Date:  Thu, 9 Aug 2007 11:19:12 +0100
From:  "Paul Wilson - Swift Internet" <paulw (at mark) swiftinter.net>
Subject:  [coba-e:10551] Re: apache mod_security + bq
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <DD490A22DC384B08ADF65AF8FF4B33F7 (at mark) office.swiftinter.net>
In-Reply-To:  <20070808202557.M49480 (at mark) lewiscounty.com>
References:  <20070808202557.M49480 (at mark) lewiscounty.com>
X-Mail-Count: 10551

The site www.gotroot.com details the installation of mod_security quite 
well.

http://gotroot.com/tiki-index.php?page=Setup+of+mod_security


However, I put the mod_security directives into a separate file located at 
/etc/httpd/conf.d/mod_security.conf and comment out (or remove) the 
mod_security module load line in httpd.conf.
This puts the module load and basic setup into one file (instead of 2).

So the mod_security.conf file would look a bit like this:

########################################################
LoadModule security_module    /usr/lib/httpd/modules/mod_security.so
<IfModule mod_security.c>

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly

SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

SecServerResponseToken Off

#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"

#SecUploadDir /tmp
#SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

#And now, the rules
#Remove any of these Include lines you do not use or have rules for.

#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf

#Application protection rules
Include /etc/modsecurity/rules.conf

#Comment spam rules
Include /etc/modsecurity/blacklist.conf

#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf

#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf

#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf

#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf

#Additional rules for Apache 2.x ONLY!  Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
##########################################################


Also, when you download the rulesets from gotroot.com it is best if you put 
them into a directory (say /etc/modsecurity) and have your mod_security.conf 
file point to them.

Once it is set up the results of any blocked connections are placed in 
/var/log/httpd/audit_log - this is very good as it will help spot IP 
addresses of recent attacks (then you can block them for good via firewall) 
and also help find any false positives - which you will get from time to 
time.
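As an added example (not from the post), a small script that tallies a mod_security 1.x audit_log by client IP and by the rule that fired, which is the two questions the paragraph above raises: repeat offenders to firewall, and rules that keep tripping on ordinary requests. The log excerpt is constructed here in the style of the 1.x serial audit log and the field names are assumed from it, so adjust the two regexes if your audit_log entries differ.

```python
import re
from collections import Counter

# Constructed excerpt in the style of the mod_security 1.x serial audit_log
# (not a real log): three denied requests, two of them from the same client.
SAMPLE_AUDIT_LOG = r"""========================================
Request: 203.0.113.7 - - [09/Aug/2007:10:02:13 +0100] "GET /index.php?main_page=http://198.51.100.9/x.txt HTTP/1.1" 500 0
----------------------------------------
GET /index.php?main_page=http://198.51.100.9/x.txt HTTP/1.1
mod_security-message: Access denied with code 500. Pattern match "/*\.php\?main_page=(http|https|ftp)\:/*" at THE_REQUEST.
mod_security-action: 500
========================================
Request: 203.0.113.7 - - [09/Aug/2007:10:02:15 +0100] "GET /index.php?dir_inc=ftp://198.51.100.9/x.txt HTTP/1.1" 500 0
----------------------------------------
GET /index.php?dir_inc=ftp://198.51.100.9/x.txt HTTP/1.1
mod_security-message: Access denied with code 500. Pattern match "/*\.php\?dir_inc=(http|https|ftp)\:/*" at THE_REQUEST.
mod_security-action: 500
========================================
Request: 192.0.2.44 - - [09/Aug/2007:10:30:01 +0100] "GET /redirect.php?dir_inc=https://www.example.com/ HTTP/1.1" 500 0
----------------------------------------
GET /redirect.php?dir_inc=https://www.example.com/ HTTP/1.1
mod_security-message: Access denied with code 500. Pattern match "/*\.php\?dir_inc=(http|https|ftp)\:/*" at THE_REQUEST.
mod_security-action: 500
"""

ENTRY_SEP = "========================================"
REQUEST_RE = re.compile(r"^Request: (\S+) ", re.M)
MESSAGE_RE = re.compile(r'^mod_security-message: .*?Pattern match "(.*)" at (\w+)', re.M)

def summarize_audit_log(text):
    """Count denied requests per client IP and per rule pattern.

    Returns (per_ip, per_rule): two Counters. A client with many entries is a
    candidate for a firewall block; a rule that fires on many different
    ordinary-looking requests is a likely false positive to review."""
    per_ip, per_rule = Counter(), Counter()
    for entry in text.split(ENTRY_SEP):
        req = REQUEST_RE.search(entry)
        if not req:
            continue  # empty chunk before the first separator
        per_ip[req.group(1)] += 1
        msg = MESSAGE_RE.search(entry)
        if msg:
            per_rule["%s @ %s" % (msg.group(1), msg.group(2))] += 1
    return per_ip, per_rule

if __name__ == "__main__":
    ips, rules = summarize_audit_log(SAMPLE_AUDIT_LOG)
    print(ips.most_common())
    print(rules.most_common())
```

Run it against the real file with `summarize_audit_log(open("/var/log/httpd/audit_log").read())`.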



Example of custom rules:

To block certain php inclusion attacks you can create rules such as below 
(either in a separate rule conf file [include this file in the 
mod_security.conf file lists] or added to one of the existing ones)

SecFilterSelective THE_REQUEST "/*\.php\?[PARAMETER]=(http|https|ftp)\:/*"

for example:

SecFilterSelective THE_REQUEST "/*\.php\?dir\[inc\]=(http|https|ftp)\:/*"
SecFilterSelective THE_REQUEST "/*\.php\?middle=(http|https|ftp)\:/*"
SecFilterSelective THE_REQUEST "/*\.php\?dir_inc=(http|https|ftp)\:/*"
SecFilterSelective THE_REQUEST "/*\.php\?main_page=(http|https|ftp)\:/*"

These prevent the php page from being tricked into parsing remote files, 
such as shell scripts, bulk spam mail interfaces and other hacker toolkits. 
NOT a complete answer, as the php page should have been programmed to 
prevent this and the rules only prevent the  but it is a way of giving your 
developers time to sort the vulnerability out.
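An added dry run of the four patterns above (my example, not from the post): mod_security 1.x evaluates SecFilterSelective THE_REQUEST as a regular expression over the request line, so Python's `re.search` shows which constructed request lines each rule would deny. It also shows the false-positive case the post warns about (a legitimate URL-valued parameter) and one assumption of mine, a tightened variant that still matches when the vulnerable parameter is not the first one in the query string.

```python
import re

# The four SecFilterSelective THE_REQUEST patterns from the post, verbatim.
RULES = {
    "dir[inc]":  r"/*\.php\?dir\[inc\]=(http|https|ftp)\:/*",
    "middle":    r"/*\.php\?middle=(http|https|ftp)\:/*",
    "dir_inc":   r"/*\.php\?dir_inc=(http|https|ftp)\:/*",
    "main_page": r"/*\.php\?main_page=(http|https|ftp)\:/*",
}

# Assumed tightening (not from the post): the originals only match the parameter
# directly after "?", so allow other "name=value&" pairs in front of it.
HARDENED_RULES = {
    name: pat.replace(r"\.php\?", r"\.php\?([^ ]*&)?") for name, pat in RULES.items()
}

def matching_rule(the_request, rules=RULES):
    """Name of the first rule that fires on THE_REQUEST, or None if it passes."""
    for name, pattern in rules.items():
        if re.search(pattern, the_request):
            return name
    return None

# Constructed request lines, not taken from any real log.
SAMPLE_REQUESTS = [
    "GET /index.php?main_page=http://198.51.100.9/x.txt HTTP/1.1",          # remote file: denied
    "GET /index.php?main_page=about HTTP/1.1",                              # ordinary page: passes
    "GET /go.php?dir_inc=https://www.example.com/ HTTP/1.1",                 # legitimate URL value: false positive
    "GET /index.php?lang=en&main_page=http://198.51.100.9/x.txt HTTP/1.1",  # not the first parameter: missed
]

def dry_run(requests, rules=RULES):
    """Map each request line to the rule that would deny it (None = allowed)."""
    return {req: matching_rule(req, rules) for req in requests}

if __name__ == "__main__":
    for label, rules in (("post's rules", RULES), ("hardened", HARDENED_RULES)):
        print("==", label)
        for req, rule in dry_run(SAMPLE_REQUESTS, rules).items():
            print("%-9s %s" % (rule or "allowed", req))
```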


To exclude a site from mod_security

Locate the site's number and edit the 
/etc/httpd/conf/vhosts/site[number].include file

add the following lines

<IfModule mod_security.c>
SecFilterEngine Off
</IfModule>

Save the file and restart apache to exclude the site from scanning.


Mod_security is effective, but you will encounter some false positives, so 
be prepared to comment out some of the rules from time to time.


Paul



----- Original Message ----- 
From: "Randy Smith" <forhire (at mark) lewiscounty.com>
To: <coba-e (at mark) bluequartz.org>
Sent: Wednesday, August 08, 2007 9:27 PM
Subject: [coba-e:10548] apache mod_security + bq


> Does anyone have install notes for mod_security + bq? Any gotchas I need 
> to
> watch for?
>
> Thanks, Randy
>