

Apache: Configuring mod_security (modsecurity) for Apache on Fedora.

INTRODUCTION

Most people today know or have some idea what a firewall is.  For those not too familiar with it, it is essentially a piece of software or hardware that sits between your computer and the internet (the outside world) and helps prevent unauthorized access to your computer / workstation.  The firewall does this by blocking certain ports on your workstation that applications normally use to communicate over networks, which hides vulnerable applications from potentially malicious break-in attempts.  A typical firewall's granularity ranges from filtering the protocols allowed on a single IP and the direction of the traffic (IN / OUT = TO / FROM your computer) to blocking entire ranges of IPs (for example 50.N.N.N to 150.N.N.N).  That is the broad range of what a typical firewall can do.

What it does not do is filter based on the content of the traffic on a single IP and a single protocol, in either direction.  That is, it does not look at what the traffic going in and out actually contains in order to decide whether its intent is good or bad.  The web, which uses port 80, is the prime example.  We know very well that viruses, spyware and malware can get into our systems while we browse, and firewalls are typically not designed to tell the difference.  For example, a request such as this:

 http://<your IP>/'c:\; format c:'

cannot be distinguished by your operating system or firewall from

http://<your IP>/

Simply put, to your computer, firewall or not, the two requests on port 80 (World Wide Web / http) are identical in terms of safety.

This is where mod_security comes in.  It scans all traffic on port 80 coming into and going out of your PC, matches it against a set of rules we can write and, based on those rules, decides to deny, warn about or allow the traffic.  So, for example, if we know of a certain break-in attempt and have gathered data on it, we can write a rule to block it on port 80.  We can then distinguish between the two examples above, denying the first (it contains format c:) and allowing the second.

SETUP

mod_security has progressed significantly in the past few years and is fairly easy to install and configure.  In fact, as we will see, it comes out of the box with a set of rules that catch most of the common intrusion types seen on port 80 (httpd / www).  This makes for a fairly easy setup and configuration.

BASIC INSTALLATION

  1. yum search mod_security  (or yum search modsecurity)
    (Should yield mod_security.i386 as one of the results: mod_security.i386 : Security module for the Apache HTTP Server)
  2. yum install mod_security
    (This installed package mod_security-2.5.6-1.fc10.i386)
  3. rpm -ql mod_security-2.5.6-1.fc10.i386
    /etc/httpd/conf.d/mod_security.conf
    /etc/httpd/modsecurity.d
    /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_20_protocol_violations.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_23_request_limits.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_35_bad_robots.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_45_trojans.conf
    /etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf
    /etc/httpd/modsecurity.d/modsecurity_localrules.conf

    /etc/httpd/modsecurity.d/optional_rules
    /etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_20_protocol_violations.conf
    /etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
    /etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_40_generic_attacks.conf
    /etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_42_comment_spam.conf
    /etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_42_tight_security.conf
    /etc/httpd/modsecurity.d/optional_rules/modsecurity_crs_55_marketing.conf
    /usr/lib/httpd/modules/mod_security2.so
    /usr/share/doc/mod_security-2.5.6
    /usr/share/doc/mod_security-2.5.6/CHANGES
    /usr/share/doc/mod_security-2.5.6/LICENSE
    /usr/share/doc/mod_security-2.5.6/README.TXT
    .
    .
    (The most important items are the Apache HTTPD .so module, the .conf rule files under modsecurity.d and the main mod_security.conf.)
  4. rpm --verify mod_security-2.5.6-1.fc10.i386
    (Checks the installed files against the RPM database: MD5 checksums, modification times, permissions etc. as recorded when the RPM was installed.  No news (no output) is good news in this case.)
  5. rpm -q --whatprovides /usr/lib/httpd/modules/mod_security2.so
    mod_security-2.5.6-1.fc10.i386 (Verify where mod_security2.so came from, in case old copies resided.)
  6. cat /etc/httpd/conf/httpd.conf|grep "Include conf.d"
    Include conf.d/*.conf
    (This ensures that mod_security.conf will be loaded automatically.  mod_security.conf will then load mod_security2.so.)
  7. OPTIONAL: Follow Linux: Enable extended httpd status reports in Apache if you have not already.  Test with service httpd fullstatus (If there is no error and you get detailed printouts, you are fine.)
  8. Run apachectl configtest to check the config file for syntax errors or simply run service httpd restart.
  9. Test the configuration for some basic intrusion attempts.  Type
    http://localhost/update.php?entries=2837%27;DELETE%20FROM%20t_entries--
    in a browser.  It simulates an SQL injection.
  10. Check the log file with
    # tail -f /var/log/httpd/error_log
    [Tue Jan 13 01:11:16 2009] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? …" at ARGS:user. [file "/etc/httpd/modsecurity.d/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "delete from"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "localhost"] [uri "/login.php"] [unique_id "SWwwhMCoAAQAACz4CDwAAAAA"]

    The result in error_log tells you the attempt was caught but only a Warning was issued.

  11. You're done!   (w/ basic configuration)
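To go from the warning seen in step 10 to actually blocking the two requests discussed in the introduction and in step 9, here is an added example of a local rule file (our own, not from the original post or the Fedora package), intended for the /etc/httpd/modsecurity.d/modsecurity_localrules.conf file from the rpm listing. The rule ids, the audit log path and the assumption that the packaged configuration only warns are ours.

```apache
# Added example, not from the original post: local rules for ModSecurity 2.5.x,
# meant for /etc/httpd/modsecurity.d/modsecurity_localrules.conf (a file from the
# rpm listing above). Rule ids 1-99999 are the range the Core Rule Set leaves
# free for local rules; the ids and the audit log path below are our own choice.

# Inspect request and response bodies, and block rather than only log.
# (SecRuleEngine DetectionOnly would give warnings like the one in error_log.)
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html

# Defaults inherited by every rule below that does not say otherwise: run in
# phase 2 (request headers and body available), log to error_log and the
# audit log, and reject the request with 403.
SecDefaultAction "phase:2,deny,log,auditlog,status:403"

# 1. The "format c:" request from the introduction. REQUEST_URI is still
#    URL-encoded, so decode and lower-case before matching; ARGS is decoded
#    already and the extra decode only matters for double-encoded input.
SecRule REQUEST_URI|ARGS "format\s+[a-z]:" \
    "id:1001,t:urlDecodeUni,t:lowercase,msg:'OS command in request',severity:'2'"

# 2. The SQL injection test URL from step 9 (...;DELETE FROM t_entries--).
#    The packaged generic_attacks rule only warned on it; this rule answers 403.
SecRule ARGS "delete\s+from\s+\w+" \
    "id:1002,t:urlDecodeUni,t:lowercase,msg:'SQL DELETE in query argument',severity:'2'"

# 3. Outbound direction: if an injection did reach the database, do not let the
#    database error text leave the server (phase 4 = response body).
SecRule RESPONSE_BODY "you have an error in your sql syntax" \
    "id:1003,phase:4,t:lowercase,deny,status:500,msg:'SQL error leaked in response',severity:'2'"

# Keep a detailed audit record only for requests that were blocked (any 4xx
# except 404, and 5xx); error_log keeps the one-line summary shown in step 10.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log
```

After saving the file, run apachectl configtest and restart httpd as in step 8; repeating the URL from step 9 should then return a 403 and the error_log line should say Access denied instead of Warning.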

Now follow the link below to Security: Round cube webmail scans spreading on the web: roundcube, msgimport, nonexistenshit and webmail, where we add example rules for some real-life situations.

Cheers!



  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

This work is licensed under a Creative Commons Attribution 3.0 Unported License