Current time: 12-26-2024, 10:51 AM Hello There, Guest! (LoginRegister)


Post Reply 
[HowTo] Mod Security on debian
Author Message
hxbro Offline
Junior Member
*

Posts: 34
Joined: Feb 2007
Reputation: 0
Post: #1
[HowTo] Mod Security on debian
How to install latest mod-security on debian lenny (probably applicable to other debian based distributions), there are .debs available but they are out of date so you need to install it manually.

In my opinion no apache server should be without mod-security, it helps filter out a lot of potential security holes in software to help protect your webserver, this has saved me a number of times when running beta/old
code like vhcs/ispcp or code like phpbb/wordpress/other popular web software.

More info on modsecurity here: http://www.modsecurity.org/

1. Install required packages:

Quote:apt-get install libxml2-dev liblua5.1-0 lua5.1 apache2-threaded-dev

2. Fetch the latest mod-security (2.5.1 at time of writing)

Quote:cd /tmp
wget http://www.modsecurity.org /download/modsecurity-apache_2.5.1.tar.gz

(remove the space after .org if cutting and pasting)

3. Extract mod-security

Quote:tar zxvf modsecurity-apache_2.5.1.tar.gz

4. Enter mod-security directory

Quote:cd modsecurity-apache_2.5.1/apache2/

5. Build mod-security

Quote:./configure && make && make install

If all is well mod-security should now be in /usr/lib/apache2/modules/ and called mod_security2.so

6. Create the mod-security load file for apache to load it

Quote:vi /etc/apache2/mods-available/mod-security2.load

and add the following lines:

Quote:LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so.0
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

and save it (ESC :wq)

7. Enable the module to load with apache (unique_id is required for mod-security, it should come standard with apache)

Quote:a2enmod mod-security2
a2enmod unique_id

8. Tell apache where to load the mod-security config

Quote:vi /etc/apache2/conf.d/mod-security2.conf

and add the following line:

Quote:Include /etc/modsecurity2/*.conf

and save it (ESC :wq)

9. Create the mod-security directories and logs

Quote:mkdir /etc/modsecurity2
mkdir /etc/modsecurity2/logs
touch /etc/modsecurity2/logs/modsec_audit.log
touch /etc/modsecurity2/logs/modsec_debug.log

10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

Quote:cp /tmp/modsecurity-apache_2.5.1/rules/*.conf /etc/modsecurity2

11. Update the rules so the log locations are correct

Quote:vi /etc/modsecurity2/modsecurity_crs_10_config.conf

Find SecDebugLog logs/modsec_debug.log

Replace with SecDebugLog /etc/modsecurity2/logs/modsec_debug.log

Find SecAuditLog logs/modsec_audit.log

Replace with SecAuditLog /etc/modsecurity2/logs/modsec_audit.log

and save it (ESC :wq)

12. Check apache config is ok

Quote:apache2ctl configtest

(should return Syntax OK)

13. Restart apache

Quote:/etc/init.d/apache2 restart

14. Check mod-security2 is running

Quote:cat /var/log/apache2/error.log | grep ModSecurity

[Thu Mar 27 14:56:58 2008] [notice] ModSecurity for Apache/2.5.1 (http://www.modsecurity.org/) configured.

Done!

More info on mod-security http://www.modsecurity.org/

These instructions were taken from http://www.debianitalia.org/modules/wfse...icleid=161 and updated/fixed as needed.
(This post was last modified: 11-25-2008 03:10 AM by BeNe.)
03-28-2008 01:10 AM
Find all posts by this user Quote this message in a reply
gOOvER Offline
Banned

Posts: 3,561
Joined: Jul 2007
Post: #2
RE: Mod Security on debian
Thanx for the HowTo Smile
03-28-2008 01:53 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Viktor Offline
Junior Member
*

Posts: 118
Joined: Nov 2006
Reputation: 1
Post: #3
RE: Mod Security on debian
gOOvER Wrote:Thanx for the HowTo Smile

I say also thanks.

I have install it on my Testserver (Etch amd-64) and I think its works.

I must also install "apt-get install build-essential".

