
Adding mod_security to better protect your webserver
> ModSecurity™ is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.
>
> from http://www.modsecurity.org/
Installing mod_security as a DSO is easier, and the procedure is the same for both Apache branches (the tarball ships a separate mod_security.c for each, under apache1/ and apache2/). First unpack the distribution somewhere (anywhere will do; I copy the .c file into my home directory, which is where the apxs commands below expect it):

```
# cd
# wget http://www.modsecurity.org/download/mod_security-1.9.4.tar.gz
# tar -zxvf mod_security-1.9.4.tar.gz
# cd mod_security-1.9.4/apache2
# cp mod_security.c ~/
```
and compile the module with:
| apache1 | apache2 |
| --- | --- |
| `/usr/local/psa/admin/bin/apxs -cia ~/mod_security.c` | `/usr/sbin/apxs2 -cia ~/mod_security.c` |
The first problem that may occur is the absence of:

- gcc: The GNU Compiler Collection (usually shortened to GCC) is a set of programming language compilers produced by the GNU Project. It is free software distributed by the Free Software Foundation (FSF) under the GNU GPL, and is a key component of the GNU toolchain. It is the standard compiler for the open source Unix-like operating systems, and certain proprietary operating systems derived therefrom such as Mac OS X. [Wikipedia]
- apache-dev: contains the apxs tool and the Apache headers required to compile a module

Both can be installed via YaST2.

Tip: if your apxs2 is not located at the path used above, you can search for it with `# find / -name apxs2`.
```
# /usr/sbin/apxs2 -cia ~/mod_security.c
/usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -g -fPIC -Wall -fno-strict-aliasing -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2 -I/usr/include/apache2 -I/usr/include/apache2 -c -o /root/mod_security.lo /root/mod_security.c && touch /root/mod_security.slo
/usr/share/apache2/build/libtool --silent --mode=link gcc -o /root/mod_security.la -rpath /usr/lib/apache2 -module -avoid-version /root/mod_security.lo
/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apache2/build/libtool' /root/mod_security.la /usr/lib/apache2
/usr/share/apache2/build/libtool --mode=install cp /root/mod_security.la /usr/lib/apache2/
cp /root/.libs/mod_security.so /usr/lib/apache2/mod_security.so
cp /root/.libs/mod_security.lai /usr/lib/apache2/mod_security.la
cp /root/.libs/mod_security.a /usr/lib/apache2/mod_security.a
ranlib /usr/lib/apache2/mod_security.a
chmod 644 /usr/lib/apache2/mod_security.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/apache2

If you ever happen to want to link against installed libraries
See any operating system documentation about shared libraries for
```

Do not worry about the error at the end of the output (shown in blue in the original post): the resulting shared library (mod_security.so) has already been copied into /usr/lib/apache2.
Then copy the desired rule set (modsecurity-general.conf or modsecurity-php.conf) under /etc/apache2 (the configuration below keeps the rule files in /etc/apache2/modsecurity_rules).

Edit /etc/apache2/httpd.conf and add the following lines at the end of the file. It is also recommended to use the rules from www.GotRoot.com:

```
LoadModule security_module /usr/lib/apache2/mod_security.so
SecFilterEngine On
Include /etc/apache2/modsecurity_rules/modsecurity-general.conf
Include /etc/apache2/modsecurity_rules/modsecurity-hardening.conf
# rule set found at http://www.gotroot.com/tiki-index.php?page=mod_security+rules
```
BUT be careful with modsecurity-hardening.conf:

- This file has to be tuned for your server: log file locations, advanced rule sets; read it carefully and uncomment the TODO entries if needed.
- By default mod_security is in learning mode: it logs the request and lets it pass through (the line `SecFilterDefaultAction "pass, log"`). Once you have a good rule set, `SecFilterDefaultAction "deny,log,status:500"` is recommended.
Restart Apache2 by typing:

```
# /etc/init.d/apache2 restart
```
Now it is time to check that mod_security is running:

```
# tail -f /var/log/apache2/error_log
[Mon Aug 21 18:43:38 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down
[Mon Aug 21 19:01:57 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
```
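As an added example (not part of the original post), the shell functions below automate the two checks the post makes by hand: whether the httpd.conf fragment actually loads and enables the filter engine and whether `SecFilterDefaultAction` still leaves it in learning mode, and whether the error_log shows the `mod_security/<version> configured` notice. The `sample_conf` and `sample_log` helpers, the function names and the temporary paths are assumptions made for this demonstration; the sample config and log lines are constructed to mirror the ones shown above.

```shell
# Added example; not the original post's commands. All input is constructed.

# Constructed httpd.conf fragment; $1 is the SecFilterDefaultAction value.
sample_conf() {
  printf '%s\n' \
    'LoadModule security_module /usr/lib/apache2/mod_security.so' \
    'SecFilterEngine On' \
    "SecFilterDefaultAction \"$1\"" \
    'Include /etc/apache2/modsecurity_rules/modsecurity-general.conf'
}

# Constructed error_log excerpt, modelled on the restart shown in the post.
sample_log() {
  printf '%s\n' \
    '[Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down' \
    '[Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)' \
    '[Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured' \
    '[Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations'
}

# modsec_mode CONFIG_FILE
# Prints one word: off (module not loaded or engine not On), learning
# (default action passes requests), blocking (default action denies) or
# unset (no usable SecFilterDefaultAction). Commented-out lines are ignored.
modsec_mode() {
  conf="$1"
  if ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security_module' "$conf"; then
    echo off; return 0
  fi
  if ! grep -Eiq '^[[:space:]]*SecFilterEngine[[:space:]]+On' "$conf"; then
    echo off; return 0
  fi
  # Take the last directive (Apache lets later ones override earlier ones)
  # and strip the surrounding quotes if present.
  action=$(grep -E '^[[:space:]]*SecFilterDefaultAction' "$conf" | tail -n 1 \
           | sed 's/^[^"]*"\([^"]*\)".*/\1/')
  case "$action" in
    "")      echo unset ;;
    *deny*)  echo blocking ;;
    *pass*)  echo learning ;;
    *)       echo unset ;;
  esac
}

# modsec_loaded_version LOGFILE
# Prints the version from the most recent "mod_security/X.Y.Z configured"
# notice, or nothing if Apache never reported the module as loaded.
modsec_loaded_version() {
  grep -o 'mod_security/[0-9.]* configured' "$1" | tail -n 1 \
    | sed 's#mod_security/\([0-9.]*\) configured#\1#'
}

# Demonstration over the constructed input (a temp dir stands in for
# /etc/apache2/httpd.conf and /var/log/apache2/error_log).
demo_dir=$(mktemp -d)
sample_conf 'pass, log' > "$demo_dir/httpd.conf"
sample_log > "$demo_dir/error_log"
echo "filter mode: $(modsec_mode "$demo_dir/httpd.conf")"
echo "loaded version: $(modsec_loaded_version "$demo_dir/error_log")"
rm -rf "$demo_dir"
```

Run it against the real files by calling `modsec_mode /etc/apache2/httpd.conf` and `modsec_loaded_version /var/log/apache2/error_log`; a result of `learning` after you have tuned the rule sets is the cue to switch the default action to `deny,log,status:500` as the post recommends.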