Gentoo Wiki

Apache_Modules_mod_security

Introduction to ModSecurity

ModSecurity is an open source web application firewall that runs as an Apache module. It provides protection from a range of attacks against web applications and allows HTTP traffic to be monitored and analysed in real time without changes to the existing infrastructure. This is no longer a luxury: almost every site now bolts on scripting languages such as PHP and Perl to extend its functionality, and every script that reads a request parameter is a potential entry point. For example, take a look at this URL:

  http://www.webapp.com/login.php?username=admin';DROP%20TABLE%20users--

A network firewall sees nothing wrong with this request; it is ordinary HTTP to port 80. All it then takes is one poorly written PHP script that pastes the username parameter into an SQL query unescaped, and you have just lost the user table of your application. ModSecurity is able to detect and block such requests because it inspects the decoded content of both GET and POST requests (the query string and the request body) before the script ever sees them. This only works properly with Apache 2.x, because Apache 1.3.x has no notion of filters and the request body cannot be intercepted there; so make sure you are running Apache 2.x or later.

Installing ModSecurity

emerge -vauD mod_security

This page was written against mod_security 2.1.1, the current ebuild at the time of writing. Note that the 1.x and 2.x versions use different rule syntax, so check which version you actually installed before copying rules from elsewhere.

Configuring Apache2

Edit /etc/conf.d/apache2 by adding

 -D SECURITY

to your APACHE2_OPTS, so that it looks like this (the other -D entries depend on what you already have enabled):

 APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PERL -D PHP5 -D SECURITY"

Restarting apache2 will load the security module. Running apache2ctl -t first reports any configuration syntax errors before you take the server down.

/etc/init.d/apache2 restart

Configuring the module

ModSecurity is rule driven. Depending on the rule sets you use, you will get higher or lower security. Be careful when changing the rules: you risk false positives (something harmless is blocked) and false negatives (an actual attack is not detected). A safe way to try a new rule set on a production site is to run with SecRuleEngine DetectionOnly for a while, which logs what would have been blocked without actually denying anything, and switch to SecRuleEngine On once the log shows no hits from legitimate traffic.

The module is configured in /etc/apache2/modules.d/99_mod_security.conf

In ModSecurity 1.x a single line such as

SecFilter KEYWORD

was enough to deny any request containing KEYWORD. That directive no longer exists in the 2.x versions the ebuild installs; the 2.x equivalent is a SecRule, for example

SecRule ARGS|REQUEST_URI "keyword" "phase:2,t:lowercase,deny,status:403,log"

which denies with a 403 any request whose URI or decoded parameters contain the keyword. Matching is case-sensitive unless you add the t:lowercase transformation as above (in which case the pattern itself must be written in lower case).
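To make concrete why the decoded, lowercased view of the request matters, both for the login.php example in the introduction and for the keyword rule just above, here is an added example that is not code from this page or from ModSecurity. It is a small Python stand-in for the inspection the module performs: it extracts ARGS the way ModSecurity does, from the query string and from a urlencoded POST body, applies the equivalent of t:urlDecodeUni and t:lowercase, and runs two regex rules, next to a naive substring test on the raw request line. The three requests and the two rules are constructed for illustration; the rule ids are placeholders.

```python
import re
from urllib.parse import unquote_plus

# Constructed requests for illustration, not captured traffic. Each entry is
# (method, request target, urlencoded body). The first is the page's own
# login.php example; the third is a harmless search that contains a SQL keyword.
REQUESTS = [
    ("GET", "/login.php?username=admin';DROP%20TABLE%20users--", ""),
    ("POST", "/login.php", "username=admin%27+OR+1%3D1--&password=x"),
    ("GET", "/search.php?q=how+to+select+a+laptop", ""),
]

# Hypothetical rules, standing in for SecRule ARGS "..." "t:lowercase,deny":
# (placeholder rule id, regex applied to each decoded lowercased argument, description)
RULES = [
    ("sqli-1", re.compile(r"\b(union\s+select|drop\s+table|insert\s+into)\b"),
     "SQL statement inside an argument"),
    ("sqli-2", re.compile(r"'\s*or\s+\d+\s*=\s*\d+"),
     "quote followed by a tautology"),
]

# What a 1.x-style "SecFilter KEYWORD" amounts to: substring tests on the raw request.
NAIVE_KEYWORDS = ("drop table", "select")


def extract_args(method, target, body):
    """Return decoded (name, value) pairs from the query string and, for POST,
    from the urlencoded body; this corresponds to ModSecurity's ARGS collection.
    unquote_plus() does the work of t:urlDecodeUni and turns '+' into a space."""
    fields = []
    if "?" in target:
        fields.extend(target.split("?", 1)[1].split("&"))
    if method == "POST" and body:
        fields.extend(body.split("&"))
    args = []
    for field in fields:
        name, _, value = field.partition("=")
        args.append((unquote_plus(name), unquote_plus(value)))
    return args


def inspect_request(method, target, body):
    """Apply the rules to each argument after t:lowercase. Returns
    (rule id, argument name) for the first hit, or None if the request passes."""
    for name, value in extract_args(method, target, body):
        lowered = value.lower()
        for rule_id, pattern, _description in RULES:
            if pattern.search(lowered):
                return rule_id, name
    return None


def naive_match(target, body):
    """Case-insensitive substring test against the undecoded request: it misses
    'DROP%20TABLE' because the space is still encoded, and it flags the innocent
    search because that contains 'select'."""
    raw = (target + " " + body).lower()
    return any(keyword in raw for keyword in NAIVE_KEYWORDS)


def compare(requests=REQUESTS):
    """Side-by-side verdicts: {target: (rule-based verdict, naive verdict)}."""
    return {target: (inspect_request(method, target, body), naive_match(target, body))
            for method, target, body in requests}


if __name__ == "__main__":
    for target, (decoded, naive) in compare().items():
        print(f"{target:55} rule-based: {decoded!r:24} naive keyword: {naive}")
```

Running it shows the two attack requests caught by the rule-based check and missed by the raw keyword test, while the harmless search is the other way round: a false negative and a false positive from the same naive rule.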

There are also prewritten rule sets for you to download. Only use rule sets from a source you trust, and read through what you downloaded before loading it into a module that runs inside your web server. The ModSecurity project publishes the Core Rule Set, which is fairly extensive; you can fetch it from their download site or with wget directly:

 wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz

Since these rules are more advanced than the default rules supplied with the 2.1.1 package, first remove the default ones:

 rm /etc/apache2/modules.d/mod_security/*

Then copy the core rules tarball you just downloaded into the rules directory and unpack it there:

 cp modsecurity-core-rules_2.1-1.4.tar.gz /etc/apache2/modules.d/mod_security/
 cd /etc/apache2/modules.d/mod_security/
 tar xzvf modsecurity-core-rules_2.1-1.4.tar.gz

Before using them, change the log paths in the rule set's configuration file:

 nano -w /etc/apache2/modules.d/mod_security/modsecurity_crs_10_config.conf

Change the log directory from /logs to /var/log/apache2/ on the SecAuditLog and SecDebugLog lines (lines 176 and 270; search for the directive names rather than trusting the numbers, which shift between rule set versions), so that they read:

 SecAuditLog /var/log/apache2/modsec_audit.log
 SecDebugLog /var/log/apache2/modsec_debug.log

Keep an eye on the size of modsec_debug.log: with a high SecDebugLogLevel it grows very quickly on a busy server. If you want even more rule sets, there is one at http://www.gotroot.com (the same caveat about trusting the source applies). Rule files placed in /etc/apache2/modules.d/mod_security/ are loaded automatically when apache (re)starts.

Restart apache

 /etc/init.d/apache2 restart

Then check that a request such as http://www.yourdomain.de/index.php?a=/bin/sh is blocked (the response status is whatever SecDefaultAction in modsecurity_crs_10_config.conf specifies) and that the denial shows up in the Apache error log and, with the paths set above, in /var/log/apache2/modsec_audit.log. Also send a few normal requests to your own application and make sure they still go through, so you catch false positives before your users do.
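Checking the audit log by eye gets tedious once the core rules are active, so here is an added example that is not part of the original page or of ModSecurity: a Python parser for the serial audit log format ModSecurity 2.x writes to the SecAuditLog path set above. It groups the log into transactions by their boundary markers, reads the connection line (section A), the request line (B), the response status (F) and the rule messages and intercept decision (H), and lists the transactions that were actually blocked together with the rule ids that fired. The two transactions in SAMPLE_LOG are constructed for illustration; the unique ids, addresses, stopwatch values and the local rule id 999999 are placeholders.

```python
import re

# Constructed sample of the serial audit log ModSecurity 2.x writes (SecAuditLog).
# Placeholder ids and addresses; the first transaction is the page's own test
# request, the second a warning-only match that was not intercepted.
SAMPLE_LOG = """\
--2f1e9c7a-A--
[09/Jul/2008:15:02:00 +0000] SHTfwMCoAQUAAB-tD7IAAAAA 192.0.2.10 41234 198.51.100.5 80
--2f1e9c7a-B--
GET /index.php?a=/bin/sh HTTP/1.1
Host: www.yourdomain.de
User-Agent: curl/7.18.2

--2f1e9c7a-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--2f1e9c7a-H--
Message: Access denied with code 403 (phase 2). Pattern match "/bin/(?:ba)?sh" at ARGS:a. [id "950006"] [msg "System Command Injection"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1215615720123456 2345 (1821 2100 -)
Producer: ModSecurity for Apache/2.1.1 (http://www.modsecurity.org/); core ruleset/1.4.
Server: Apache
--2f1e9c7a-Z--
--3b0d4e88-A--
[09/Jul/2008:15:03:11 +0000] SHTgD8CoAQUAAB-tD7MAAAAB 192.0.2.10 41250 198.51.100.5 80
--3b0d4e88-B--
GET /search.php?q=select+a+laptop HTTP/1.1
Host: www.yourdomain.de

--3b0d4e88-F--
HTTP/1.1 200 OK
Content-Type: text/html

--3b0d4e88-H--
Message: Warning. Pattern match "select" at ARGS:q. [id "999999"] [msg "Local keyword rule"] [severity "WARNING"]
Stopwatch: 1215615791123456 1870 (1402 1650 -)
Producer: ModSecurity for Apache/2.1.1 (http://www.modsecurity.org/); core ruleset/1.4.
Server: Apache
--3b0d4e88-Z--
"""

BOUNDARY = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
A_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<cip>\S+) (?P<cport>\d+) (?P<sip>\S+) (?P<sport>\d+)$")
TAG = re.compile(r'\[(\w+) "([^"]*)"\]')   # the [id "..."] [msg "..."] tags on a Message line


def split_transactions(text):
    """Group the serial log into {transaction id: {section letter: [lines]}}.
    Section Z closes a transaction; text outside a boundary pair is ignored."""
    transactions, current = {}, None
    for line in text.splitlines():
        boundary = BOUNDARY.match(line)
        if boundary:
            txid, section = boundary.groups()
            current = None if section == "Z" else transactions.setdefault(txid, {}).setdefault(section, [])
        elif current is not None:
            current.append(line)
    return transactions


def first_line(sections, letter):
    return (sections.get(letter) or [""])[0]


def parse_transaction(txid, sections):
    """Pull out what a responder wants: who, what, the status, and which rules denied it."""
    head = A_LINE.match(first_line(sections, "A"))
    status_line = first_line(sections, "F")
    status = int(status_line.split()[1]) if status_line.startswith("HTTP/") else None
    messages, intercepted = [], False
    for line in sections.get("H", []):
        if line.startswith("Message:"):
            tags = dict(TAG.findall(line))
            messages.append({"id": tags.get("id"), "msg": tags.get("msg"),
                             "denied": line.startswith("Message: Access denied")})
        elif line.startswith("Action: Intercepted"):
            intercepted = True
    return {"txid": txid,
            "unique_id": head.group("uid") if head else None,
            "time": head.group("ts") if head else None,
            "client": head.group("cip") if head else None,
            "request": first_line(sections, "B"),
            "status": status,
            "intercepted": intercepted,
            "rules": [m["id"] for m in messages if m["denied"]],
            "messages": messages}


def parse_audit_log(text):
    return [parse_transaction(txid, sections) for txid, sections in split_transactions(text).items()]


def denied_requests(text):
    """Only the transactions ModSecurity actually blocked."""
    return [tx for tx in parse_audit_log(text) if tx["intercepted"]]


if __name__ == "__main__":
    for tx in denied_requests(SAMPLE_LOG):
        print(f"{tx['time']} {tx['client']} {tx['request']} -> {tx['status']} by rules {tx['rules']}")
```

Point the script at the real file (read /var/log/apache2/modsec_audit.log instead of SAMPLE_LOG) to get a quick list of what the rule set is denying; the warning-only transactions it skips are exactly the ones to review when running in DetectionOnly mode.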

Retrieved from "http://www.gentoo-wiki.info/Apache_Modules_mod_security"

Last modified: Wed, 09 Jul 2008 15:02:00 +0000