
ModSecurity WAF and Ubuntu 10.04 LTS


I was unable to install OpenSuSE 11.3 properly with Plesk 10.1.1. This forced me to install #Ubuntu 10.04 LTS, and since then also to (re)learn some basic stuff to secure my #Linux server. Here are some of my How-Tos.

ModSecurity is an open source web application firewall (WAF) engine for Apache that is developed by Trustwave’s SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.


Install

Using the package manager:

apt-get -y install libapache-mod-security

Configure

These are the directories ModSecurity needs to work properly (data directory, audit log storage and upload quarantine). Run all these commands before continuing:

# create the directories first; the original list only set ownership and permissions,
# so these mkdir calls are added here (chown fails on a directory that does not exist yet)
mkdir -p /var/asl/data/msa /var/asl/data/audit /var/asl/data/suspicious
chown www-data:www-data /var/asl/data/msa
chown www-data:www-data /var/asl/data/audit
chown www-data:www-data /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
mkdir -p /var/asl/updates
mkdir -p /var/asl/rules/
mkdir -p /var/asl/rules/clamav

Initial setup

Create a new file:

vi /etc/apache2/conf.d/00_modsecurity.conf

and put inside:

<IfModule mod_security2.c>
    Include /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf
</IfModule>

Then create the directory that will contain the ModSecurity rules, and the configuration file inside it:

mkdir -p /etc/apache2/modsecurity.d/
vi /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf

Content of the file modsecurity_crs_10_config.conf:

Some default values, starting with the directives that hide the server name and signature, followed by the ModSecurity engine settings:

# hide Apache version and module list from clients
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# engine on, inspect request and response bodies (response bodies only for the listed MIME types)
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecComponentSignature 200911012341

# uploaded files are written here; they are not kept unless a rule asks for it
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off

# audit only relevant transactions: any 5xx, and any 4xx except 404
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
# relative path, resolved against the Apache ServerRoot
SecAuditLog logs/audit_log
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

# pull in the GotRoot / Atomicorp rule files installed in the next step
Include /etc/apache2/modsecurity.d/gotroot/*asl*.conf

Getting the initial set of rules from GotRoot

Run these commands to install the latest free (but delayed) set of ModSecurity rules from GotRoot.com.

The last command restarts Apache:

# the gotroot directory was not created earlier, so create it first (added here)
mkdir -p /etc/apache2/modsecurity.d/gotroot
cd /etc/apache2/modsecurity.d/gotroot
wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.gz
tar zxvf modsec-2.5-free-latest.tar.gz
mv modsec/* .
/etc/init.d/apache2 restart

Watch your logs to see whether you get warnings/errors like the one below. A line like this confirms that ModSecurity is loaded, the rules are active and the response body is being inspected:

[Mon Feb 28 20:52:45 2011] [error] [client 195.8.45.152] 
ModSecurity: Warning. CC# match "\\d{13,16}" at RESPONSE_BODY.
[offset "15816"] [file "/etc/apache2/modsecurity.d/gotroot/11_asl_data_loss.conf"]
[line "33"] [id "340838"] [rev "2"]
[msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules:
Potential credit card number detected in output (not blocked)"]
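To triage such lines, it helps to split them into fields (rule id, rule file, whether the request was only logged or actually blocked). The parser below is an added example for this post, not part of the original article or of ModSecurity; it works on the warning line shown above, embedded here as a constructed sample, and reuses the SecAuditLogRelevantStatus regex from the configuration to show which HTTP status codes end up in the audit log.

```python
import re
from collections import Counter

# Constructed sample: the warning from above, on one line as Apache writes it.
SAMPLE_LINE = (
    '[Mon Feb 28 20:52:45 2011] [error] [client 195.8.45.152] '
    'ModSecurity: Warning. CC# match "\\\\d{13,16}" at RESPONSE_BODY. '
    '[offset "15816"] [file "/etc/apache2/modsecurity.d/gotroot/11_asl_data_loss.conf"] '
    '[line "33"] [id "340838"] [rev "2"] '
    '[msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: '
    'Potential credit card number detected in output (not blocked)"]'
)

# Apache error-log prefix, then the ModSecurity action and the matched-rule reason.
HEAD_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>Warning|Access denied with code \d+)\. '
    r'(?P<reason>.*?)(?: \[\w+ "|$)'
)
# Trailing [key "value"] tags; values may contain escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

# Same regex as SecAuditLogRelevantStatus in the configuration above.
RELEVANT_RE = re.compile(r'^(?:5|4(?!04))')


def parse_modsec_line(line):
    """Return a dict of fields from one ModSecurity error-log line, or None."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # "Warning" means the rule only logged; "Access denied" means it blocked.
    event['blocked'] = event['action'] != 'Warning'
    for key, value in TAG_RE.findall(line):
        event[key] = value.replace('\\"', '"')
    return event


def summarize(lines):
    """Count events per rule id, separating blocked from log-only hits."""
    counts = Counter()
    for line in lines:
        ev = parse_modsec_line(line)
        if ev is not None:
            counts[(ev.get('id', '?'), ev['blocked'])] += 1
    return counts


def is_audit_relevant(status):
    """True if a response with this HTTP status would be written to the audit log."""
    return RELEVANT_RE.match(str(status)) is not None
```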

You can always get new rules by visiting http://updates.atomicorp.com/channels/rules/delayed/.

About The Author

Cédric Walter

I worked with various insurance companies across Switzerland on online applications handling billion-premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology. In my technical role as a senior software engineer and blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions. I'm the Founder and CEO of Disruptr GmbH.
