What is mod_security?

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

You can install mod_security on Apache 1.3.x or 2.x.

Installation steps:

1) Download modsecurity-apache-1.9.2

# wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
# tar zxvf modsecurity-apache-1.9.2.tar.gz
# cd modsecurity-apache-1.9.2/

2) Now you need to determine which version of Apache you use.

If it's Apache 1.3.x then
# cd apache1/

If it's Apache 2.x then
# cd apache2/

Note: To check the Apache version, give the httpd -v command, or type http://ip/xyz and you will get the Apache version.

3) Let's compile the module now. Find the path of the apxs file:

# locate apxs

If the path is /usr/sbin/apxs, then give the following command:

# /usr/sbin/apxs -cia mod_security.c

4) OK, now it's time to edit the httpd.conf file. First we will make a backup, just in case something goes wrong:

# cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
or
# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup

5) Now that we have backed it all up, we can edit httpd.conf. Replace vi with pico or nano, depending on what you have:

# vi /usr/local/apache/conf/httpd.conf
or
# vi /etc/httpd/conf/httpd.conf

Now add this:

-------------------------------
# Turn the filtering engine on and hide the server version
SecFilterEngine On
SecServerSignature "Apache"
SecFilterCheckUnicodeEncoding Off

# Log only the requests that triggered a filter
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# Scan POST payloads; reject matching requests with a 403
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:403"

# Reject POST requests that have no Content-Length
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Reject requests that use a transfer encoding
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Session IDs may contain only digits and lowercase letters
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

# Path traversal
SecFilter "\.\./"

SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"

# Shell commands and known bad strings in the request
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "curl "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
SecFilterSelective THE_REQUEST "/config\.php\?v=1&DIR "
SecFilterSelective THE_REQUEST "/\.\./\.\./ "
SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
--------------------------------

Save the file and quit the editor:

:wq!

6) Restart Apache

# service httpd restart

You've successfully installed mod_security!
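
An added example, not part of the original post: a Python sketch that runs a subset of the filters above (regex metacharacters escaped) over constructed request lines, to show which filters fire and which legitimate requests the crude patterns would also deny. Python's re only approximates the module's regex engine and normalisation, and the function and sample names are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Subset of the filters from the configuration, regex metacharacters escaped.
RULES = [
    r"\.\./",
    r"delete[[:space:]]+from",
    r"insert[[:space:]]+into",
    r"select.+from",
    r"wget ",
    r"echo ",
]

def to_python_regex(pattern):
    # Python's re has no POSIX classes; translate the one used on the page.
    return pattern.replace("[[:space:]]", r"\s")

def matching_rules(request_line):
    """Return the filters that fire on one request line.

    Assumption: a single round of URL decoding stands in for the
    module's own normalisation, which does more than this.
    """
    decoded = unquote_plus(request_line)
    return [r for r in RULES if re.search(to_python_regex(r), decoded)]

# Constructed sample requests: (request line, expected to be legitimate?)
SAMPLES = [
    ("GET /index.php?id=42 HTTP/1.0", True),
    ("GET /search?q=select+a+seat+from+the+map HTTP/1.0", True),
    ("GET /forum?msg=please+echo+this+back HTTP/1.0", True),
    ("GET /view.php?file=../../secret.txt HTTP/1.0", False),
    ("GET /item.php?q=delete%20from%20users HTTP/1.0", False),
]

def false_positives(samples=SAMPLES):
    """Legitimate requests that would get the default action (deny, 403)."""
    return [(req, hits) for req, ok in samples
            if ok and (hits := matching_rules(req))]

if __name__ == "__main__":
    for req, ok in SAMPLES:
        print("legit " if ok else "attack", matching_rules(req) or "-", req)
```

Requests reported by false_positives() are the kind to look for in logs/audit_log once the rules are live, before deciding whether a filter needs narrowing.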