>
</pre>
* Restart Apache
** <code>sudo systemctl restart apache2</code>
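A hardened version of the ban script, added here as an example and not part of the wiki's procedure. It keeps the approach above (DROP rules in a <code>banned</code> chain, removed by <code>at</code> after the blocking period) and adds what the original leaves implicit: it creates the <code>banned</code> chain and hooks it from INPUT if they are missing, refuses anything that is not a well-formed IPv4 address before the value reaches iptables or an <code>at</code> job, avoids stacking duplicate rules when the same client trips mod_evasive repeatedly, and takes the ban length from an environment variable defaulting to the 3 minutes used above. <code>IPTABLES</code>, <code>AT</code> and <code>BAN_MINUTES</code> are names chosen for this example; it handles IPv4 only, so a dual-stack host needs the same treatment with ip6tables. Because <code>DOSSystemCommand</code> invokes it through sudo as www-data, a sudoers entry permitting exactly this path is still required.

```sh
#!/bin/sh
# Hardened ban_ip.sh: added example, not the OpenEMR wiki's script.
# mod_evasive runs this as "sudo ban_ip.sh <client-ip>" via DOSSystemCommand.
# IPTABLES, AT and BAN_MINUTES are variable names chosen for this example.

IPTABLES=${IPTABLES:-/sbin/iptables}
AT=${AT:-at}
BAN_MINUTES=${BAN_MINUTES:-3}   # matches DOSBlockingPeriod 180 in evasive.conf

# valid_ipv4 ADDR -> 0 for exactly four dot-separated decimal octets in 0-255.
# Rejects shell metacharacters, hostnames, IPv6 and empty input, so a malformed
# argument never reaches iptables or the text of the at(1) job.
valid_ipv4() {
    case "$1" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    rest="$1."
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# ensure_chain: create the "banned" chain and jump to it from INPUT, once.
ensure_chain() {
    "$IPTABLES" -N banned 2>/dev/null || true
    "$IPTABLES" -C INPUT -j banned 2>/dev/null || "$IPTABLES" -I INPUT -j banned
}

# ban_ip ADDR: drop the client's HTTP/HTTPS traffic now and schedule the
# matching deletes so the ban expires after BAN_MINUTES.
ban_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "ban_ip: refusing to act on malformed address '$ip'" >&2
        return 2
    fi
    ensure_chain
    for port in 80 443; do
        # -C tests for an identical existing rule so repeated triggers do not stack rules
        "$IPTABLES" -C banned -s "$ip" -p tcp --dport "$port" -j DROP 2>/dev/null \
            || "$IPTABLES" -A banned -s "$ip" -p tcp --dport "$port" -j DROP
        echo "$IPTABLES -D banned -s $ip -p tcp --dport $port -j DROP" \
            | "$AT" now + "$BAN_MINUTES" minutes
    done
}

# Act only when called with an address (mod_evasive passes it as $1).
if [ -n "${1:-}" ]; then
    ban_ip "$1"
fi
```

Install it at the path used in <code>evasive.conf</code>; the validation step means a mangled argument (for example the stray quote that an earlier <code>DOSSystemCommand</code> line with <code>%s'</code> would append) is logged to stderr and ignored rather than producing a broken firewall rule.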

Latest revision as of 19:52, 9 September 2018
