[HowTo] Mod Security on debian

[hxbro]

How to install latest mod-security on debian lenny (probably applicable to other debian based distributions), there are .debs available but they are out of date so you need to install it manually.

In my opinion no apache server should be without mod-security, it helps filter out a lot of potential security holes in software to help protect your webserver, this has saved me a number of times when running beta/old
code like vhcs/ispcp or code like phpbb/wordpress/other popular web software.

More info on modsecurity here: http://www.modsecurity.org/

1. Install required packages:

Quote:apt-get install libxml2-dev liblua5.1-0 lua5.1 apache2-threaded-dev

2. Fetch the latest mod-security (2.5.1 at time of writing)

Quote:cd /tmp
wget http://www.modsecurity.org /download/modsecurity-apache_2.5.1.tar.gz

(remove the space after .org if cutting and pasting)

3. Extract mod-security

Quote:tar zxvf modsecurity-apache_2.5.1.tar.gz

4. Enter mod-security directory

Quote:cd modsecurity-apache_2.5.1/apache2/

5. Build mod-security

Quote:./configure && make && make install

If all is well mod-security should now be in /usr/lib/apache2/modules/ and called mod_security2.so

6. Create the mod-security load file for apache to load it

Quote:vi /etc/apache2/mods-available/mod-security2.load

and add the following lines:

Quote:LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so.0
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

and save it (ESC :wq)

7. Enable the module to load with apache (unique_id is required for mod-security, it should come standard with apache)

Quote:a2enmod mod-security2
a2enmod unique_id

8. Tell apache where to load the mod-security config

Quote:vi /etc/apache2/conf.d/mod-security2.conf

and add the following line:

Quote:Include /etc/modsecurity2/*.conf

and save it (ESC :wq)

9. Create the mod-security directories and logs

Quote:mkdir /etc/modsecurity2
mkdir /etc/modsecurity2/logs
touch /etc/modsecurity2/logs/modsec_audit.log
touch /etc/modsecurity2/logs/modsec_debug.log

10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

Quote:cp /tmp/modsecurity-apache_2.5.1/rules/*.conf /etc/modsecurity2

11. Update the rules so the log locations are correct

Quote:vi /etc/modsecurity2/modsecurity_crs_10_config.conf

Find SecDebugLog logs/modsec_debug.log

Replace with SecDebugLog /etc/modsecurity2/logs/modsec_debug.log

Find SecAuditLog logs/modsec_audit.log

Replace with SecAuditLog /etc/modsecurity2/logs/modsec_audit.log

and save it (ESC :wq)

12. Check apache config is ok

Quote:apache2ctl configtest

(should return Syntax OK)

13. Restart apache

Quote:/etc/init.d/apache2 restart

14. Check mod-security2 is running

Quote:cat /var/log/apache2/error.log | grep ModSecurity

[Thu Mar 27 14:56:58 2008] [notice] ModSecurity for Apache/2.5.1 (http://www.modsecurity.org/) configured.

Done!

More info on mod-security http://www.modsecurity.org/

These instructions were taken from http://www.debianitalia.org/modules/wfse...icleid=161 and updated/fixed as needed.

[gOOvER]

Thanx for the HowTo

[Viktor]

gOOvER Wrote:Thanx for the HowTo

I say also thanks.

I have install it on my Testserver (Etch amd-64) and I think its works.

I must also install "apt-get install build-essential".

Kind regards
Viktor

[prale]

Works perfect!
I also had to install "apt-get install build-essential" on debian etch.

[fulltilt]

hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?

[Viktor]

fulltilt Wrote:

hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?

Hello,

the rule from gotroot.com in not working I become a error.

Must I change something?

Kind regards
Viktor

[fulltilt]

Hi Viktor,

yes i changed 4-6 parts in all rule files, some parts blocking also PMA by deleting tables.
You need to find the rules that not working und uncoment ...
e.g.
The gotrule confs in folder ...
Rename all files from conf to bak without the first one - restart apche and see if it's working, rename the next file from . bak to .conf and see if it working. You need to restart always apache before ...
If you get error you need to check the error log and find the rule in ruleset and delete or modify it.
Have also a look to to PMA.

Viktor Wrote:

fulltilt Wrote:

hxbro Wrote:10. Copy the core rules into the mod-security dirs (more info on the core rules can be found on http://www.modsecurity.org/projects/rules/index.html)

I'm using the ruleset from gotroot.com did you know if the core rules from modsecurity are more up to date?

Hello,

the rule from gotroot.com in not working I become a error.

Must I change something?

Kind regards
Viktor

[Viktor]

Hello,

the ruleset from gotroot.com has no master.conf file.

How do you create this file.

Kind regards
Viktor

[fulltilt]

Viktor Wrote:the ruleset from gotroot.com has no master.conf file.

You need to create a folder /etc/modsecurity2 and copy the files from gotroot in there.

and in modsecurity2.conf add:
Include /etc/modsecurity2/*.conf

all gotrule files are ending with .conf

maybe you need to remove older double rules if you have created some before.
Always restart apache :-)

[prale]

I also needed to set ServerTokens from Prod to Full in /etc/apache2/apache2.conf

And I have some problems after enabling mod_security2:

- HTTP 501/HTTP 505 response when editing a record in PMA
- HTTP 400 response when using my ip-adres instead of my main-domain.
(before I always saw the ISPCP login)

I see many entry's like this in /var/log/apache2/error.log:

Code:

[Sun Apr 20 20:40:08 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [file "/etc/modsecurity2/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER"] [hostname "localhost"] [uri "/watch-list"] [unique_id "T-tpl1GpgkIAAD@pFY4AAAAA"]

[Sun Apr 20 20:40:08 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/etc/modsecurity2/modsecurity_crs_35_bad_robots.conf"] [line "29"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [tag "AUTOMATION/MISC"] [hostname "localhost"] [uri "/watch-list"] [unique_id "T-tpl1GpgkIAAD@pFY4AAAAA"]

I think it's the munin/monit daemon checking 127.0.0.1 for the apache service.
How can I allow it for 127.0.0.1 only? I don't want to uncomment te whole rule.

I also get a error 500 when browsing my SVN with tortoise