ModSecurity WAF and Ubuntu 10.04 LTS

I was unable to Install properly OpenSuSE 11.3 with Plesk 10.1.1. This has forced me to install #Ubuntu 10.04 LTS and since then also to (re)learn some basic stuff to secure my #Linux server. Here are some of my How-To.

ModSecurity is an open source web application firewall (WAF) engine for Apache that is developed by Trustwave’s SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.

 

Install

Using the package manager

apt-get -y install libapache-mod-security

Configure

These are some directories that are needed by ModSecurity to work properly. Run all these commands before continuing:

chown www-data.www-data /var/asl/data/msa chown www-data.www-data /var/asl/data/audit chown www-data.www-data /var/asl/data/suspicious chmod o-rx -R /var/asl/data/* chmod ug+rwx -R /var/asl/data/*  mkdir /var/asl/updates mkdir /var/asl/rules/ mkdir /var/asl/rules/clamav

Initial setup

Create a new File

vi /etc/apache2/conf.d/00_modsecurity.conf

And put inside

<ifmodule mod_security2.c> Include /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf </ifmodule>

Then create new directory that will contains mod security rules

mkdir /etc/apache2/modsecurity.d/ vi /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf

Content of file modsecurity_crs_10_config.conf

Some default values to hide the server name and signature

 ServerTokens Prod  ServerSignature Off  TraceEnable Off   SecRuleEngine On  SecRequestBodyAccess On  SecResponseBodyAccess On  SecResponseBodyMimeType (null) text/html text/plain text/xml  SecResponseBodyLimit 2621440  SecServerSignature Apache  SecComponentSignature 200911012341  SecUploadDir /var/asl/data/suspicious  SecUploadKeepFiles Off  SecAuditEngine RelevantOnly  SecAuditLogRelevantStatus "^(?:5|4(?!04))"  SecAuditLogType Concurrent  SecAuditLog logs/audit_log  SecAuditLogParts ABIFHZ  SecArgumentSeparator "&"  SecCookieFormat 0  SecRequestBodyInMemoryLimit 131072  SecDataDir /var/asl/data/msa  SecTmpDir /tmp  SecAuditLogStorageDir /var/asl/data/audit  SecResponseBodyLimitAction ProcessPartial   Include /etc/apache2/modsecurity.d/gotroot/*asl*.conf

Getting Initial set of rules from Gotroot

Run these commands to install the latest free but delayed set of ModSecurity Rules from GotRoot.com

The last command restart apache,

cd /etc/apache2/modsecurity.d/gotroot wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.gz tar zxvf modsec-2.5-free-latest.tar.gz mv modsec/* . /etc/init.d/apache2 restart

Watch your logs to see if you have some warning/error like these. This is confirming that ModSecurity is working as expected

[Mon Feb 28 20:52:45 2011] [error] [client 195.8.45.152] 
ModSecurity: Warning. CC# match "\\d{13,16}" at RESPONSE_BODY. 
[offset "15816"] [file "/etc/apache2/modsecurity.d/gotroot/11_asl_data_loss.conf"]
 [line "33"] [id "340838"] [rev "2"] 
[msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules:  
Potential credit card number detected in output (not blocked)"] 

You can always get new rules by visiting http://updates.atomicorp.com/channels/rules/delayed/