Apache Modules: mod_security
From Gentoo Linux Wiki
Introduction to ModSecurity
ModSecurity is an open source web application firewall that runs as an Apache module. It inspects HTTP traffic in real time, logs it and blocks requests that match its rules, without changes to the rest of your infrastructure. This is no longer a luxury: to extend a website's functionality everybody adds scripting languages such as PHP and Perl, and every script that takes user input is a potential entry point. For example, take a look at this URL:
http://www.webapp.com/login.php?username=admin';DROP%20TABLE%20users--
A packet-filtering firewall sees nothing wrong with this request. All it then takes is a poorly written or configured PHP script that passes the username straight into an SQL query, and you have just lost the user table of your application. ModSecurity can detect and block such requests because it inspects the decoded request itself: the query string of GET requests as well as the body of POST requests. This only works with Apache 2.x, because Apache 1.3.x has no notion of input filters, so make sure you are running Apache 2.x.
Installing ModSecurity
emerge -vauD mod_security
At the time of writing this installs version 2.1.1, the latest release.
Configuring Apache2
Edit /etc/conf.d/apache2 by adding
-D SECURITY
to APACHE2_OPTS, so that it looks like this:
APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PERL -D PHP5 -D SECURITY"
Restarting apache2 loads the module:
/etc/init.d/apache2 restart
Configuring the module
mod_security is rule driven: depending on the rule sets you use you get more or less protection. Be careful when changing rules, because you risk false positives (something harmless is blocked) and false negatives (an actual attack goes undetected). ModSecurity 2.x can run with SecRuleEngine DetectionOnly, which evaluates and logs every rule without blocking anything; use that mode to test new rules against real traffic before switching to SecRuleEngine On.
The module's main configuration file is /etc/apache2/modules.d/99_mod_security.conf; rule files placed in /etc/apache2/modules.d/mod_security/ are loaded automatically. With ModSecurity 1.x a single line such as
SecFilter KEYWORD
denied any request containing KEYWORD (case-insensitively). That directive was removed in 2.x, so with the 2.1.1 package installed above use a SecRule instead:
SecRule ARGS "keyword" "phase:2,t:lowercase,deny,status:403,log"
This denies any request whose GET or POST parameters contain the keyword. The t:lowercase transformation folds each parameter value before the (lower-case) pattern is matched, which gives the case-insensitive behaviour of the old SecFilter. Note that POST parameters are only inspected when SecRequestBodyAccess is On.
There are also prewritten rule sets you can download; of course, keep in mind whom you are downloading from and review what you install. The ModSecurity project itself publishes the Core Rules, a fairly extensive set. You can fetch them from the project's download page or directly with wget:
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz
Since these rules are more advanced than the default rules shipped with the 2.1.1 package, first remove the defaults:
rm /etc/apache2/modules.d/mod_security/*
Then copy the core rules tarball you just downloaded into the rules directory and unpack it:
cp modsecurity-core-rules_2.1-1.4.tar.gz /etc/apache2/modules.d/mod_security/
cd /etc/apache2/modules.d/mod_security/
tar xzvf modsecurity-core-rules_2.1-1.4.tar.gz
Before using them, change the log paths in the configuration file:
nano -w /etc/apache2/modules.d/mod_security/modsecurity_crs_10_config.conf
Change the log directory from /logs to /var/log/apache2/ on the two lines that set the audit and debug log (lines 176 and 270 in this release), so that they read:
SecAuditLog /var/log/apache2/modsec_audit.log
SecDebugLog /var/log/apache2/modsec_debug.log
The debug log at a high SecDebugLogLevel records almost every step of rule processing for every request, so keep the level low (0 to 3) on a production server and raise it only while troubleshooting a rule.
If you want even more rule sets, there is also one from http://www.gotroot.com. Again, any rule files you place in /etc/apache2/modules.d/mod_security/ are loaded automatically when Apache (re)starts.
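As an added example (not from the wiki page or the ModSecurity project), the following shell function writes a small local rule file into the rules directory from this section so that it is picked up at the next restart. The settings it writes make explicit what the text above relies on: the engine mode (start with DetectionOnly while tuning against false positives, then switch to On), request body access (without it POST parameters are never inspected), the audit and debug log paths from the previous step, and the 2.x form of a keyword rule. The file name modsecurity_crs_15_local.conf, the function names and the 403 deny status are this example's own choices; the name sorts after the Core Rules configuration file, so Apache reads these settings after it and they take effect over it.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki or the ModSecurity project.
# Assumptions: rule files in the given directory are included by Apache
# (as on this page); the file name modsecurity_crs_15_local.conf is our
# own choice and sorts after modsecurity_crs_10_config.conf.
set -eu

# write_local_rules DIR KEYWORD [MODE]: write DIR/modsecurity_crs_15_local.conf
# and print its path. MODE defaults to DetectionOnly (log, never block).
write_local_rules() {
    dir="$1"
    keyword="$2"
    mode="${3:-DetectionOnly}"
    cat > "$dir/modsecurity_crs_15_local.conf" <<EOF
# Local ModSecurity 2.x settings, loaded after the Core Rules config file.
SecRuleEngine $mode
# Without this the request body is never read, so POST parameters are
# not inspected at all; only the query string would be checked.
SecRequestBodyAccess On
# Upper bound for a request body in bytes; raise it if you accept uploads.
SecRequestBodyLimit 131072
# Audit only requests that were denied or errored, not every request.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
SecAuditLog /var/log/apache2/modsec_audit.log
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
# 2.x replacement for the 1.x "SecFilter KEYWORD": match the keyword
# case-insensitively in any GET or POST parameter and deny with 403.
SecRule ARGS "$keyword" "phase:2,t:lowercase,deny,status:403,log,msg:'local keyword $keyword'"
EOF
    printf '%s\n' "$dir/modsecurity_crs_15_local.conf"
}

# Syntax-check the whole Apache configuration before restarting, if the
# control script is available on this host.
apache_configtest() {
    if command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl configtest
    else
        echo "apache2ctl not found; skipping configuration check" >&2
    fi
}

# Usage (as root):
#   write_local_rules /etc/apache2/modules.d/mod_security select
#   apache_configtest && /etc/init.d/apache2 restart
```

Start with the default DetectionOnly mode, restart Apache as in the next step, watch the logs for false positives from your own application's traffic, and only then call the function again with On as the third argument.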
Restart apache
/etc/init.d/apache2 restart
Then check that a request such as http://www.yourdomain.de/index.php?a=/bin/sh is blocked and that the denial shows up in Apache's error log and in /var/log/apache2/modsec_audit.log.
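As an added example (not part of the wiki page or the ModSecurity project), a small script that makes this check repeatable: it requests a normal page and the two probe URLs shown on this page, compares the status codes with what the rules should return, and counts the "Access denied" lines ModSecurity writes to the error log. It assumes curl is installed, that the site answers at the URL in BASE, that blocked requests get status 403 (the status used in the rule example above; adjustable through DENY_STATUS) and that the error log is /var/log/apache2/error_log (adjust ERROR_LOG to your setup). The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki or the ModSecurity project.
# Assumptions: curl is installed, the site answers at $BASE, blocked
# requests get status $DENY_STATUS (403 as in the rule example above)
# and Apache's error log is $ERROR_LOG. All three can be overridden
# from the environment.
set -u
BASE="${BASE:-http://localhost}"
DENY_STATUS="${DENY_STATUS:-403}"
ERROR_LOG="${ERROR_LOG:-/var/log/apache2/error_log}"

# Pure helper: is this HTTP status the one our deny rules return?
is_blocked() {
    [ "$1" = "$DENY_STATUS" ]
}

# Fetch only the status code; on a connection failure curl prints 000.
status_of() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# probe URL blocked|allowed: print the outcome, return 0 if it matches.
probe() {
    url="$1"; expect="$2"
    code="$(status_of "$url")"
    if is_blocked "$code"; then got=blocked; else got=allowed; fi
    if [ "$got" = "$expect" ]; then
        printf 'OK   %-60s %s\n' "$url" "$code"
        return 0
    fi
    printf 'FAIL %-60s %s (expected %s)\n' "$url" "$code" "$expect"
    return 1
}

# Number of requests ModSecurity denied according to an Apache error log.
denied_count() {
    grep -c 'ModSecurity: Access denied' "$1" || true
}

run_checks() {
    rc=0
    # A harmless request must not be blocked, or the rules are too strict.
    probe "$BASE/index.php" allowed || rc=1
    # The two probes from this page: command injection and SQL injection.
    probe "$BASE/index.php?a=/bin/sh" blocked || rc=1
    probe "$BASE/login.php?username=admin%27;DROP%20TABLE%20users--" blocked || rc=1
    if [ -r "$ERROR_LOG" ]; then
        printf 'requests denied so far according to %s: %s\n' \
            "$ERROR_LOG" "$(denied_count "$ERROR_LOG")"
    fi
    return $rc
}

# Run only when asked, so the functions can also be sourced by other scripts.
# Usage: RUN_CHECKS=1 BASE=http://www.yourdomain.de sh check_modsec.sh
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

A FAIL on the harmless request means a rule is too broad for your application and needs tuning in DetectionOnly mode first; a FAIL on a probe means either the rule set is not loaded (check that Apache was restarted with -D SECURITY) or the engine is still in DetectionOnly mode.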
