Configuration
- Open the config and read it through. If the file is read carefully, there should be no questions left :)
nano -w /etc/crs4/crs-setup.conf
- Making sure the module is working in Anomaly Scoring mode (every matching rule only logs and passes; the decision to block is made on the accumulated anomaly score)
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"
- Setting up Paranoia Level = 3 (high enough to secure the system and probably high in terms of false positives, but we'll deal with those as we go)
SecAction \
"id:900000,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.blocking_paranoia_level=3"
- Turning on the URLENCODED body processor for all client requests that carry no Content-Type header
SecAction \
"id:900010,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.enforce_bodyproc_urlencoded=1"
- Setting up the weight of each anomaly severity
SecAction \
"id:900100,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.critical_anomaly_score=5,\
setvar:tx.error_anomaly_score=4,\
setvar:tx.warning_anomaly_score=3,\
setvar:tx.notice_anomaly_score=2"
- Setting up blocking thresholds. Here I'm deliberately leaving them high until the system is tuned properly.
SecAction \
"id:900110,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.inbound_anomaly_score_threshold=5000,\
setvar:tx.outbound_anomaly_score_threshold=4000"
- Enabling the second reporting level (after all, we have PL=3 and it's handy to get informative logs)
SecAction \
"id:900115,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.reporting_level=2"
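As an added illustration of the anomaly-scoring model configured above (weights from rule 900100, thresholds from rule 900110) and of why the logs matter while tuning, here is a small Python script that is not part of the original write-up. It replays constructed ModSecurity error-log lines, sums the per-request inbound score the way CRS does, and shows which requests would have been blocked at the CRS default threshold versus the deliberately high tuning threshold; rule ids, severities and paranoia-level tags follow CRS 4 conventions, but the log lines themselves are invented.

```python
import re
from collections import defaultdict

# Anomaly weights and thresholds as set in crs-setup.conf above (rules 900100 and 900110).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
TUNING_THRESHOLD = 5000    # inbound threshold while tuning: nothing is ever blocked
PRODUCTION_THRESHOLD = 5   # CRS default: one CRITICAL hit is enough to block

# Constructed sample lines shaped like Apache's ModSecurity error log; the events are invented.
SAMPLE_LOG = """\
[client 203.0.113.5:51234] ModSecurity: Warning. detected SQLi using libinjection [id "942100"] [severity "CRITICAL"] [tag "paranoia-level/1"] [uri "/search"] [unique_id "REQ-A"]
[client 203.0.113.5:51234] ModSecurity: Warning. Pattern match at ARGS:q [id "942430"] [severity "WARNING"] [tag "paranoia-level/2"] [uri "/search"] [unique_id "REQ-A"]
[client 198.51.100.7:40012] ModSecurity: Warning. Pattern match at REQUEST_URI [id "920272"] [severity "CRITICAL"] [tag "paranoia-level/3"] [uri "/cms/edit"] [unique_id "REQ-B"]
[client 192.0.2.9:33001] ModSecurity: Warning. Pattern match at ARGS:title [id "942430"] [severity "WARNING"] [tag "paranoia-level/2"] [uri "/cms/edit"] [unique_id "REQ-C"]
"""

FIELD = re.compile(r'\[(id|severity|uri|unique_id) "([^"]*)"\]')
PL_TAG = re.compile(r'\[tag "paranoia-level/(\d)"\]')

def parse_events(log_text):
    """Pull rule id, severity, uri, unique_id and paranoia level out of each CRS alert line."""
    events = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "id" not in fields or "unique_id" not in fields:
            continue  # not a CRS alert line (e.g. a plain Apache error)
        pl = PL_TAG.search(line)
        fields["pl"] = int(pl.group(1)) if pl else 1
        events.append(fields)
    return events

def score_requests(events):
    """Replicate inbound anomaly scoring: sum the severity weight of every hit per request."""
    per_request = defaultdict(lambda: {"score": 0, "max_pl": 1, "rules": [], "uri": ""})
    for ev in events:
        req = per_request[ev["unique_id"]]
        req["score"] += SEVERITY_SCORE.get(ev["severity"].upper(), 0)
        req["max_pl"] = max(req["max_pl"], ev["pl"])  # highest PL needed to see this request
        req["rules"].append(ev["id"])
        req["uri"] = ev.get("uri", "")
    return dict(per_request)

def tuning_report(log_text, threshold=PRODUCTION_THRESHOLD):
    """Per request: score, the paranoia level that produced it, and whether the CRS
    blocking rule would have fired at the given threshold (score >= threshold)."""
    return {uid: dict(r, blocked=r["score"] >= threshold)
            for uid, r in score_requests(parse_events(log_text)).items()}
```

Requests whose score comes only from PL2/PL3 rules (max_pl above 1) are the first candidates to inspect for false positives before the threshold is lowered to production values.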
- Turning on the default signature set
SecAction \
"id:900130,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.enable_default_collections=1"
- Limiting HTTP methods. Here I've added HTTP PUT, which is used by the CMS (be careful with what you do, as this example is tuned to my needs; always check the logs). More on the logic is here and here
SecAction \
"id:900200,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT'"
- Limiting the allowed request Content-Type values, HTTP versions and request charset
SecAction \
"id:900220,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_request_content_type=|application/x-www-form-urlencoded| |text/html|'"
SecAction \
"id:900230,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_http_versions=HTTP/1.1'"
SecAction \
"id:900280,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:'tx.allowed_request_content_type_charset=|utf-8|'"
- Limiting the number of arguments, the argument name length and the argument value length, as well as the total length of all arguments
SecAction \
"id:900300,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.max_num_args=255"
SecAction \
"id:900310,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.arg_name_length=100"
SecAction \
"id:900320,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.arg_length=400"
SecAction \
"id:900330,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.total_arg_length=64000"
- Limiting the size of a single uploaded file in a POST request, as well as the combined size of all files
SecAction \
"id:900340,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.max_file_size=1048576"
SecAction \
"id:900350,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.combined_file_sizes=1048576"
- Enabling UTF-8 validation of requests, since our server uses that encoding
SecAction \
"id:900950,\
phase:1,\
pass,\
t:none,\
nolog,\
tag:'OWASP_CRS',\
ver:'OWASP_CRS/4.10.0',\
setvar:tx.crs_validate_utf8_encoding=1"
- Everything else is left at its defaults
- Enabling the rule engine so that filtering actually takes effect
nano -w /etc/apache2/sites-enabled/null.conf
# WAF
<IfModule security2_module>
SecRuleEngine On
</IfModule>
systemctl reload apache2