Thread: Installation and configuration of mod_security

  1. #1

    Installation and configuration of mod_security

    Mod_security is a firewall application that presents itself as a module for the Apache Web server. Its role is to detect and protect the server against attacks of all kinds: SQL injection, cross-site scripting (XSS) ... Here's how to install and configure it for basic use.


    Installation of mod_security

    To install Mod_security on an RPM-based distribution (Red Hat, CentOS, Fedora ...), open a terminal and run the following command as root:

    yum install mod_security
    Or this one for a distribution based on Debian:
    sudo apt-get install libapache2-mod-security2

  2. #2

    Re: Installation and configuration of mod_security

    Basic configuration of mod_security

    To set up the minimal configuration on a Debian-based distribution, just copy the example file like this:

    sudo cp /usr/share/doc/mod-security-common/examples/modsecurity.conf-minimal /etc/apache2/conf.d/mod-security.conf
    For RPM-based distributions (Red Hat, CentOS ...), the default configuration is already installed in /etc/httpd/modsecurity.d. The next step is to set some basic options so that the module works properly. Here is a sample configuration to add at the end of the file /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf:
    Code:
    # Mod_security is activated for all sites
    SecRuleEngine On

    # Server signature
    SecServerSignature "Skynet"

    # Allow mod_security to analyze request bodies;
    # response bodies are not analyzed
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Maximum size of the requests received (128k)
    SecRequestBodyLimit 131072

    # Store up to 128 KB in memory
    SecRequestBodyInMemoryLimit 131072

    # Maximum size of response bodies (512k)
    SecResponseBodyLimit 524288

    # Directory where mod_security can store information
    SecDataDir "/var/tmp/ModSecurity"

    # Managing logs
    # The three options are On, Off and RelevantOnly
    # RelevantOnly logs only the requests that generate an alert
    SecAuditEngine RelevantOnly
    # Specifies which status codes must be logged
    # e.g. ^[45] logs 4XX and 5XX server errors
    SecAuditLogRelevantStatus ^5
    SecAuditLogParts ABIFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/ModSecurity-audit.log

    # Debug log management
    SecDebugLog /var/log/httpd/ModSecurity-debug.log
    SecDebugLogLevel 0

  3. #3

    Re: Installation and configuration of mod_security

    Then create the directory that will contain information for Mod_security:
    mkdir /var/tmp/ModSecurity
    chown -R apache:apache /var/tmp/ModSecurity
    And restart Apache to take the changes into account:
    /etc/init.d/httpd restart
    And watch the log files to detect possible problems:
    tail -f /var/log/httpd/ModSecurity-audit.log
    tail -f /var/log/httpd/error_log
    For my part, I noticed these messages coming up often in the logs:
    Request Missing a Host Header
    Request Missing an Accept Header
    Request Missing a User Agent Header
    ...
    This happens when the client connecting to the server uses misconfigured headers. This is not really a security problem, or at least only if you are paranoid. So I turned off the layer that checks the headers like this:
    cd /etc/httpd/modsecurity.d/base_rules/
    mv modsecurity_crs_21_protocol_anomalies.conf \
    modsecurity_crs_21_protocol_anomalies.conf.disable
    I also disabled the rules that detect bad robots, because they block requests made to the site with wget or curl, and I have published many articles recommending these commands:
    mv modsecurity_crs_35_bad_robots.conf \
    modsecurity_crs_35_bad_robots.conf.disable

  4. #4

    Re: Installation and configuration of mod_security

    Disabling mod_security for a specific website

    Using Mod_security had some side effects on Tux-planet. In fact, I had many problems with the admin interface of WordPress. The module had a tendency to block certain actions such as writing articles or changing options ... Many sites provide exception rules to apply, but for me they were not working. As I am the only one who accesses the management interface, and it is already protected by a .htaccess, I chose to disable the security module for part of this site. Here is an example Apache configuration to disable Mod_security for a virtualhost:
    Code:
    # This disables mod_security for the WordPress admin
    <LocationMatch "/wp-admin">
      <IfModule mod_security2.c>
        SecRuleEngine Off
      </IfModule>
    </LocationMatch>

    Security Test

    I strongly discourage setting up Mod_security on a production server, not least because this kind of application firewall generates false positives. Here are some examples of tests that can be carried out. The following actions should be blocked, for example:
    • enter "' OR 1=1" in a search box
    • add "<script>xss</script>" at the end of a URL of the site
    • add "/../../etc/passwd" at the end of a URL of the site
    Also remember to test legitimate forms. For example, adding comments to a site based on WordPress, or adding a message on a forum, should function normally.
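
Added example, not part of the original posts: the recurring header alerts in post #3 and the blocked WordPress admin actions in post #4 are easier to judge once you know which rules fire and on which paths. This Python code tallies them from an audit log in the Serial format configured in post #2; the sample log, its rule ids and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Serial audit log layout (parts A, B, H, Z only).
# Transaction ids, addresses and rule ids are placeholders, not real CRS ids.
SAMPLE_LOG = """\
--aaaa0001-A--
[01/Jan/2011:10:00:00 +0100] TX0001 192.0.2.10 51234 192.0.2.1 80
--aaaa0001-B--
GET /feed/?page=2 HTTP/1.1
--aaaa0001-H--
Message: Warning. Operator EQ matched 0. [id "1001"] [msg "Request Missing an Accept Header"]
Message: Warning. Operator EQ matched 0. [id "1002"] [msg "Request Missing a User Agent Header"]
--aaaa0001-Z--
--aaaa0002-A--
[01/Jan/2011:10:00:05 +0100] TX0002 192.0.2.20 51300 192.0.2.1 80
--aaaa0002-B--
POST /wp-admin/post.php HTTP/1.1
--aaaa0002-H--
Message: Access denied with code 403 (phase 2). [id "2001"] [msg "Constructed body rule"]
Message: Warning. Operator EQ matched 0. [id "1001"] [msg "Request Missing an Accept Header"]
--aaaa0002-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")
RULE = re.compile(r'\[id "(\d+)"\].*?\[msg "([^"]*)"\]')

def tally_rules(log_text):
    """Map (rule id, msg) -> Counter of request paths that triggered it."""
    hits = defaultdict(Counter)
    part, path, want_request_line = None, "?", False
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(1)
            want_request_line = part == "B"   # request line is first in part B
            path = "?" if part == "A" else path  # new transaction resets path
        elif part == "B" and want_request_line:
            fields = line.split()
            path = fields[1].split("?")[0] if len(fields) >= 2 else "?"
            want_request_line = False
        elif part == "H" and line.startswith("Message:"):
            for rid, msg in RULE.findall(line):
                hits[(rid, msg)][path] += 1
    return hits

def report(hits):  # rows of (id, msg, total, paths), noisiest rule first
    rows = [(rid, msg, sum(c.values()), sorted(c)) for (rid, msg), c in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```

Calling `report(tally_rules(open(path).read()))` on the real audit log shows which rules account for most of the alerts, and whether they fire only under paths such as /wp-admin, before whole rule files are disabled.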
