How To: Add the OWASP ModSecurity CRS


The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.


In /usr/local/directadmin/custombuild/options.conf, set:

modsecurity=yes
modsecurity_ruleset=no

Navigate to the /usr/local/src folder and download the git source:

cd /usr/local/src
wget https://www.kernel.org/pub/software/scm/git/git-2.14.2.tar.xz

Untar the file, cd into the extracted folder, and issue the following commands:


tar -xvf git-2.14.2.tar.xz
cd git-2.14.2
./configure
make
make install

If the following error appears while compiling git:

* tclsh failed; using unoptimized loading
MSGFMT po/bg.msg
make[1]: *** [po/bg.msg] Error 127
make: *** [all] Error 2

We may need to install gettext:

yum install gettext

Move to the /etc/modsecurity.d/ folder, clone the OWASP ModSecurity CRS repository, and create crs-setup.conf from the example file:

cd /etc/modsecurity.d
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs/
mv crs-setup.conf.example crs-setup.conf
vi /etc/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf

Uncomment these lines:

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

Then comment out these lines:


#SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"
# SecDefaultAction "phase:2,log,auditlog,redirect:'http://%{request_headers.host}/',tag:'Host: %{request_headers.host}'"

Now go to the secure section (the block that sets tx.paranoia_level) and uncomment all of these lines:


#SecAction \
# "id:900000,\
# phase:1,\
#nolog,\
#pass,\
#t:none,\
#setvar:tx.paranoia_level=1"

Now go to the DoS section and uncomment the following lines:


#SecAction \
#"id:900700,\
#phase:1,\
#nolog,\
#pass,\
#t:none,\
#setvar:'tx.dos_burst_time_slice=60',\
#setvar:'tx.dos_counter_threshold=100',\
#setvar:'tx.dos_block_timeout=600'"

Save and exit the file, then open the Apache includes file:


vi /etc/httpd/conf/extra/httpd-includes.conf

and add the following lines:


Include /etc/modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include /etc/modsecurity.d/owasp-modsecurity-crs/rules/*.conf

Now move to /usr/local/directadmin/custombuild and issue the following commands:

./build modsecurity
systemctl restart httpd
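
A quick way to confirm the crs-setup.conf edits described above before rebuilding, as an added example (not part of the original post or the CRS project). It treats only uncommented lines as live and reports a missing deny action, a still-active redirect action, or a half-uncommented SecAction block; the function names and the sample file are constructed for illustration.

```shell
# Added example, not from the original page: checks crs-setup.conf after editing.
# Print only the live (uncommented, non-blank) lines of config file $1.
live_lines() { grep -Ev '^[[:space:]]*(#|$)' "$1" || true; }

# Report every deviation from the tutorial's end state; status 0 means all good.
check_crs_setup() (
    live=$(live_lines "$1"); rc=0
    for phase in 1 2; do
        printf '%s\n' "$live" | grep -Eq \
            "^[[:space:]]*SecDefaultAction[[:space:]]+\"phase:$phase,.*deny,status:403\"" ||
            { printf 'MISSING: deny/403 SecDefaultAction for phase %s\n' "$phase"; rc=1; }
    done
    if printf '%s\n' "$live" | grep -Eq '^[[:space:]]*SecDefaultAction.*redirect:'; then
        echo 'UNEXPECTED: redirect SecDefaultAction is still active'; rc=1
    fi
    # A SecAction block is only valid if every one of its continuation lines is live.
    for pat in id:900000 tx.paranoia_level= id:900700 tx.dos_burst_time_slice= \
               tx.dos_counter_threshold= tx.dos_block_timeout=; do
        printf '%s\n' "$live" | grep -Fq -- "$pat" ||
            { printf 'MISSING: live line matching %s\n' "$pat"; rc=1; }
    done
    exit "$rc"
)

# Constructed sample: the relevant parts of crs-setup.conf after the edits above.
write_sample() {
    cat > "$1" <<'EOF'
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
#SecDefaultAction "phase:1,log,auditlog,redirect:'http://%{request_headers.host}/'"
SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"
SecAction \
 "id:900700,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.dos_burst_time_slice=60',\
  setvar:'tx.dos_counter_threshold=100',\
  setvar:'tx.dos_block_timeout=600'"
EOF
}
[ "$#" -eq 0 ] || check_crs_setup "$1"  # usage: sh check_crs.sh /path/to/crs-setup.conf
```

Run it with the path to crs-setup.conf as the only argument; no output and exit status 0 mean the file matches the state the steps above describe.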