#!/bin/sh
# Instructions on how to use this script:
# chmod +x SCRIPTNAME.sh
# sudo ./SCRIPTNAME.sh
#
# SCRIPT: modsecurity3-wordpress.sh
# AUTHOR: ALBERT VALBUENA
# DATE: 05-04-2021
# SET FOR: Production
# (For Alpha, Beta, Dev, Test and Production)
#
# PLATFORM: FreeBSD 12/13
#
# PURPOSE: This script installs ModSecurity 3 configured for WordPress on a FAMP stack
#
# REV LIST:
# DATE: 12-12-2021
# BY: ALBERT VALBUENA
# MODIFICATION: 12-12-2021
#
#
# set -n # Uncomment to check your syntax, without execution.
# # NOTE: Do not forget to put the comment back in or
# # the shell script will not execute!
##########################################################
################ BEGINNING OF MAIN #######################
##########################################################
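# Install ModSecurity 3 with the OWASP Core Rule Set (CRS) on a FreeBSD FAMP
# host and enable the CRS WordPress exclusions.
#
# Optional environment variables:
#   WP_DOMAIN  Host header value of the WordPress site
#              (default: blog.yourdomain.com -- ADJUST THIS FOR YOUR DOMAIN!)
#   CRS_REF    Branch or tag of coreruleset to check out. When unset the
#              repository's default branch is cloned, as before.
#
# The script edits system configuration and restarts Apache, so it stops on the
# first failing command and every step is safe to run a second time.
set -eu

MODSEC_DIR=/usr/local/etc/modsecurity
CRS_DIR="${MODSEC_DIR}/coreruleset"
APACHE_DIR=/usr/local/etc/apache24
RULES_FILE="${APACHE_DIR}/modsecurity-rules.conf"
EXCL_BEFORE="${CRS_DIR}/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
EXCL_AFTER="${CRS_DIR}/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
WP_DOMAIN="${WP_DOMAIN:-blog.yourdomain.com}"

if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root." >&2
  exit 1
fi

# The domain is written verbatim into a quoted SecRule operator; restrict it to
# hostname characters so it cannot break out of the quotes or corrupt the rule.
case "$WP_DOMAIN" in
  '' | *[!A-Za-z0-9.-]*)
    echo "Invalid WP_DOMAIN: ${WP_DOMAIN}" >&2
    exit 1
    ;;
esac

# append_once PATTERN FILE
# Append stdin to FILE unless a line matching PATTERN (basic regex) is already
# present. Appending the same block twice would duplicate rule ids, and
# ModSecurity refuses to load a rule set with duplicate ids.
append_once() {
  if [ -f "$2" ] && grep -q -- "$1" "$2"; then
    cat >/dev/null
    return 0
  fi
  cat >>"$2"
}

# Change the default pkg repository from quarterly to latest.
# FreeBSD sed takes the backup suffix as the argument of -i: the previous
# "-ip" and "-i -e" spellings left stray "FreeBSD.confp" / "modsecurity.conf-e"
# files behind. An explicit ".bak" suffix keeps one clearly named backup.
if grep -q 'quarterly' /etc/pkg/FreeBSD.conf; then
  sed -i '.bak' -e 's/quarterly/latest/g' /etc/pkg/FreeBSD.conf
fi

# Update packages (it will first download the pkg repo from latest)
# secondly it will upgrade any installed packages.
pkg upgrade -y

# Install ModSecurity 3 for Apache HTTP
pkg install -y modsecurity3-apache

# Download the OWASP ModSecurity Core Rule Set.
# NOTE(review): without CRS_REF this tracks whatever the upstream default branch
# holds on the day of installation. For production, set CRS_REF to a release tag
# you have reviewed so the deployed rules are reproducible.
pkg install -y git
if [ ! -d "${CRS_DIR}/.git" ]; then
  if [ -n "${CRS_REF:-}" ]; then
    git clone --branch "$CRS_REF" https://github.com/coreruleset/coreruleset "$CRS_DIR"
  else
    git clone https://github.com/coreruleset/coreruleset "$CRS_DIR"
  fi
fi

# Keep an existing crs-setup.conf: it may already carry local tuning.
if [ ! -f "${CRS_DIR}/crs-setup.conf" ]; then
  cp "${CRS_DIR}/crs-setup.conf.example" "${CRS_DIR}/crs-setup.conf"
fi

# Switch the engine from DetectionOnly to blocking mode.
# NOTE(review): this starts blocking with untuned rules; watch the audit log for
# false positives right after rollout.
if grep -q 'SecRuleEngine DetectionOnly' "${MODSEC_DIR}/modsecurity.conf"; then
  sed -i '.bak' -e 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' "${MODSEC_DIR}/modsecurity.conf"
fi

# Set the configuration files for ModSecurity 3 to work
touch "$RULES_FILE"
append_once "^Include ${MODSEC_DIR}/modsecurity.conf" "$RULES_FILE" <<EOF

Include ${MODSEC_DIR}/modsecurity.conf
Include ${CRS_DIR}/crs-setup.conf
Include ${CRS_DIR}/rules/*.conf

EOF

# Enable the ModSecurity 3 module
append_once '^modsecurity_rules_file ' "${APACHE_DIR}/httpd.conf" <<EOF

modsecurity on
modsecurity_rules_file ${RULES_FILE}

EOF

# Rename 2 config files (skipped once they have been renamed by an earlier run)
if [ -f "${EXCL_BEFORE}.example" ]; then
  mv "${EXCL_BEFORE}.example" "$EXCL_BEFORE"
fi
if [ -f "${EXCL_AFTER}.example" ]; then
  mv "${EXCL_AFTER}.example" "$EXCL_AFTER"
fi

# Add the exclusion setting for WordPress.
# The pattern is anchored at line start so the commented-out sample of the same
# id shipped in crs-setup.conf.example does not count as "already present".
# NOTE(review): this SecAction has no host condition, so the relaxed WordPress
# rules apply to every site served by this Apache instance, not only the blog.
# NOTE(review): newer CRS major releases are reported to ship application
# exclusions as plugins instead; confirm tx.crs_exclusions_wordpress is still
# honoured by the CRS revision you deploy.
append_once '^"id:900130,' "${CRS_DIR}/crs-setup.conf" <<'EOF'

SecAction \
"id:900130,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.crs_exclusions_wordpress=1"

EOF

# Enable the WordPress exclusions for requests to your domain.
append_once '^SecRule .*"id:1000,' "$EXCL_BEFORE" <<EOF

SecRule REQUEST_HEADERS:Host "@streq ${WP_DOMAIN}" "id:1000,phase:1,setvar:tx.crs_exclusions_wordpress=1"

EOF

# Validate the configuration first: under "set -e" a failed configtest stops the
# script, so a rule-loading error does not take the running server down.
apachectl configtest
# Restart Apache HTTP
apachectl restart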
## References:
## https://github.com/SpiderLabs/owasp-modsecurity-crs
## https://raw.githubusercontent.com/coreruleset/coreruleset/v3.2/dev/INSTALL