I've gone back to basics and installed using a standard ami on Amazon (ami-0ccc4a89319472344) and then copied the owasp files to /opt/bitnami/apache2/conf/crs using scp, then edited the file httpd.conf to:
include modsecurity.conf, crs/crs-setup.conf, crs/rules/*.conf
I now get an error related to unknown action "ver" (I think that may be because OWASP files need version 2.9 and above but the version included in the ami seems to be 2.6.7 as when I do:
grep -i modsecurity /opt/bitnami/apache2/logs/error_log
[Tue Nov 05 17:47:22.163835 2019] [:notice] [pid 708:tid 140464498657024] ModSecurity for Apache/2.6.7 configured.
even though when I do:
apt-cache show libapache2-mod-security2
I get: (and this implies 2.9.0)
Maintainer: Ubuntu Developers firstname.lastname@example.org
Original-Maintainer: Alberto Gonzalez Iniesta email@example.com
Replaces: libapache2-modsecurity (<< 2.7.7-1~)
Depends: libxml2 (>= 2.9.0), libapr1 (>= 1.2.7), libaprutil1 (>= 1.4.0), libc6 (>= 2.14), libcurl3-gnutls (>= 7.16.2), liblua5.1-0, libpcre3, libyajl2 (>= 2.0.4), apache2-api-20120211
Breaks: libapache2-modsecurity (<< 2.7.7-1~)
Description-en: Tighten web applications security for Apache
Modsecurity is an Apache module whose purpose is to tighten the Web
application security. Effectively, it is an intrusion detection and prevention
system for the web server.
At the moment its main features are:
* Audit log; store full request details in a separate file, including POST
* Request filtering; incoming requests can be analysed and offensive requests
can be rejected (or simply logged, if that is what you want). This feature
can be used to prevent many types of attacks (e.g. XSS attacks, SQL
injection, ...) and even allow you to run insecure applications on your
servers (if you have no other choice, of course).
Hope you can help as I'm making no progress and would prefer to have the WAF enabled before leaving the server up.
As an aside the SSL cert doesn't match the domain (as this is a test server) does that matter?