Prerequisite
If you don't have CustomBuild, or your version is 1.x, you first need to upgrade to CustomBuild 2.x.
Upgrade instructions: https://help.directadmin.com/item.php?id=555
Update Custombuild
Update CustomBuild:
# cd /usr/local/directadmin/custombuild
# ./build update
Configuration
Edit the options.conf file and set these lines as below (modsecurity_ruleset=no means no bundled ruleset; the custom Malware Expert ruleset is added in the Mod_Security Rules section):
clamav_exim=yes
modsecurity_uploadscan=yes
modsecurity=yes
modsecurity_ruleset=no
Build ClamAV scanner
# ./build clamav
Optionally, you can also use the Malware Expert ClamAV Signatures and Linux Malware Detect.
Build ModSecurity
# ./build modsecurity
Mod_Security Rules
In options.conf the possible values for modsecurity_ruleset are comodo, owasp or no:
modsecurity_ruleset=comodo|owasp|no
Comodo ModSecurity Rules – https://modsecurity.comodo.com/
Owasp ModSecurity Rules – https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
If set to no, you can use the Malware Expert ModSecurity Rules instead – https://malware.expert/modsecurity-rules/
We select the Malware Expert ModSecurity Rules, so set in the options.conf file:
modsecurity_ruleset=no
Set to 'no' to use no default ruleset and use a custom one instead (it must be uploaded to the custom/modsecurity/conf directory).
Buy the Malware Expert Rules and create the custom configuration:
# cd /usr/local/directadmin/custombuild
# mkdir -p custom/modsecurity/conf
Add the file malware_expert.conf to the custom/modsecurity/conf folder and replace (serial key) with the key you bought. The rules are fetched from the vendor over HTTPS when Apache starts, so the file only needs this one line:
SecRemoteRules (serial key) https://rules.malware.expert/download.php?rules=generic
# ./build modsecurity_rules
httpd-modsecurity.conf
The Apache ModSecurity configuration also needs small modifications, because ClamAV has to scan the uploaded files, which means ModSecurity must save multipart uploads to disk where the scanner can read them.
# cd /usr/local/directadmin/custombuild
# mkdir -p custom/ap2/conf custom/ap2/extra
Add the file custom/ap2/extra/httpd-modsecurity.conf with these modifications:
LoadFile /usr/local/lib/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so
<IfModule mod_security2.c>
# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
# Deny with HTTP 406 on a match in the request-header (1) and request-body (2) phases
SecDefaultAction "phase:1,deny,log,status:406"
SecDefaultAction "phase:2,deny,log,status:406"
# Warn: Apache still starts if the remote Malware Expert ruleset cannot be
# downloaded, and then runs without it. Use Abort instead to fail closed.
SecRemoteRulesFailAction Warn
SecRequestBodyLimitAction ProcessPartial
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
SecCollectionTimeout 600
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLogDirMode 1733
SecAuditLogFileMode 0550
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/modsec_audit
SecAuditLog /var/log/httpd/modsec_audit.log
# Upload scanning: with SecTmpSaveUploadedFiles on, every multipart file part is
# written to SecUploadDir so the ClamAV scan enabled by modsecurity_uploadscan=yes
# can read it. 0644 is needed because the scanner runs as a different user than
# Apache; /tmp is shared with every local user, so a dedicated directory is the
# tighter choice if your setup allows it.
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecUploadFileMode 0644
SecTmpSaveUploadedFiles on
# ModSecurity Core Rules Set and Local configuration
IncludeOptional /etc/modsecurity.d/*.conf.main
IncludeOptional /etc/modsecurity.d/*.conf
</IfModule>
Rebuild configurations
# ./build rewrite_confs
Activate the rules and the modifications:
# ./build modsecurity_rules
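The setup above only tells you it worked when a bad upload actually gets a 406. The following script is an added example, not part of the DirectAdmin or CustomBuild documentation: it checks that options.conf carries the four values this guide sets, that the Malware Expert configuration no longer contains the (serial key) placeholder and points at an https:// URL, and then uploads the EICAR test file (a harmless string that every antivirus engine, ClamAV included, detects) to a URL you pass in and reports whether ModSecurity blocked it with the 406 from SecDefaultAction. The CustomBuild path and the malware_expert.conf filename are taken from the guide; the form field name "file" and the test URL are assumptions.

```shell
#!/bin/sh
# Added example: verify the ModSecurity + ClamAV upload-scanning setup from this guide.
# Usage: sh check_uploadscan.sh https://example.com/   (any URL on a protected vhost)

# EICAR test string (harmless; detected by ClamAV's default signatures).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# check_options FILE: 0 if every key=value this guide requires is present as an
# exact line in options.conf, 1 otherwise (missing ones go to stderr).
check_options() {
  file="$1"
  rc=0
  for kv in clamav_exim=yes modsecurity=yes modsecurity_uploadscan=yes modsecurity_ruleset=no; do
    if ! grep -qx "$kv" "$file"; then
      echo "options.conf: missing or wrong: $kv" >&2
      rc=1
    fi
  done
  return $rc
}

# check_remote_rules FILE: the serial key placeholder must be replaced, and the
# SecRemoteRules line must fetch from an https:// URL (the rules are trusted code).
check_remote_rules() {
  file="$1"
  if grep -q '(serial key)' "$file"; then
    echo "$file: (serial key) placeholder not replaced" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]*SecRemoteRules[[:space:]]+[^[:space:]]+[[:space:]]+https://' "$file"; then
    echo "$file: no SecRemoteRules line with an https:// URL" >&2
    return 1
  fi
  return 0
}

# classify_status CODE: 406 is the deny status set by SecDefaultAction above;
# anything else means the EICAR upload reached the backend unblocked.
classify_status() {
  case "$1" in
    406) echo "blocked (HTTP 406 from SecDefaultAction)"; return 0 ;;
    *)   echo "NOT blocked (HTTP $1): upload reached the backend"; return 1 ;;
  esac
}

# upload_eicar URL: POST the EICAR file as a multipart form upload (assumed field
# name "file") and print only the HTTP status code. Needs a live server.
upload_eicar() {
  url="$1"
  tmp=$(mktemp)
  printf '%s' "$EICAR" > "$tmp"
  code=$(curl -s -o /dev/null -w '%{http_code}' -F "file=@$tmp;filename=eicar.com" "$url")
  rm -f "$tmp"
  echo "$code"
}

# Run the full check only when a URL is given, so the functions can also be sourced.
if [ -n "$1" ]; then
  cb=/usr/local/directadmin/custombuild
  check_options "$cb/options.conf"
  check_remote_rules "$cb/custom/modsecurity/conf/malware_expert.conf"
  classify_status "$(upload_eicar "$1")"
fi
```

A 404 from the test URL still counts as "not blocked": ModSecurity inspects the request body in phase 2 before Apache decides what serves the path, so a scanned and rejected upload returns 406 regardless of whether anything handles that URL.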