What is mod_security?
mod_security is a filter for the requests and responses passing to and from an Apache web server, a web application firewall that is, in effect, the Snort of web applications.
As an example, let's say "super haxor" fires up their kiddie "Auto Haxs 4000" script and begins to pummel your web server with an exploit for every known vulnerability in every known web application, perhaps even some that are not yet known to the public. As mod_security parses each request, it matches it against patterns that indicate attempts at SQL injection, command injection, XSS and so on, and answers with a generic error instead of passing the request on. Because it matches the shape of the attack (the injection syntax) rather than the particular hole being targeted, it can stop an exploit for a vulnerability nobody has published yet, as long as the payload looks like an injection. Super haxor's attack attempts never touch your web application.
In another scenario, Paul and Larry are doing a penetration test on your web server. They request a page that does not exist, hoping the resulting 404 page will reveal the operating system and web server version so they can fingerprint the box. As the response passes back through mod_security, it matches the server information in the response and replaces it with a generic, administrator-defined message.
mod_security thus adds another layer of protection to your web server and the applications it hosts, in keeping with pauldotcom.com's "defense in depth" mantra. It is a layer, not a substitute for fixing the application: a filter that matches patterns can be evaded by a payload it has not seen, so keep patching behind it.
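To make the two scenarios concrete, here are the directives, in ModSecurity's own rule language, that would implement them. This is an added example written for this article; it is not taken from the original post or from the Core Rules, and the rule ids (900100, 900101), the regular expressions and the replacement banner "Web Server" are my own choices, far less complete than what the Core Rules ship.

```apache
# Turn the engine on and let it read POST bodies, so that phase 2 rules
# (which run once the whole request has been read) also see form fields.
SecRuleEngine On
SecRequestBodyAccess On

# Scenario 1: a scanner stuffs "' OR 1=1" or "UNION SELECT" into a parameter.
# ARGS covers query string and body parameters. The engine has already
# URL-decoded them once; t:urlDecodeUni decodes a second layer, which is how
# scanners try to slip past naive filters. The client gets a bare 403 and the
# request never reaches the application.
SecRule ARGS "@rx (?i:'\s*or\s+\d+\s*=\s*\d+|union\s+(?:all\s+)?select)" \
    "phase:2,t:none,t:urlDecodeUni,t:removeNulls,deny,status:403,log,auditlog,msg:'SQL injection probe in request argument',id:'900100'"

# Same idea for command injection: a shell metacharacter followed by one of
# a handful of commands an attacker runs first to see what they landed on.
SecRule ARGS "@rx (?i:[;|`]\s*(?:cat|ls|id|uname|wget|curl)\b)" \
    "phase:2,t:none,t:urlDecodeUni,deny,status:403,log,auditlog,msg:'Command injection probe in request argument',id:'900101'"

# Scenario 2: do not tell Paul and Larry what they are talking to.
# ModSecurity overwrites the Server: header in place, so Apache must first be
# told to emit the full string (otherwise there is not enough room to write).
ServerTokens Full
SecServerSignature "Web Server"
# The default 404 page carries its own "Apache/2.x (Ubuntu) Server at ..."
# footer; that part is plain Apache and is switched off here.
ServerSignature Off
```

Put these in the main server context (or in the 10_config file from the Core Rules, which already sets the first two directives) and check the effect with a request such as `curl -si 'http://localhost/?id=1%27%20or%201=1'`: the response should be a 403 whose Server: header reads "Web Server".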
How do I install mod_security?
This guide covers installing mod_security on Ubuntu 7.10 for Apache 2. Since, at the time of writing, there is no package for mod_security in Ubuntu due to licensing issues, we have to install it from source.
Use the Source, Luke
Download the latest mod_security tarball from the mod_security site, http://www.modsecurity.org/download/direct.html . You only need the current modsecurity-apache archive.
Now get the necessary packages for compiling mod_security on Ubuntu with this command:
sudo apt-get install automake g++ apache2-threaded-dev \
dpkg-dev libxml2 libxml2-dev
Now compile and install mod_security with the following commands:
cd <modsecurity download directory>/apache2
./configure
make
sudo make install
Apache Conf Files
Now that the mod_security module is installed in your Apache 2 modules directory, we have to create a few configuration files so that Apache knows to load the module and where to find its rules.
Create a file called /etc/apache2/mods-available/security2.load with the following contents:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
<IfModule !mod_security2.c>
error_mod_security2_is_not_loaded
</IfModule>
<IfModule mod_security2.c>
Include /etc/apache2/modsecurity_crs/*.conf
</IfModule>
Next create a /etc/apache2/modsecurity_crs directory and copy all of the Core Rules into it (the path below must be one argument, so do not let a line break split it):
sudo mkdir /etc/apache2/modsecurity_crs
sudo cp <mod_security download directory>/rules/*.conf /etc/apache2/modsecurity_crs/
You should now take a look at the rule files to make sure the settings are as you like them. For the most part I only modified lines in the modsecurity_crs_10_config.conf file. This file lets you enable different portions of the engine; I enabled the directives to scan all XML content. In particular you will want to look at the paths where mod_security keeps its log files and working directories (SecUploadDir, SecTmpDir and SecDataDir hold runtime state rather than logs, but they need the same ownership). I changed all of them to the following:
SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir
After the settings were made I created the directories and locked them down to the Apache user with the following commands. The audit log records complete requests, including cookies, session tokens and any passwords submitted in forms, so nobody but www-data should be able to read it:
sudo mkdir /var/log/modsecurity
sudo mkdir /var/log/modsecurity/SecDataDir
sudo mkdir /var/log/modsecurity/SecTmpDir
sudo mkdir /var/log/modsecurity/SecUploadDir
sudo mkdir /var/log/modsecurity/SecAuditLog
sudo mkdir /var/log/modsecurity/SecAuditLogStorageDir
sudo mkdir /var/log/modsecurity/SecDebugLog
sudo chown -R www-data:www-data /var/log/modsecurity
sudo chmod -R a-rwx /var/log/modsecurity/
sudo chmod -R u+rwx /var/log/modsecurity/
I also had some trouble using mod_security with my Drupal installation. mod_security was rejecting requests with the application/xml content type, so I added "application/xml" to the regular expression in modsecurity_crs_30_http_policy.conf on line 72. The first line of that rule now looks like this:
SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml|application/xml)"
Two caveats: the new alternative, like the existing text/xml one, is not anchored, so any Content-Type that merely contains that substring passes the check; and edits made directly to a Core Rules file are lost when you upgrade the rules, so a local exception in a file of your own is the more durable fix.
There are also some other rule sets in the modsecurity-apache_2.1.5/rules/optional_rules/ directory. You may want to take a look at them and place them into your /etc/apache2/modsecurity_crs/ if desired.
Enable and Test
You should now have everything in place to run Apache 2 with mod_security. mod_security relies on mod_unique_id for the transaction ids in its audit log; the module ships with Ubuntu's apache2 but is not enabled by default, so enable both modules, check the configuration for syntax errors, and then reload Apache:
sudo a2enmod unique_id
sudo a2enmod security2
sudo apache2ctl configtest
sudo /etc/init.d/apache2 reload
Hopefully Apache 2 restarts with no errors. Once it is back up, exercise your web application with mod_security enabled. If the application now misbehaves, find the rule blocking it in the audit log (the H section of each entry records the rule that fired, with its id and message) and use the fabulous web application debugging tool Firebug to see which requests are failing.
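The tuning loop just described, running into a false positive like the Drupal one above and tracking it down in the audit log, is easier when the fix lives in a file of your own rather than in the Core Rules. The following local configuration file is an added example, not part of the original post or the Core Rules; the file name, the /drupal/ location and the rule id 960010 are assumptions, the last standing in for whatever id appears in the [id "..."] tag of the audit log entry that blocked your application.

```apache
# /etc/apache2/modsecurity_crs/modsecurity_crs_99_local.conf   (assumed name)
# The "99_" prefix sorts after every Core Rules file, so the Include of *.conf
# loads it last. That matters twice: SecRuleRemoveById can only remove a rule
# that has already been defined, and a later SecRuleEngine overrides the one
# set in modsecurity_crs_10_config.conf.

# Step 1: while tuning, match and log everything but block nothing. Audit log
# messages then start with "Warning." instead of "Access denied". Switch back
# to On once the log stays quiet for a day of normal traffic.
SecRuleEngine DetectionOnly

# Step 2: only audit transactions that matched a rule or ended in an error
# status, not every hit. 10_config may already say this; repeated here because
# the debugging step depends on it.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABCFHZ

# Step 3: the H section of the offending entry names the rule, roughly:
#   Message: Access denied with code 501 (phase 2). ... [id "960010"]
#   [msg "Request content type is not allowed by policy"]
# Disable that one rule, and only for the one application that needs it. The
# rest of the site keeps the content-type policy, and a Core Rules upgrade
# cannot silently undo the exception.
# Assumed: Drupal is served under /drupal/ and the rule's id is 960010.
<LocationMatch "^/drupal/">
    SecRuleRemoveById 960010
</LocationMatch>
```

Run `sudo apache2ctl configtest` after each change to this file; a wrong id is silently ignored, but a typo in a directive name stops Apache from reloading.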
Conclusion
If you are deploying an Apache 2 server that is going to be running any sort of web application, I highly recommend that you take a look at mod_security. The hour you spend installing it could save you from a lawsuit or embarrassing explanations to your customers.
Tuesday, September 30, 2008
Installing The mod_security Module for Apache on Ubuntu
Labels: apache, application, firewall, mod_security, modsecurity, ubuntu, web
18 comments:
Good paper... but there is an error!!!!
This string....
SecAuditLog /var/log/modsecurity/SecAuditLogStorageDir
is
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
Good work!!!
Bye...
I get errors installing apache2-threaded-dev... what should I do? I tried -f.
/tmp/modsecurity-apache_2.5.7/apache2# sudo apt-get install automake g++ apache2-threaded-dev \
>
Reading package lists... Done
Building dependency tree... Done
Note, selecting automake1.4 for regex 'automake'
g++ is already the newest version.
You might want to run 'apt-get -f install' to correct these:
The following packages have unmet dependencies.
apache2-threaded-dev: Depends: libapr0-dev (= 2.0.55-1001.0) but it is not going to be installed
Depends: libssl-dev but it is not going to be installed
Depends: libdb4.3-dev but it is not going to be installed
Depends: zlib1g-dev but it is not going to be installed
Depends: libpcre3-dev but it is not going to be installed
libcurl4-gnutls-dev: Depends: libcurl3-gnutls (= 7.18.2-8) but it is not going to be installed
Depends: libgnutls-dev
Depends: zlib1g-dev but it is not going to be installed
Depends: libidn11-dev but it is not going to be installed
Depends: libkrb5-dev but it is not going to be installed or
hurd but it is not installable
Depends: libldap2-dev but it is not going to be installed
E: Unmet dependencies. Try 'apt-get -f install' with no packages (or specify a solution).
@HJ
Those errors look OK actually... mod_security just needs the header files from apache to do the building...
Dan
@Raiz82
Thanks! Fixed.
Dan
I have a problem installing mod_security. I have libxml2 installed (and libxml2.so in usr/lib) but mod_security doesn't find it. (I've tried even --with-libxml=/usr/lib/libxml2.so).
Thanks,
Symba
There is a small error in the security2.conf.
The following line should be included:
LoadModule unique_id_module /path/to/apache2/modules/mod_unique_id.so
for those missing the libxml2, do an apt-get install libxml2-dev, and that should solve the problem, at least it did for me
cheers!
Thanks this was very useful
Thanks for paper!
I have a problem installing mod_security. I have libxml2 installed (and libxml2.so in usr/lib) but mod_security doesn't find it.
thanks, this helped a lot at http://repat.de :)
I have installed mod_security and when I try to restart the Apache server it gives me the following error:
* Starting web server apache2 apache2: Syntax error on line 204 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/security2.load: Cannot load /usr/lib/apache2/modules/mod_security2.so into server: libpcre.so.0: cannot open shared object file: No such file or directory
GOT STUCK ...Any Assistance ??
I just implemented server information masking with modsec. This is a very useful module to harden your Apache server.
There is a mod_security package in Synaptic package manager of Ubuntu 10.04 Lucid. I simply installed that package. I see it did config in /etc/apache2/mod-enabled, but I don't know if mod_sec is working. Do I have to manually install rules as per this blog page?
So far I can't see any indication in apache2 logs that mod_sec is doing anything. No audit.log has been created.