How do I install ModSecurity OWASP CRS Plugins in Directadmin?

[webbasica]

In Mod Security, the OWASP CRS 4.x have plugins (formerly "exclusion packages"). I'm trying to enable them in my custom modsecurity conf file for Custom Build. Since I'm using OpenLiteSpeed, this is the file:
/usr/local/directadmin/custombuild/custom/openlitespeed/conf/httpd-modsecurity.conf

According to the CRS documentation, it's as simple as creating a directory, and adding he rule files:

Include crs/crs-setup.conf
 
Include crs/plugins/*-config.conf
Include crs/plugins/*-before.conf
 
Include crs/rules/*.conf
 
Include crs/plugins/*-after.conf

However, I don't know how to accomplish this using the Custom Build conf file (httpd-modsecurity.conf)

# Default recommended configuration
SecRuleEngine On
SecRequestBodyAccess On
SecDefaultAction "phase:2,deny,log,status:406"
SecRequestBodyLimitAction ProcessPartial
SecResponseBodyLimitAction ProcessPartial
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecAuditLogFormat JSON

SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000

SecCollectionTimeout 600

SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modsec_audit.log
SecUploadDir /tmp
SecTmpDir /tmp
SecDataDir /tmp
SecTmpSaveUploadedFiles on

# ModSecurity Core Rules Set and Local configuration
Include /etc/modsecurity.d/*.conf.main
Include /etc/modsecurity.d/*.conf

Has anyone installed OWASP CRS plugins in Directadmin?

 

[Stije]

You checked this:

GitHub - litespeedtech/ols1clk: One click installation of Open LiteSpeed

One click installation of Open LiteSpeed. Contribute to litespeedtech/ols1clk development by creating an account on GitHub.

github.com

 

[dkzr]

I have exactly the same question (for Apache webserver). For now I've pinned my DA install to keep OWASP v3 because of this.

With OWASP v3 I have some custom settings in /usr/local/directadmin/custombuild/custom/modsecurity/conf/ that get included every time the httpd confs are rewritten.

With OWASP v4 it's unclear for me if this will still work since, with default settings, it would require overwriting directories?
Since the build script is now included in the DA binary it's impossible to find out without just testing and I don't want to try this on my live server....

Some kind of "how to" from DA would be nice...

 

[dkzr]

@fln any chance DA can post a how-to for this?

 

[dkzr]

I've done a quick experiment myself.

The OWASP directory layout of v4+ is roughly the same as v3.

The DA httpd-modsecurity.conf stays the same.

So you should be able to enable plugins by creating two files in /usr/local/directadmin/custombuild/custom/modsecurity/conf/ that load your plugin files "before" and "after".

OWASP suggests using REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.

I haven't tested this myself (and still am on v3)

 

[dkzr]

I've done a quick experiment myself.

The OWASP directory layout of v4+ is roughly the same as v3.

The DA httpd-modsecurity.conf stays the same.

So you should be able to enable plugins by creating two files in /usr/local/directadmin/custombuild/custom/modsecurity/conf/ that load your plugin files "before" and "after".

OWASP suggests using REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.

I haven't tested this myself (and still am on v3)

This is for Apache webserver

 

[webbasica]

Did it work? Are the plugins working?

 

[toktokcity]

I am curious if there are people who implemented these plugins successfully on DA with Apache. The ModSecurity logs show that the OWASP ruleset is doing good work, but it also breaks editors like Elementor and plugins suchs as Roundcube.

 

[webbasica]

I disabled ModSec altogether, WordPress was becoming more incompatible every day. Still waiting if we get this functionality someday to give it another try

 

[toktokcity]

That's a pity. I really do like the idea of managing this on server level instead of website level with Wordfence doing multiple scans breaking the server.

 

[Ohm J]

I'm trying to use OWASP rules in the past and find out it too much breaking application, so I switch back to COMODO rules. Even phpmyadmin can't use at all.

Comodo rules have a little false positive better than OWASP.

 

[toktokcity]

I'm trying to use OWASP rules in the past and find out it too much breaking application, so I switch back to COMODO rules. Even phpmyadmin can't use at all.

Comodo rules have a little false positive better than OWASP.

Yes, but they are outdated and the ruleset is not in development anymore?

 

[dkzr]

I've found some time to test a OWASPv4 plugin setup.

What I did:

1. I've created a custom directory /opt/modsecurity.plugins/ where my plugins live;
2. I created a dummy empty plugin in /opt/modsecurity.plugins/ (to handle Include directives when you don't have IncludeOptional), see setup below;
3. In /opt/modsecurity.plugins/ I did a git clone <plugin> for the plugins I use (WordPress, phpMyAdmin, Nextcloud, DOS protection)
4. In /usr/local/directadmin/custombuild/custom/modsecurity/conf/ I created REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf and RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
5. The relevant contents of those conf files are below
6. Do a da build rewrite_confs
7. That's it

REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf content

##
# OWASP custom settings, eg. put your generic settings/modifications here
##
# -- [[ Paranoia Level Initialization ]] ---------------------------------------
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

##
# v3 rules
# Skipped when crs_setup_version >= 400
##
SecRule TX:crs_setup_version "@ge 400" "id:30001,phase:1,pass,nolog,skipAfter:DKZR-OWASP-V3"
SecRule TX:crs_setup_version "@ge 400" "id:30002,phase:2,pass,nolog,skipAfter:DKZR-OWASP-V3"

# To make testing/switching easier, put any OWASPv3 rules here

SecMarker "DKZR-OWASP-V3"

##
# v4 rules
# Skipped when crs_setup_version < 400
##
SecRule TX:crs_setup_version "@lt 400" "id:40001,phase:1,pass,nolog,skipAfter:DKZR-OWASP-V4-BEFORE"
SecRule TX:crs_setup_version "@lt 400" "id:40002,phase:2,pass,nolog,skipAfter:DKZR-OWASP-V4-BEFORE"

# All included files are part of this skipAfter block
IncludeOptional /opt/modsecurity.plugins/*/plugins/*-config.conf
IncludeOptional /opt/modsecurity.plugins/*/plugins/*-before.conf

SecMarker "DKZR-OWASP-V4-BEFORE"

RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf content

##
# v4 rules
# Skipped when crs_setup_version < 400
##
SecRule TX:crs_setup_version "@lt 400" "id:41001,phase:1,pass,nolog,skipAfter:DKZR-OWASP-V4-AFTER"
SecRule TX:crs_setup_version "@lt 400" "id:41002,phase:2,pass,nolog,skipAfter:DKZR-OWASP-V4-AFTER"

# All included files are part of this skipAfter block
IncludeOptional /opt/modsecurity.plugins/*/plugins/*-after.conf

SecMarker "DKZR-OWASP-V4-AFTER"

Empty plugin setup

1. Create directories /opt/modsecurity.plugins/00-empty-placeholder-plugin/plugins/
2. In that directory, create three empty files: empty-config.conf, empty-before.conf and empty-after.conf

Git clone a plugin
For example the phpMyAdmin plugin, after cd /opt/modsecurity.plugins/ you run: git clone https://github.com/coreruleset/phpmyadmin-rule-exclusions-plugin.git You get a plugin directory phpmyadmin-rule-exclusions-plugin.

You must now decide if you want to use de main/master branch or a specific version (tag). See the git manpage on how to do this.

 

[dkzr]

PS. I only did a short test with v4 as I only have one server. So back on v3 in production time, hopefully can do some more testing later.
But in the short time that I used v4 all WordPress and Nextcloud instances and phpMyAdmin worked fine.