+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Contributions Area (/forum-40.html)
+--- Forum: Howtos (/forum-41.html)
+--- Thread: [HowTo] Mod Security on debian (/thread-2862.html)
[HowTo] Mod Security on debian - hxbro - 03-28-2008 01:10 AM
How to install latest mod-security on debian lenny (probably applicable to other debian based distributions), there are .debs available but they are out of date so you need to install it manually.
In my opinion no apache server should be without mod-security, it helps filter out a lot of potential security holes in software to help protect your webserver, this has saved me a number of times when running beta/old
code like vhcs/ispcp or code like phpbb/wordpress/other popular web software.
More info on modsecurity here: http://www.modsecurity.org/
1. Install required packages:
Quote:apt-get install libxml2-dev liblua5.1-0 lua5.1 apache2-threaded-dev
2. Fetch the latest mod-security (2.5.1 at time of writing)
Quote:cd /tmp
wget http://www.modsecurity.org /download/modsecurity-apache_2.5.1.tar.gz
(remove the space after .org if cutting and pasting)
3. Extract mod-security
Quote:tar zxvf modsecurity-apache_2.5.1.tar.gz
4. Enter mod-security directory
Quote:cd modsecurity-apache_2.5.1/apache2/
5. Build mod-security
Quote:./configure && make && make install
If all is well mod-security should now be in /usr/lib/apache2/modules/ and called mod_security2.so
6. Create the mod-security load file for apache to load it
Quote:vi /etc/apache2/mods-available/mod-security2.load
and add the following lines:
Quote:LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so.0
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
and save it (ESC :wq)
7. Enable the module to load with apache (unique_id is required for mod-security, it should come standard with apache)
Quote:a2enmod mod-security2
a2enmod unique_id
8. Tell apache where to load the mod-security config
Quote:vi /etc/apache2/conf.d/mod-security2.conf
and add the following line:
Quote:Include /etc/modsecurity2/*.conf
and save it (ESC :wq)
9. Create the mod-security directories and logs
Quote:mkdir /etc/modsecurity2
mkdir /etc/modsecurity2/logs
touch /etc/modsecurity2/logs/modsec_audit.log
touch /etc/modsecurity2/logs/modsec_debug.log
10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)
Quote:cp /tmp/modsecurity-apache_2.5.1/rules/*.conf /etc/modsecurity2
11. Update the rules so the log locations are correct
Quote:vi /etc/modsecurity2/modsecurity_crs_10_config.conf
Find SecDebugLog logs/modsec_debug.log
Replace with SecDebugLog /etc/modsecurity2/logs/modsec_debug.log
Find SecAuditLog logs/modsec_audit.log
Replace with SecAuditLog /etc/modsecurity2/logs/modsec_audit.log
and save it (ESC :wq)
12. Check apache config is ok
Quote:apache2ctl configtest
(should return Syntax OK)
13. Restart apache
Quote:/etc/init.d/apache2 restart
14. Check mod-security2 is running
Quote:cat /var/log/apache2/error.log | grep ModSecurity
[Thu Mar 27 14:56:58 2008] [notice] ModSecurity for Apache/2.5.1 (http://www.modsecurity.org/) configured.
Done!
More info on mod-security http://www.modsecurity.org/
These instructions were taken from http://www.debianitalia.org/modules/wfsection/article.php?articleid=161 and updated/fixed as needed.
RE: Mod Security on debian - gOOvER - 03-28-2008 01:53 AM
Thanx for the HowTo
RE: Mod Security on debian - Viktor - 04-18-2008 07:42 AM
gOOvER Wrote:Thanx for the HowTo
I say also thanks.
I have install it on my Testserver (Etch amd-64) and I think its works.
I must also install "apt-get install build-essential".
Kind regards
Viktor
RE: Mod Security on debian - prale - 04-19-2008 08:59 AM
Works perfect!
I also had to install "apt-get install build-essential" on debian etch.
RE: Mod Security on debian - fulltilt - 04-19-2008 07:51 PM
hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)
I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?
RE: Mod Security on debian - Viktor - 04-19-2008 09:43 PM
fulltilt Wrote:hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)
I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?
Hello,
the rule from gotroot.com in not working I become a error.
Must I change something?
Kind regards
Viktor
RE: Mod Security on debian - fulltilt - 04-19-2008 09:52 PM
Hi Viktor,
yes i changed 4-6 parts in all rule files, some parts blocking also PMA by deleting tables.
You need to find the rules that not working und uncoment ...
e.g.
The gotrule confs in folder ...
Rename all files from conf to bak without the first one - restart apche and see if it's working, rename the next file from . bak to .conf and see if it working. You need to restart always apache before ...
If you get error you need to check the error log and find the rule in ruleset and delete or modify it.
Have also a look to to PMA.
Viktor Wrote:fulltilt Wrote:hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)
I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?
Hello,
the rule from gotroot.com in not working I become a error.
Must I change something?
Kind regards
Viktor
RE: Mod Security on debian - Viktor - 04-19-2008 10:23 PM
Hello,
the ruleset from gotroot.com has no master.conf file.
How do you create this file.
Kind regards
Viktor
RE: Mod Security on debian - fulltilt - 04-19-2008 10:38 PM
Viktor Wrote:the ruleset from gotroot.com has no master.conf file.
You need to create a folder /etc/modsecurity2 and copy the files from gotroot in there.
and in modsecurity2.conf add:
Include /etc/modsecurity2/*.conf
all gotrule files are ending with .conf
maybe you need to remove older double rules if you have created some before.
Always restart apache :-)
RE: Mod Security on debian - prale - 04-21-2008 03:30 AM
I also needed to set ServerTokens from Prod to Full in /etc/apache2/apache2.conf
And I have some problems after enabling mod_security2:
- HTTP 501/HTTP 505 response when editing a record in PMA
- HTTP 400 response when using my ip-adres instead of my main-domain.
(before I always saw the ISPCP login)
I see many entry's like this in /var/log/apache2/error.log:
Code:
[Sun Apr 20 20:40:08 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/modsecurity2/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "localhost"] [uri "/watch-list"] [unique_id "T-tpl1GpgkIAAD@pFY4AAAAA"]
[Sun Apr 20 20:40:08 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsecurity2/modsecurity_crs_35_bad_robots.conf"] [line "29"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [tag "AUTOMATION/MISC"] [hostname "localhost"] [uri "/watch-list"] [unique_id "T-tpl1GpgkIAAD@pFY4AAAAA"]I think it's the munin/monit daemon checking 127.0.0.1 for the apache service.
How can I allow it for 127.0.0.1 only? I don't want to uncomment te whole rule.
I also get a error 500 when browsing my SVN with tortoise