Summary:
This article describes how to install and configure the mod_security Apache module (version 1.8.4 on a cPanel server running Apache 1.3), and points out where the sample rule set needs tuning before it is enforced.
Background:
ModSecurity is an open source intrusion detection and prevention engine
for web applications. Operating as an Apache Web server module, the
purpose of ModSecurity is to increase web application security,
protecting web applications from known and unknown attacks.
Official web site:
http://www.modsecurity.org
Procedure:
1. SSH to your server as root (the build installs into the Apache tree and the restart needs root).
2. Backup your current Apache configuration. In shell, type the following command:
Quote:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
3. Next, we will download, untar, and compile mod_security's source code. Compare the downloaded archive against the checksum published on the download page before unpacking it. In shell, type the following commands:
Quote:
wget http://www.modsecurity.org/download/...y-1.8.4.tar.gz
tar xvfz mod_security-1.8.4.tar.gz
cd mod_security-1.8.4/
cd apache1/
/usr/local/apache/bin/apxs -cia mod_security.c
Note: current cPanel builds use Apache 1.3, which is why the module is built from the apache1/ directory. On Apache 2.x, build from the apache2/ directory of the same tarball instead, and bear in mind that Apache 2 has no AddModule lines: apxs -a then adds only a LoadModule line, and the Include in step 4 goes after that.
4. Next, we will edit httpd.conf to pull in our security filters and the Snort-converted rule set. In shell, type the following command:
Quote:
pico /usr/local/apache/conf/httpd.conf
Search for the 'AddModule' lines and make sure that AddModule mod_security.c appears in the module list; apxs -a in step 3 should have added it, together with a matching LoadModule line. If it is missing, add it by hand. It should look something like this:
Quote:
AddModule mod_frontpage.c
AddModule mod_php4.c
AddModule mod_bwlimited.c
AddModule mod_log_bytes.c
AddModule mod_auth_passthrough.c
AddModule mod_security.c
Next, add Include /etc/mod_security.conf just below the AddModule mod_security.c line. The position matters: Apache only recognises the Sec* directives once the module has been added, so an Include placed earlier in httpd.conf makes the server refuse to start with an "Invalid command" error. It should look something like this:
Quote:
AddModule mod_security.c
Include /etc/mod_security.conf
Save, and exit the httpd.conf configuration file.
5. We will now create, and edit the
/etc/mod_security.conf file to include the following settings:
Quote:
# Turn the filtering engine On or Off
SecFilterEngine On
# Change the Server: string. Apache only lets the module overwrite the
# signature buffer it has already built, so set "ServerTokens Full" in
# httpd.conf and keep the replacement no longer than the original
# signature; otherwise this directive has no visible effect.
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range. 1-255 rejects only NUL bytes; a
# tighter range such as 32-126 also catches binary payloads but breaks
# file uploads and non-ASCII form input, so narrow it deliberately.
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default. "log" also writes a line to Apache's
# error_log. When first deploying, use "log,pass" here instead, review
# the audit log for a few days, and only then switch to "deny": the
# converted rule set below will otherwise block legitimate traffic the
# moment it goes live.
SecFilterDefaultAction "deny,log,status:500"
# Allow cPanel/WHM requests from the local host. This must come before
# the other rules: rules are evaluated in the order they appear and
# "allow" stops processing for the request, so placed later it would not
# help a local request that had already matched an earlier rule (for
# example one sent without a User-Agent header).
SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" nolog,allow
# Require HTTP_USER_AGENT and HTTP_HOST in all requests. This also rejects
# HTTP/1.0 clients and scripts that send no User-Agent header (some
# monitoring tools and feed fetchers do), so expect to whitelist a few.
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "drop[[:space:]]+table"
# Protecting from XSS attacks through the PHP session cookie. The
# character class must match what PHP generates: PHP 4 session IDs are
# hexadecimal, but with PHP 5 and session.hash_bits_per_character set to
# 6 the ID also contains upper-case letters, "," and "-", and these two
# rules would then reject every logged-in user.
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# Import our snort converted modsec rules
Include /etc/mod_security_snort.conf
6. Next, we will create and edit /etc/mod_security_snort.conf to include the following filters. They were converted mechanically from Snort web signatures and inherit Snort's assumptions: a plain SecFilter pattern is tested against the whole request, POST body included (SecFilterScanPOST is On), and patterns such as "rm\x20", "cc\x20", "cat\x20" or "chunked" carry no word boundaries, so ordinary text in a form post ("a warm day", "I will cc you") trips them. Trim the list to what your site actually exposes and watch the audit log before enforcing it:
Quote:
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilterSelective THE_REQUEST "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS kill command attempt
SecFilterSelective THE_REQUEST "/bin/kill"
# WEB-ATTACKS chsh command attempt
SecFilterSelective THE_REQUEST "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/gcc"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS /usr/bin/cc command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cc"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilterSelective THE_REQUEST "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilterSelective THE_REQUEST "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilterSelective THE_REQUEST "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilterSelective THE_REQUEST "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilterSelective THE_REQUEST "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilterSelective THE_REQUEST "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilterSelective THE_REQUEST "/bin/mail"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-CGI websitepro path access
SecFilter " /HTTP/1\."
