
Ubuntu - ModSecurity - Configure mod_security

Out of the box, modsecurity doesn't do anything, as it needs rules to work.

The default configuration file sets the rule engine to DetectionOnly, which logs requests that match rules but doesn't block anything.

This can be changed by editing the modsecurity.conf file:

vi /etc/modsecurity/modsecurity.conf

Find this line:

/etc/modsecurity/modsecurity.conf
SecRuleEngine DetectionOnly

and change it to:

/etc/modsecurity/modsecurity.conf
SecRuleEngine On

If you're trying this out on a production server, change this directive only after testing all your rules.

Another directive to modify is SecResponseBodyAccess. This configures whether response bodies are buffered (i.e. read by modsecurity). Buffering is only necessary if data leakage detection and protection is required; otherwise, leaving it On uses up droplet resources and increases the log file size.

Find this line:

/etc/modsecurity/modsecurity.conf
SecResponseBodyAccess On

and change it to:

/etc/modsecurity/modsecurity.conf
SecResponseBodyAccess Off

Now we'll limit the maximum amount of data that can be posted to your web application. Two directives configure this:

SecRequestBodyLimit
SecRequestBodyNoFilesLimit

The SecRequestBodyLimit directive specifies the maximum POST data size. If a client sends anything larger, the server will respond with a 413 Request Entity Too Large error. If your web application doesn't have any file uploads, this value can be greatly reduced.

The value mentioned in the configuration file is

/etc/modsecurity/modsecurity.conf
SecRequestBodyLimit 13107200

which is 12.5MB.

Similar to this is the SecRequestBodyNoFilesLimit directive. The only difference is that this directive limits the size of POST data minus file uploads; this value should be “as low as practical.”

The value in the configuration file is

/etc/modsecurity/modsecurity.conf
SecRequestBodyNoFilesLimit 131072

which is 128KB.

Along the lines of these directives is another one which affects server performance: SecRequestBodyInMemoryLimit. This directive is pretty much self-explanatory; it specifies how much of the “request body” data (POSTed data) should be kept in memory (RAM). Anything more will be placed on the hard disk (just like swapping). Since droplets use SSDs, this is not much of an issue; however, this can be set to a decent value if you have RAM to spare.

/etc/modsecurity/modsecurity.conf
SecRequestBodyInMemoryLimit 131072

This is the value (128KB) specified in the configuration file.
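
The following audit script is an added example, not part of the original page or of ModSecurity itself. It reads the directives discussed above from modsecurity.conf-style text and reports which ones still hold the values this page changes. The sample configuration is constructed, the function names are hypothetical, and the script assumes that the last occurrence of a directive is the effective one.

```python
import re

# Constructed sample mirroring the stock values quoted on this page.
SAMPLE_CONF = """\
# -- Rule engine initialization --
SecRuleEngine DetectionOnly
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess On
"""

DIRECTIVES = ("SecRuleEngine", "SecResponseBodyAccess", "SecRequestBodyLimit",
              "SecRequestBodyNoFilesLimit", "SecRequestBodyInMemoryLimit")
CANON = {d.lower(): d for d in DIRECTIVES}  # directive names are case-insensitive

def parse_directives(text):
    """Return {directive: value}. Commented-out lines never match; by
    assumption the last occurrence of a directive is the effective one."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\S+)", line)
        if m and m.group(1).lower() in CANON:
            found[CANON[m.group(1).lower()]] = m.group(2)
    return found

def human(n):
    """Format a byte count in the binary units the page uses."""
    for unit, size in (("MB", 1024 ** 2), ("KB", 1024)):
        if n >= size:
            return f"{n / size:g}{unit}"
    return f"{n}B"

def audit(text):
    """Return a list of findings for the settings this page changes."""
    conf = parse_directives(text)
    findings = []
    engine = conf.get("SecRuleEngine", "unset")
    if engine.lower() != "on":
        findings.append(f"SecRuleEngine is {engine}: requests are not blocked")
    if conf.get("SecResponseBodyAccess", "").lower() == "on":
        findings.append("SecResponseBodyAccess is On: response bodies are buffered")
    body = int(conf.get("SecRequestBodyLimit", 0))
    nofiles = int(conf.get("SecRequestBodyNoFilesLimit", 0))
    if body and nofiles > body:  # non-file data is part of the total body
        findings.append(f"SecRequestBodyNoFilesLimit ({human(nofiles)}) exceeds "
                        f"SecRequestBodyLimit ({human(body)})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```

To check a real server, pass the contents of /etc/modsecurity/modsecurity.conf to audit(); other files included by the web server are not read by this script.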



ubuntu/modsecurity/configure_mod_security.txt · Last modified: 2020/07/15 10:30 by 127.0.0.1
