ModSecurity


ModSecurity is a web application firewall (WAF). With over 70% of all attacks now carried out at the web application level, organisations need all the help they can get in securing their systems. A WAF is deployed as an external security layer that detects and prevents attacks before they reach the web application. ModSecurity protects against a range of attacks on web applications and allows HTTP traffic monitoring and real-time analysis with little or no change to existing infrastructure.

Now that I'm letting the world access my websites, it's obviously good sense to check the requests and also any POST payloads. Rather than put this in the Security section, I'll stick with Apache.

I've a few issues with the latest version, so let's make a start by downloading, installing and configuring version 1.9.4; it'll only take a few minutes.


cd /usr/local/share/modules
fetch http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
gunzip modsecurity-apache_1.9.4.tar.gz
tar xf modsecurity-apache_1.9.4.tar
cd modsecurity-apache_1.9.4
cd apache2
/usr/sbin/apxs -cia mod_security.c


Note that this is for Apache 2. You can download to a different directory if you prefer. The apxs command will also automatically modify your httpd.conf, adding the line:


LoadModule security_module /usr/lib/apache/mod_security.so


I'm using the extensive ModSecurity rulesets from Got Root, so:


cd /etc/httpd/conf
mkdir modsecurity
cd modsecurity
fetch http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz
gunzip apache2-gotrootrules-latest.tar.gz
tar xf apache2-gotrootrules-latest.tar
cp apache2/*.conf .
rm -rf apache2
rm apache2-gotrootrules-latest.tar


Now we will create one conf file, which will both configure our use of ModSecurity and include all the rulesets we've just downloaded.


vi /etc/httpd/conf/modsecurity.conf


and add the following:




# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly

SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

SecServerResponseToken Off

#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"

#SecUploadDir /tmp
#SecUploadKeepFiles Off

# Only record the interesting stuff
#SecAuditEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/httpd/modsec_debug_log

#And now, the rules
#Remove any of these Include lines you do not use or have rules for.

#First, add in your exclusion rules:
#These MUST come first!
Include /etc/httpd/conf/modsecurity/exclude.conf

#Application protection rules
Include /etc/httpd/conf/modsecurity/rules.conf

#Comment spam rules
Include /etc/httpd/conf/modsecurity/blacklist.conf

#Bad hosts, bad proxies and other bad players
Include /etc/httpd/conf/modsecurity/blacklist2.conf

#Bad clients, known bogus useragents and other signs of malware
Include /etc/httpd/conf/modsecurity/useragents.conf

#Known bad software, rootkits and other malware
Include /etc/httpd/conf/modsecurity/rootkits.conf

#Signatures to prevent proxying through your server
#only use these rules if your server is NOT a proxy
Include /etc/httpd/conf/modsecurity/proxy.conf

#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/httpd/conf/modsecurity/apache2-rules.conf


This configuration uses two log files, audit_log and modsec_debug_log; if you wish, edit the file to change their location. Now edit your httpd.conf and add at the bottom:


Include /etc/httpd/conf/modsecurity.conf


Restart Apache and you're done. You can check that requests are being logged by uncommenting the line:


#SecAuditEngine On


and commenting out the line:


SecAuditEngine RelevantOnly


in the file modsecurity.conf (don't forget to restart Apache); this will log *all* requests to the audit_log file. Check that it does so, then change it back and restart Apache again.

You may find that some web applications break; if so, you will need to examine the audit_log to determine which rule matched the request (ModSecurity usually returns a 500 error when it blocks). You can remove or modify the rule, but it's best to read the ModSecurity documentation before messing around.
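As an added example (not part of the original post, and not a GotRoot or ModSecurity tool), here is a small POSIX shell script that does the audit_log inspection described above: it counts how many requests the log recorded, picks out the ones ModSecurity blocked, lists the client, request line and rule message for each, and tallies which rule message fired most often, which is what you want when a web application starts returning 500s. It assumes the ModSecurity 1.x audit log layout (entries separated by a line of '=' characters, a "Request:" line carrying the client address and quoted request line, and "mod_security-message:" / "mod_security-action:" lines on blocked requests); the log content is a constructed sample, not a capture from a real server, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise blocked requests in a
# ModSecurity 1.x audit_log (the file named by SecAuditLog above).
# Assumed layout: entries separated by a line of '=' signs, a "Request:" line
# with the client address and quoted request line, and, for blocked requests,
# "mod_security-message:" and "mod_security-action:" lines.

# Constructed sample audit_log (not captured from a real server): four
# requests, three of which the rules denied with status 500.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
========================================
Request: 192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 500 535
----------------------------------------
GET /index.php?page=../../etc/passwd HTTP/1.1
Host: www.example.com
User-Agent: curl/7.15.0
mod_security-message: Access denied with code 500. Pattern match "\.\./" at THE_REQUEST
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
========================================
Request: 192.0.2.11 - - [01/Jan/2006:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
----------------------------------------
GET /index.php?page=about HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
========================================
Request: 192.0.2.12 - - [01/Jan/2006:10:00:09 +0000] "GET /gallery.php?dir=../../../ HTTP/1.1" 500 535
----------------------------------------
GET /gallery.php?dir=../../../ HTTP/1.1
Host: www.example.com
User-Agent: curl/7.15.0
mod_security-message: Access denied with code 500. Pattern match "\.\./" at THE_REQUEST
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
========================================
Request: 192.0.2.11 - - [01/Jan/2006:10:00:20 +0000] "POST /comments.php HTTP/1.1" 500 535
----------------------------------------
POST /comments.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
mod_security-message: Access denied with code 500. Pattern match "<script" at POST_PAYLOAD
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
========================================
EOF

# Number of audit entries (one "Request:" line per logged request).
count_entries() {
    grep -c '^Request: ' "$1" || true
}

# Number of entries ModSecurity acted on (those carrying mod_security-action).
count_blocked() {
    grep -c '^mod_security-action: ' "$1" || true
}

# One line per blocked request: client<TAB>request line<TAB>rule message.
# This is the view you need to see which rule matched a request that broke
# an application.
blocked_requests() {
    awk -F'"' '
        /^Request: / { split($0, f, " "); client = f[2]; reqline = $2 }
        /^mod_security-message: / {
            msg = $0; sub(/^mod_security-message: /, "", msg)
            printf "%s\t%s\t%s\n", client, reqline, msg
        }' "$1"
}

# Tally of rule messages, most frequent first: count<TAB>message.
summarise_blocks() {
    blocked_requests "$1" | awk -F'\t' '
        { count[$3]++ }
        END { for (m in count) printf "%d\t%s\n", count[m], m }' | sort -rn
}

# Usage against the constructed sample; point the functions at
# /var/log/httpd/audit_log to run them on a real server.
printf 'Entries: %s, blocked: %s\n' \
    "$(count_entries "$SAMPLE_LOG")" "$(count_blocked "$SAMPLE_LOG")"
summarise_blocks "$SAMPLE_LOG"
```

With SecAuditEngine set to RelevantOnly, as in the configuration above, the log holds only entries ModSecurity acted on, so count_entries and count_blocked agree; the clean entry in the sample shows what you see after switching SecAuditEngine to On. The tally tells you which rule to look up in the GotRoot files before deciding whether to relax it, and the per-request listing tells you which application page triggered it.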