Good day to all.

Please help with setting up the mod_security module in apache2 on Ubuntu 14.04.4 x64. I found a bunch of links and articles on this subject, but everything is either from 2012-2015 or not precise information at all... For example, I installed libapache2_modsecurity2, and accordingly there is no mod_security but a security2 module, so many configs do not work... But that is only half the trouble. I still managed to configure the module, but in the end, when using the OWASP ModSecurity rules, I get a bunch of errors about blocking everything. I used both base_rules and activated_rules. In general, a normal manual is needed; can someone write one or give a normal link on how to fully configure this module, with explanations and examples? Thank you very much in advance.

Specifically, the results of my installation (included options): /etc/apache2/mods-enabled/security2.conf:

    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    Include /etc/modsecurity/base_rules/*.conf

File /etc/apache2/mods-enabled/security2.load:

    LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so.2
    LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

File /etc/modsecurity/modsecurity.conf:

    #SecRuleEngine DetectionOnly
    SecRuleEngine On
    SecServerSignature FreeOSHTTP
    SecRequestBodyAccess On
    SecRule REQUEST_HEADERS:Content-Type "text/xml" \
         "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
    #SecRequestBodyLimit 13107200
    SecRequestBodyLimit 16384000
    #SecRequestBodyNoFilesLimit 131072
    SecRequestBodyNoFilesLimit 16384000
    #SecRequestBodyInMemoryLimit 131072
    SecRequestBodyInMemoryLimit 16384000
    SecRequestBodyLimitAction Reject
    SecRule REQBODY_ERROR "!@eq 0" \
    "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
    SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:'200002',phase:2,t:none,log,deny,status:44, \
    msg:'Multipart request body failed strict validation: \
    PE %{REQBODY_PROCESSOR_ERROR}, \
    BQ %{MULTIPART_BOUNDARY_QUOTED}, \
    BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
    DB %{MULTIPART_DATA_BEFORE}, \
    DA %{MULTIPART_DATA_AFTER}, \
    HF %{MULTIPART_HEADER_FOLDING}, \
    LF %{MULTIPART_LF_LINE}, \
    SM %{MULTIPART_MISSING_SEMICOLON}, \
    IQ %{MULTIPART_INVALID_QUOTING}, \
    IP %{MULTIPART_INVALID_PART}, \
    IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
    FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
    SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
    SecPcreMatchLimit 1000
    SecPcreMatchLimitRecursion 1000
    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial
    SecTmpDir /tmp/
    SecDataDir /tmp/
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecArgumentSeparator &
    SecCookieFormat 0
    SecUnicodeMapFile unicode.mapping 20127

File /etc/modsecurity/modsecurity_crs_10_setup.conf: standard from OWASP

File /etc/apache2/mods-enabled/mpm_prefork.conf:

    <IfModule mpm_prefork_module>
        StartServers 5
        MinSpareServers 5
        MaxSpareServers 10
        MaxRequestWorkers 200
        ServerLimit 200
        MaxClients 200
        MaxConnectionsPerChild 2000
        MaxRequestsPerChild 2000
    </IfModule>

Accordingly, the /etc/modsecurity folder contains 2 *.conf files: modsecurity.conf and modsecurity_crs_10_setup.conf

QUESTION 1: Is it worth loading both config files, or is modsecurity.conf enough? That is, is modsecurity_crs_10_setup.conf a one-time setup file, or should it always be active?

QUESTION 2: Which rules will actually work, and which should be used, base_rules or activated_rules?

QUESTION 3: There is a setting in /etc/apache2/apache2.conf to hide information about Apache, specifically ServerTokens Prod, but with this setting, when mod_security starts, it complains that the token length is not full and asks to enable the full token length, i.e. ServerTokens Full; but then Apache will show information about itself, which I do not want. How to live with this?

QUESTION 4: In the /etc/apache2/mods-enabled/security2.load file, should the entry LoadFile libxml2.so.2 be left as is, or written out in full as LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so.2?

QUESTION 5: How can I find information about the mod_security version, as well as the version of the OWASP rule base? This is a question of version compatibility, since one of the articles said that the version of the OWASP rules did not match the version of mod_security. (I installed everything from the repository, following the manual.)

QUESTION 6: The actual logs; when Apache starts, we get the following in /etc/apache2/error.log:

    [Mon Aug 08 18:06:25.000070 2016] [:notice] [pid 4771] ModSecurity for Apache/2.7.7 () configured.
    [Mon Aug 08 18:06:25.000169 2016] [:notice] [pid 4771] ModSecurity: APR compiled version="1.5.1-dev"; loaded version="1.5.1-dev"
    [Mon Aug 08 18:06:25.000176 2016] [:notice] [pid 4771] ModSecurity: PCRE compiled version="8.31 "; loaded version="8.31 2012-07-06"
    [Mon Aug 08 18:06:25.000181 2016] [:notice] [pid 4771] ModSecurity: LUA compiled version="Lua 5.1"
    [Mon Aug 08 18:06:25.000185 2016] [:notice] [pid 4771] ModSecurity: LIBXML compiled version="2.9.1"
    [Mon Aug 08 18:06:26.006486 2016] [mpm_prefork:notice] [pid 4772] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
    [Mon Aug 08 18:06:26.006590 2016] [core:notice] [pid 4772] AH00094: Command line: '/usr/sbin/apache2'

What can be said about this initial log? Is everything correct, or is something not loaded? At least I did not find the evasive module, although I installed it alongside.

QUESTION 7: The actual errors while mod_security is working, just when accessing one of the sites (redirected to the site folder with the .htaccess file):

    [Mon Aug 08 18:11:15.017274 2016] [:error] [pid 4777] [client 192.168.0.100] ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:code. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 \\xfd\\xeb. \\xef\\xee\\xf7\\xf2\\xfb \\xef\\xee\\xeb\\xf3\\xf7\\xe0\\xf2\\xe5\\xeb\\xff? found within ARGS:code: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 \\xfd\\xeb. \\xef\\xee\\xf7\\xf2\\xfb \\xef\\xee\\xeb\\xf3\\xf7\\xe0\\xf2\\xe5\\xeb\\xff?"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [hostname "site.com"] [uri "/upload.php"] [unique_id "V6ho0sCoAOgAABKpzNoAAAAB"]
    [Mon Aug 08 18:11:15.027209 2016] [:error] [pid 4777] [client 192.168.0.100] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [hostname "site.com"] [uri "/box/upload.php"] [unique_id "V6ho0sCoAOgAABKpzNoAAAAB"]

The modsec_audit.log file gets the following log:

    --3694d703-A--
    [08/Aug/2016:18:11:15 +0700] V6ho0sCoAOgAABKpzNoAAAAB 192.168.0.100 56540 192.168.0.230 80
    --3694d703-B--
    POST /upload.php HTTP/1.1
    Host: site.com
    Connection: keep-alive
    Content-Length: 315
    Cache-Control: max-age=0
    Origin: http://site.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 YaBrowser/16.7.0.3342 Yowser/2.5 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBQhab1BHnSIbcaqP
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    DNT: 1
    Referer: http://site.com/
    Accept-Encoding: gzip, deflate
    Accept-Language: ru,en;q=0.8
    Cookie: __utmz=61650367.1465064573.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=61650367.977473803.1465064573.1465179927.1465184383.3; PHPSESSID=qq0nj7d06rhu2um6tgonsa6ha0
    --3694d703-I--
    code=%d3%ea%e0%e6%e8%f2%e5+%e0%e4%f0%e5%f1+%fd%eb%2e+%ef%ee%f7%f2%fb+%ef%ee%eb%f3%f7%e0%f2%e5%eb%ff%3f
    --3694d703-F--
    HTTP/1.1 200 OK
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 1228
    Keep-Alive: timeout=2, max=100
    Connection: Keep-Alive
    Content-Type: text/html
    --3694d703-H--
    Message: Warning. Pattern match "\\W{4,}" at ARGS:code. [file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "37"] [id "960024"] [rev "2"] [msg "Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: \xd3\xea\xe0\xe6\xe8\xf2\xe5 \xe0\xe4\xf0\xe5\xf1 \xfd\xeb. \xef\xee\xf7\xf2\xfb \xef\xee\xeb\xf3\xf7\xe0\xf2\xe5\xeb\xff? found within ARGS:code: \xd3\xea\xe0\xe6\xe8\xf2\xe5 \xe0\xe4\xf0\xe5\xf1 \xfd\xeb. \xef\xee\xf7\xf2\xfb \xef\xee\xeb\xf3\xf7\xe0\xf2\xe5\xeb\xff?"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"]
    Message: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Meta-Character Anomaly Detection Alert - Repetative Non-Word Characters"]
    Apache-Handler: application/x-httpd-php
    Stopwatch: 1470654674970974 56402 (- - -)
    Stopwatch2: 1470654674970974 56402; combined=3072, p1=463, p2=2500, p3=0, p4=0, p5=109, sr=100, sw=0, l=0, gc=0
    Producer: ModSecurity for Apache/2.7.7 (); OWASP_CRS/2.2.9.
    Server: Apache
    Engine-Mode: "DETECTION_ONLY"
    --3694d703-J--
    2,0,"","<Unknown ContentType>"
    Total,0
    --3694d703-Z--

QUESTION 8: How to make the log human-readable, instead of:

 \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 \\xfd\\xeb. \\xef\\xee\\xf7\\xf2\\xfb \\xef\\xee\\xeb\\xf3\\xf7\\xe0\\xf2\\xe5\\xeb\\xff? found within ARGS:code: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0 

QUESTION 9: Actually the main problem, and the /etc/apache2/error.log log. I thought this was due to .htaccess and mod_rewrite, but after turning off .htaccess it is all the same:

 "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){8,}" at REQUEST_COOKIES:feedTreeSaveStateCookie. [file "/etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "157"] [id "981172"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within REQUEST_COOKIES:feedTreeSaveStateCookie: root,root/CAT:-1,root/CAT:-1/FEED:-3,root/CAT:-1/FEED:-1,root/CAT:-1/FEED:-4"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "sub.site.com"] [uri "/backend.php"] [unique_id "V6hrisCoAOgAABOCD3UAAAAA"] 

Thank you in advance for all the tips and tricks!

P.S. Basically I used this manual: thefanclub co za / how-to / how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server


No matter how much I fiddled with mod_security, it makes no sense. As a last attempt I tore everything down and reinstalled it, reconfigured it, filtering works, deleted all the rules in .htaccess, did everything clean, configured virtual hosts in Apache, everything by Feng Shui... Anyway, it DOES NOT WORK! For example, it cuts off a site from Yandex browser, but not from IE and FF) it is just not clear how the rules work... I use the latest version of both mod_security and the OWASP rule base, and I include only the base and optional ones. Even with the option in apache2.conf: SecRuleEngine Off

It is necessary to cut everything down: SecRuleEngine Off

Does not help! Site.ru doesn't care where it opens and where it doesn't; the main page, for example, opens in IE, then you follow a link on the site = 403, mod_security cuts mercilessly!

I have a question: why the hell these rules, when even the simplest HTML site gets broken just for a hello? Is there anyone who can help with the rules and with how mod_security works?
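Questions 7 and 8 above concern the same alert: rule 960024 fires on ARGS:code, and the matched data is logged as \xNN escapes because ModSecurity writes every non-printable byte that way (error.log additionally doubles each backslash, the audit log does not). As an added example, not from the question or from ModSecurity itself, the following Python script parses such an error.log entry into its bracketed fields and decodes the escapes; it assumes the form was submitted in Windows-1251 (the bytes in the question decode to Russian text under that code page), so the charset is a parameter.

```python
import re

# Constructed sample: one error.log alert from the question (rule 960024,
# CRS 2.2.9), shortened. error.log doubles every backslash, so the
# non-ASCII form value appears as \\xd3\\xea... here.
SAMPLE_LINE = (
    r'[Mon Aug 08 18:11:15.017274 2016] [:error] [pid 4777] [client 192.168.0.100] '
    r'ModSecurity: Warning. Pattern match "\\\\W{4,}" at ARGS:code. '
    r'[file "/etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf"] '
    r'[line "37"] [id "960024"] [msg "Meta-Character Anomaly Detection Alert"] '
    r'[data "Matched Data: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5 \\xe0\\xe4\\xf0\\xe5\\xf1 '
    r'\\xfd\\xeb. \\xef\\xee\\xf7\\xf2\\xfb \\xef\\xee\\xeb\\xf3\\xf7\\xe0\\xf2\\xe5\\xeb\\xff? '
    r'found within ARGS:code: \\xd3\\xea\\xe0\\xe6\\xe8\\xf2\\xe5"] '
    r'[hostname "site.com"] [uri "/upload.php"]'
)

# [key "value"] pairs; a value may contain backslash-escaped characters.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
# ModSecurity writes every non-printable byte as \xNN.
ESC_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape_bytes(text):
    """Turn \\xNN escapes back into raw bytes (error.log and audit log forms)."""
    text = text.replace('\\\\', '\\')   # collapse error.log's doubled backslashes
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode('utf-8')
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode('utf-8')
    return bytes(out)


def decode_matched_data(text, charset='cp1251'):
    # The charset is the one the site's forms use; cp1251 is an assumption.
    return unescape_bytes(text).decode(charset, errors='replace')


def parse_alert(line, charset='cp1251'):
    """Extract the fields a defender looks at first and make the data readable."""
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    return {
        'client': client.group(1) if client else None,
        'id': fields.get('id'),
        'rule_file': fields.get('file'),
        'msg': fields.get('msg'),
        'uri': fields.get('uri'),
        'data': decode_matched_data(fields.get('data', ''), charset),
    }
```

Running parse_alert over the question's alert shows that the "non-word characters" rule 960024 matched ordinary Cyrillic text submitted from a form, not an attack payload, which is why the rule keeps firing on a plain site with a Russian audience.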

Closed because the question is too general, by aleksandr barakin, user194374, Vartlok, Streletz, Nick Volynkin, 12 Aug '16 at 4:57.

Please correct the question so that it describes a specific problem with enough detail to determine an appropriate answer. Do not ask several questions at once. See “How to ask a good question?” for clarification. If the question can be reformulated according to the rules set out in the help center, edit it.

  • Question 6 - yes, everything is fine. Small note: AH00094 does not count. - AK
  • Yes, yes, it seems so), but why does it cut everything so much? And how to convert the logs from 16k to at least UTF-8? The UTF-8 conversion directive is enabled in /etc/modsecurity/modsecurity.conf, but what is the use of it, 0? - AlexPebody
  • (1) Here it is customary to ask specific questions, and you already have 9 questions here - Bald
  • Why is the sixth question not in bold? - Vladimir Gamalyan
  • (1) @VladimirGamalian This is an albino - Aleksey Shimansky
