Configuration
- Let's have a look at the config. If you read it carefully, you will have no questions left
nano -w /etc/crs4/crs-setup.conf
- Making sure the module runs in Anomaly Scoring mode: the default action is pass, so a matching rule only raises the score and the blocking decision is made later against the threshold
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
- Setting Paranoia Level 3. Why not? We get an increased level of protection and a chance to work on false positives :)
SecAction \
"id:900000,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.blocking_paranoia_level=3"
- Enforcing the URLENCODED body processor for all client requests without a Content-Type header
SecAction \
"id:900010,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.enforce_bodyproc_urlencoded=1"
- Setting the weight of each anomaly severity
SecAction \
"id:900100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.critical_anomaly_score=5,\
setvar:tx.error_anomaly_score=4,\
setvar:tx.warning_anomaly_score=3,\
setvar:tx.notice_anomaly_score=2"
- Setting the blocking thresholds. I suggest keeping them this high until debugging is done, so that hits are only logged
SecAction \
"id:900110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.inbound_anomaly_score_threshold=5000,\
setvar:tx.outbound_anomaly_score_threshold=4000"
- Turning on reporting level 2. After all, we have PL=3 and it is handy to see what is happening in the system
SecAction \
"id:900115,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.reporting_level=2"
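To see how the paranoia level (900000), the severity weights (900100) and the thresholds (900110) above fit together, here is a small model of CRS inbound anomaly scoring. This is an added example and not CRS or ModSecurity code: the matched rules are constructed sample data with placeholder ids, and it covers only the blocking paranoia level that is set on this page.

```python
"""Model of CRS inbound anomaly scoring with the weights, paranoia level and
thresholds from the crs-setup.conf above. Added example, not CRS code; the
matched rules below are constructed sample data with placeholder ids."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# tx.*_anomaly_score weights from rule 900100
SEVERITY_SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
# tx.blocking_paranoia_level from rule 900000
BLOCKING_PARANOIA_LEVEL = 3
# tx.inbound_anomaly_score_threshold: the debugging value from rule 900110 and the CRS default
DEBUG_THRESHOLD = 5000
DEFAULT_THRESHOLD = 5


@dataclass(frozen=True)
class RuleMatch:
    rule_id: str          # placeholder id, not a real CRS rule id
    severity: str         # severity tag the rule carries
    paranoia_level: int   # paranoia-level/N tag: rule is active only when N <= configured PL


def inbound_score(matches: List[RuleMatch], paranoia_level: int) -> Tuple[int, Dict[int, int]]:
    """Sum the severity weights of every match whose paranoia level is active
    at the configured PL, and return the per-PL breakdown as well."""
    total = 0
    per_pl = {1: 0, 2: 0, 3: 0, 4: 0}
    for match in matches:
        if match.paranoia_level <= paranoia_level:
            weight = SEVERITY_SCORES[match.severity]
            total += weight
            per_pl[match.paranoia_level] += weight
    return total, per_pl


def decision(total: int, threshold: int) -> str:
    """CRS blocks when the inbound score reaches the threshold (@ge)."""
    return "block" if total >= threshold else "pass"


def scores_by_paranoia_level(matches: List[RuleMatch]) -> Dict[int, int]:
    """Score the same request would get at each PL, to see what raising PL costs."""
    return {pl: inbound_score(matches, pl)[0] for pl in range(1, 5)}


# Constructed sample: one request that hit rules at every paranoia level
SAMPLE_MATCHES = [
    RuleMatch("pl1-critical", "CRITICAL", 1),
    RuleMatch("pl2-warning", "WARNING", 2),
    RuleMatch("pl3-critical", "CRITICAL", 3),
    RuleMatch("pl4-notice", "NOTICE", 4),
]

if __name__ == "__main__":
    total, per_pl = inbound_score(SAMPLE_MATCHES, BLOCKING_PARANOIA_LEVEL)
    print(f"PL{BLOCKING_PARANOIA_LEVEL}: score {total}, per PL {per_pl}")
    print("while debugging (threshold 5000):", decision(total, DEBUG_THRESHOLD))
    print("with the CRS default threshold 5:", decision(total, DEFAULT_THRESHOLD))
    print("score at each PL:", scores_by_paranoia_level(SAMPLE_MATCHES))
```

With the debugging threshold of 5000 nothing is ever blocked, which is the point of the setting: every request passes and you read the scores in the log. Once the threshold comes back down to the CRS default of 5, a single critical match at PL1 is already enough to block, and the per-PL breakdown shows how much of the score comes from the PL3 rules you switched on.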
- Turning on the default collections (enable_default_collections)
SecAction \
"id:900130,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.enable_default_collections=1"
- Defining the allowed HTTP methods. I have added PUT, which the CMS uses
SecAction \
"id:900200,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT'"
- Restricting the allowed request Content-Type values
SecAction \
"id:900220,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |text/html|'"
- Restricting the allowed HTTP versions
SecAction \
"id:900230,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_http_versions=HTTP/1.1'"
- Restricting the allowed request charset
SecAction \
"id:900280,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_request_content_type_charset=|utf-8|'"
- Limiting the maximum number of arguments, the argument name length, the length of a single argument and the total argument length
SecAction \
"id:900300,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.max_num_args=255"
SecAction \
"id:900310,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.arg_name_length=100"
SecAction \
"id:900320,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.arg_length=400"
SecAction \
"id:900330,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.total_arg_length=64000"
- Limiting the size of a single uploaded file along with the combined size of all files in the request
SecAction \
"id:900340,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.max_file_size=1048576"
SecAction \
"id:900350,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.combined_file_sizes=1048576"
- Turning on UTF-8 validation of requests, since our server uses that encoding
SecAction \
"id:900950,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.crs_validate_utf8_encoding=1"
- Leaving the rest by default
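Before lowering the thresholds it helps to know which of the allowlists and limits above (900200 to 900350, plus the URLENCODED body processor from 900010) a typical request of your application would trip. The following checker is an added example and not ModSecurity or CRS code: it applies exactly the values from this crs-setup.conf to a parsed request, the three requests at the bottom are constructed samples, and it assumes that the total argument length counts argument names plus values.

```python
"""Check a request against the allowlists and size limits from the
crs-setup.conf above. Added example, not ModSecurity or CRS code. The requests
at the bottom are constructed samples, and the total-argument-length check
assumes names plus values are counted (an assumption about ARGS_COMBINED_SIZE)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# Values copied from the SecAction rules above
ALLOWED_METHODS = {"GET", "HEAD", "POST", "OPTIONS", "PUT"}                 # 900200
ALLOWED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "text/html"}  # 900220
ALLOWED_HTTP_VERSIONS = {"HTTP/1.1"}                                        # 900230
ALLOWED_CHARSETS = {"utf-8"}                                                # 900280
MAX_NUM_ARGS, ARG_NAME_LENGTH, ARG_LENGTH, TOTAL_ARG_LENGTH = 255, 100, 400, 64000  # 900300-900330
MAX_FILE_SIZE, COMBINED_FILE_SIZES = 1048576, 1048576                       # 900340-900350


@dataclass
class Request:
    method: str
    http_version: str
    query: str = ""
    body: str = ""
    content_type: Optional[str] = None   # raw header value, None when the header is absent
    file_sizes: List[int] = field(default_factory=list)  # bytes per uploaded file


def split_content_type(header: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (media type, charset) from a Content-Type header, lowercased;
    either is None when not present."""
    if header is None:
        return None, None
    parts = [p.strip() for p in header.split(";")]
    charset = None
    for param in parts[1:]:
        name, _, value = param.partition("=")
        if name.strip().lower() == "charset":
            charset = value.strip().strip('"').lower()
    return parts[0].lower(), charset


def collect_args(req: Request) -> List[Tuple[str, str]]:
    """Build the ARGS collection: the query string always, the body when it is
    URL-encoded or carries no Content-Type (tx.enforce_bodyproc_urlencoded=1)."""
    args = parse_qsl(req.query, keep_blank_values=True)
    media, _ = split_content_type(req.content_type)
    if req.body and media in (None, "application/x-www-form-urlencoded"):
        args += parse_qsl(req.body, keep_blank_values=True)
    return args


def check_request(req: Request) -> List[str]:
    """Return the tx.* settings from crs-setup.conf that the request violates.
    Each entry would be one scored rule match in the real rule set."""
    violations = []
    if req.method.upper() not in ALLOWED_METHODS:
        violations.append("allowed_methods")
    if req.http_version not in ALLOWED_HTTP_VERSIONS:
        violations.append("allowed_http_versions")
    media, charset = split_content_type(req.content_type)
    if media is not None and media not in ALLOWED_CONTENT_TYPES:
        violations.append("allowed_request_content_type")
    if charset is not None and charset not in ALLOWED_CHARSETS:
        violations.append("allowed_request_content_type_charset")
    args = collect_args(req)
    if len(args) > MAX_NUM_ARGS:
        violations.append("max_num_args")
    if any(len(name) > ARG_NAME_LENGTH for name, _ in args):
        violations.append("arg_name_length")
    if any(len(value) > ARG_LENGTH for _, value in args):
        violations.append("arg_length")
    if sum(len(n) + len(v) for n, v in args) > TOTAL_ARG_LENGTH:
        violations.append("total_arg_length")
    if any(size > MAX_FILE_SIZE for size in req.file_sizes):
        violations.append("max_file_size")
    if sum(req.file_sizes) > COMBINED_FILE_SIZES:
        violations.append("combined_file_sizes")
    return violations


# Constructed sample requests
CMS_SAVE = Request("PUT", "HTTP/1.1", query="id=42",
                   body="title=Hello&body=" + "x" * 300,
                   content_type="application/x-www-form-urlencoded; charset=utf-8")
NO_CONTENT_TYPE = Request("POST", "HTTP/1.1", body="a=1&b=2")
BAD_REQUEST = Request("PATCH", "HTTP/1.0", query="q=" + "a" * 401,
                      content_type="multipart/form-data; charset=latin-1; boundary=xyz",
                      file_sizes=[600000, 600000])

if __name__ == "__main__":
    for name, req in (("CMS_SAVE", CMS_SAVE), ("NO_CONTENT_TYPE", NO_CONTENT_TYPE), ("BAD_REQUEST", BAD_REQUEST)):
        print(f"{name}: {check_request(req) or 'ok'}")
```

One thing the checker makes visible: the Content-Type allowlist above contains only application/x-www-form-urlencoded and text/html, so any multipart/form-data upload is flagged on content type before the file size limits are ever consulted. The real rule set behaves the same way, which only becomes noticeable once the thresholds are lowered, so either the CMS never uploads files or multipart/form-data belongs in the list.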
- Turning on filtering
nano -w /etc/apache2/sites-enabled/null.conf
# WAF: switch ModSecurity from DetectionOnly/Off to enforcing
<IfModule security2_module>
    SecRuleEngine On
</IfModule>
systemctl reload apache2