Pages

Wednesday, March 27, 2013

How to install mod_security for Apache

What is mod_security?

ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting as
a powerful umbrella - shielding applications from attacks. ModSecurity
supports both branches of the Apache web server.
 
You can install mod_security on Apache 1.3x or 2.x

Installation steps :
 
1) Download modsecurity-apache-1.9.2
# wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
# tar zxvf modsecurity-apache-1.9.2.tar.gz
# cd modsecurity-apache-1.9.2/

2) Now you need to determine which version of apache you use:
If it's APACHE 1.3.x then
# cd apache1/
If it's APACHE 2.x then
# cd apache2/

Note : To check apache version give httpd -v command or type http://ip/xyz
you will get apache version.

3) Lets Compile the module now:
Find apxs files path
# locate apxs
If path is /usr/sbin/apxs then give following command
# /usr/sbin/apxs -cia mod_security.c

4) Ok, now its time to edit the httpd conf file. First we will make a
backup just incase something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
or
cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup

5) Now that we have backed it all up, we can edit the httpd.conf. Replace
pico with nano depending on what you have
vi /usr/local/apache/conf/httpd.conf
or
vi /etc/httpd/conf/httpd.conf
 
Now add this :
-------------------------------

SecFilterEngine On

SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterScanPOST On

SecFilterDefaultAction "deny,log,status:403"

SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

SecFilterSelective HTTP_Transfer-Encoding "!^$"

SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "../"

SecFilter "viewtopic.php?" chain
SecFilter "chr(([0-9]{1,3}))" "deny,log"

SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config.php?v=1&DIR "
SecFilterSelective THE_REQUEST "/../../ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Weaker XSS protection but allows common HTML tags
SecFilter ""

:wq!
--------------------------------

6) Restart apache

# service httpd restart

You've successfully installed mod_security! 

No comments:

Post a Comment