Welcome to another Sysadmin & DBA Tips. In this post I’ll explain how to install and configure ModSecurity, an open source web application firewall that protects your personal or business web applications.
With over 70% of all attacks now carried out at the web application level, organisations need all the help they can get in making their systems secure. Web application firewalls are deployed to establish an external security layer that increases security and detects and prevents attacks before they reach the web applications.
Before installing, ModSecurity requires the following additional components:
The apxs binary is provided by the Apache development tools package, or is present by default if you installed Apache from source.
The libxml2 library can be installed with the server's package manager (aptitude, yum, etc.).
The mod_unique_id module must be built and installed from the Apache source tree (the path below is this server's layout):
/usr/local/etc2/apache22/bin/apxs -cia /usr/local/etc/httpd-2.2.21/modules/metadata/mod_unique_id.c
ModSecurity needs the Core Rule Set (CRS) to provide generic protection against unknown vulnerabilities often found in web applications, which are in most cases custom coded.
In order to provide generic web application protection, the Core Rules use the following techniques:
- HTTP Protection – detecting violations of the HTTP protocol and of a locally defined usage policy.
- Real-time Blacklist Lookups – utilizes third-party IP reputation data.
- Web-based Malware Detection – identifies malicious web content by checking against the Google Safe Browsing API.
- HTTP Denial of Service Protections – defense against HTTP flooding and slow HTTP DoS attacks.
- Common Web Attacks Protection – detecting common web application security attacks.
- Automation Detection – detecting bots, crawlers, scanners and other such malicious activity.
- Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
- Tracking Sensitive Data – tracks credit card usage and blocks leakages.
- Trojan Protection – detecting access to Trojan horses.
- Identification of Application Defects – alerts on application misconfigurations.
- Error Detection and Hiding – disguising error messages sent by the server.
Download and install the latest stable version (at this moment 2.7.3):
wget http://www.modsecurity.org/tarball/2.7.3/modsecurity-apache_2.7.3.tar.gz
tar -xvzf modsecurity-apache_2.7.3.tar.gz
cd modsecurity-apache_2.7.3
./configure --prefix=/usr/local/etc2/modsecurity --with-apxs=/usr/local/etc2/apache22/bin/apxs
make
make install
Integrating ModSecurity with Apache
Copy the ModSecurity module file (mod_security2.so), which resides in $MODSECURITY_PATH/lib, to $APACHE_PATH/modules.
cp -pr /usr/local/etc2/modsecurity/lib/mod_security2.so /usr/local/etc2/apache22/modules
The next step is to load it in the Apache configuration file by adding a line that tells the web server about the new module:
LoadModule security2_module modules/mod_security2.so
Download the Core Rule Set from the OWASP ModSecurity CRS project site.
Now it is time to load the ModSecurity configuration and rules.
Copy the default configuration file provided by the package to your Apache configuration directory:
mkdir -p /usr/local/etc2/apache22/conf/mod_security
cd modsecurity-apache_2.7.3
cp -pr modsecurity.conf-recommended /usr/local/etc2/apache22/conf/mod_security/modsecurity.conf
Copy the rules that we downloaded previously to your Apache configuration directory:
- Copy the modsecurity_crs_10_setup.conf.example file to modsecurity_crs_10_setup.conf and customize the settings for your local environment.
cp -pr modsecurity_crs_10_setup.conf.example /usr/local/etc2/apache22/conf/mod_security/modsecurity_crs_10_setup.conf
- Enable the CRS rule files you want to use by creating symlinks under the “activated_rules” directory. The .data files are linked as well, because the rule files reference them relative to their own location.
mkdir -p /usr/local/etc2/apache22/conf/mod_security/crs/activated_rules
cp -pr base_rules optional_rules slr_rules /usr/local/etc2/apache22/conf/mod_security/crs/
cd /usr/local/etc2/apache22/conf/mod_security/crs
for f in base_rules/* ; do ln -s /usr/local/etc2/apache22/conf/mod_security/crs/$f activated_rules/${f##*/} ; done
for f in optional_rules/* ; do ln -s /usr/local/etc2/apache22/conf/mod_security/crs/$f activated_rules/${f##*/} ; done
- Include these rules in the modsecurity.conf configuration file (Include paths are relative to the Apache ServerRoot, and the setup file is the one copied in the previous step):
Include conf/mod_security/modsecurity_crs_10_setup.conf
Include conf/mod_security/crs/activated_rules/*.conf
- And include the modsecurity.conf configuration file in the apache2.conf main configuration file:
Include conf/mod_security/modsecurity.conf
- Restart the web server and check that everything is fine.
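As an added example that is not part of the original post, the following script performs the rule activation step above in a re-runnable way and checks the result before the restart: it links every file of the requested rule sets (rule .conf files and the .data lists they reference) into activated_rules, then looks for dangling links, which Apache would otherwise report only when it is restarted. It assumes the post's directory layout (overridable through CRS_ROOT) and builds a throwaway rule tree for its self-check, so it needs no Apache to run; the file names in the self-check are real CRS 2.2 names, the tree itself is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): activate CRS rule sets as
# symlinks and verify the result before restarting Apache.
CRS_ROOT=${CRS_ROOT:-/usr/local/etc2/apache22/conf/mod_security/crs}

# Link every file of the given rule sets (e.g. base_rules optional_rules) into
# $CRS_ROOT/activated_rules. .data files are linked too, because the rule files
# reference them relative to their own location. Re-runs replace existing links.
activate_crs_rules() {
    mkdir -p "$CRS_ROOT/activated_rules"
    for set in "$@"; do
        for f in "$CRS_ROOT/$set"/*; do
            [ -f "$f" ] || continue        # set directory empty or missing
            ln -sf "$f" "$CRS_ROOT/activated_rules/${f##*/}"
        done
    done
}

# Return 1 and print the names of any dangling links in activated_rules
# (a rule set that was removed or moved after activation).
check_activated_rules() {
    rc=0
    for l in "$CRS_ROOT/activated_rules"/*; do
        [ -e "$l" ] && continue
        [ -L "$l" ] || continue            # glob matched nothing
        echo "dangling: $l"
        rc=1
    done
    return $rc
}

# Number of activated rule (.conf) files, i.e. what the Include glob will load.
activated_rule_count() {
    ls "$CRS_ROOT/activated_rules"/*.conf 2>/dev/null | wc -l | tr -d ' '
}

# Self-check on a constructed tree: two rule sets, three .conf files, one .data
# file, plus one deliberately dangling link. Prints "<conf count> <dangling flag>".
selfcheck() {
    saved=$CRS_ROOT
    tmp=$(mktemp -d)
    CRS_ROOT="$tmp/crs"
    mkdir -p "$CRS_ROOT/base_rules" "$CRS_ROOT/optional_rules"
    : > "$CRS_ROOT/base_rules/modsecurity_crs_20_protocol_violations.conf"
    : > "$CRS_ROOT/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"
    : > "$CRS_ROOT/base_rules/modsecurity_35_bad_robots.data"
    : > "$CRS_ROOT/optional_rules/modsecurity_crs_10_ignore_static.conf"
    activate_crs_rules base_rules optional_rules
    n=$(activated_rule_count)                                   # expect 3
    ln -s "$CRS_ROOT/base_rules/gone.conf" "$CRS_ROOT/activated_rules/gone.conf"
    if check_activated_rules >/dev/null; then broken=0; else broken=1; fi   # expect 1
    rm -rf "$tmp"
    CRS_ROOT=$saved
    echo "$n $broken"
}

selfcheck
# Real run on the post's layout:
#   activate_crs_rules base_rules optional_rules && check_activated_rules
```

Run check_activated_rules after every change to the rule tree and before apachectl restart; a non-zero exit means a link points at a rule file that no longer exists.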
ModSecurity writes its audit log to the file specified in modsecurity.conf (the SecAuditLog directive); rule matches are also reported in the Apache error log.
By default the module runs in DetectionOnly mode, so that you can check that normal operations are not blocked by any core rule. If you’re sure that no rule causes problems, change SecRuleEngine from DetectionOnly to On and reload your Apache configuration:
SecRuleEngine On
#SecRuleEngine DetectionOnly
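Before switching the engine to On it helps to know which rules matched during the DetectionOnly period and on which URIs, so that each one can be reviewed as a real attack or a false positive on legitimate traffic. The script below, an added example rather than anything from the original post, does that over the ModSecurity alert lines in the Apache error log. The sample log lines embedded in it are constructed (hosts, URIs, timestamps and line numbers are illustrative); the rule ids 981243 and 960015 and their messages are real CRS 2.2 rules, and the error-log path in the comment is this post's layout.

```shell
#!/bin/sh
# Added example (not from the original post): summarise which Core Rules fired
# while SecRuleEngine was DetectionOnly, from the Apache error log.

# Constructed sample error-log lines in the ModSecurity 2.x alert format.
# Real run: rule_hit_summary < /usr/local/etc2/apache22/logs/error_log
SAMPLE_LOG='[Wed Apr 10 10:32:11 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)(select|union)" at ARGS:q. [file "/usr/local/etc2/apache22/conf/mod_security/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]
[Wed Apr 10 10:32:15 2013] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i)(select|union)" at ARGS:q. [file "/usr/local/etc2/apache22/conf/mod_security/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]
[Wed Apr 10 10:33:02 2013] [error] [client 192.0.2.11] File does not exist: /usr/local/www/htdocs/favicon.ico
[Wed Apr 10 10:34:40 2013] [error] [client 203.0.113.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc2/apache22/conf/mod_security/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/index.php"]
[Wed Apr 10 10:35:01 2013] [error] [client 203.0.113.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc2/apache22/conf/mod_security/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/index.php"]
[Wed Apr 10 10:36:19 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)(select|union)" at ARGS:user. [file "/usr/local/etc2/apache22/conf/mod_security/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/login"]'

# Read error-log lines on stdin and print "<hits> <rule id> <message>" for every
# rule that matched, most frequent first. Non-ModSecurity lines are ignored.
rule_hit_summary() {
    grep 'ModSecurity:' \
    | awk '
        match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[msg "[^"]*"\]/))
                msg[id] = substr($0, RSTART + 6, RLENGTH - 8)
            hits[id]++
        }
        END { for (id in hits) print hits[id], id, msg[id] }
    ' \
    | sort -rn
}

# Read error-log lines on stdin and print "<hits> <uri>" for the given rule id,
# so a match on a legitimate path (a search form, say) stands out from a scan.
uris_for_rule() {
    rule_id=$1
    grep "\[id \"$rule_id\"\]" \
    | sed -n 's/.*\[uri "\([^"]*\)"\].*/\1/p' \
    | sort | uniq -c | awk '{ print $1, $2 }' | sort -rn
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | rule_hit_summary
printf '%s\n' "$SAMPLE_LOG" | uris_for_rule 981243
```

A rule that fires repeatedly on one application path with ordinary-looking input is the case to review and tune (for example by excluding that parameter from the rule) before enabling blocking; a rule that fires from many clients on random paths is usually the scanner traffic the rule exists for, and should stay as it is.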
Additional configuration options are available; in my case I configured: