Wednesday, May 7, 2008

Apache and Mod Security

Installing and configuring Mod Security

ModSecurity is an open source application that acts as a web application firewall or an intrusion detection and prevention system. It can be run as an Apache module or standalone. ModSecurity helps protect web-based applications from attacks.

Installing ModSecurity

This is simple: just run make install clean in FreeBSD's mod_sec port directory. If you are not running FreeBSD and need the source, you can get it from the ModSecurity site.

Preparing the ModSecurity config file for use with Apache

I have split my httpd.conf file up, so I have a separate conf directory in /usr/local/etc/apache. You can put your modsecurity.conf directly in that directory, but for this example I am going to use /usr/local/etc/apache/conf.

# mkdir modsec-rules
# vi modsecurity.conf

AddHandler application/x-httpd-php .php

SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec/audit_log
SecFilterScanPOST On
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
SecAuditLogRelevantStatus ^5
#
# Rules
#
# RootKits
Include /usr/local/etc/apache/conf/modsec-rules/rootkits.conf
# useragents
Include /usr/local/etc/apache/conf/modsec-rules/useragents.conf

You can download the rules you want to use from GotRoot. Just check which ones are relevant to you and use those rule sets. There are quite a few options that you can implement in your modsecurity.conf file, but you will have to test them: the wrong rule could make your web page or your clients' pages unusable.

Add this into your Apache config file:

Options FollowSymLinks
AllowOverride None
Include etc/apache/conf/modsecurity.conf

Reload your Apache config and test to see that the pages still work.

Once again, make sure that the modsec log directory is there. When you reload Apache, an audit log file should appear, and any odd traffic will appear there. By monitoring the log file you can see what is being blocked and take appropriate action if something is being blocked that should not be.
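
A preflight check for the two things this setup depends on, the rule files named by Include and the directory that holds SecAuditLog, to run before reloading Apache. This is an added example, not part of the original post; the function name check_modsec_conf and the default ServerRoot of /usr/local are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post.
# check_modsec_conf CONF [SERVERROOT]
# Prints one line per problem and returns the number of problems found.
check_modsec_conf() {
    conf=$1
    root=${2:-/usr/local}   # assumed ServerRoot, used for relative paths
    problems=0
    if [ ! -r "$conf" ]; then
        echo "cannot read config: $conf"
        return 1
    fi
    # The "|| [ -n ... ]" part keeps a last line that has no trailing newline.
    while read -r directive arg rest || [ -n "$directive" ]; do
        arg=${arg#\"}; arg=${arg%\"}      # drop optional surrounding quotes
        case $arg in
            /*|\|*|"") path=$arg ;;       # absolute path, piped logger, or empty
            *) path=$root/$arg ;;         # relative to ServerRoot
        esac
        case $directive in
            Include)
                if [ ! -e "$path" ]; then
                    echo "missing Include target: $path"
                    problems=$((problems + 1))
                fi ;;
            SecAuditLog)
                case $path in \|*) continue ;; esac   # piped log: no directory to check
                if [ ! -d "$(dirname "$path")" ]; then
                    echo "audit log directory missing: $(dirname "$path")"
                    problems=$((problems + 1))
                fi ;;
        esac
    done < "$conf"
    return "$problems"
}

# Run the check when the script is given a config file as an argument.
if [ $# -gt 0 ]; then
    check_modsec_conf "$@"
fi
```

Comment lines and directives other than Include and SecAuditLog are ignored, so the same check can be pointed at the main Apache config to confirm that the Include of modsecurity.conf resolves.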
