ModSecurity Configuration

This is a default ModSecurity configuration for Apache, which we use in a Linux environment.

These settings may not suit your server; the right values depend on the OS and other factors.

Example ModSecurity configuration file: modsecurity.conf

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. DetectionOnly is
# the usual starting point, because that minimises the chances of
# post-installation disruption; this configuration sets On, so matching
# rules block straight away.
#
SecRuleEngine On


# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
#
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reaches this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
#
SecRequestBodyInMemoryLimit 131072

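# What to do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity. With SecRuleEngine On,
# ProcessPartial inspects only the part of the body that fits within the
# limit; Reject refuses oversized requests instead.
#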
SecRequestBodyLimitAction ProcessPartial

SecDefaultAction "phase:1,deny,log,status:406"
SecDefaultAction "phase:2,deny,log,status:406"
SecRemoteRulesFailAction Warn

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
#
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
SecResponseBodyLimitAction ProcessPartial

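# /tmp is shared and world-writable; a private directory owned by the Apache
# user is preferable for these three paths.
SecTmpDir /tmp
SecDataDir /tmp
SecUploadDir /tmp
SecUploadKeepFiles On
SecUploadFileMode 0644

# Needed for ClamAV scanning
SecTmpSaveUploadedFiles On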


# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404,
# level response status codes).
#
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.
SecAuditLogParts ABIJDEFHZ

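# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only occasionally.
# (With the Concurrent type set below, this file holds the index and the
# entries themselves go to SecAuditLogStorageDir.)
#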
SecAuditLog /var/log/apache2/modsec_audit.log

# Specify the path for concurrent audit logging.
SecAuditLogType Concurrent
SecAuditLogStorageDir /var/log/apache2/modsec_audit

# -- ModSecurity Core Rules Set and Local configuration ------------------------
# IncludeOptional /etc/modsecurity.d/*.conf.main
# IncludeOptional /etc/modsecurity.d/*.conf
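
Several of the directives above only show their effect in combination (blocking mode with ProcessPartial, /tmp paths, the upload file mode, the audit status pattern). The following Python script is an added example, not part of the original configuration or of ModSecurity itself: it parses a constructed excerpt of the directives above, reports the settings a reviewer would question, and checks which status codes the SecAuditLogRelevantStatus pattern selects. The function names and finding texts are assumptions made for illustration.

```python
import re

# Constructed sample: security-relevant directives copied from the configuration above.
SAMPLE_CONF = """\
SecRuleEngine On
SecRequestBodyLimitAction ProcessPartial
SecTmpDir /tmp
SecDataDir /tmp
SecUploadDir /tmp
SecUploadFileMode 0644
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
"""

def parse_directives(text):
    """Return {directive: value}; comments and blank lines are skipped, last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf[name] = value.strip().strip('"')
    return conf

def audit(conf):
    """Return (directive, finding) tuples for settings worth a second look."""
    findings = []
    if (conf.get("SecRuleEngine", "").lower() == "on"
            and conf.get("SecRequestBodyLimitAction", "").lower() == "processpartial"):
        findings.append(("SecRequestBodyLimitAction",
                         "blocking mode with ProcessPartial: data past the limit is not inspected; consider Reject"))
    for name in ("SecTmpDir", "SecDataDir", "SecUploadDir"):
        if conf.get(name, "").rstrip("/") in ("/tmp", "/var/tmp"):
            findings.append((name, "shared world-writable directory; use a private one"))
    mode = conf.get("SecUploadFileMode")
    if mode and int(mode, 8) & 0o007:  # any permission bit granted to "other"
        findings.append(("SecUploadFileMode", f"{mode} lets every local user read stored uploads"))
    return findings

def audit_logged(conf, status):
    """True if this response status alone makes the transaction 'relevant' for the audit log."""
    return re.search(conf["SecAuditLogRelevantStatus"], str(status)) is not None

if __name__ == "__main__":
    conf = parse_directives(SAMPLE_CONF)
    for name, finding in audit(conf):
        print(f"{name}: {finding}")
    for status in (200, 403, 404, 500):
        print(status, "logged" if audit_logged(conf, status) else "not logged")
```
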

Directory Permissions

# mkdir /var/log/apache2/modsec_audit
# chmod 777 /var/log/apache2/modsec_audit
# chown www-data: /var/log/apache2