Praji’s Weblog


ModSecurity


ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

The mod_security module runs on both Apache 1.3 and Apache 2.0. On most Linux distributions, however, you will need to build and install mod_security from source.

****************************************************************
Installing mod security for Apache
****************************************************************

The mod_security module, like all other Apache modules, is controlled from httpd.conf in Apache 1.3, or apache2.conf in Apache 2.

1. SSH to the server as root

2. Download the latest version of mod_security :

wget http://www.modsecurity.org/download/mod_security-x.y.z.tar.gz

3. Untar the archive and cd into the directory:

tar zxvf mod_security-x.y.z.tar.gz
cd mod_security-x.y.z/

4. Enter the apache directory that matches the version of Apache running on the server:

cd apache1/   OR cd apache2/

5. Compile the module :

/usr/local/apache/bin/apxs -cia mod_security.c

6. Take a backup of the apache configuration file (verify directory locations as applicable):

cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

7. In the apache configuration file, find :

<IfModule mod_dir.c>

8. Now add this
—————————————————————————
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change the Server: string
SecServerSignature " "

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:500"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Prevent path traversal (..) attacks
# (the pattern is a regular expression, so the dots must be escaped)
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>

———————————————————————————
9. Save the file

10. Restart Apache:

/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
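The filter rules in step 8 are regular expressions, and the best way to see what they will and will not catch before turning them on for a production site is to run them over sample requests. The following Python script is an added example, not code from this post or from the ModSecurity project: it reimplements only the pattern matching of SecFilter and SecFilterSelective, approximates the module's request normalisation with a single URL-decode, and assumes case-insensitive matching (check the manual for the version you install). The sample requests, hostnames and header values are constructed for the example.

```python
"""
Added illustration, not ModSecurity's own code: apply the SecFilter and
SecFilterSelective patterns from the configuration above to constructed sample
requests and report which rule would fire and what the default action would be.
Only the regex matching is reproduced.  The module's request normalisation is
approximated by a URL-decode, and case-insensitive matching is an assumption.
"""
import re
from urllib.parse import unquote

# SecFilterDefaultAction "deny,log,status:500"
DEFAULT_STATUS = 500

# SecFilter rules.  The traversal pattern is written "\.\./" because SecFilter
# patterns are regular expressions and an unescaped "." matches any character.
SEC_FILTERS = [
    ("path traversal", r"\.\./"),
    ("script tag",     r"<[[:space:]]*script"),
    ("any HTML tag",   r"<(.|\n)+>"),
    ("sql delete",     r"delete[[:space:]]+from"),
    ("sql insert",     r"insert[[:space:]]+into"),
    ("sql select",     r"select.+from"),
]

# SecFilterSelective rules: (variable, pattern, negated).  A leading "!" in the
# config means "fire when the pattern does NOT match".
SELECTIVE_FILTERS = [
    ("HTTP_USER_AGENT",  r"^$",          False),
    ("HTTP_HOST",        r"^$",          False),
    ("ARG_PHPSESSID",    r"^[0-9a-z]*$", True),
    ("COOKIE_PHPSESSID", r"^[0-9a-z]*$", True),
]


def posix_to_python(pattern):
    """Python's re module lacks the POSIX [[:space:]] class used in the config."""
    return pattern.replace("[[:space:]]", r"\s")


def request_variables(req):
    """Build the HTTP_*, ARG_* and COOKIE_* variables the selective rules name."""
    variables = {
        "HTTP_USER_AGENT": req["headers"].get("User-Agent", ""),
        "HTTP_HOST": req["headers"].get("Host", ""),
    }
    query = req["uri"].partition("?")[2]
    for part in (query + "&" + req.get("body", "")).split("&"):
        if "=" in part:
            name, value = part.split("=", 1)
            variables["ARG_" + name] = unquote(value)
    for part in req["headers"].get("Cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            variables["COOKIE_" + name] = value
    return variables


def fired_rules(req):
    """Return the names of the rules that fire for a request (empty if none)."""
    # SecFilter is applied to the request URI and, with SecFilterScanPOST On,
    # to the POST body.  URL-decoding first approximates the module's
    # normalisation, so "..%2F" is seen as "../".
    haystack = unquote(req["uri"]) + "\n" + unquote(req.get("body", ""))
    fired = [name for name, pat in SEC_FILTERS
             if re.search(posix_to_python(pat), haystack, re.IGNORECASE)]
    variables = request_variables(req)
    for var, pat, negated in SELECTIVE_FILTERS:
        matched = re.search(posix_to_python(pat), variables.get(var, ""),
                            re.IGNORECASE) is not None
        if matched != negated:
            fired.append("selective " + var)
    return fired


def decide(req):
    """Apply SecFilterDefaultAction: any firing rule means deny with status 500."""
    fired = fired_rules(req)
    return {"status": DEFAULT_STATUS if fired else 200, "fired": fired}


def unescaped_dotdot_matches(text):
    """Why "../" must be escaped: as a regex it matches any two chars plus "/"."""
    return re.search(r"../", text) is not None


# Constructed sample requests (not real traffic); hostname is made up.
SAMPLE_REQUESTS = {
    "benign page view": {
        "uri": "/blog/2008/01/modsecurity.html",
        "headers": {"Host": "example.test", "User-Agent": "Mozilla/5.0"},
    },
    "encoded traversal in a parameter": {
        "uri": "/cgi-bin/view?file=..%2F..%2Fconfig.txt",
        "headers": {"Host": "example.test", "User-Agent": "Mozilla/5.0"},
    },
    "script tag in a POST body": {
        "uri": "/guestbook.php",
        "headers": {"Host": "example.test", "User-Agent": "Mozilla/5.0"},
        "body": "name=bob&msg=%3Cscript%3Ehi%3C%2Fscript%3E",
    },
    "harmless comment caught by the crude SQL rule": {
        "uri": "/guestbook.php",
        "headers": {"Host": "example.test", "User-Agent": "Mozilla/5.0"},
        "body": "msg=I%20select%20coffee%20from%20the%20menu",
    },
    "missing User-Agent header": {
        "uri": "/",
        "headers": {"Host": "example.test"},
    },
    "session cookie with an unexpected character": {
        "uri": "/",
        "headers": {"Host": "example.test", "User-Agent": "Mozilla/5.0",
                    "Cookie": "PHPSESSID=abc.123"},
    },
}

if __name__ == "__main__":
    for label, req in SAMPLE_REQUESTS.items():
        print(f"{label}: {decide(req)}")
```

Two things stand out in the output. The crude SQL rule fires on an ordinary sentence containing "select ... from", so expect false positives from these filters and watch the audit_log for a while after enabling them. And the traversal pattern has to be written with escaped dots: unescaped, `../` as a regular expression matches any two characters followed by a slash and would block almost every URL with a path.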

Written by praji

January 8, 2008 at 8:05 am
