Adding Mod_Security With Apache2
ModSecurity is one of the most powerful and widely used tools for securing Apache servers, and it has one of the simplest installations.
Visit the URL:
https://bsn.breach.com/account/login.php
use the username: Prasul
password : Prasul2004
In the Downloads section you should find the list of available software; check the
modsecurity-apache/
directory for the list of releases, which includes the latest version as well as the previous 1.9.x versions. Once you have selected one, copy the link location and on the shell type:
wget --no-check-certificate <the URL you copied>
Here is what I did:
cd /usr/local/src
wget --no-check-certificate https://bsn.breach.com/downloads/t=e75bb42feca2d6c5ef356f122d408872/modsecurity-apache/modsecurity-apache_2.1.3.tar.gz
This fetched the file modsecurity-apache_2.1.3.tar.gz, which I untarred with:
tar -xzvf modsecurity-apache_2.1.3.tar.gz
cd modsecurity-apache_2.1.3/
Here you will find two directories, apache1 and apache2. Choose the one matching the Apache version you have installed; I am proceeding with apache2 since that is what I have running.
cd apache2/
Once you are in that directory, check that the unique_id module (mod_unique_id), which ModSecurity needs, is loaded. It is enabled in a default installation; if it is not, uncomment its entry in your httpd.conf and restart Apache.
Now find where libxml2 is installed with the command:
which libxml2
or
locate libxml2 (if updatedb runs on your system).
Otherwise look for it under the /usr/include directory.
<<====== LibXML2 installation
If it is missing, you can install it with the following steps:
cd /usr/local/src
wget http://xmlsoft.org/sources/libxml2-2.6.29.tar.gz
wget http://xmlsoft.org/sources/libxslt-1.1.21.tar.gz
tar -xzvf libxml2-2.6.29.tar.gz
cd libxml2-2.6.29/
./configure --prefix=/usr && make
make test
make install
cd ..
tar -xzvf libxslt-1.1.21.tar.gz
cd libxslt-1.1.21
./configure --prefix=/usr && make
make install
You can run make test before make install to verify the build, but on most systems the steps above are enough.
========>>
Now that you know the path to libxml2, go back to the modsecurity directory and into its apache2 subdirectory:
cd /usr/local/src/modsecurity-apache_2.1.3/apache2/
pico Makefile
Find the INCLUDES line and point it at your libxml2 headers:
INCLUDES=-I/usr/include/libxml2
Once this is done, save the file, exit, and build the module:
make
/usr/local/apache2/bin/apachectl stop
make install
pico /usr/local/apache2/conf/httpd.conf
add the entry:
LoadModule security2_module modules/mod_security2.so
or, for a 1.9.x build, the older module name:
LoadModule security_module /usr/lib/httpd/modules/mod_security.so
Save and exit the file, then start Apache:
/usr/local/apache2/bin/apachectl start
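Before moving on to rules it is worth confirming what the steps above assume: that the libxml2 headers the Makefile INCLUDES line points at really exist, that unique_id and the new security2 module are actually loaded, and that httpd.conf still parses. The script below is an added example, not part of the original post or of the ModSecurity project; the apachectl path (the post's /usr/local/apache2 layout) and the script name modsec_checks.sh are assumptions.

```shell
#!/bin/sh
# modsec_checks.sh: post-build checks for the mod_security install above.
# Added example, not from the original post. APACHECTL is an assumed path;
# override it in the environment for other layouts.

APACHECTL=${APACHECTL:-/usr/local/apache2/bin/apachectl}

# Print the directory to use as -I<dir> in the Makefile INCLUDES line.
# Candidate directories given as arguments are tried first, then the usual
# prefixes, then xml2-config (shipped with libxml2) as a last resort.
# Exit status 1 if nothing is found.
find_libxml2_include() {
    for d in "$@" /usr/include/libxml2 /usr/local/include/libxml2; do
        # parser.h is one of the headers the build includes, so its
        # presence is a better test than the directory name alone
        if [ -f "$d/libxml/parser.h" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    if command -v xml2-config >/dev/null 2>&1; then
        # xml2-config prints e.g. "-I/usr/include/libxml2"; strip the -I
        xml2-config --cflags | tr ' ' '\n' | sed -n 's/^-I//p' | head -n 1
        return 0
    fi
    return 1
}

# Read "apachectl -M" output on stdin and succeed if the named module is
# listed; lines look like " security2_module (shared)".
module_listed() {
    grep -q "^ *$1 ("
}

# Live check against the installed binary (apachectl -M exists from 2.2 on).
module_loaded() {
    "$APACHECTL" -M 2>/dev/null | module_listed "$1"
}

# Syntax-check httpd.conf and everything it Includes before a restart.
config_ok() {
    "$APACHECTL" -t >/dev/null 2>&1
}

# Run the live checks only when invoked as: sh modsec_checks.sh --run
if [ "${1:-}" = "--run" ]; then
    if inc=$(find_libxml2_include); then
        echo "Makefile line: INCLUDES=-I$inc"
    else
        echo "libxml2 headers not found; install libxml2 first"
    fi
    for m in unique_id_module security2_module; do
        if module_loaded "$m"; then echo "$m: loaded"; else echo "$m: NOT loaded"; fi
    done
    if config_ok; then
        echo "httpd.conf syntax OK"
    else
        echo "httpd.conf has errors; run $APACHECTL -t to see them"
    fi
fi
```

The functions that matter for the build take their input explicitly (candidate directories, or apachectl output on stdin), so they can be exercised on a machine without Apache; only the --run path touches the real server.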
Now you should have Apache up with ModSecurity loaded. Make sure you keep a good copy of httpd.conf before adding any rules. The following are the basic rules; I will extend this set for further filtering later. To have the module pick up the rules, either wrap them in an IfModule mod_security.c block or pull them in with an Include directive:
cd /etc/modsecurity/
touch rules.conf
pico /usr/local/apache2/conf/httpd.conf
add the line:
Include /etc/modsecurity/rules.conf
or
Include conf.d/*.conf
Save and exit the file, then restart Apache. Keeping the rules in their own file makes the configuration easier to manage. To start with you can use the following set of rules:
pico /etc/modsecurity/rules.conf
Add the following entries:
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Debug level set to a minimum
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"
This should be the basic setup for the module. I will add a few more rules for production work:
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
Include /etc/modsecurity/rules.conf
#Comment spam rules
Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only use these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
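The SecFilter* directives in the two rule blocks above belong to the ModSecurity 1.9.x configuration language; the 2.x module loaded as mod_security2.so does not accept them, and httpd will refuse to start on such a rules file. The shell function below is an added example that is not from the original post or from the ModSecurity project: it scans a rules file, reports each 1.9.x directive, and names the 2.x replacement where the 2.x reference gives a direct one (the SecRule suggestions for the encoding and byte-range checks are my own rewrites and should be tuned to the site).

```shell
#!/bin/sh
# lint_modsec_rules: flag ModSecurity 1.9.x directives in a rules file before
# handing it to mod_security2. Added example, not from the original post.

# Print one line per 1.9.x directive found in $1; exit 1 if any were found.
lint_rules() {
    awk '
        BEGIN {
            # 1.9.x directive -> 2.x directive or the SecRule that replaces it
            hint["SecFilterEngine"]           = "SecRuleEngine"
            hint["SecFilterDefaultAction"]    = "SecDefaultAction"
            hint["SecFilterScanPOST"]         = "SecRequestBodyAccess"
            hint["SecFilterScanOutput"]       = "SecResponseBodyAccess"
            hint["SecFilterDebugLog"]         = "SecDebugLog"
            hint["SecFilterDebugLevel"]       = "SecDebugLevel"
            hint["SecFilterCheckURLEncoding"] = "SecRule ARGS \"@validateUrlEncoding\" (assumed rewrite)"
            hint["SecFilterForceByteRange"]   = "SecRule ARGS \"@validateByteRange 0-255\" (assumed rewrite)"
        }
        # skip comments and blank lines; awk has already split on whitespace
        $1 ~ /^#/ || NF == 0 { next }
        # every 1.9.x-only directive on this page starts with SecFilter
        $1 ~ /^SecFilter/ {
            h = ($1 in hint) ? hint[$1] : "a SecRule (see the 2.x reference manual)"
            printf("%s:%d: %s is a 1.9.x directive; in 2.x use %s\n", FILENAME, NR, $1, h)
            bad++
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Convenience: number of offending lines in $1 (0 means the file is 2.x-clean).
count_legacy() {
    lint_rules "$1" | wc -l | tr -d ' '
}

# Run on the post's rules file when invoked as: sh lint_modsec_rules.sh --run
if [ "${1:-}" = "--run" ]; then
    f=${2:-/etc/modsecurity/rules.conf}
    if lint_rules "$f"; then
        echo "$f: no 1.9.x directives found"
    else
        echo "$f: fix the lines above before restarting Apache"
    fi
fi
```

Run it on every file named in an Include line before restarting; a clean result does not prove the rules are right, only that the module will parse them, so follow it with apachectl -t and then a test request against a staging host.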
You can also check the rulesets available at:
http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz
These should work with apache2.
2 comments:
November 15, 2007 at 12:23 PM
Hello,
Your article contains quite a bit of misinformation:
1) You must register for a BSN account to download, however you imply that the site is not really validating credentials. This is not true.
2) You described downloading modsecurity-apache_2.1.3.tar.gz, but your compile/install instructions are for the 1.9.x version of ModSecurity
3) You are promoting using an outdated version of ModSecurity 1.9.x on Apache httpd 2.x. Really, you should only use 1.9.x if your have no choice but to use Apache httpd 1.3.x.
4) The article implies some security after following your steps, but the configuration that you have given does not provide much security (no rules, no limits other than URL encoding verification).
Please consider fixing or removing the article.
Please refer to the documentation at modsecurity.org. If you have further questions, then please send them to the ModSecurity community support list (details under the contact section of the modsecurity.org site).
Thanks,
-B
November 16, 2007 at 5:11 AM
Fixed :-). Thank you very much for shedding light on the details. I was just doing quick work yesterday. Lazy me. But now it is updated. Please do post me if I have left anything uncovered. Again, for the rules I am working on the best configuration set. I will add this pretty soon.