Installation & configuration of ModSecurity on APACHE
ModSecurity is a web application firewall (WAF) designed for Apache (though there is a version available for IIS too). It is widely used and highly effective, but there is a learning curve to using ModSec. You can start exploring by installing ModSec on your system.
INSTALLATION USING YUM
To install ModSec from YUM you will first need to enable EPEL (Extra Packages for Enterprise Linux).
Which EPEL release package you need depends on your Linux installation, so check it with the following command:
[yOMan@ x-machine ~]# uname -a
Linux x-machine.net.pk 2.6.18-308.1.1.el5 #1 SMP Wed Mar 7 04:57:35 EST 2012 x86_64
Install Extra Packages
As you can see this is an EL5 installation (kernel 2.6.18-308.1.1.el5), so we will install the EL5 RPM on this machine:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
For EL6 you can use the following:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Now you can install extra packages on Linux. Let's install ModSec.
Installing ModSecurity
ModSec has two parts:
1) ModSec engine
2) ModSec rules
You will need to install both for a working ModSec installation.
If you don't know the exact package name, you can search the repository using the following:
yum search modsec
======================== Matched: modsec ============================
mlogc.x86_64 : ModSecurity Audit Log Collector
mod_security.x86_64 : Security module for the Apache HTTP Server
mod_security_crs.noarch : ModSecurity Rules
mod_security_crs-extras.noarch : Supplementary mod_security rules
Proceed to the installation:
yum install mod_security.x86_64 mod_security_crs.noarch
==================================================================
Package Arch Version Repository Size
==================================================================
Installing:
mod_security x86_64 2.6.8-6.el5 epel 160 k
mod_security_crs noarch 2.2.5-5.el5 epel 103 k
Installing for dependencies:
lua x86_64 5.1.4-4.el5 epel 229k
==================================================================
There you go, ModSec has been installed on your server.
NOTE: The ModSec rules installed here are the standard OWASP Core Rule Set (CRS). If you would like to use other rules you can always download them and include them in the modsecurity.d directory located in your httpd configuration directory.
NOTE2: As of writing this primer, there is a bug in mod_security 2.6.8-6.el5; to resolve this you will have to install the patched package from the epel-testing repository:
yum update --enablerepo=epel-testing mod_security-2.6.8-6.el5
Confirm the installation by navigating to the Apache configuration directory:
[yoMan@x-machine ~]# cd /etc/httpd
[yoMan@x-machine httpd]# ll
drwxr-xr-x 2 root root 4096 Apr 25 15:49 conf
drwxr-xr-x 2 root root 4096 Apr 25 15:49 conf.d
drwxr-xr-x 3 root root 4096 Apr 18 21:11 modsecurity.d
lrwxrwxrwx 1 root root 29 Apr 25 15:49 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root 13 Apr 25 15:49 run -> ../../var/run
lrwxrwxrwx 1 root root 19 Apr 25 15:49 logs -> ../../var/log/httpd
You will find the ModSecurity configuration file and the rules in the following directories:
[yoMan@x-machine httpd]# ll conf.d
-rw-r--r-- 1 root root 3161 Apr 25 13:18 mod_security.conf
[yoMan@x-machine httpd]# ll modsecurity.d
drwxr-xr-x 2 root root 4096 Apr 18 21:11 activated_rules
-rw-r--r-- 1 root root 13544 Sep 13 2012 modsecurity_crs_10_config.conf
Everything is set. Let's configure ModSec!
Configuring ModSecurity
Now, there are some options for ModSec that every beginner should know.
Main configuration directives

Directive                    Description
SecRuleEngine                Controls the operation of the rule engine [Off | On | DetectionOnly]
SecDataDir                   Sets the folder for persistent storage
SecRequestBodyAccess         Controls request body buffering
SecRequestBodyInMemoryLimit  Sets the size of the per-request memory buffer
SecRequestBodyLimit          Sets the maximum request body size ModSecurity will accept
SecRequestBodyNoFilesLimit   Sets the maximum request body size, excluding uploaded files
SecResponseBodyAccess        Controls response body buffering
SecResponseBodyLimit         Specifies the response body buffering limit
SecTmpDir                    Sets the folder for temporary files
Let's just turn on ModSec and see what happens, but we will enable it in detection mode only; this way we can see whether the rules are working without them actually blocking anything. Open the configuration file:
vim /etc/httpd/conf.d/mod_security.conf
Comment out the existing line that begins with
SecRuleEngine
and add the following line in its place:
SecRuleEngine DetectionOnly
By default all the active rules are present in the following directory
[APACHE Configuration Dir]/modsecurity.d/activated_rules/
After making the changes indicated above, restart your Apache server. Tail your Apache error log file and watch for any ModSec-triggered messages. We will go into more detail on ModSec in the next tutorial.
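To check the two things this step leaves you with, the effective SecRuleEngine value and which rules are firing in the error log, here is an added helper script (not part of the original tutorial). The configuration file and error_log lines it reads are constructed samples; on a real server point the two functions at /etc/httpd/conf.d/mod_security.conf and /var/log/httpd/error_log.

```shell
#!/bin/sh
# Added example: verify the SecRuleEngine setting and summarise rule hits
# from the Apache error log after switching ModSecurity to DetectionOnly.
# The config and log below are constructed samples, not real server data.

SAMPLE_CONF=$(mktemp /tmp/modsec_conf.XXXXXX)
SAMPLE_LOG=$(mktemp /tmp/modsec_log.XXXXXX)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_LOG"' EXIT

cat > "$SAMPLE_CONF" <<'EOF'
# Original line commented out, replaced as the tutorial describes
# SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF

# Constructed error_log lines (sample rule ids, files, clients and messages).
# In DetectionOnly mode a rule that would have blocked is logged as "Warning".
cat > "$SAMPLE_LOG" <<'EOF'
[Thu Apr 25 16:02:11 2013] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Thu Apr 25 16:05:40 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/etc/httpd/modsecurity.d/activated_rules/sample_41_sqli.conf"] [line "77"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [uri "/search"]
[Thu Apr 25 16:05:41 2013] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/etc/httpd/modsecurity.d/activated_rules/sample_41_sqli.conf"] [line "77"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [uri "/search"]
[Thu Apr 25 16:07:02 2013] [error] [client 198.51.100.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity.d/activated_rules/sample_21_protocol.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [uri "/"]
EOF

# Effective SecRuleEngine value: commented lines are skipped and, as in any
# Apache config, the last uncommented occurrence wins.
modsec_engine_mode() {
    grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" | tail -n 1 | awk '{ print $2 }'
}

# One line per triggered rule id, most frequent first, as count|id|msg.
# Only ModSecurity entries carry both an [id "..."] and a [msg "..."] tag.
modsec_rule_hits() {
    sed -n 's/.*\[id "\([0-9][0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1|\2/p' "$1" \
        | sort | uniq -c | sort -rn \
        | awk '{ n = $1; $1 = ""; sub(/^ /, ""); print n "|" $0 }'
}

echo "SecRuleEngine is set to: $(modsec_engine_mode "$SAMPLE_CONF")"
echo "Rules triggered (count|id|msg):"
modsec_rule_hits "$SAMPLE_LOG"
```

If the first line does not print DetectionOnly, the edit to mod_security.conf did not take effect (or Apache was not restarted); a rule id that dominates the second list is the one to review before switching SecRuleEngine to On.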
Author: siBzz