Kind regards
Viktor
04-18-2008 07:42 AM
Visit this user's website Find all posts by this user Quote this message in a reply
prale Offline
Junior Member
*

Posts: 92
Joined: Feb 2008
Reputation: 1
Post: #4
RE: Mod Security on debian
Works perfect!
I also had to install "apt-get install build-essential" on debian etch.
04-19-2008 08:59 AM
Find all posts by this user Quote this message in a reply
fulltilt Offline
Member
***

Posts: 1,225
Joined: Apr 2007
Reputation: 5
Post: #5
RE: Mod Security on debian
hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?
04-19-2008 07:51 PM
Find all posts by this user Quote this message in a reply
Viktor Offline
Junior Member
*

Posts: 118
Joined: Nov 2006
Reputation: 1
Post: #6
RE: Mod Security on debian
fulltilt Wrote:
hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?

Hello,

the rule from gotroot.com in not working I become a error.

Must I change something?

Kind regards
Viktor
04-19-2008 09:43 PM
Visit this user's website Find all posts by this user Quote this message in a reply
fulltilt Offline
Member
***

Posts: 1,225
Joined: Apr 2007
Reputation: 5
Post: #7
RE: Mod Security on debian
Hi Viktor,

yes i changed 4-6 parts in all rule files, some parts blocking also PMA by deleting tables.
You need to find the rules that not working und uncoment ...
e.g.
The gotrule confs in folder ...
Rename all files from conf to bak without the first one - restart apche and see if it's working, rename the next file from . bak to .conf and see if it working. You need to restart always apache before ...
If you get error you need to check the error log and find the rule in ruleset and delete or modify it.
Have also a look to to PMA.

Viktor Wrote:
fulltilt Wrote:
hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?

Hello,

the rule from gotroot.com in not working I become a error.

Must I change something?

Kind regards
Viktor
04-19-2008 09:52 PM
Find all posts by this user Quote this message in a reply
Viktor Offline
Junior Member
*

Posts: 118
Joined: Nov 2006
Reputation: 1
Post: #8
RE: Mod Security on debian
Hello,

the ruleset from gotroot.com has no master.conf file.Sad

How do you create this file.Rolleyes

Kind regards
ViktorWink
04-19-2008 10:23 PM
Visit this user's website Find all posts by this user Quote this message in a reply
fulltilt Offline
Member
***

Posts: 1,225
Joined: Apr 2007
Reputation: 5
Post: #9
RE: Mod Security on debian
Viktor Wrote:the ruleset from gotroot.com has no master.conf file.Sad

You need to create a folder /etc/modsecurity2 and copy the files from gotroot in there.

and in modsecurity2.conf add:
Include /etc/modsecurity2/*.conf

all gotrule files are ending with .conf

maybe you need to remove older double rules if you have created some before.
Always restart apache :-)
04-19-2008 10:38 PM
Find all posts by this user Quote this message in a reply
prale Offline
Junior Member
*

Posts: 92
Joined: Feb 2008
Reputation: 1
Post: #10
RE: Mod Security on debian
I also needed to set ServerTokens from Prod to Full in /etc/apache2/apache2.conf

And I have some problems after enabling mod_security2:

- HTTP 501/HTTP 505 response when editing a record in PMA
- HTTP 400 response when using my ip-adres instead of my main-domain.
(before I always saw the ISPCP login)

I see many entry's like this in /var/log/apache2/error.log:

Code:
[Sun Apr 20 20:40:08 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/modsecurity2/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "localhost"] [uri "/watch-list"] [unique_id "T-tpl1GpgkIAAD@pFY4AAAAA"]

[Sun Apr 20 20:40:08 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsecurity2/modsecurity_crs_35_bad_robots.conf"] [line "29"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [tag "AUTOMATION/MISC"] [hostname "localhost"] [uri "/watch-list"] [unique_id "T-tpl1GpgkIAAD@pFY4AAAAA"]

I think it's the munin/monit daemon checking 127.0.0.1 for the apache service.
How can I allow it for 127.0.0.1 only? I don't want to uncomment te whole rule.

Sad I also get a error 500 when browsing my SVN with tortoise
(This post was last modified: 04-21-2008 06:40 AM by prale.)
04-21-2008 03:30 AM
Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 2 Guest(s)