ModSecurity2 settings for Apache BZ 61551

1. <IfModule mod_security2.c>
2. # Basic configuration options
3. SecRuleEngine On
4. SecRequestBodyAccess On
5. SecResponseBodyAccess Off
6.  
7. # Debug log
8. SecDebugLog /var/log/httpd/modsec_debug.log
9. SecDebugLogLevel 0
10.  
11. # Serial audit log
12. SecAuditEngine RelevantOnly
13. SecAuditLogRelevantStatus "^(?:5|4(?!04))"
14. SecAuditLogParts ABIJDEFHZ
15. SecAuditLogType Serial
16. SecAuditLog /var/log/httpd/modsec_audit.log
17.  
18. # Maximum request body size we will
19. # accept for buffering
20. SecRequestBodyLimit 13107200
21.  
22. # Up to 1MB for non-file requests and in-memory
23. SecRequestBodyNoFilesLimit 1048576
24. SecRequestBodyInMemoryLimit 1048576
25.  
26. # Misc folders
27. SecTmpDir /var/lib/mod_security2
28. SecDataDir /var/lib/mod_security2
29.  
30. # ModSecurity Core Rules Set and Local configuration
31. IncludeOptional modsecurity.d/*.conf
32. IncludeOptional modsecurity.d/activated_rules/*.conf
33. IncludeOptional modsecurity.d/local_rules/*.conf
34.  
35. # Disable Status engine
36. SecStatusEngine Off
37.  
38. # SlowLoris protection
39. # https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-Advanced-Topic-of-the-Week--Mitigation-of--Slow-Read--Denial-of-Service-Attack/
40. SecRule RESPONSE_STATUS "@Streq 408" "phase:5,t:none,log,msg:'Counter +1',pass,setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60,id:'10'"
41. SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,deny,msg:'Client Connection Dropped due to high number of slow DoS alerts',id:'11'"
42. SecDefaultAction "phase:1,pause:3000,drop,nolog,auditlog"
43.  
44. # Slow Read protection
45. SecConnEngine On
46. SecConnWriteStateLimit 50
47. SecConnReadStateLimit 50
48. </IfModule>