
History: ModSecurity

Source of version: 21

! ModSecurity Configuration for Tiki

! 1. Introduction
ModSecurity is a powerful, open-source web application firewall (WAF) module that enhances security by protecting __web applications, including Tiki sites, from a wide range of threats__ such as __SQL injection, cross-site scripting (XSS), and malicious bots attempting to scrape content or exploit vulnerabilities__. It operates based on predefined rules to filter and block potentially harmful requests. This guide provides a comprehensive walkthrough for setting up and configuring ModSecurity, ensuring __optimal security while preserving Tiki's usability and functionality__.


! 2. Installation
!! Step 1: Install ModSecurity
__For Apache (Debian/Ubuntu)__
{CODE(colors=>lua)}
sudo apt update
sudo apt install libapache2-mod-security2
{CODE}

!! Step 2: Enable ModSecurity
Enable ModSecurity by copying the recommended configuration file:
{CODE(colors=>lua)}
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
{CODE}
Then, __edit the file__:
{CODE(colors=>lua)}
sudo nano /etc/modsecurity/modsecurity.conf
{CODE}
Find:
{CODE(caption=>apache)}
SecRuleEngine DetectionOnly
{CODE}
Change it to:
{CODE(caption=>apache)}
SecRuleEngine On
{CODE}
__Save and close the file.__

!! Step 3: Verify Installation
Check if ModSecurity is enabled:
{CODE(colors=>lua)}
sudo apachectl -M | grep security2
{CODE}
Expected output:
{CODE(colors=>lua)}
 security2_module (shared)
{CODE}
If the module is not loaded, restart Apache:
{CODE(colors=>lua)}
sudo systemctl restart apache2
{CODE}


! 3. Basic Configuration
!! Step 1: Enable the OWASP CRS Rules
Enable the __OWASP Core Rule Set (CRS)__:
{CODE(colors=>lua)}
sudo nano /etc/apache2/mods-enabled/security2.conf
{CODE}
Ensure this line is included:
{CODE(caption=>apache)}
IncludeOptional /usr/share/modsecurity-crs/*.conf
{CODE}
Restart Apache:
{CODE(colors=>lua)}
sudo systemctl restart apache2
{CODE}

!! Step 2: Adjust Anomaly Scoring
Modify anomaly scoring to __reduce false positives__:
{CODE(colors=>lua)}
sudo nano /etc/modsecurity/crs/crs-setup.conf
{CODE}
Change:
{CODE(caption=>apache)}
SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=10000"
SecAction "id:900120,phase:2,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=10000"
SecAction "id:900130,phase:1,nolog,pass,t:none,setvar:tx.outbound_anomaly_score_threshold=10000"
{CODE}
Restart Apache:
{CODE(colors=>lua)}
sudo systemctl restart apache2
{CODE}


! 4. Tiki-Specific Configuration

Tiki uses complex URLs, dynamic AJAX calls, and multiple languages. Without tailoring rules, ModSecurity might block legitimate Tiki features like editing wiki pages, uploading files, or using certain character sets.


!! Step 1: Handling False Positives
Exclude __static files__:

{CODE(colors=>lua)}
sudo nano /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
{CODE}

Add:

{CODE(caption=>apache)}
# REQUEST_FILENAME is the path without the query string, so cache-busting
# URLs such as /styles.css?v=27 still match the extension anchor.
SecRule REQUEST_FILENAME "@rx \.(?:jpe?g|gif|png|bmp|ico|css|js)$" "id:1000017,phase:1,pass,nolog,ctl:ruleEngine=Off"
{CODE}

Allow __file uploads in Tiki__:

{CODE(caption=>apache)}
# Rule 200004 (multipart boundary check) lives in modsecurity.conf, which is loaded before this
# file, so the removal must run in phase 1 to take effect before that phase-2 rule is evaluated.
SecRule REQUEST_URI "@beginsWith /tiki-upload_file.php" "id:1000021,phase:1,pass,nolog,ctl:ruleRemoveById=200004"
{CODE}

Restart Apache:

{CODE(colors=>lua)}
sudo systemctl restart apache2
{CODE}

!! Step 2: Handling Language-Specific False Positives
Some actions by users on Tiki sites may trigger alerts or blocking due to ModSecurity's filtering rules. For example, a word containing several accented characters, like __"Měšťáček"__ (Czech), can be flagged as suspicious.

To prevent such cases from causing a __500 error__ or blocking the page:

!!! 1. Review ModSecurity logs for blocked requests:
{CODE(colors=>lua)}
sudo tail -f /var/log/apache2/modsec_audit.log
{CODE}
!!! 2. Identify the specific rule blocking the request.
!!! 3. Create an exception rule in __REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf__:
{CODE(caption=>apache)}
SecRule REQUEST_URI "@beginsWith /tiki-editpage.php" "id:1000022,phase:2,pass,nolog,ctl:ruleRemoveById=942100"
{CODE}
!!! 4. Restart Apache:
{CODE(colors=>lua)}
sudo systemctl restart apache2
{CODE}

This ensures ModSecurity does not incorrectly block legitimate content written in different languages.

! 5. Blocking Bots with ModSecurity

Bots can overload your server, scrape content, or scan for vulnerabilities. Blocking known bad bots protects performance and security.

!! Identifying Bots in Logs

{CODE(colors=>lua)}
grep -oiP '\w+(bot|spider|crawler)' /PATH_TO_YOUR_VHOST/logs/access_log | sort | uniq -c | sort -nr
{CODE}

!! Adding Rules to Block Bots

Instead of one rule per bot, use a list.

Create __/etc/modsecurity/bad_bots.txt__:

Add: 
{CODE(colors=>lua)}
spider
crawl
slurp
AliyunSecBot
AhrefsBot
SemrushBot
MJ12bot
DotBot
Bytespider
Amazonbot
PetalBot
Scrapy
{CODE}

!!! Add the rule:

{CODE(colors=>lua)}
sudo nano /etc/modsecurity/crs/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
{CODE}

{CODE(caption=>apache)}
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/bad_bots.txt" \
  "id:1000025,phase:1,log,deny,status:403,msg:'Blocked known bad bots from file'"
{CODE}

!!! Allowing Legitimate Crawlers:

{CODE(caption=>apache)}
# Replaces the rule above (same id 1000025, so load only one of them). The chained rule
# only denies when the User-Agent matches the bad-bot list AND contains none of the allowed names.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/bad_bots.txt" \
  "id:1000025,phase:1,log,deny,status:403,msg:'Blocked bad bots',chain"
  SecRule REQUEST_HEADERS:User-Agent "!@pm Googlebot bingbot DuckDuckBot Applebot"
{CODE}

!!! Blocking Bots by IP Address

{CODE(caption=>apache)}
# Comma-separated list with no spaces; single addresses and CIDR ranges (e.g. 203.0.113.0/24) are accepted.
SecRule REMOTE_ADDR "@ipMatch IP1,IP2" \
  "id:1000026,phase:1,log,deny,status:403,msg:'Blocked bot IP addresses'"
{CODE}


! 6. Testing & Troubleshooting

!!! Testing with CURL

{CODE(colors=>lua)}
curl -s -o /dev/null -w '%{http_code}\n' -A "AhrefsBot" https://yourdomain.com
{CODE}

A blocked request prints __403__; repeat with a normal browser User-Agent to confirm that regular visitors still get __200__.

!!! Reviewing Logs

{CODE(colors=>lua)}
sudo tail -f /var/log/apache2/modsec_audit.log
{CODE}
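Added example (not from the Tiki documentation or the ModSecurity project) that automates the "identify the specific rule" step of section 4 and the log review above: it parses the serial-format audit log that modsecurity.conf-recommended writes to /var/log/apache2/modsec_audit.log, counts which rule ids fired on which Tiki script, and lists the transactions that were actually denied. The sample log text is constructed; the transaction ids are invented, and the 942100, 949110 (CRS blocking evaluation) and 200004 messages are illustrative.

```python
import re
from collections import Counter
# Constructed sample in ModSecurity's native (serial) audit-log format: one request denied, one only logged.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[25/Feb/2025:10:15:32 +0000] Z7fABCDEFGH 203.0.113.5 54321 192.0.2.10 443
--1a2b3c4d-B--
GET /tiki-editpage.php?page=M%C4%9B%C5%A1%C5%A5%C3%A1%C4%8Dek HTTP/1.1
--1a2b3c4d-H--
Message: Warning. detected SQLi using libinjection [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
--1a2b3c4d-Z--
--9e8f7a6b-A--
[25/Feb/2025:10:16:01 +0000] Z7fIJKLMNOP 198.51.100.7 40000 192.0.2.10 443
--9e8f7a6b-B--
POST /tiki-upload_file.php HTTP/1.1
--9e8f7a6b-H--
Message: Warning. Multipart parser detected a possible unmatched boundary. [id "200004"] [msg "Multipart parser detected a possible unmatched boundary."]
--9e8f7a6b-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")   # "--<txn id>-<section letter>--"
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_audit_log(text):
    """Group a serial audit log into {txn_id: {section_letter: [lines]}}."""
    txns, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:  # a boundary line starts a new section of a transaction
            txn_id, section = m.groups()
            current = txns.setdefault(txn_id, {}).setdefault(section, [])
        elif current is not None and line:
            current.append(line)
    return txns

def summarize_blocks(text):
    """Count (rule id, path) pairs that fired and list transactions that were actually denied."""
    hits, denied = Counter(), []
    for txn_id, sections in parse_audit_log(text).items():
        request_line = (sections.get("B") or [""])[0]      # "GET /path?query HTTP/1.1"
        # Drop the query string so one exclusion rule per Tiki script becomes visible.
        path = request_line.split(" ")[1].split("?")[0] if " " in request_line else "?"
        for msg in sections.get("H", []):                   # 'Message: ... [id "942100"] [msg "..."]'
            rid = RULE_ID.search(msg)
            if rid:
                hits[(rid.group(1), path)] += 1
            if msg.startswith("Message: Access denied"):
                denied.append((txn_id, path))
    return hits, denied
```

Run it over the real file with `summarize_blocks(open("/var/log/apache2/modsec_audit.log", errors="replace").read())`: the rule ids with the highest counts per script are the candidates for a targeted ctl:ruleRemoveById exclusion, and the denied list shows which of them actually produced a 403 rather than just a warning.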

! 7. Final Checks & Maintenance

* Monitor logs weekly
* Update __bad_bots.txt__ with newly detected bots
* Review CRS updates (OWASP CRS releases often)
* Backup your configuration before changes


! Conclusion
This guide helps secure Tiki with ModSecurity, prevent false positives, and block malicious bots. Regularly monitor logs and adjust exclusion rules for usability.



-=related pages=-
((Security Admin))
((Advanced Settings))

-=external links=-
* http://www.modsecurity.org
* http://es.wikipedia.org/wiki/Mod_Security 
* http://sourceforge.net/projects/mod-security/

-=aliases for this page=-
(alias(mod security)) | (alias(mod_security))

        

History

Information Version
Bruno Kambere 26
Bruno Kambere 25
Bruno Kambere 24
Bruno Kambere 23
Bruno Kambere 22
Bruno Kambere 21
Bruno Kambere update documentation with bots detection 20
Bruno Kambere Document a recipe for ModSecurity to interop with Tiki 19
Yves Kipondo [Rollback by kambereBr to version 16] 18
Bruno Kambere 17
Yves Kipondo 16
Marc Laporte 15
Marc Laporte 14
pianoliv +structure install guide 13
amette 12
Marc Laporte 11
Oliver Hertel 10
Oliver Hertel 9
Oliver Hertel 8
Oliver Hertel 7
Oliver Hertel 6
Oliver Hertel 5
Oliver Hertel 4
Xavier de Pedro 3
Xavier de Pedro 2
Xavier de Pedro stub started 1