Apache2 security defaults - increase/improve default security config #1986

@JedMeister

Description

This applies to LAMP/LAPP and all dependent apps.

We have some Apache security measures installed and enabled by default. See:

However, we could still improve on this. Additional measures do have potential false positive issues (e.g. initial issues with mod_evasive in v18.0), so we should be careful about what we enable by default and should document it regardless.

A couple of specific ideas are:

1. Enable additional/default mod_security2 config. I.e. something like this:

       cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

   From my reading this is low risk as the default/example config provided by Debian is set to detection only, thus minimizing the risk of negative impacts.

2. Consider installing modsecurity-crs - "OWASP ModSecurity Core Rule Set".

   This is potentially more risky as, while it does have some default rules which configure for specific apps, there is a risk that there may be false positives for specific apps not explicitly accounted for.

   Perhaps initially we could enable it for the software that has specific config and document it for others?
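The low-risk claim for idea 1 (and the false-positive concern for idea 2) both hinge on `SecRuleEngine` being `DetectionOnly`, since that mode logs matches without blocking requests and also governs any CRS rules loaded later. The following is an added shell example, not code from the issue or from TurnKey: it reads the effective `SecRuleEngine` value from a config file and only copies the recommended config into place when it is detection-only, then runs Apache's syntax check. It assumes Debian's paths (`/etc/modsecurity/modsecurity.conf-recommended` and `/etc/modsecurity/modsecurity.conf`) and that `apache2ctl` is available.

```shell
#!/bin/sh
# Added example (not part of the issue): verify a ModSecurity config is in
# DetectionOnly mode before installing it. Assumes Debian's default paths.

# Print the effective SecRuleEngine value from a config file.
# Comments are skipped; the last uncommented directive wins, which matches
# Apache's behaviour for a directive repeated in the same scope.
# Prints "unset" when no SecRuleEngine directive is present.
modsec_engine_mode() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == "secruleengine" { mode = $2 }    # remember last value
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Succeed (exit 0) only when the file logs matches but never blocks.
modsec_is_detection_only() {
    [ "$(modsec_engine_mode "$1")" = "DetectionOnly" ]
}

# Copy the recommended config into place only if it is detection-only,
# then ask Apache to validate the resulting configuration.
# Usage: modsec_enable_recommended [source] [destination]
modsec_enable_recommended() {
    src="${1:-/etc/modsecurity/modsecurity.conf-recommended}"
    dst="${2:-/etc/modsecurity/modsecurity.conf}"
    if ! modsec_is_detection_only "$src"; then
        echo "refusing: $src has SecRuleEngine $(modsec_engine_mode "$src"), expected DetectionOnly" >&2
        return 1
    fi
    cp "$src" "$dst" || return 1
    apache2ctl configtest
}
```

Running `modsec_enable_recommended` with no arguments performs the copy from the issue, but refuses if someone has already switched the recommended file to `On`, so a blocking engine is never enabled by accident; after a later change to `On` for specific apps, `modsec_engine_mode /etc/modsecurity/modsecurity.conf` is a quick way to confirm which mode is live.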
