Sometimes you just need something quick and easy that isn’t cutting edge. OVH Canada, while a decent hosting platform, has a weird quirk with their Virtual Private Servers (VPS): the firewall you can enable for a VPS does not block bad actors who are coming at your site from OVH’s own equipment. It’s very weird, and I used to report IP addresses that were particularly malicious.
So, if you’re managing a Windows server and need something tough to filter incoming IIS requests, look no further than ModSecurity. The unfortunate thing is that IIS support ended with version 2.9.7, which was released on Jan 4, 2023.
But, still, until we can remediate with a better solution, this will have to do. You can download the Windows MSI installer from here:
https://github.com/owasp-modsecurity/ModSecurity/releases/tag/v2.9.7
This is the IIS troubleshooting page which also includes basically the more manual steps to installing ModSecurity: https://github.com/owasp-modsecurity/ModSecurity/wiki/iis-troubleshooting
The installer does not come with the OWASP rules, so you need to install them separately after you install ModSecurity.
Installing the correct rule set
Since we’re using the v2.x engine (v3, libModSecurity, is the current one), pick a CRS release whose release notes list ModSecurity 2.9.x as a supported engine. I’m going with Core Rule Set (CRS) 3.2.x (at the time of writing the project is on version 4.x). Check the compatibility note on the release page rather than assuming a newer CRS won’t load on 2.9.7: the requirement is on the engine version, not on the CRS major version number.
- Project: https://owasp.org/www-project-modsecurity-core-rule-set
- Download instructions: https://coreruleset.org/docs/1-getting-started/1-1-crs-installation/
- Link to CRS 3.2.3: https://github.com/coreruleset/coreruleset/releases/tag/v3.2.3
- The .asc files are detached PGP signatures for the release archives, not the rules themselves; download the source code (zip) and, if you have gpg, verify it with `gpg --verify <archive>.asc <archive>` before unpacking
- “Extended Instructions” for IIS: https://coreruleset.org/docs/1-getting-started/1-2-extended_install/
How far I took this
I got as far as installing this locally, seeing the module in IIS Manager and looking through the default C:\Program Files\ModSecurity IIS\modsecurity.conf file.
Next steps
Create a test plan
Before I can add additional OWASP rules, I need to test the base functionality and make sure it doesn’t break any functions of my app. Fortunately, the shipped modsecurity.conf sets `SecRuleEngine DetectionOnly`, so rule matches are only logged, never blocked. Note that they are not written to the IIS request logs: look in the audit log configured by `SecAuditLog` in modsecurity.conf, and the IIS module also reports its error-level messages to the Windows Application event log.
Add CRS rules to import
modsecurity_iis.conf is the file the IIS module loads; it is a chain of `Include` directives (ModSecurity has no IMPORT directive), so adding the CRS is a matter of including crs-setup.conf and the rules directory from there.
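As an added example (not the file the installer ships), this is what the include chain in modsecurity_iis.conf can look like once the CRS archive has been unpacked next to it. The sub-folder name owasp_crs and the relative paths are assumptions made for the example:

```apache
# Added example: an include chain for modsecurity_iis.conf after the CRS
# archive has been unpacked into a sub-folder named owasp_crs (that name and
# the relative paths are assumptions, not what the installer ships).

# Engine configuration: SecRuleEngine, body handling, audit log location.
Include modsecurity.conf

# CRS settings (paranoia level, anomaly thresholds, default action).
# Copy crs-setup.conf.example from the CRS archive to this name first.
Include owasp_crs\crs-setup.conf

# The rules. The wildcard loads them in name order, so the optional
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf lands first and
# RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf last, which is where the CRS
# docs want site-specific exclusions; copy them from their .example files.
Include owasp_crs\rules\*.conf

# Leave the engine in DetectionOnly (the shipped modsecurity.conf default)
# while working through the test plan. A later SecRuleEngine directive
# overrides an earlier one, so flipping to blocking is a one-line change
# here rather than an edit to modsecurity.conf:
# SecRuleEngine On
```

Keeping the switch to `On` in this file, rather than in modsecurity.conf, means the engine file can stay untouched from the installer and the one line that changes behaviour between QA and production is easy to spot in a diff.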
Testing effectiveness
At some point I’ll have to test the application to see if it breaks anywhere unexpectedly, and since I have no automated integration tests for this application, I’ll have to do this manually.
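The manual app walkthrough covers false positives; the other half of the test plan is confirming the rules fire at all. The PowerShell below is an added example (not from the original post or the ModSecurity project) that sends a few constructed known-bad requests at the local site and then pulls the ModSecurity entries logged since the run started. It assumes the site answers on http://localhost/, that the IIS module logs to the Windows Application event log under the provider name "ModSecurity", and PowerShell 7+ for `-SkipHttpErrorCheck`:

```powershell
# Added example, not from the original post: send a handful of known-bad
# requests at a local IIS site fronted by ModSecurity and list what came
# back, then pull the ModSecurity entries logged since the run started.
#
# Assumptions (none of these are stated on the original page):
#   - the site answers on http://localhost/ (change $BaseUrl)
#   - the IIS module reports rule matches to the Windows Application event
#     log under the provider name "ModSecurity"
#   - PowerShell 7+, for Invoke-WebRequest -SkipHttpErrorCheck

$BaseUrl = 'http://localhost/'

# Constructed probe requests; each is a classic CRS trigger. With
# SecRuleEngine DetectionOnly they all get the app's normal status code
# (the rules only log); with SecRuleEngine On the CRS default action
# returns 403, so the same script doubles as the before/after check.
$Probes = @(
    @{ Name = 'SQLi in query string';  Query = @{ id = "1' OR '1'='1" } }
    @{ Name = 'XSS in query string';   Query = @{ q = '<script>alert(1)</script>' } }
    @{ Name = 'Path traversal';        Query = @{ file = '../../../../windows/win.ini' } }
    @{ Name = 'OS command injection';  Query = @{ cmd = ';cat /etc/passwd' } }
    @{ Name = 'Scanner user agent';    Query = @{}; UserAgent = 'Nikto/2.1.6' }
)

function Send-Probe {
    param([hashtable]$Probe)
    # Build a properly encoded query string so the request is well-formed
    # and what reaches the WAF is exactly the payload intended.
    $pairs = foreach ($k in $Probe.Query.Keys) {
        '{0}={1}' -f [uri]::EscapeDataString($k), [uri]::EscapeDataString($Probe.Query[$k])
    }
    $url = $BaseUrl
    if ($pairs) { $url += '?' + ($pairs -join '&') }

    $headers = @{}
    if ($Probe.UserAgent) { $headers['User-Agent'] = $Probe.UserAgent }

    try {
        $resp = Invoke-WebRequest -Uri $url -Headers $headers -SkipHttpErrorCheck
        $status = $resp.StatusCode
    } catch {
        # Connection-level failure (site down, TLS error), not a WAF verdict.
        $status = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Probe = $Probe.Name; Url = $url; Status = $status }
}

$Started = Get-Date
$Probes | ForEach-Object { Send-Probe $_ } | Format-Table -AutoSize

# Confirm the rules actually fired. Under DetectionOnly this is the only
# evidence you get, since every request above was allowed through.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'ModSecurity'
    StartTime    = $Started
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{
        Name       = 'Message'
        Expression = {
            $m = $_.Message -replace '\s+', ' '
            if ($m.Length -gt 200) { $m.Substring(0, 200) + '...' } else { $m }
        }
    } |
    Format-Table -Wrap
```

Run it once in DetectionOnly (expect the app's normal status codes plus event-log entries naming CRS rule IDs) and again after switching to `SecRuleEngine On` (expect 403s). If the event-log query comes back empty, check the provider name with `Get-WinEvent -ListProvider *modsec*` or read the file named by `SecAuditLog` in modsecurity.conf instead; the probes themselves are the constant, the log location is the assumption.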
Deploying to QA & Production
Bringing this configuration over to the public-facing sites is next, where we can be more rigorous and do some UAT.
Summary
Not loving that I have to implement an old WAF and rules that are now 3 years out of date. This is just a band-aid for an old solution. In an ideal world, I would be able to create a brand new headless frontend and backend for the application with minimal changes to the relational data structure and use a hosting provider that just deals with these kinds of intrusions.
