Securing OpenEMR - Apache
From OpenEMR Project Wiki
NOTES
- This tutorial requires a basic understanding of the Linux Terminal and a text editor such as Nano or Vi
- This tutorial assumes Ubuntu on AWS. Installation elsewhere will likely be very similar.
BASIC
- Make Apache disclose less information
sudo vi /etc/apache2/conf-enabled/security.conf
ServerTokens Prod
ServerSignature Off
SSL
- Follow this tutorial: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
INSTALL WAF / ENABLE MOD_SECURITY
- Based mainly on this: https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/
- Install WAF
sudo apt-get install libapache2-modsecurity
- Might have to run:
sudo dpkg --configure -a
- Check Installation
apachectl -M | grep security
- Rename rules
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Turn rules on
sudo vi /etc/modsecurity/modsecurity.conf
- make sure it reads
SecRuleEngine on
- Remove default rules
sudo rm -rf /usr/share/modsecurity-crs
- Download github rules
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
- Rename setup file
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
- Add all new rules
sudo vi /etc/apache2/mods-enabled/security2.conf
- place the following block in the document
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional "/usr/share/modsecurity-crs/*.conf"
    IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
- Restart apache
sudo systemctl restart apache2
- Raise paranoia level to 2 out of 5
sudo vi /usr/share/modsecurity-crs/crs-setup.conf
- Edit this line to be 2 instead of 1:
setvar:tx.paranoia_level=2
- Test WAF by entering these URLs
http://www.<your IP or domain name>/?q="><script>alert(1)</script>
http://www.<your IP or domain name>/?q='1 OR 1=1''
- You should get a 403 error
Enable Mod_Evasive
- Blocks clients that hammer the site: brute-force attempts, spidering, scanners such as Burp Suite and Nikto, etc.
- This module limits each client to a configurable number of page requests (per page and site-wide) per interval
- Install mod_evasive
sudo apt-get install libapache2-mod-evasive
- Create Log
sudo mkdir /var/log/mod_evasive
sudo chown -R www-data:www-data /var/log/mod_evasive
- Create blocking script
sudo mkdir /etc/apache2/scripts
sudo vi /etc/apache2/scripts/ban_ip.sh
#!/bin/sh
# Invoked by mod_evasive (DOSSystemCommand) with the offending client IP as $1.
# Assumes an iptables chain named "banned" already exists and is referenced from INPUT,
# that the "at" daemon is installed, and that www-data may run this script via sudo.
IP=$1
IPTABLES=/sbin/iptables
# Drop HTTP and HTTPS traffic from the client ...
$IPTABLES -A banned -s "$IP" -p TCP --dport 80 -j DROP
$IPTABLES -A banned -s "$IP" -p TCP --dport 443 -j DROP
# ... and schedule removal of both rules after 3 minutes
echo "$IPTABLES -D banned -s $IP -p TCP --dport 80 -j DROP" | at now + 3 minutes
echo "$IPTABLES -D banned -s $IP -p TCP --dport 443 -j DROP" | at now + 3 minutes
- Adjust properties of script
sudo chown www-data:www-data /etc/apache2/scripts/ban_ip.sh
sudo chmod 550 /etc/apache2/scripts/ban_ip.sh
- Create mod_evasive config file
sudo vi /etc/apache2/mods-enabled/evasive.conf
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     10
    DOSBlockingPeriod   180
    #DOSEmailNotify     email@yourdomain.com
    DOSSystemCommand    "sudo /etc/apache2/scripts/ban_ip.sh %s"
    DOSLogDir           "/var/log/mod_evasive"
</IfModule>
- Restart Apache
sudo systemctl restart apache2
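To reason about what the DOSPageCount / DOSSiteCount / DOSBlockingPeriod values above actually permit before deploying them, here is a simplified Python model of mod_evasive's per-client counting. It is an added example, not part of this wiki page or of mod_evasive itself; it approximates the module (a hit window per page and per site for each client, and a block that is renewed by every hit arriving while it lasts), and the IPs and URIs in the sample traffic are constructed.

```python
# Thresholds copied from the evasive.conf block in this tutorial
CONFIG = {
    "DOSPageCount": 5,         # hits on one URI per client within DOSPageInterval
    "DOSSiteCount": 50,        # hits on any URI per client within DOSSiteInterval
    "DOSPageInterval": 1,      # seconds
    "DOSSiteInterval": 10,     # seconds
    "DOSBlockingPeriod": 180,  # seconds; every hit while blocked restarts the clock
}
class EvasiveModel:
    """Simplified model of mod_evasive's counters (added example, not the module's code)."""
    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.page = {}          # (ip, uri) -> (last_hit_ts, count)
        self.site = {}          # ip -> (last_hit_ts, count)
        self.blocked = {}       # ip -> timestamp of the most recent blocked hit
        self.ban_commands = []  # what DOSSystemCommand would have executed

    def _over(self, table, key, ts, interval, limit):
        last, count = table.get(key, (ts, 0))
        if ts - last >= interval:   # window expired: start a fresh count
            count = 0
        count += 1
        table[key] = (ts, count)
        return count > limit        # the (limit+1)th hit inside the window trips it

    def request(self, ip, uri, ts):
        """Return 403 if mod_evasive would deny this request, else 200."""
        c = self.cfg
        if ip in self.blocked:
            if ts - self.blocked[ip] < c["DOSBlockingPeriod"]:
                self.blocked[ip] = ts   # still blocked, and the block is extended
                return 403
            del self.blocked[ip]
        over_page = self._over(self.page, (ip, uri), ts, c["DOSPageInterval"], c["DOSPageCount"])
        over_site = self._over(self.site, ip, ts, c["DOSSiteInterval"], c["DOSSiteCount"])
        if over_page or over_site:
            self.blocked[ip] = ts
            self.ban_commands.append(f"sudo /etc/apache2/scripts/ban_ip.sh {ip}")
            return 403
        return 200

def simulate(requests, cfg=CONFIG):
    """Feed constructed (ip, uri, ts) tuples through the model; return statuses and the model."""
    m = EvasiveModel(cfg)
    return [m.request(ip, uri, ts) for ip, uri, ts in requests], m

# Constructed traffic (sample IPs/URIs): six hits on one page within a second, one hit
# from another client, then the first client again 178.5 s, 179 s and 182 s apart.
SAMPLE = [("203.0.113.7", "/index.php", 100.0 + i * 0.1) for i in range(6)]
SAMPLE += [("198.51.100.2", "/index.php", 100.3), ("203.0.113.7", "/index.php", 279.0),
           ("203.0.113.7", "/index.php", 458.0), ("203.0.113.7", "/index.php", 640.0)]
```

Running `simulate(SAMPLE)` shows the sixth hit inside one second being denied, the other client unaffected, and the first client still blocked at 458 s because its hit at 279 s renewed the 180 s block, which is why a scanner that keeps retrying never gets out of the penalty box.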