Part 9: Install mod_security for apache 2.4.x

1) Download and install mod_security
Check https://modsecurity.org/download/
This assumes you’ve installed `apr` via the previous steps in the apache config.

cd
yum -y install expat-devel pcre-devel libxml2-devel lua-devel curl-devel
wget https://www.modsecurity.org/tarball/2.7.5/modsecurity-apache_2.7.5.tar.gz
tar zxvf modsecurity-apache_*.tar.gz
cd modsecurity-apache*
./configure --with-apxs=/usr/bin/apxs
make && make install

2) Configure additional settings:
This switches the rule engine from DetectionOnly to On (blocking instead of just logging), moves the audit and debug logs under the server’s `logs/` directory and blanks the server signature. Note that `SecServerSignature` only takes effect if Apache’s `ServerTokens` is set to `Full`.

cd
cd modsecurity-apache*
echo "#default global settings" > /etc/httpd/conf/modsecurity.conf
cat modsecurity.conf-recommended | sed s/SecRuleEngine\ DetectionOnly/SecRuleEngine\ On/g | sed s@SecAuditLog\ /var/log/modsec_audit@SecAuditLog\ logs/modsec_audit@g | sed s@#SecDebugLog\ /opt/modsecurity/var/log/debug.log@SecDebugLog\ logs/modsec_debug.log@g  >> /etc/httpd/conf/modsecurity.conf
echo "#SecChrootDir /chroot/apache" >> /etc/httpd/conf/modsecurity.conf
echo "SecServerSignature \" \"" >> /etc/httpd/conf/modsecurity.conf
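As an added example (not part of the original post), the script below does the same transformation as the sed pipeline above on a copy of modsecurity.conf-recommended and then checks the result. The sed patterns match the exact wording of the 2.7.x recommended file; against a newer file they silently change nothing and the engine stays in DetectionOnly, which is the failure the check is there to catch. The sample input is a constructed excerpt of the recommended file, and the log paths are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: build modsecurity.conf from
# modsecurity.conf-recommended (as step 2 does) and verify the outcome.

# $1 = path to modsecurity.conf-recommended, $2 = output file
# (the post writes /etc/httpd/conf/modsecurity.conf).
modsec_build_conf() {
    in="$1"; out="$2"
    {
        echo "#default global settings"
        sed -e 's/^SecRuleEngine DetectionOnly/SecRuleEngine On/' \
            -e 's@^SecAuditLog /var/log/modsec_audit@SecAuditLog logs/modsec_audit@' \
            -e 's@^#SecDebugLog /opt/modsecurity/var/log/debug.log@SecDebugLog logs/modsec_debug.log@' \
            "$in"
        echo "#SecChrootDir /chroot/apache"
        # Blank signature; only effective when httpd.conf has "ServerTokens Full".
        echo "SecServerSignature \" \""
    } > "$out"
}

# Returns 0 when every directive step 2 is meant to set is present with
# the expected value; otherwise reports what is missing and returns 1.
# This catches the silent no-op case where a sed pattern did not match.
modsec_check_conf() {
    conf="$1"; rc=0
    for want in 'SecRuleEngine On' \
                'SecAuditLog logs/modsec_audit.log' \
                'SecDebugLog logs/modsec_debug.log' \
                'SecServerSignature " "'; do
        grep -qxF "$want" "$conf" || { echo "missing: $want" >&2; rc=1; }
    done
    # A leftover DetectionOnly means requests are logged but never blocked.
    if grep -q '^SecRuleEngine DetectionOnly' "$conf"; then
        echo "rule engine is still DetectionOnly" >&2; rc=1
    fi
    return $rc
}

# Constructed excerpt of the 2.7.x recommended file, so this runs offline.
SAMPLE_IN=$(mktemp)
cat > "$SAMPLE_IN" <<'EOF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3
EOF
SAMPLE_OUT=$(mktemp)
modsec_build_conf "$SAMPLE_IN" "$SAMPLE_OUT"
modsec_check_conf "$SAMPLE_OUT" && echo "modsecurity.conf: all expected directives present"
```

Run `modsec_check_conf /etc/httpd/conf/modsecurity.conf` on the real file after step 2; a non-zero exit with "missing:" lines means one of the sed patterns did not match your copy of the recommended file and the directive has to be set by hand.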

3) If you’d like to install the OWASP Core Rule Set (CRS):
check: http://spiderlabs.github.io/owasp-modsecurity-crs/

cd
wget https://codeload.github.com/SpiderLabs/owasp-modsecurity-crs/legacy.tar.gz/master
tar zxvf master
mkdir /etc/httpd/conf/modsecurity-crs/ && cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/httpd/conf/modsecurity-crs/
mv /etc/httpd/conf/modsecurity-crs/modsecurity_crs_10_setup.conf{.example,}

4) Configure Apache to load mod_security:

a) Make sure mod_unique_id is installed and loaded (`httpd -M` lists the loaded modules); ModSecurity 2.x needs it for the unique transaction IDs in the audit log.

b) Add the following to /etc/httpd/conf/httpd.conf before the LoadModule line for mod_security2.so, so that the shared libraries the module was built against are already loaded when it is:

LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so

c) mod_security2.so should be the first dynamically loaded module (the modules compiled in statically, which `httpd -l` lists, don’t count).

#before the first LoadModule directive in the /etc/httpd/conf/httpd.conf add the following:
LoadModule security2_module /usr/sbin/modules/mod_security2.so

d) Add the following after the LoadModule lines (an `IfModule` block only sees a module that was loaded earlier in the file). In Apache 2.4 an `Include` with a wildcard is an error if it matches no file, so activated_rules/ must contain at least one rule file (see step e):

<IfModule security2_module>
Include conf/modsecurity.conf
Include conf/modsecurity-crs/activated_rules/*.conf
</IfModule>

e) To activate rules, symlink the rule files you want, together with the `.data` files they reference, into activated_rules/:

cd /etc/httpd/conf/modsecurity-crs/activated_rules/
ln -s /etc/httpd/conf/modsecurity-crs/modsecurity_crs_10_setup.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_35_bad_robots.data
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_35_scanners.data
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_40_generic_attacks.data
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_23_request_limits.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_30_http_policy.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_35_bad_robots.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_40_generic_attacks.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_45_trojans.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf
ln -s /etc/httpd/conf/modsecurity-crs/base_rules/modsecurity_crs_60_correlation.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_42_comment_spam.data
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_10_ignore_static.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_11_avs_traffic.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_13_xml_enabler.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_16_authentication_tracking.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_16_session_hijacking.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_16_username_tracking.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_25_cc_known.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_42_comment_spam.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_43_csrf_protection.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_46_av_scanning.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_49_header_tagging.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_55_application_defects.conf
ln -s /etc/httpd/conf/modsecurity-crs/optional_rules/modsecurity_crs_55_marketing.conf
ln -s /etc/httpd/conf/modsecurity-crs/slr_rules/modsecurity_46_slr_et_xss.data
ln -s /etc/httpd/conf/modsecurity-crs/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf
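Steps a) to d) impose an ordering on httpd.conf that is easy to get wrong: the two LoadFile lines must come before the mod_security2 LoadModule, that LoadModule must be the first one in the file, mod_unique_id must be loaded, and modsecurity.conf must actually be included. The following check is an added example (not part of the original post): it reads a single httpd.conf and reports each of those conditions that fails. The two sample configs are constructed and use the paths from above. On the server itself, `httpd -M` and `httpd -t` (wrapped in `modsec_check_live`) confirm that the modules really loaded and that the full configuration, rules included, parses.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the
# mod_security2 load order in a single httpd.conf (Include'd files are
# not followed).

# $1 = httpd.conf path. Returns 0 if the ordering rules from step 4 hold,
# otherwise prints each violation to stderr and returns 1.
modsec_check_httpd_conf() {
    conf="$1"; rc=0
    first_lm=$(grep -n '^[[:space:]]*LoadModule' "$conf" | head -n 1 | cut -d: -f1)
    sec_lm=$(grep -n '^[[:space:]]*LoadModule[[:space:]]*security2_module' "$conf" \
             | head -n 1 | cut -d: -f1)
    if [ -z "$sec_lm" ]; then
        echo "no LoadModule security2_module line" >&2
        return 1
    fi
    # c) mod_security2 has to be the first dynamically loaded module
    if [ "$first_lm" != "$sec_lm" ]; then
        echo "security2_module is loaded at line $sec_lm, but the first LoadModule is at line $first_lm" >&2
        rc=1
    fi
    # b) both LoadFile lines must precede the mod_security2 LoadModule
    for lib in libxml2 liblua; do
        lf=$(grep -n "^[[:space:]]*LoadFile.*$lib" "$conf" | head -n 1 | cut -d: -f1)
        if [ -z "$lf" ] || [ "$lf" -gt "$sec_lm" ]; then
            echo "LoadFile for $lib is missing or comes after security2_module" >&2
            rc=1
        fi
    done
    # a) mod_unique_id must be loaded (ModSecurity 2.x requires it)
    grep -q '^[[:space:]]*LoadModule[[:space:]]*unique_id_module' "$conf" \
        || { echo "unique_id_module is not loaded" >&2; rc=1; }
    # d) the engine config must actually be included
    grep -q '^[[:space:]]*Include[[:space:]]*conf/modsecurity.conf' "$conf" \
        || { echo "conf/modsecurity.conf is not included" >&2; rc=1; }
    return $rc
}

# On the server (not part of the offline test): confirm the modules are
# really loaded and that the whole configuration, rules included, parses.
modsec_check_live() {
    httpd -M 2>/dev/null | grep -E 'security2_module|unique_id_module'
    httpd -t
}

# Constructed sample configs. GOOD follows steps a) to d); BAD loads
# another module first and forgets the Lua LoadFile.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
ServerRoot "/etc/httpd"
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module /usr/sbin/modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule dir_module modules/mod_dir.so
<IfModule security2_module>
Include conf/modsecurity.conf
Include conf/modsecurity-crs/activated_rules/*.conf
</IfModule>
EOF
cat > "$BAD" <<'EOF'
ServerRoot "/etc/httpd"
LoadModule dir_module modules/mod_dir.so
LoadFile /usr/lib64/libxml2.so
LoadModule security2_module /usr/sbin/modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
<IfModule security2_module>
Include conf/modsecurity.conf
</IfModule>
EOF
modsec_check_httpd_conf "$GOOD" && echo "GOOD: load order ok"
modsec_check_httpd_conf "$BAD" || echo "BAD: load order problems found"
```

Run `modsec_check_httpd_conf /etc/httpd/conf/httpd.conf` before restarting httpd; it only looks at the one file, so if your build keeps LoadModule lines in an included file, point it at that file instead.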

5) To test, request any page and append the following to the URL:

?<script>alert(1)</script>

The request should be blocked (HTTP 403 by default) and be caught by several rules; the matches show up in logs/modsec_audit.log.

6) Each rule has an ID. If rules are firing on requests that production traffic legitimately needs, you can exclude a rule for a specific path by adding the following to modsecurity.conf (the ID is in the `[id "..."]` field of the audit log entry). Prefer removing the offending rule IDs over `SecRuleEngine Off`, which turns off all inspection for that scope:

<LocationMatch "/dir/file.php">
    <IfModule security2_module>
        SecRuleRemoveById 981173
        #or the following to completely disable the rule engine for a scope
        #SecRuleEngine Off
    </IfModule>
</LocationMatch>
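The following helpers are an added example (not from the original post) that ties steps 5 and 6 together: `modsec_probe` sends the test request with curl and prints the status code, `modsec_rule_ids` and `modsec_rule_hits` list the rule IDs that fired in a serial-format audit log, which is what you need before writing an exclusion, and `modsec_exclusion` prints the LocationMatch block above for a path and one or more IDs. The audit log excerpt is constructed for the offline run; 981173 is the ID used above, the other ID and the messages are illustrative only.

```shell
#!/bin/sh
# Added example, not from the original post: test the WAF, find which
# rules fired, and generate a per-path exclusion.

# Step 5 probe: $1 = URL of any page, e.g. http://localhost/index.php.
# curl URL-encodes the payload; expect 403 once the CRS XSS rules are active.
# Needs a running server, so it is not exercised in the offline test.
modsec_probe() {
    curl -s -o /dev/null -w '%{http_code}\n' -G \
        --data-urlencode 'q=<script>alert(1)</script>' "$1"
}

# List the distinct rule IDs recorded in the Message: lines of a serial
# audit log ($1), one per line. These are the values SecRuleRemoveById takes.
modsec_rule_ids() {
    grep '^Message:' "$1" | grep -o '\[id "[0-9]*"\]' | tr -dc '0-9\n' | sort -u
}

# Same, but with the hit count and rule message, most frequent first,
# which is the view you want when deciding what is a false positive.
modsec_rule_hits() {
    grep '^Message:' "$1" \
        | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn
}

# Print the step-6 exclusion block: $1 = path regex for LocationMatch,
# remaining args = rule IDs. Append the output to modsecurity.conf.
modsec_exclusion() {
    path="$1"; shift
    printf '<LocationMatch "%s">\n    <IfModule security2_module>\n' "$path"
    for id in "$@"; do
        printf '        SecRuleRemoveById %s\n' "$id"
    done
    printf '    </IfModule>\n</LocationMatch>\n'
}

# Constructed audit log excerpt (serial format) for the probe above.
# 981173 is the ID from the post; the other ID and the messages are illustrative.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
--a1b2c3d4-A--
[14/Mar/2014:11:53:00 +0000] UyM5YX8AAAEAAAvNBnAAAAAA 192.0.2.10 54321 192.0.2.1 80
--a1b2c3d4-B--
GET /dir/file.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1
Host: www.example.com
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i)<script[^>]*>" at ARGS:q. [file "/etc/httpd/conf/modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf"] [line "12"] [id "973336"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"]
Message: Warning. Pattern match "[^a-zA-Z0-9]" at ARGS:q. [file "/etc/httpd/conf/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "40"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "WARNING"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--
EOF
echo "rules that fired:"; modsec_rule_hits "$SAMPLE_LOG"
echo; modsec_exclusion '/dir/file.php' $(modsec_rule_ids "$SAMPLE_LOG")
```

On a live server, run `modsec_probe http://localhost/index.php`, then `modsec_rule_hits /etc/httpd/logs/modsec_audit.log` to see what matched, and only turn IDs into an exclusion when the hit is a confirmed false positive; the LocationMatch argument is a regex, so anchor it if `/dir/file.php` must not also match longer paths.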

7) Leverage LogWatch to watch the mod_security audit logs:

Credit for the LogWatch integration goes to derhansen’s logwatch-modsec2 project (blog).

cd
curl https://codeload.github.com/derhansen/logwatch-modsec2/legacy.tar.gz/master -o derhansen-logwatch-modsec2.tar.gz
tar zxvf derhansen-logwatch-modsec2.tar.gz
cd derhansen-logwatch-modsec2*
cat ./conf/logfiles/audit_log.conf | sed s@modsecurity2/modsec_audit.log@/etc/httpd/logs/modsec_audit.log@g > /etc/logwatch/conf/logfiles/audit_log.conf
cp ./conf/services/mod_security2.conf /etc/logwatch/conf/services/mod_security2.conf
cp ./scripts/services/mod_security2 /etc/logwatch/scripts/services/mod_security2
Comment, March 14, 2014 at 11:53 pm:

    httpd: Syntax error on line 69 of /var/apache2/conf/httpd.conf: Cannot load modules/mod_security2.so into server: /var/apache2/modules/mod_security2.so: undefined symbol: lua_setglobal
