This is the default ModSecurity configuration with Apache that we use in a Linux environment.
These settings may not suit your server configuration, depending on the OS and other factors.
Example ModSecurity configuration file: modsecurity.conf
    # -- Rule engine initialization ----------------------------------------------

    # Enable ModSecurity, attaching it to every transaction. Use detection
    # only to start with, because that minimises the chances of post-installation
    # disruption.
    #
    SecRuleEngine On

    # -- Request body handling ---------------------------------------------------

    # Allow ModSecurity to access request bodies. If you don't, ModSecurity
    # won't be able to see any POST parameters, which opens a large security
    # hole for attackers to exploit.
    #
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Store up to 128 KB of request body data in memory. When the multipart
    # parser reaches this limit, it will start using your hard disk for
    # storage. That is slow, but unavoidable.
    #
    SecRequestBodyInMemoryLimit 131072

    # What to do if the request body size is above our configured limit.
    # Keep in mind that this setting will automatically be set to ProcessPartial
    # when SecRuleEngine is set to DetectionOnly mode in order to minimize
    # disruptions when initially deploying ModSecurity.
    #
    SecRequestBodyLimitAction ProcessPartial

    SecDefaultAction "phase:1,deny,log,status:406"
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRemoteRulesFailAction Warn

    # PCRE Tuning
    # We want to avoid a potential RegEx DoS condition
    #
    SecPcreMatchLimit 250000
    SecPcreMatchLimitRecursion 250000

    SecResponseBodyLimitAction ProcessPartial

    SecTmpDir /tmp
    SecDataDir /tmp
    SecUploadDir /tmp
    SecUploadKeepFiles on
    SecUploadFileMode 0644

    # Needed for ClamAV scanning
    SecTmpSaveUploadedFiles on

    # -- Audit log configuration -------------------------------------------------

    # Log the transactions that are marked by a rule, as well as those that
    # trigger a server error (determined by a 5xx or 4xx, excluding 404,
    # level response status codes).
    #
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"

    # Log everything we know about a transaction.
    SecAuditLogParts ABIJDEFHZ

    # Use a single file for logging. This is much easier to look at, but
    # assumes that you will use the audit log only occasionally.
    #
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Specify the path for concurrent audit logging.
    SecAuditLogType Concurrent
    SecAuditLogStorageDir /var/log/apache2/modsec_audit

    # -- ModSecurity Core Rules Set and Local configuration ------------------------
    # IncludeOptional /etc/modsecurity.d/*.conf.main
    # IncludeOptional /etc/modsecurity.d/*.conf
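
The storage settings in the configuration above (SecTmpDir, SecDataDir and SecUploadDir all set to /tmp, uploads kept with mode 0644) are worth reviewing before deployment. The following is an added example, not part of the original configuration or of ModSecurity itself: a small checker that reads a modsecurity.conf and reports those settings. The function names are illustrative, and it assumes one directive per line with no backslash continuations.

```python
import shlex

# Constructed sample: directives copied from the modsecurity.conf above.
SAMPLE_CONF = """\
SecRuleEngine On
SecTmpDir /tmp
SecDataDir /tmp
SecUploadDir /tmp
SecUploadKeepFiles on
SecUploadFileMode 0644
# Needed for ClamAV scanning
SecTmpSaveUploadedFiles on
SecAuditLogStorageDir /var/log/apache2/modsec_audit
"""

SHARED_TMP = {"/tmp", "/var/tmp"}  # writable by every local user on a typical Linux host
DIR_DIRECTIVES = ("SecTmpDir", "SecDataDir", "SecUploadDir", "SecAuditLogStorageDir")


def parse_directives(text):
    """Map each active directive to its argument list; the last occurrence wins."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # skip blanks and comments
            name, *args = shlex.split(line)    # shlex handles quoted arguments
            found[name] = args
    return found


def review(text):
    """Return (directive, finding) pairs for the storage-related settings."""
    conf, findings = parse_directives(text), []
    for name in DIR_DIRECTIVES:
        path = (conf.get(name) or [""])[0].rstrip("/")
        if path in SHARED_TMP:
            findings.append((name, f"{path} is shared by all local users; use a private directory"))
    mode = (conf.get("SecUploadFileMode") or ["0600"])[0]  # 0600 is the documented default
    if int(mode, 8) & 0o007:  # any permission bit set for "other"
        findings.append(("SecUploadFileMode", f"{mode} lets any local account read stored uploads"))
    if (conf.get("SecUploadKeepFiles") or ["off"])[0].lower() == "on":
        findings.append(("SecUploadKeepFiles", "every upload is retained; RelevantOnly keeps flagged ones"))
    return findings


if __name__ == "__main__":
    for directive, finding in review(SAMPLE_CONF):
        print(f"{directive}: {finding}")
```
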
Directory Permissions
    # mkdir /var/log/apache2/modsec_audit
    # chmod 777 /var/log/apache2/modsec_audit
    # chown www-data: /var/log/apache2