What is Mod_Security and How to Install it
Well, here I try to explain what Mod_security is.
Also please correct me if I am wrong anywhere in this.
Mod_Security is an open source intrusion detection and prevention engine for web applications (or you can say it is a web application firewall), operating as an Apache Web server module. The current stable version of it is 1.9.4. The purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.
Mod_security is great and I encourage it to be used by everyone; it does have the potential to break some web applications, but so far I have seen very few issues, to say the least. Likewise, it is easy to fix any applications that may break with the granular filter rules that can be set up to either deny or allow certain content. Overall, mod_security is a needed addition to Apache, providing a layer of security yet unseen for Apache.
I highly encourage all of you to read the reference document on the modsecurity.org site (under documentation) to better understand each directive and the role it plays in protecting your server and sites.
How to install?
1. Login to your server as a root user.
2. Now, get the full download of the latest version of mod_security with the following command:
#wget http://www.modsecurity.org/download/...y-1.7.4.tar.gz
3. Next, untar the archive and cd into the directory:
# tar zxvf mod_security-1.7.4.tar.gz
# cd mod_security-1.7.4/
4. Now you need to determine which version of Apache you use:
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/
5. Let's compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c
6. OK, now it's time to edit the httpd.conf file.
But first we will make a backup just in case something goes wrong ("PRECAUTION" is better than "CURE"). Also get the assistance of senior admins in case you are not confident while setting the various parameters for the server.
# cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
7. Now that we have backed it all up, we can edit httpd.conf. Replace pico with nano depending on what you have, with the command below:
# ln -s /usr/bin/nano /usr/bin/pico
so that you can edit the file with pico. Or else you can go with the vi editor:
# vi /usr/local/apache/conf/httpd.conf
8. Let's look for something in the config; do this by holding Control and pressing W, and you are going to search for
(although any of the IfModules would work fine)
9. Now add this:
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks; the dots must be escaped,
# otherwise the regex "../" matches any two characters followed by a slash
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
10. Save the file.
Needless to say, for the pico editor Ctrl + X then Y, and "Esc" :wq! for the vi editor.
11. Restart Apache.
# /etc/rc.d/init.d/httpd stop
# /etc/rc.d/init.d/httpd start
That's it. 
Congratulations!!
You have taken a major step for the server security and have successfully installed mod_security!
==============================
Regards,
P_Vivek.
A single conversation with a wise man is better than ten years of study.
-
wget link for mod_security
wget the stable version releases for mod_security at
http://www.modsecurity.org/download/index.html
Warm Regards,
P_Vivek
==============
A single conversation with a wise man is better than ten years of study.
-
What is mod_security and what exactly does it block?
In order to help keep your VPS more secure and to help stop several very common types of attacks on your server, we install mod_security for each of our customers. mod_security integrates with Apache to stop attackers from being able to issue commands to the server through vulnerable scripts and software packages you might have installed.
By default, the following terms are blocked from being called from within a URL:
* wget
* lynx
* curl
* tar
* uname
* g++
* gcc
* nmap
* .bash_history
* /etc/passwd
* /bin/ps
* /usr/bin/id
* /bin/kill
* /usr/bin/gcc
* /bin/mail
* /bin/ping
* /bin/ls
* lsof
* perl
* 0a.pl
* "img src=javascript"
* /~nobody
* /~root
* /~ftp
* formmail.cgi
* formmail.pl
* formmail.php
* /modules/My_eGallery
* telnet.pl
* telnet.cgi
* shell.pl
* shell.cgi
* shell.php
Again, this list does not mean you cannot use features like "tar" in your programs. You just can't include "tar" in the URL bar.
To modify your mod_security configuration file, you would want to:
1. Login to your server as root.
2. Open the file /usr/local/apache/conf/mod_security.conf
pico -w /usr/local/apache/conf/mod_security.conf
3. Search for any directive you might want to remove (such as "tar") and put a "#" at the start of the line. This will "comment" that directive out, so the server will essentially ignore it. If you wish to add a directive, just scroll to the bottom of the file and use:
SecFilter "phrasetoblock"
4. Save your changes and restart Apache.
service httpd restart
Contact support if you have questions about mod_security or if you need help with how to add/remove an allowed directive from your server.
Regards,
RaviBagul.
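As an added illustration (not code from either poster, nor from ModSecurity itself), the Python script below emulates in simplified form how the SecFilter and SecFilterSelective rules from the first post and the URL keyword blocklist from the post above are applied to a request, so that rules can be checked for false positives before going live. It assumes case-insensitive matching and a request already URL-decoded into a dict of variables (the real engine normalizes the request first); the sample requests are constructed.

```python
import re

# Convert the POSIX character class used in the posted rules to Python re syntax.
def to_py(pattern: str) -> str:
    return pattern.replace("[[:space:]]", r"\s")

# (label, variables, pattern). variables=None mimics SecFilter, which scans the
# whole request (here: every variable). A leading "!" negates the match, as in
# SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$". Patterns come from the posts;
# "tar" stands in for the provider's URL keyword blocklist (hypothetical rule).
RULES = [
    ("missing UA/Host", ["HTTP_USER_AGENT", "HTTP_HOST"], "^$"),
    ("path traversal", None, r"\.\./"),          # escaped form of the "../" rule
    ("script tag", None, "<[[:space:]]*script"),
    ("html tag", None, r"<(.|\n)+>"),
    ("sql delete", None, "delete[[:space:]]+from"),
    ("sql insert", None, "insert[[:space:]]+into"),
    ("sql select", None, "select.+from"),
    ("session id", ["ARG_PHPSESSID", "COOKIE_PHPSESSID"], "!^[0-9a-z]*$"),
    ("keyword tar", ["REQUEST_URI"], "tar"),
]

def rule_fires(pattern: str, value: str) -> bool:
    """Unanchored regex search, negated when the pattern starts with '!'."""
    negate = pattern.startswith("!")
    # Assumption: the 1.x engine matches case-insensitively.
    regex = re.compile(to_py(pattern.lstrip("!")), re.IGNORECASE)
    return bool(regex.search(value)) != negate

def evaluate(request: dict) -> list:
    """Return the labels of every rule that would deny this request."""
    hits = []
    for label, variables, pattern in RULES:
        targets = variables or list(request)
        # An absent selective variable is treated as the empty string, which is
        # how the "^$" rule catches a request with no User-Agent header.
        if any(rule_fires(pattern, request.get(v, "")) for v in targets):
            hits.append(label)
    return hits

if __name__ == "__main__":
    # Constructed sample: a legitimate URL containing "tar" and no User-Agent.
    print(evaluate({"REQUEST_URI": "/guitars.php", "HTTP_HOST": "example.com"}))
    # The unescaped "../" from the post matches an ordinary image path.
    print(rule_fires("../", "/images/logo.png"), rule_fires(r"\.\./", "/images/logo.png"))
```

Running it shows that a harmless request for /guitars.php is denied by the "tar" keyword, which is the kind of false positive the post's advice to comment out a directive is meant to address.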