What is mod_security ?
ModSecurity(TM) is an open source intrusion detection and prevention engine for web applications (a web application firewall). Operating as an Apache web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.
ModSecurity also supports attack prevention: because it sits between the client and the web application, it can filter out many malicious requests before they reach the application, and it can perform a number of built-in actions on a match (for example deny the request with a chosen status code, or just log it).
Overview
* Request filtering; incoming requests are analysed as they come in, before they are handled by the web server or other modules.
* Anti-evasion techniques; paths and parameters are normalised (URL-decoded, multiple slashes and self-references removed) before analysis takes place, to defeat encoding tricks that would otherwise slip past a plain pattern match.
* Understanding of the HTTP protocol; since the engine understands HTTP, it can perform very specific and fine-grained filtering.
* POST payload analysis; the engine also intercepts the contents transmitted using the POST method.
* Audit logging; full details of every request (including POST bodies) can be logged for later analysis.
* HTTPS filtering; since the engine is embedded in the web server, it gets access to request data after decryption takes place.
If you want a more detailed list, see
http://www.modsecurity.org
Installation
mod_security requires Apache 1.3.x or 2.x and the Apache extension tool (apxs) to compile it as a module. If you don't have apxs installed, you need
to install it. On Debian this is simple: apt-get install apache-dev (for Apache 2 the package is apache2-prefork-dev or apache2-threaded-dev, matching your MPM). On other systems the package is named httpd-dev, httpd-devel or something similar.
On the mod_security site you can choose between a stable and a development version. I suggest you get the stable version:
http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz. Anyway, please check which version is current when you read this (the commands below use 1.9.4), and verify the archive against the checksum or signature the project publishes before compiling it.
Log in to your server and get the latest version. Before downloading the sources, go to /usr/src (our working directory for compiling):
#cd /usr/src
You can fetch the sources with wget, links or whatever you prefer.
I recommend wget:
# wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
Then unpack the sources:
#tar -xzf modsecurity-apache_1.9.4.tar.gz
Now we have two options:
1. compile it statically into Apache
2. compile it as a DSO (dynamic shared object) module for Apache
1. Compiling statically into Apache (1.3.x)
This requires some experience with building Apache 1.3 from source.
To compile the module into the body of the web server do
the following:
* copy the file mod_security.c into src/modules/extra of the Apache source tree
* configure the Apache distribution with two additional configuration options:
--activate-module=src/modules/extra/mod_security
--enable-module=security
* compile and install as usual
2. Compiling as a DSO module
Change to the directory inside the modsecurity sources that matches your Apache major version:
# cd modsecurity-apache_1.9.4/apachex
where x is the major version of your Apache (1 or 2).
After that we compile, install and activate the module in one step:
# apxs -cia mod_security.c
(-c compiles the source, -i installs the resulting mod_security.so into the Apache modules directory, and -a adds the LoadModule line to httpd.conf.)
And that's all, folks!
Configuration
Now we need to configure Apache to load the module.
Usually apxs -a adds the module to the configuration for us, but it is better to check.
So open /etc/apache/httpd.conf and look for mod_security; if it is not there, add it in your module section:
LoadModule security_module /usr/lib/apache/1.3/mod_security.so
(take care, the path differs from one distro to another; Apache 1.3 additionally needs a matching AddModule mod_security.c line, Apache 2 only the LoadModule)
Now we need to configure mod_security to take action. A minimal configuration comes with the sources:
<IfModule mod_security.c>
# Enable ModSecurity
SecFilterEngine On
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept every byte value except 0 (NUL), which has
# no business in a legitimate request
SecFilterForceByteRange 1 255
# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"
# Designate a directory for temporary files
# storage. It is a good idea to change the
# value below to a private directory, just as
# an additional measure against race conditions
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
# Uncomment below to record responses with unusual statuses
# SecAuditLogRelevantStatus ^5
SecAuditLog /var/log/apache/modsec_audit.log
## You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog /var/log/apache/modsec_debug.log
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
</IfModule>
Now let's explain the most important directives.
You have probably heard of SQL injection. mod_security can protect us when it sees something like this in the request URI or in the POST body:
SecFilter "drop[[:space:]]table"
This rejects any GET or POST request that contains "drop", one whitespace character and "table" (a plain SecFilter is matched against the normalised URI and query string and, with SecFilterScanPOST On, against the POST body). Note that, as written, this pattern allows exactly one whitespace character between the two words, so "drop  table" with two spaces slips past; the patterns below use + so any amount of whitespace is caught.
Other examples (keep in mind that such keyword patterns are crude: select.+from also matches harmless text such as "select an item from the list", so watch the audit log on real traffic before you rely on deny):
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
Another way to stop attacks is to look for shell commands or files like "/bin/ps", "/bin/ls" or "/etc/passwd" in the request:
SecFilter /bin/ls
SecFilter /bin/ps
SecFilter /etc/passwd
Directory traversal attacks? Because the request is URL-decoded before filtering, this also catches encoded forms such as %2e%2e%2f:
SecFilter "\.\./"
Or just look for some common output of a successful attack in the response (output filtering must be switched on with SecFilterScanOutput On in 1.9.x, otherwise OUTPUT rules never fire):
SecFilterSelective OUTPUT "file(s) copied"
SecFilterSelective OUTPUT "Index of /cgi-bin/"
SecFilterSelective OUTPUT ".*uid\=\("
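To see how the chained defaults from the minimal configuration and the SecFilter examples above actually decide on a request, here is an added Python model that mimics the 1.x evaluation order on constructed sample requests. It is example code written for this article, not ModSecurity's own code, and it makes a few assumptions: the normalisation step is a simplified subset (URL-decoding, collapsing repeated slashes, removing /./), rule locations are limited to REQUEST_METHOD, HTTP_<header> and OUTPUT plus a plain SecFilter over URI and body, the sample requests are made up, and the POSIX [[:space:]] class is mapped to Python's \s.

```python
# Added example (not ModSecurity code): a toy model of how the 1.x rules in
# this article are evaluated, run against constructed sample requests.
# Assumptions: simplified normalisation, a location set limited to
# REQUEST_METHOD / HTTP_<header> / OUTPUT / plain SecFilter ("*"), and the
# "chain" semantics of the 1.x manual (every rule in a chain must match).
import re
from urllib.parse import unquote

# (location, pattern, chain). "*" stands for a plain SecFilter, which looks
# at the normalised URI plus the POST body (SecFilterScanPOST On).
RULES = [
    ("REQUEST_METHOD", r"!^(GET|HEAD)$", True),
    ("HTTP_Content-Type",
     r"!(^application/x-www-form-urlencoded$|^multipart/form-data;)", False),
    ("REQUEST_METHOD", r"^(GET|HEAD)$", True),
    ("HTTP_Content-Length", r"!^$", False),
    ("REQUEST_METHOD", r"^POST$", True),
    ("HTTP_Content-Length", r"^$", False),
    ("HTTP_Transfer-Encoding", r"!^$", False),
    ("*", r"drop[[:space:]]table", False),
    ("*", r"select.+from", False),
    ("*", r"/etc/passwd", False),
    ("*", r"\.\./", False),
    ("OUTPUT", r"Index of /cgi-bin/", False),
]


def normalize(text):
    """Anti-evasion step (assumed, simplified subset of what ModSecurity does):
    URL-decode, collapse repeated slashes, drop '/./' self-references."""
    text = unquote(text)
    text = re.sub(r"/{2,}", "/", text)
    return text.replace("/./", "/")


def to_python_regex(pattern):
    # ModSecurity rules use POSIX classes; Python's re module does not.
    return pattern.replace("[[:space:]]", r"\s")


def pattern_matches(pattern, value):
    negated = pattern.startswith("!")          # a leading "!" inverts the match
    rx = to_python_regex(pattern[1:] if negated else pattern)
    return (re.search(rx, value) is not None) != negated


def variable(req, location, normalise=True):
    """The value a rule location refers to in the request or response."""
    if location == "*":
        uri, body = req["uri"], req.get("body", "")
        if normalise:
            uri, body = normalize(uri), normalize(body)
        return uri + "\n" + body
    if location == "REQUEST_METHOD":
        return req["method"]
    if location == "OUTPUT":
        return req.get("response", "")
    if location.startswith("HTTP_"):
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        return headers.get(location[5:].lower(), "")
    raise ValueError(f"unsupported location {location}")


def filter_request(req, rules=RULES, normalise=True):
    """Return a description of the rule (or chain) that denies the request,
    or None when every rule lets it through (the first match wins)."""
    i = 0
    while i < len(rules):
        end = i
        while rules[end][2] and end + 1 < len(rules):   # chain extends the group
            end += 1
        group = rules[i:end + 1]
        if all(pattern_matches(p, variable(req, loc, normalise)) for loc, p, _ in group):
            return " chain ".join(f"{loc} {p}" for loc, p, _ in group)
        i = end + 1
    return None


# Constructed sample traffic (not captured from a real server).
SAMPLES = {
    "form post": {"method": "POST", "uri": "/login",
                  "headers": {"Content-Type": "application/x-www-form-urlencoded",
                              "Content-Length": "20"},
                  "body": "user=bob&pass=s3cret"},
    "sqli in query": {"method": "GET", "uri": "/item?id=1;drop%20table%20users"},
    "sqli two spaces": {"method": "GET", "uri": "/item?id=1;drop%20%20table%20users"},
    "encoded traversal": {"method": "GET", "uri": "/files/..%2f..%2fsecret.txt"},
    "post without length": {"method": "POST", "uri": "/upload",
                            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                            "body": "a=b"},
    "get with body": {"method": "GET", "uri": "/",
                      "headers": {"Content-Length": "3"}, "body": "a=b"},
    "chunked post": {"method": "POST", "uri": "/api",
                     "headers": {"Content-Type": "application/x-www-form-urlencoded",
                                 "Content-Length": "3", "Transfer-Encoding": "chunked"},
                     "body": "a=b"},
    "cgi listing": {"method": "GET", "uri": "/cgi-bin/",
                    "response": "<title>Index of /cgi-bin/</title>"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        verdict = filter_request(req)
        print(f"{name:20} -> {'403 ' + verdict if verdict else 'allowed'}")
```

Two things worth noticing in the output: the encoded traversal is only caught because the URI is decoded first (call filter_request with normalise=False and it sails through), and the "drop" payload with two spaces is allowed by the article's drop[[:space:]]table pattern, exactly the single-whitespace weakness mentioned above.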
And, not least, "masking" the server:
SecServerSignature "Microsoft-IIS/5.0"
This only rewrites the Server response header (ServerTokens Full must be set for it to take effect), so treat it as a nuisance for automated scanners rather than a protection; the server still behaves like Apache in every other respect.
These are just a few of the things to expect from mod_security. I warmly recommend this module.
Regards