ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache Web server module, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.
-
Download tarball from modsecurity.org
Check that you have "httpd-devel" installed.
Backup your original "httpd.conf" file.
After extracting, compile and install from the relevant apache direcoty, via:
# apxs -cia mod_security.cThe module is automatically activated and you should see a similar line in the "httpd.conf" file.
LoadModule security_module modules/mod_security.soAdd the below ruleset to the apache conf file, just below the above LoadModule line.
# # mod_security ruleset BEGIN # <IfModule mod_security.c> # Turn the filtering engine On or Off SecFilterEngine On # Change Server: string SecServerSignature "Apache" # This setting should be set to On only if the Web site is # using the Unicode encoding. Otherwise it may interfere with # the normal Web site operation. SecFilterCheckUnicoRestart Apache for the module to be enabled.deEncoding Off # The audit engine works independently and # can be turned On of Off on the per-server or # on the per-directory basis. "On" will log everything, # "DynamicOrRelevant" will log dynamic requests or violations, # and "RelevantOnly" will only log policy violations SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog /var/log/httpd/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Action to take by default SecFilterDefaultAction "deny,log,status:403" # Require HTTP_USER_AGENT and HTTP_HOST in all requests # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" # Require Content-Length to be provided with # every POST request SecFilterSelective REQUEST_METHOD "^POST$" chain SecFilterSelective HTTP_Content-Length "^$" # Don't accept transfer encodings we know we don't handle # (and you don't need it anyway) SecFilterSelective HTTP_Transfer-Encoding "!^$" # Protecting from XSS attacks through the PHP session cookie SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" SecFilterSelect ive COOKIE_PHPSESSID "!^[0-9a-z]*$" # Protect against phpBB2 Exploits SecFilter "viewtopic\.php\?" chain SecFilter "chr\(([0-9]{1,3})\)" "deny,log" # Exploit phpBB Highlighting Code Execution Attempt SecFilterSelective THE_REQUEST "&highlight='\.system\(" # Exploit phpBB Highlighting SQL Injection SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\(" # Exploit phpBB Highlighting Code Execution - Santy.A Worm SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\( " # Exploit phpBB Highlight Exploit Attempt SecFilter "&highlight=\x2527\x252Esystem \(" # Block various methods of downloading files to a server SecFilterSelective THE_REQUEST "wget " SecFilterSelective THE_REQUEST "lynx " SecFilterSelective THE_REQUEST "scp " SecFilterSelective THE_REQUEST "ftp " SecFilterSelective THE_REQUEST "cvs " SecFilterSelective THE_REQUEST "rcp " SecFilterSelective THE_REQUEST "telnet " SecFilterSelective THE_REQUEST "ssh " SecFilterSelective THE_REQUEST "echo " SecFilterSelective THE_REQUEST "links -dump " SecFilterSelective THE_REQUEST "links -dump-charset " SecFilterSelective THE_REQUEST "links -dump-width " SecFilterSelective THE_REQUEST "links http:// " SecFilterSelective THE_REQUEST "links ftp:// " SecFilterSelective THE_REQUEST "links -source " SecFilterSelective THE_REQUEST "mkdir " SecFilterSelective THE_REQUEST "cd /tmp " SecFilterSelective THE_REQUEST "cd /var/tmp " SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy " </IfModule> # # mod_security ruleset END #
Check the audit log file located at "/var/log/httpd/audit_log" for any errors or if any legit traffic is being caught and adjust the ruleset accordingly.
Test the setup by running the "run-test.pl" script in the test folder.
- sandip's blog
- Login or register to post comments