====== Ubuntu - ModSecurity - Configure mod_security ======

Out of the box, modsecurity doesn't do anything as it needs rules to work.

The default configuration file is set to **DetectionOnly** which logs requests according to rule matches and doesn't block anything.

This can be changed by editing the modsecurity.conf file:

<code bash>
vi /etc/modsecurity/modsecurity.conf
</code>

Find this line

<file bash /etc/modsecurity/modsecurity.conf>
SecRuleEngine DetectionOnly
</file>

and change it to:

<file bash /etc/modsecurity/modsecurity.conf>
SecRuleEngine On
</file>

If you're trying this out on a production server, change this directive only after testing all your rules.

Another directive to modify is **SecResponseBodyAccess**.  This configures whether response bodies are buffered (i.e. read by modsecurity).  This is only necessary if data leakage detection and protection is required.  Therefore, leaving it //On// will use up droplet resources and also increase the logfile size.

Find this

<file bash /etc/modsecurity/modsecurity.conf>
SecResponseBodyAccess On
</file>

and change it to:

<file bash /etc/modsecurity/modsecurity.conf>
SecResponseBodyAccess Off
</file>

Now we'll limit the maximum data that can be posted to your web application.  Two directives configure these:

<code bash>
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
</code>

The **SecRequestBodyLimit** directive specifies the maximum POST data size.  If anything larger is sent by a client the server will respond with a [[http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#413|413 Request Entity Too Large]] error.  If your web application doesn't have any file uploads this value can be greatly reduced.

The value mentioned in the configuration file is

<file bash /etc/modsecurity/modsecurity.conf>
SecRequestBodyLimit 13107200
</file>

which is 12.5MB.

Similar to this is the **SecRequestBodyNoFilesLimit** directive.  The only difference is that this directive limits the size of //POST// data minus file uploads-- this value should be "as low as practical."

The value in the configuration file is

<file bash /etc/modsecurity/modsecurity.conf>
SecRequestBodyNoFilesLimit 131072
</file>

which is 128KB.

Along the lines of these directives is another one which affects server performance: **SecRequestBodyInMemoryLimit**.  This directive is pretty much self-explanatory; it specifies how much of "request body" data (POSTed data) should be kept in the memory (**RAM**), anything more will be placed in the hard disk (just like swapping).  Since droplets use SSDs, this is not much of an issue; however, this can be set a decent value if you have RAM to spare.

<file bash /etc/modsecurity/modsecurity.conf>
SecRequestBodyInMemoryLimit 131072
</file>

This is the value (128KB) specified in the configuration file.


----

===== References =====

https://www.digitalocean.com/community/tutorials/how-to-set-up-mod_security-with-apache-on-debian-ubuntu