
Apache as a reverse proxy for Exchange Server (Part 2)

In the first part of the article, Apache was installed and configured as a reverse proxy for Exchange Server. This article deals with the installation and configuration of ModSecurity as a web application firewall for Exchange 2019. ModSecurity is an open source web application firewall that, with an appropriate set of rules, can protect Exchange from common attacks.

Installation of ModSecurity and OWASP ModSecurity Core Rule Set

First, the Apache module ModSecurity is installed and activated:

apt-get install libapache2-mod-security2
a2enmod security2
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
systemctl restart apache2

Now the OWASP ModSecurity Core Rule Set can be downloaded and integrated into the configuration:

cd /tmp
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.tar.gz
tar xvf v3.3.2.tar.gz
mkdir /etc/apache2/modsecurity-crs/
mv coreruleset-3.3.2/ /etc/apache2/modsecurity-crs/
cd /etc/apache2/modsecurity-crs/coreruleset-3.3.2/
mv crs-setup.conf.example crs-setup.conf

In the file "/etc/apache2/mods-enabled/security2.conf", the line "IncludeOptional /usr/share/modsecurity-crs/*.load" must now be commented out and replaced by the following two lines:

IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.2/crs-setup.conf
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/*.conf

To activate ModSecurity, the Apache configuration can now be checked once and then restarted:

apache2ctl -t
systemctl restart apache2

Adaptation of the OWASP rules for Exchange 2019

To adapt the rules for Exchange, the file "/etc/apache2/sites-available/001-exchange-proxy.conf" is edited. For MapiOverHTTP, for example, the following 3 rules produce false positives:

These 3 rules can be deactivated in the "MAPIoverHTTP" section as follows:

        <LocationMatch "/mapi/*">
          SecRuleRemoveById 920420 949110 980120
        </LocationMatch>

For EWS, a few more rules must be switched off, namely the following:

The following block is therefore inserted in the "EWS" section:

        <LocationMatch "/EWS/Exchange.asmx">
          SecRuleRemoveById 921130 941100 941130 941140 941160 941180 941190 941250 941260 949110 980130
        </LocationMatch>

As can be seen, "LocationMatch" is used to specify the URI and "SecRuleRemoveById" is used to specify the rules that are to be deactivated.

The log file "/var/log/apache2/exchange_443_error.log" provides information on which rules can cause problems. As ModSecurity is set to "DetectOnly" by default, i.e. it only logs but does not block anything, you can take your time to see which rules are problematic. The log can be tracked live with the following command, for example:

tail -f /var/log/apache2/exchange_443_error.log

Before ModSecurity can be set to blocking mode, as many functions as possible must be tested: try out as many functions as possible in Outlook, click through as much of OWA as possible, and test any programs and tools that access Exchange interfaces such as EWS.

If you look at the log with "tail", you will probably be quickly overwhelmed by the mass of entries, so the following command lists only the essential information about the rules that were logged:

grep ModSecurity /var/log/apache2/exchange_443_error.log | grep "\[id" | sed -E -e 's#^.*\[id "([0-9]*).*hostname "([a-z0-9\-\_\.]*)"].*uri "(.*?)".*"#\1 \2 \3#' | cut -d\" -f1 | sort -n | uniq -c | sort -n

The command can be used to identify which rules have been applied to which URIs. The screenshot shows the rules for OWA, for example. I always tested one protocol/program after the other, first Outlook, then Autodiscover, then EWS, and finally OWA.
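As an added example (not part of the original post), a small Python script that does the same aggregation as the pipeline above over a few constructed log lines and turns the per-URI results into candidate exclusion blocks. The sample entries, hostname and client addresses are made up, and the URI prefixes are assumptions based on the Exchange paths used in this article.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries in the format ModSecurity 2.x writes to the Apache
# error log; host, client addresses and rule hits are made up for this example.
SAMPLE_LOG = """\
[Tue Mar 01 10:00:01.000000 2022] [:error] [pid 1201] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Warning. Match of "rx ^0$" against "REQUEST_HEADERS:Content-Length" required. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "1"] [id "920420"] [msg "Request content type is not allowed by policy"] [severity "CRITICAL"] [hostname "mail.example.com"] [uri "/mapi/emsmdb/"] [unique_id "r1"]
[Tue Mar 01 10:00:01.000000 2022] [:error] [pid 1201] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "mail.example.com"] [uri "/mapi/emsmdb/"] [unique_id "r1"]
[Tue Mar 01 10:01:00.000000 2022] [:error] [pid 1203] [client 192.0.2.12:51400] [client 192.0.2.12] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "1"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [hostname "mail.example.com"] [uri "/EWS/Exchange.asmx"] [unique_id "r3"]
[Tue Mar 01 10:02:00.000000 2022] [:error] [pid 1203] [client 192.0.2.12:51400] [client 192.0.2.12] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "1"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "mail.example.com"] [uri "/owa/"] [unique_id "r4"]
"""

# ModSecurity 2.x writes the tags in this order: [id ...] ... [hostname ...] ... [uri ...]
HIT_RE = re.compile(
    r'ModSecurity: .*?\[id "(?P<id>\d+)"\].*?\[hostname "(?P<host>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)

def parse_hits(log_text):
    """Return (rule_id, hostname, uri) for each rule hit; lines without an id tag are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if m:
            hits.append((m["id"], m["host"], m["uri"]))
    return hits

def count_hits(log_text):
    """Same result as the grep | sed | sort | uniq -c pipeline: hits per (id, host, uri)."""
    return Counter(parse_hits(log_text))

def rules_by_location(log_text, prefixes):
    """Group the rule IDs that fired under the first matching URI prefix (case-insensitive)."""
    grouped = defaultdict(set)
    for rule_id, _host, uri in parse_hits(log_text):
        prefix = next((p for p in prefixes if uri.lower().startswith(p.lower())), None)
        if prefix is not None:
            grouped[prefix].add(rule_id)
    return {p: sorted(ids) for p, ids in grouped.items()}

def location_block(prefix, rule_ids):
    """Render a candidate exclusion block in the form used in 001-exchange-proxy.conf."""
    return (f'<LocationMatch "{prefix}">\n'
            f'  SecRuleRemoveById {" ".join(rule_ids)}\n'
            '</LocationMatch>')

if __name__ == "__main__":
    for (rule_id, host, uri), n in sorted(count_hits(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{n:4d} {rule_id} {host} {uri}")
    for prefix, ids in rules_by_location(SAMPLE_LOG, ["/mapi/", "/EWS/", "/owa/"]).items():
        print(location_block(prefix, ids))
```

Treat the generated blocks as a list of candidates to review against the rule's message and the request that triggered it; every ID removed is a check Exchange no longer gets, so prefer the narrowest LocationMatch that covers the false positive.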

Since every Exchange installation is different and different programs and tools are in use, everyone has to identify the right rules for themselves. As already mentioned, ModSecurity initially runs in "DetectOnly" mode. Once all important functions have been tested (don't forget ActiveSync), ModSecurity can be switched to blocking mode. To do this, edit the file "/etc/modsecurity/modsecurity.conf" and set the value for "SecRuleEngine" to "On":

Then restart Apache again:

systemctl restart apache2

Finally, if you want to block known malicious IP addresses, Project Honeypot can be used. All you need is a free account with Project Honeypot and a corresponding API key:

The API key can be entered and the configuration activated in the file "/etc/apache2/modsecurity-crs/coreruleset-3.3.2/crs-setup.conf":

Finally, restart Apache and test again extensively.
