Thursday, 9 December 2010

Install mod_security on Slackware 13.1

After leaving my favourite Linux for so long, I will do a mod_security installation on Slackware 13.1.

I would say mod_security is software that every Apache web server needs. I will write up how I did my test install on the server.


1. Download the latest files from http://www.modsecurity.org/download/index.html. I'm using modsecurity-apache_2.5.13.tar.gz.

2. Untar it into any folder; this is what you get:
modsecurity-apache_2.5.13# ls
CHANGES LICENSE MODSECURITY_LICENSING_EXCEPTION README.TXT README_WINDOWS.TXT apache2/ doc/ modsecurity.conf-minimal rules/ tools/

3. Go into the apache2 folder, since the Slackware 13.1 package uses Apache 2.

4. Logged in as root, run all these commands:
./configure
make
make test
make install

5. You should get output like this, which I take as success:
build/apxs-wrapper -i mod_security2.la
/usr/lib/httpd/build/instdso.sh SH_LIBTOOL='/usr/lib/apr-1.3.9/build-1/libtool' mod_security2.la /usr/lib/httpd/modules
/usr/lib/apr-1.3.9/build-1/libtool --mode=install cp mod_security2.la /usr/lib/httpd/modules/
cp .libs/mod_security2.so /usr/lib/httpd/modules/mod_security2.so
cp .libs/mod_security2.lai /usr/lib/httpd/modules/mod_security2.la
PATH="$PATH:/sbin" ldconfig -n /usr/lib/httpd/modules
----------------------------------------------------------------------
Libraries have been installed in:
/usr/lib/httpd/modules

6. So far so good: the mod_security2.so module is built, and you can load it in httpd.conf.
cd /etc/httpd; you may want to copy httpd.conf first so you keep the old one.

Edit httpd.conf and add the second line below after the existing mod_rewrite line (the added line was shown in bold in the original):
LoadModule rewrite_module lib/httpd/modules/mod_rewrite.so
LoadModule security2_module lib/httpd/modules/mod_security2.so


and in the bottom portion of httpd.conf, add the Include line for mod_security2.conf (the second Include below, shown in bold in the original):

# Uncomment the following line to enable PHP:
#
Include /etc/httpd/mod_php.conf
Include /etc/httpd/mod_security2.conf
# Uncomment the following lines to enable svn support:


7. The file mod_security2.conf must be filled with the latest Core Rule Set from modsecurity; download it from
http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/
Untar it; these are all the files I got:


8. Put every file named modsecurity_crs* into one file, mod_security2.conf, located at /etc/httpd, and read the README file. Some rules you may rewrite to your own liking. For example, SecServerSignature may be set to 'mysrv' so that your clients cannot guess what server you are running.

I think you can choose which modsecurity_crs* files to include, but modsecurity_crs_10_config.conf is mandatory because the on/off switch (SecRuleEngine) is inside that file. Finally, that file looks like this.

It opens with the IfModule container:
<IfModule mod_security2.c>
# ---------------------------------------------------------------
# Core ModSecurity Rule Set ver.1.6.1
# Copyright (C) 2006-2007 Breach Security Inc. All rights reserved.
#
# The ModSecurity Core Rule Set is distributed under GPL version 2
# Please see the enclosed LICENCE file for full details.
# ---------------------------------------------------------------


# Configuration contained in this file should be customized
# for your specific requirements before deployment.
#
# Next to each rule there is a description of what it does. Each
# location where customization is needed is marked with "TODO". It
# is recommended that you:
#
# 1) Keep a copy of the original file. This will allow you to use
# the "diff" command to quickly see the changes. It will also
# make upgrades to future rule sets easier.
#
# 2) Document your changes thoroughly.
#
# You are advised to start with ModSecurity in detection mode only.
# Switch to protection when you are comfortable with your rule set.
# For maximum protection monitor your logs on daily basis (or
# better).
#

# TODO You may want to provide an error friendly message to your
# users when you start rejecting requests. You can do this using
# the Apache ErrorDocument directive. You should also add
# mod_unique_id to your configuration and display the unique
# request ID on the error page. This would allow your users to
# report the request ID back to you so that you can investigate
# the false positive (if that's what it is). A nice error page
# usually reduces the impact of false positives on the users.
#
# The drawback of this user friendly approach is that it is
# easier for the attackers to figure out there is an web
# application firewall protecting the application.
#
# ErrorDocument 403 /path/to/error_document.php
#
# For more information see
# http://httpd.apache.org/docs-2.0/custom-error.html
## -- Configuration ----------------------------------------------------------

# Turn ModSecurity on ("On"), set to monitoring only
# ("DetectionOnly") or turn off ("Off").
#
SecRuleEngine On

# Define which part of the HTTP transaction to inspect.
#
# Inspecting request body (SecRequestBodyAccess) should probably be always set
# to "on". Only very high volume sites that never use POST requests might want
# to set it to "off" to optimize performance.
#
# Inspecting response body is useful for monitoring for information leaks,
# or for signs of intrusion. However, it does require all responses to be
# buffered in memory. For most sites this should not be a problem, but special
# care must be taken to avoid buffering file downloads (through
# MIME type selection, as shown below).
#
# TODO If you decide to enable output filtering make sure to
# review the list of scanned MIME types. If pages of the types specified
# for outbound inspection are smaller than 512K in your application
# (which is usually the case) you may reduce the SecResponseBodyLimit
# to protect from potential denial of service attacks.
#
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 524288

... and so on; the content of the remaining rule files goes here ...

#
# Email Injection
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
"phase:2,t:none,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Email Injection Attack',id:'950019',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_HEADERS|XML:/* "[\n\r]\s*\b(?:to|b?cc)\b\s*:.*?\@" \
"phase:2,t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:'Email Injection Attack',id:'959019',logdata:'%{TX.0}',severity:'2'"


#
# HTTP Response Splitting
#
SecRule REQUEST_URI|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "%0[ad]" \
"phase:2,t:none,t:lowercase,capture,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950910',logdata:'%{TX.0}',severity:'1'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|XML:/* "(?:\bhttp\/(?:0\.9|1\.[01])|<(?:html|meta)\b)" \
"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,ctl:auditLogParts=+E,deny,log,auditlog,status:400,msg:'HTTP Response Splitting Attack',id:'950911',logdata:'%{TX.0}',severity:'1'"

</IfModule>

You also need this closing partner for the IfModule block that opens the file.



9. Restart httpd with /etc/rc.d/rc.httpd restart. You must get no errors. In my case I got these errors:
[Fri Dec 10 08:20:31 2010] [notice] SIGHUP received. Attempting to restart
Syntax error on line 192 of /etc/httpd/mod_security2.conf:
ModSecurity: Failed to open the audit log file: /usr/logs/modsec_audit.log

root@uji:/usr# /etc/rc.d/rc.httpd restart
Syntax error on line 307 of /etc/httpd/mod_security2.conf:
Invalid command '------------------------------------------------------------', perhaps misspelled or defined by a module not included in the server configuration
httpd not running, trying to start

To correct them: create the /usr/logs/ directory, and note that the syntax error on line 307 is reported because that line is missing the comment tag #.
Fix both and httpd starts OK.

10. Now I may ask: is mod_security actually working? Oh yes, that is the critical part of every job: TESTING.

To test it, create a PHP program like the one below:
<?php
// Deliberately vulnerable test page: the unchecked GET parameter goes straight to the shell
$text = $_GET['file'];
echo "Content of File $text";
echo `cat $text`;

and save it as testmod1.php. Then request http://your.server.ip.no/testmod1.php?file=/etc/passwd

You must get this error reported in the browser:
Method Not Implemented

GET to /testmod1.php not supported.


and look into /var/log/httpd/access.log, where you find:
[Fri Dec 10 08:33:28 2010] [error] [client 192.168.5.52] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:file. [file "/etc/httpd/mod_security2.conf"] [line "546"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "192.168.5.99"] [uri "/testmod1.php"] [unique_id "TQF1WMCoBWMAACO6ILoAAAAA"]

This message also goes to /usr/logs/modsec_audit.log.
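Reading one denial line by eye is fine for a first test, but once the rule set is live you want to know which rule ids fire, from which clients, against which URIs. The script below is an added example, not from the original post: it extracts the bracketed fields from ModSecurity "Access denied" lines in the Apache error-log format shown above and summarises them per rule id. The sample log written by sample_log is constructed for this example (its second line is the line from the post; the others are made up, with made-up unique_id values), and only that line format is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: pull the bracketed fields out of
# ModSecurity "Access denied" lines like the one above, so denials can be
# reviewed by rule id, client and URI instead of reading raw log lines.
# The sample lines written by sample_log are constructed for this example.

# modsec_field KEY
#   Reads one log line on stdin and prints the value of its [KEY "value"]
#   field (id, msg, data, uri, severity, unique_id, ...), or nothing.
modsec_field() {
    sed -n -E "s/.*\[$1 \"([^\"]*)\"\].*/\1/p"
}

# modsec_client
#   Reads one log line on stdin and prints the [client a.b.c.d] address,
#   which Apache writes without quotes.
modsec_client() {
    sed -n -E 's/.*\[client ([^]]+)\].*/\1/p'
}

# modsec_summary LOGFILE
#   One line per (rule id, client, uri, msg) seen in "Access denied" lines,
#   prefixed with how often it occurred, most frequent first. Other lines
#   (notices, restarts) are ignored.
modsec_summary() {
    grep 'ModSecurity: Access denied' "$1" |
    while IFS= read -r line; do
        id=$(printf '%s\n' "$line" | modsec_field id)
        client=$(printf '%s\n' "$line" | modsec_client)
        uri=$(printf '%s\n' "$line" | modsec_field uri)
        msg=$(printf '%s\n' "$line" | modsec_field msg)
        printf '%s\t%s\t%s\t%s\n' "$id" "$client" "$uri" "$msg"
    done | sort | uniq -c | sort -rn
}

# sample_log
#   Writes a constructed sample error log to stdout: one restart notice,
#   the denial line from the post, a repeat of it, and a made-up hit on
#   the HTTP Response Splitting rule (id 950910) from the rule set above.
sample_log() {
    cat <<'EOF'
[Fri Dec 10 08:20:31 2010] [notice] SIGHUP received. Attempting to restart
[Fri Dec 10 08:33:28 2010] [error] [client 192.168.5.52] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:file. [file "/etc/httpd/mod_security2.conf"] [line "546"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "192.168.5.99"] [uri "/testmod1.php"] [unique_id "TQF1WMCoBWMAACO6ILoAAAAA"]
[Fri Dec 10 08:35:02 2010] [error] [client 192.168.5.52] ModSecurity: Access denied with code 501 (phase 2). Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:file. [file "/etc/httpd/mod_security2.conf"] [line "546"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"] [hostname "192.168.5.99"] [uri "/testmod1.php"] [unique_id "CONSTRUCTED-0002"]
[Fri Dec 10 08:36:10 2010] [error] [client 192.168.5.77] ModSecurity: Access denied with code 400 (phase 2). Pattern match "%0[ad]" at REQUEST_URI. [file "/etc/httpd/mod_security2.conf"] [line "0"] [id "950910"] [msg "HTTP Response Splitting Attack"] [data "%0a"] [severity "ALERT"] [hostname "192.168.5.99"] [uri "/testmod1.php"] [unique_id "CONSTRUCTED-0003"]
EOF
}

# Typical run against the real log once httpd is restarted (path from the post):
#   modsec_summary /var/log/httpd/access.log
```

For a quick look at one denial, `grep 'Access denied' logfile | tail -n 1 | modsec_field unique_id` gives the id to search for in /usr/logs/modsec_audit.log, where the full request is recorded.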


11. Yeah, mod_security installed successfully.