ModSecurity Configuration for Tiki
1. Introduction
ModSecurity is an open-source web application firewall (WAF) module for Apache that inspects each HTTP request (and optionally the response) against a rule set and can log or block it. Combined with the OWASP Core Rule Set (CRS) it covers common attack classes such as SQL injection, cross-site scripting (XSS) and known scanners, and it can also be used to turn away bots that scrape content or probe for vulnerabilities. Because the CRS rules are generic, they flag some legitimate Tiki traffic; this guide walks through installing ModSecurity and the CRS on a Debian/Ubuntu Apache server and then tuning them so that Tiki's editing, upload and multilingual features keep working.
2. Installation
Step 1: Install ModSecurity
For Apache (Debian/Ubuntu)
The CRS package is normally pulled in as a recommended dependency; naming it explicitly makes sure the rule set is present:
sudo apt update
sudo apt install libapache2-mod-security2 modsecurity-crs
Step 2: Enable ModSecurity
Enable ModSecurity by copying the recommended configuration file (copy rather than move, so the packaged template stays available for later comparison):
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then, edit the file:
sudo nano /etc/modsecurity/modsecurity.conf
Find:
SecRuleEngine DetectionOnly
Change it to:
SecRuleEngine On
Save and close the file. On a site that has not been tuned yet it is safer to leave DetectionOnly in place for now: every rule still evaluates and logs exactly as it would when blocking, but nothing is denied, so you can work through the false-positive tuning in section 4 from the logs and switch to On afterwards.
Step 3: Verify Installation
Check if ModSecurity is enabled:
sudo apachectl -M | grep security2
Expected output:
security2_module (shared)
If the module is not listed, enable it and restart Apache (run `sudo apachectl configtest` first if you want configuration errors reported before the restart):
sudo a2enmod security2
sudo systemctl restart apache2
3. Basic Configuration
Step 1: Enable the OWASP CRS Rules
Enable the OWASP Core Rule Set (CRS). On Debian and Ubuntu the packaged security2.conf already includes /etc/modsecurity/*.conf and the CRS loader, so usually nothing needs changing; open it to confirm:
sudo nano /etc/apache2/mods-enabled/security2.conf
Ensure a line that pulls in the CRS is present and not commented out. Older packages used:
IncludeOptional /usr/share/modsecurity-crs/*.conf
while current releases of the modsecurity-crs package ship a loader file and include it with an `*.load` glob instead; keep whichever form matches the files that actually exist under /usr/share/modsecurity-crs. Do not include the CRS rules a second time from another file: every rule id would then be defined twice and Apache would refuse to start.
Restart Apache:
sudo systemctl restart apache2
Step 2: Adjust Anomaly Scoring
The CRS does not block on a single rule match. Each match adds points to an anomaly score (a critical match adds 5), and the request is denied only when the inbound score reaches a threshold; the defaults are 5 for requests and 4 for responses. Raising the thresholds is one way to reduce false positives while you tune, but only modestly: an earlier revision of this page set them to 10000, which no real request can reach, so it silently turned blocking off. The thresholds live in:
sudo nano /etc/modsecurity/crs/crs-setup.conf
Uncomment the SecAction with id 900110 and set the values, for example (10 and 8 are illustrative; go back to the defaults once your exclusions are in place):
SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=10,setvar:tx.outbound_anomaly_score_threshold=8"
Restart Apache:
sudo systemctl restart apache2
4. Tiki-Specific Configuration
Tiki uses complex URLs, dynamic AJAX calls, and multiple languages. Without tailoring rules, ModSecurity might block legitimate Tiki features like editing wiki pages, uploading files, or using certain character sets.
Step 1: Handling False Positives
Exclude static files. The CRS gains little from inspecting image, stylesheet and script requests, so turn the engine off for them:
sudo nano /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
Add:
SecRule REQUEST_FILENAME "\.(jpeg|jpg|gif|png|bmp|ico|css|js)$" "id:1000017,phase:1,pass,nolog,ctl:ruleEngine=Off"
REQUEST_FILENAME is the path without the query string; the earlier form of this rule matched REQUEST_URI, which includes the query string, so requests with a cache-busting suffix such as style.css?v=3 never matched. The match is purely on the path: if your PHP handler accepts PATH_INFO, a request for /tiki-index.php/x.js also ends in .js and would switch the engine off for a PHP script, so either disable AcceptPathInfo or anchor the pattern to the directories that actually hold static files.
Allow file uploads in Tiki. Rule 200004 in modsecurity.conf is the strict multipart boundary check (MULTIPART_UNMATCHED_BOUNDARY); if the error log shows it firing on Tiki uploads, remove it for the upload script only:
SecRule REQUEST_URI "@beginsWith /tiki-upload_file.php" "id:1000021,phase:2,pass,nolog,ctl:ruleRemoveById=200004"
Add this exclusion only after you have actually seen 200004 in the log, because it also relaxes a check that protects the multipart parser.
Restart Apache:
sudo systemctl restart apache2
Step 2: Handling Language-Specific False Positives
Some actions by users on Tiki sites may trigger alerts or blocking due to ModSecurity's filtering rules. For example, words with multiple accented characters in a single word, like "Měšťáček" (Czech), can be flagged as suspicious.
To stop such cases from producing an error page (a 403 with the CRS default action; whatever status your SecDefaultAction sets otherwise) or from blocking the save:
Review the logs for blocked requests. The one-line summaries in Apache's error log carry the rule id, the message and the URL; the audit log holds the full request:
sudo tail -f /var/log/apache2/error.log
sudo tail -f /var/log/apache2/modsec_audit.log
Identify the specific rule blocking the request (the `[id "..."]` field; ignore the 949110 blocking-evaluation entry, which only reports that the total score was exceeded).
Create an exception rule in `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`. Rule 942100 is the CRS libinjection SQL-injection check; the rule below removes it for the wiki editor only:
SecRule REQUEST_URI "@beginsWith /tiki-editpage.php" "id:1000022,phase:2,pass,nolog,ctl:ruleRemoveById=942100"
If the log's `[data "..."]` field shows which parameter matched, prefer `ctl:ruleRemoveTargetById=942100;ARGS:<parameter>` so the check still applies to every other parameter of that page.
Restart Apache:
sudo systemctl restart apache2
This keeps legitimate content written in different languages from being blocked while leaving the rest of the rule set active on that page.
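The triage loop above (find the rule id and the URL in the log, then write a per-URL exclusion) as a script, added here as an example; it is not part of the Tiki documentation or the CRS project. The error-log lines are constructed for the example and shortened, the `[id "..."] ... [uri "..."]` layout is what ModSecurity 2.9 writes to Apache's error log, and the starting rule id is a parameter you choose from your own free range.

```bash
#!/usr/bin/env bash
# Added example: summarise which CRS rules fire on which Tiki URLs in Apache's
# error.log and draft one exclusion per (URL, rule) pair for review.
# Not part of Tiki or CRS; the log lines below are constructed and shortened.

SAMPLE_ERROR_LOG='[Mon Mar 10 10:00:01.000000 2025] [security2:error] [pid 1001] [client 203.0.113.5:51234] ModSecurity: Warning. detected SQLi using libinjection [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "wiki.example.org"] [uri "/tiki-editpage.php"] [unique_id "a1"]
[Mon Mar 10 10:00:01.000100 2025] [security2:error] [pid 1001] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "wiki.example.org"] [uri "/tiki-editpage.php"] [unique_id "a1"]
[Mon Mar 10 10:02:30.000000 2025] [security2:error] [pid 1002] [client 203.0.113.9:40000] ModSecurity: Warning. detected SQLi using libinjection [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "wiki.example.org"] [uri "/tiki-editpage.php"] [unique_id "a2"]
[Mon Mar 10 10:05:00.000000 2025] [security2:error] [pid 1003] [client 203.0.113.7:40100] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "wiki.example.org"] [uri "/tiki-index.php"] [unique_id "a3"]
[Mon Mar 10 10:06:00.000000 2025] [core:error] [pid 1004] [client 203.0.113.8:40200] AH00135: Invalid method in request'

# modsec_hits FILE: print "count id uri", most frequent first. The CRS
# evaluation/correlation rules (949xxx, 980xxx) only report the total score,
# so they are never the rule to exclude and are dropped here.
modsec_hits() {
  sed -nE 's/.*ModSecurity: .*\[id "([0-9]+)"\].*\[uri "([^"]*)"\].*/\1 \2/p' "$1" \
    | grep -vE '^(949|980)[0-9]{3} ' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2, $3 }'
}

# draft_exclusions FILE START_ID: one exclusion per (uri, rule) pair, with ids
# allocated sequentially from START_ID (assumed to be free in your config).
# phase:1 so the removal is in place before any CRS rule of any phase runs.
# Review every line before deploying it: a hit may have been a real attack.
draft_exclusions() {
  local next="$2"
  modsec_hits "$1" | while read -r count id uri; do
    printf '# %s hit(s) of rule %s on %s\n' "$count" "$id" "$uri"
    printf 'SecRule REQUEST_URI "@beginsWith %s" "id:%s,phase:1,pass,nolog,ctl:ruleRemoveById=%s"\n' \
      "$uri" "$next" "$id"
    next=$((next + 1))
  done
}

# Stand-alone demo over the constructed log.
log=$(mktemp)
printf '%s\n' "$SAMPLE_ERROR_LOG" > "$log"
echo "count rule uri"
modsec_hits "$log"
echo
draft_exclusions "$log" 1000100
```

On a real server run it as `modsec_hits /var/log/apache2/error.log` and pass a start id above the ones you already use. Drop the drafted lines that correspond to genuine attack traffic, and where the `[data "..."]` field names a single parameter, narrow the surviving lines to `ctl:ruleRemoveTargetById` as described above.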
5. Blocking Bots with ModSecurity
Bots can overload your server, scrape content, or scan for vulnerabilities. Blocking known bad bots protects performance and security.
Identifying Bots in Logs
{CODE}
grep -oiP '\w+(bot|spider|crawler)' /PATH_TO_YOUR_VHOST/logs/access_log | sort | uniq -c | sort -nr
{CODE}
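The same search over constructed access-log lines, extended to report which crawler names bad_bots.txt does not cover yet, using the case-insensitive substring match that `@pmFromFile` applies. This is an added example, not part of the Tiki documentation; the log format is Apache "combined" and every address and user agent in it is made up.

```bash
#!/usr/bin/env bash
# Added example: list crawler names seen in an Apache access log and report
# the ones no entry of bad_bots.txt would match. Not part of Tiki; data constructed.

# Constructed "combined"-format log lines (not real traffic).
SAMPLE_ACCESS_LOG='203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"
203.0.113.6 - - [10/Mar/2025:10:00:02 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /tiki-editpage.php?page=HomePage HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (compatible; ExampleNewBot/1.0)"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; ExampleNewBot/1.0)"
203.0.113.8 - - [10/Mar/2025:10:00:05 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
203.0.113.9 - - [10/Mar/2025:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
203.0.113.10 - - [10/Mar/2025:10:00:07 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"'

# A shortened copy of the bad_bots.txt shown on this page.
BAD_BOTS='spider
crawl
slurp
AhrefsBot
SemrushBot'

# crawler_ua_counts LOGFILE: "count name" for every bot/spider/crawler-like
# token in the User-Agent field, most frequent first. The "+http://..." URL
# many crawlers append is stripped first so that "robot"/"bot.html" in it
# does not count as a separate name.
crawler_ua_counts() {
  awk -F'"' '{ ua = $(NF-1); sub(/\+https?:\/\/[^)]*/, "", ua); print ua }' "$1" \
    | grep -oiE '[A-Za-z0-9_-]*(bot|spider|crawler)[A-Za-z0-9_-]*' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# uncovered_crawlers LOGFILE LISTFILE: the names above that no entry of the
# list matches as a case-insensitive substring (the @pmFromFile semantics).
# The list file must end with a newline, as bad_bots.txt normally does.
uncovered_crawlers() {
  local log="$1" list="$2"
  crawler_ua_counts "$log" | while read -r count name; do
    lc_name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
    matched=0
    while read -r entry; do
      [ -n "$entry" ] || continue
      lc_entry=$(printf '%s' "$entry" | tr '[:upper:]' '[:lower:]')
      case "$lc_name" in *"$lc_entry"*) matched=1; break ;; esac
    done < "$list"
    if [ "$matched" -eq 0 ]; then printf '%s %s\n' "$count" "$name"; fi
  done
}

# Stand-alone demo over the constructed data.
log=$(mktemp); printf '%s\n' "$SAMPLE_ACCESS_LOG" > "$log"
list=$(mktemp); printf '%s\n' "$BAD_BOTS" > "$list"
echo "crawler names seen:"
crawler_ua_counts "$log"
echo "not covered by bad_bots.txt (decide per name: block it, or put it on the allow-list):"
uncovered_crawlers "$log" "$list"
```

In the sample, Baiduspider is reported as covered because the generic entry "spider" matches it, while Googlebot shows up as uncovered: the script cannot tell a new scraper from a search engine you want, so its output is a worklist, not a list to paste into bad_bots.txt.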
Adding Rules to Block Bots
Instead of one rule per bot, use a list. `@pmFromFile` matches each entry as a case-insensitive substring of the User-Agent, so generic entries such as spider and crawl also catch crawlers you have not listed by name, including legitimate ones; the allow-list further down exists for that reason.
Create /etc/modsecurity/bad_bots.txt with one entry per line:
{CODE}
spider
crawl
slurp
AliyunSecBot
AhrefsBot
SemrushBot
MJ12bot
DotBot
Bytespider
Amazonbot
PetalBot
Scrapy
{CODE}
Add the rule:
{CODE}
sudo nano /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
{CODE}
{CODE}
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/bad_bots.txt" \
"id:1000025,phase:1,log,deny,status:403,msg:'Blocked known bad bots from file'"
{CODE}
Allowing Legitimate Crawlers:
Use this in place of the rule above, not alongside it: a rule id may be defined only once, and `chain` belongs in the first rule's action list. The request is denied only when both rules match, that is, when the User-Agent contains an entry from the bad-bot list and does not name one of the allowed crawlers.
{CODE}
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/bad_bots.txt" \
    "id:1000025,phase:1,log,deny,status:403,msg:'Blocked bad bots',chain"
    SecRule REQUEST_HEADERS:User-Agent "!@pm Googlebot bingbot DuckDuckBot Applebot"
{CODE}
The User-Agent header is set by the client, so a scraper can simply claim to be Googlebot. If the allow-list matters, verify the major search engines' crawlers by reverse DNS or against the IP ranges they publish, or limit the allow-list to requests from those addresses.
Blocking Bots by IP Address
Replace the addresses with the ones you see in the logs (192.0.2.0/24 and 198.51.100.0/24 are reserved documentation ranges used here as placeholders); CIDR notation is accepted, and for longer lists `@ipMatchFromFile` reads one address or range per line from a file. If Apache sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address unless mod_remoteip is configured, and this rule would block the proxy instead of the bot.
{CODE}
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10,198.51.100.0/24" \
"id:1000026,phase:1,log,deny,status:403,msg:'Blocked bot IP addresses'"
{CODE}
6. Testing & Troubleshooting
Testing with CURL
Request the site with a blocked and with a normal User-Agent and compare the status codes. With SecRuleEngine On the first request should return 403 and the second 200; in DetectionOnly both return 200 and only the log shows the match:
{CODE}
curl -s -o /dev/null -w '%{http_code}\n' -A "AhrefsBot" https://yourdomain.com
curl -s -o /dev/null -w '%{http_code}\n' https://yourdomain.com
{CODE}
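Three of the settings on this page fail quietly when they are wrong: SecRuleEngine left in DetectionOnly blocks nothing, anomaly thresholds raised into the thousands can never be reached, and a rule id used twice (as happens if the plain and the chained bad-bot rule are both kept) makes Apache refuse to start. The following lint, added here as an example and not part of Tiki, ModSecurity or the CRS, checks for all three over the files you pass it. The 20-point limit, the sample configuration snippets and the assumption that rule ids are written unquoted as `id:NNN` are the example's own.

```bash
#!/usr/bin/env bash
# Added example: lint the ModSecurity settings this page edits.
# Not part of Tiki, ModSecurity or CRS; limits and sample files are assumptions.

# rule_engine_mode FILE: effective SecRuleEngine value (last uncommented one wins).
rule_engine_mode() {
  awk '$1 == "SecRuleEngine" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# anomaly_thresholds FILE: "inbound outbound". The CRS defaults are 5 and 4 and
# apply when crs-setup.conf leaves the id:900110 SecAction commented out.
anomaly_thresholds() {
  local f="$1" in out
  in=$(grep -v '^[[:space:]]*#' "$f" | grep -oE 'tx\.inbound_anomaly_score_threshold=[0-9]+' | tail -n 1 | cut -d= -f2)
  out=$(grep -v '^[[:space:]]*#' "$f" | grep -oE 'tx\.outbound_anomaly_score_threshold=[0-9]+' | tail -n 1 | cut -d= -f2)
  printf '%s %s\n' "${in:-5}" "${out:-4}"
}

# duplicate_ids FILE...: rule ids that occur more than once across the files,
# space separated. Assumes the usual unquoted id:NNN action syntax.
duplicate_ids() {
  grep -ohE 'id:[0-9]+' "$@" | sort | uniq -d | sed 's/^id://' | tr '\n' ' ' | sed 's/ $//'
}

# lint_modsec MODSEC_CONF CRS_SETUP RULEFILE...: one WARN line per problem;
# the return value is the number of problems, so 0 means clean.
lint_modsec() {
  local modsec_conf="$1" crs_setup="$2"; shift 2
  local problems=0 engine thr in out dupes
  engine=$(rule_engine_mode "$modsec_conf")
  if [ "$engine" != "On" ]; then
    echo "WARN: SecRuleEngine is '$engine'; nothing is blocked until it is On"
    problems=$((problems + 1))
  fi
  thr=$(anomaly_thresholds "$crs_setup"); in=${thr%% *}; out=${thr##* }
  # 20 is an assumed sanity limit: a critical CRS match scores 5 points, so a
  # threshold in the thousands cannot be reached by any real request.
  if [ "$in" -gt 20 ] || [ "$out" -gt 20 ]; then
    echo "WARN: anomaly thresholds $in/$out are so high that blocking is effectively off"
    problems=$((problems + 1))
  fi
  dupes=$(duplicate_ids "$@")
  if [ -n "$dupes" ]; then
    echo "WARN: rule id(s) defined more than once, Apache will refuse to start: $dupes"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed inputs (not real files) reproducing the mistakes the lint catches.
WEAK_MODSEC_CONF='SecRuleEngine DetectionOnly
SecRequestBodyAccess On'
WEAK_CRS_SETUP='SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=10000,setvar:tx.outbound_anomaly_score_threshold=10000"'
DUP_RULES='SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/bad_bots.txt" "id:1000025,phase:1,log,deny,status:403"
SecRule REMOTE_ADDR "@ipMatch 192.0.2.10" "id:1000025,phase:1,log,deny,status:403"'
GOOD_MODSEC_CONF='SecRuleEngine On'
GOOD_CRS_SETUP='# id:900110 left commented out, so the CRS defaults (5/4) apply'
GOOD_RULES='SecRule REQUEST_FILENAME "\.(css|js)$" "id:1000017,phase:1,pass,nolog,ctl:ruleEngine=Off"'

# write_tmp TEXT: store TEXT (newline terminated) in a temp file, print its path.
write_tmp() {
  local f
  f=$(mktemp)
  printf '%s\n' "$1" > "$f"
  printf '%s\n' "$f"
}

# Stand-alone demo: the weak set yields three warnings, the good set none.
if lint_modsec "$(write_tmp "$WEAK_MODSEC_CONF")" "$(write_tmp "$WEAK_CRS_SETUP")" "$(write_tmp "$DUP_RULES")"; then
  echo "weak config: clean (unexpected)"
else
  echo "weak config: $? problem(s)"
fi
if lint_modsec "$(write_tmp "$GOOD_MODSEC_CONF")" "$(write_tmp "$GOOD_CRS_SETUP")" "$(write_tmp "$GOOD_RULES")"; then
  echo "good config: clean"
fi
```

On a server you would call it as `lint_modsec /etc/modsecurity/modsecurity.conf /etc/modsecurity/crs/crs-setup.conf /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` plus any other file that holds your own rules; it complements rather than replaces `apachectl configtest`, which catches syntax errors and duplicate ids but says nothing about an engine that is silently not enforcing.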
Reviewing Logs
The error log shows one line per matched rule with its id, message and URL; the audit log records the full request and response headers of every logged transaction:
sudo tail -f /var/log/apache2/error.log
sudo tail -f /var/log/apache2/modsec_audit.log
7. Final Checks & Maintenance
- Monitor logs weekly
- Update bad_bots.txt with newly detected bots (a short generic entry blocks every User-Agent that contains it, so check what else it matches first)
- Review CRS updates (OWASP CRS releases regularly; rule ids referenced in your exclusions may need revisiting after an upgrade)
- Back up your configuration before changes, and run `sudo apachectl configtest` before every restart
Conclusion
This guide helps secure Tiki with ModSecurity, prevent false positives, and block malicious bots. Regularly monitor logs and adjust exclusion rules for usability.
Security Admin
Advanced Settings
- http://www.modsecurity.org
- http://es.wikipedia.org/wiki/Mod_Security
- http://sourceforge.net/projects/mod-security/