How do I install ModSecurity OWASP CRS Plugins in Directadmin?

I have mixed results with the DoS protection of coreruleset. It does block some "1 IP" flood attacks, but not all. It's hard to monitor when it does or doesn't "trigger" a block.
I read some issues on GitHub where people didn't find it very accurate. I've also looked at the requests in my logs, and the default settings would block a whole lot of stuff, including (I suspect) requests coming from the IP of the server itself (typically wp-cron calls). I'll skip it for now, I think.

I'm still on OWASPv3.7 for production :rolleyes:
I was too, until a recent change by DA forcibly installed 4.19.0 on many of my servers, which was fun... :) It seems to work fine, although there was some noise in the immediate aftermath of the upgrade. Currently I'm only using the exclusion plugins for WordPress, phpMyAdmin and Nextcloud. Those seem to cover all the previous custom exceptions I had for v3. There's a rule 942550 that has lots of false positives in 4.19.0 (https://github.com/coreruleset/coreruleset/pull/4284 - fixed in 4.20.0), so I had to globally disable that for now.

but I think I would put custom modifications in REQUEST-900-EXCLUSION...conf either above or directly below the IncludeOptional /opt/modsecurity.plugins/*/plugins/*-config.conf statement (depending on the contents of the plugin config file you might want to disable or "overwrite").
That makes sense.
 
Regarding the DOS settings, I use:

Apache config:
SecAction \
 "id:<your local ID>,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.dos_burst_time_slice=30',\
  setvar:'tx.dos_counter_threshold=300',\
  setvar:'tx.dos_block_timeout=600'"

The default is slice=60 and threshold=100. In my setup you need many more hits in a shorter time to be blocked.

This is based on some log analysis where I had between 200 and 500 requests in 10 seconds. But most "attacks" are around 100 requests in 10 seconds.
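To see when settings like these actually trip a block (which, as noted earlier in the thread, is hard to observe from the logs), here is an added example that is not part of this post and not code from the CRS project. It replays Apache combined-log lines through a small Python model of the documented CRS DoS-protection counters: a per-IP counter that expires tx.dos_burst_time_slice seconds after the last counted request, one "burst" recorded whenever that counter exceeds tx.dos_counter_threshold, and a block lasting tx.dos_block_timeout seconds once a second burst is recorded within the slice. It is a model, not the rules themselves: it assumes expirevar is refreshed on every counted hit, does not count requests while an IP is already blocked, ignores the ip.dos_block_counter bookkeeping, and uses a hand-picked subset of the CRS static-extension list. The log lines it feeds itself are constructed, and the IP 203.0.113.5 and the paths are placeholders.

```python
"""Replay Apache access-log lines through a model of the CRS DoS-protection counters.

Added example; approximates the CRS logic, it is not the CRS rule set itself.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Subset of the CRS tx.static_extensions list (assumption); such requests are not counted.
STATIC_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".css", ".js", ".ico", ".woff2")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class DosSettings:
    burst_time_slice: int = 60    # tx.dos_burst_time_slice (CRS default)
    counter_threshold: int = 100  # tx.dos_counter_threshold (CRS default)
    block_timeout: int = 600      # tx.dos_block_timeout (CRS default)


@dataclass
class IpState:
    counter: int = 0             # ip.dos_counter
    counter_expires: float = 0.0
    bursts: int = 0              # ip.dos_burst_counter
    bursts_expire: float = 0.0
    blocked_until: float = 0.0   # expiry of ip.dos_block


class DosSimulator:
    def __init__(self, settings: DosSettings):
        self.settings = settings
        self.ips: dict = {}

    def request(self, ip: str, ts: float, path: str) -> str:
        """Return 'blocked' or 'pass' for one request and update the per-IP state."""
        st = self.ips.setdefault(ip, IpState())
        s = self.settings
        # expirevar emulation: a variable disappears once its expiry time has passed.
        if st.counter and ts >= st.counter_expires:
            st.counter = 0
        if st.bursts and ts >= st.bursts_expire:
            st.bursts = 0
        # Phase 1: an IP whose dos_block is still set is denied outright (not counted here).
        if ts < st.blocked_until:
            return "blocked"
        # Counting happens in phase 5, so the request itself is still served.
        # Static resources are skipped, as CRS does via REQUEST_BASENAME (query string ignored).
        if path.split("?", 1)[0].lower().endswith(STATIC_EXTENSIONS):
            return "pass"
        st.counter += 1
        st.counter_expires = ts + s.burst_time_slice   # expirevar refreshed on every hit (assumption)
        if st.counter > s.counter_threshold:           # a burst: counter exceeded the threshold
            st.bursts += 1
            st.bursts_expire = ts + s.burst_time_slice
            st.counter = 0                             # CRS unsets ip.dos_counter after a burst
            if st.bursts >= 2:                         # second burst within the slice -> block
                st.blocked_until = ts + s.block_timeout
        return "pass"


def parse_line(line: str):
    """Parse IP, epoch timestamp and request path from an Apache combined-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["path"]


def replay(lines, settings: DosSettings) -> dict:
    """Count how many requests the model passes or blocks under the given settings."""
    sim = DosSimulator(settings)
    verdicts = {"pass": 0, "blocked": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            verdicts[sim.request(*parsed)] += 1
    return verdicts


def flood(ip: str, n: int, seconds: float, path: str = "/wp-login.php"):
    """Constructed sample (not real log data): n requests from one IP spread over `seconds`."""
    start = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    out = []
    for i in range(n):
        when = start + timedelta(seconds=i * seconds / n)
        out.append(f'{ip} - - [{when.strftime(TS_FMT)}] "POST {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return out


if __name__ == "__main__":
    defaults = DosSettings()
    forum = DosSettings(burst_time_slice=30, counter_threshold=300, block_timeout=600)
    for label, n in (("100 req/10s", 100), ("300 req/10s", 300), ("650 req/10s", 650)):
        lines = flood("203.0.113.5", n, 10)
        print(f"{label}: default {replay(lines, defaults)}  slice=30/threshold=300 {replay(lines, forum)}")
```

Run as-is it prints the verdicts for 100, 300 and 650 requests in ten seconds under the CRS defaults and under the slice=30/threshold=300 settings above; to replay a real log, pass an opened access-log file to replay() instead of the constructed lines. Two things the model makes visible: a flood of exactly 100 requests never exceeds the default threshold of 100, so it passes untouched, and because the counter restarts after each burst, a threshold of 300 means the second burst (and hence the block) only arrives at request 602 within one slice.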