# WEB-CGI formmail arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/formmail" chain
SecFilter "\x0a"
# WEB-CGI formmail access
SecFilterSelective THE_REQUEST "/formmail" log,pass
# WEB-CGI phf arbitrary command execution attempt
SecFilterSelective THE_REQUEST "/phf" chain
SecFilter "\x0a/"
# WEB-CGI phf access
SecFilterSelective THE_REQUEST "/phf" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-FRONTPAGE fpsrvadm.exe access
SecFilterSelective THE_REQUEST "/fpsrvadm\.exe" log,pass
# WEB-FRONTPAGE fpremadm.exe access
SecFilterSelective THE_REQUEST "/fpremadm\.exe" log,pass
# WEB-FRONTPAGE fpadmin.htm access
SecFilterSelective THE_REQUEST "/admisapi/fpadmin\.htm" log,pass
# WEB-FRONTPAGE fpadmcgi.exe access
SecFilterSelective THE_REQUEST "/scripts/Fpadmcgi\.exe" log,pass
# WEB-FRONTPAGE orders.txt access
SecFilterSelective THE_REQUEST "/_private/orders\.txt" log,pass
# WEB-FRONTPAGE form_results access
SecFilterSelective THE_REQUEST "/_private/form_results\.txt" log,pass
# WEB-FRONTPAGE registrations.htm access
SecFilterSelective THE_REQUEST "/_private/registrations\.htm" log,pass
# WEB-FRONTPAGE cfgwiz.exe access
SecFilterSelective THE_REQUEST "/cfgwiz\.exe" log,pass
# WEB-FRONTPAGE authors.pwd access
SecFilterSelective THE_REQUEST "/authors\.pwd" log,pass
# WEB-FRONTPAGE author.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/_vti_aut/author\.exe" log,pass
# WEB-FRONTPAGE administrators.pwd access
SecFilterSelective THE_REQUEST "/administrators\.pwd" log,pass
# WEB-FRONTPAGE form_results.htm access
SecFilterSelective THE_REQUEST "/_private/form_results\.htm" log,pass
# WEB-FRONTPAGE access.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/access\.cnf" log,pass
# WEB-FRONTPAGE register.txt access
SecFilterSelective THE_REQUEST "/_private/register\.txt" log,pass
# WEB-FRONTPAGE registrations.txt access
SecFilterSelective THE_REQUEST "/_private/registrations\.txt" log,pass
# WEB-FRONTPAGE service.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.cnf" log,pass
# WEB-FRONTPAGE service.pwd
SecFilterSelective THE_REQUEST "/service\.pwd" log,pass
# WEB-FRONTPAGE service.stp access
SecFilterSelective THE_REQUEST "/_vti_pvt/service\.stp" log,pass
# WEB-FRONTPAGE services.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/services\.cnf" log,pass
# WEB-FRONTPAGE shtml.exe access
SecFilterSelective THE_REQUEST "/_vti_bin/shtml\.exe" log,pass
# WEB-FRONTPAGE svcacl.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/svcacl\.cnf" log,pass
# WEB-FRONTPAGE users.pwd access
SecFilterSelective THE_REQUEST "/users\.pwd" log,pass
# WEB-FRONTPAGE writeto.cnf access
SecFilterSelective THE_REQUEST "/_vti_pvt/writeto\.cnf" log,pass
# WEB-FRONTPAGE dvwssr.dll access
SecFilterSelective THE_REQUEST "/dvwssr\.dll" log,pass
# WEB-FRONTPAGE register.htm access
SecFilterSelective THE_REQUEST "/_private/register\.htm" log,pass
# WEB-FRONTPAGE /_vti_bin/ access
SecFilterSelective THE_REQUEST "/_vti_bin/" log,pass
# WEB-MISC cross site scripting (img src=javascript) attempt
SecFilter "img src=javascript"
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC rpm_query access
SecFilterSelective THE_REQUEST "/rpm_query"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-MISC *%0a.pl access (the asterisk is a literal and must be escaped,
# otherwise "/*" is read as "zero or more slashes")
SecFilterSelective THE_REQUEST "\*\x0a\.pl"
# WEB-MISC Apache Chunked-Encoding worm attempt
SecFilter "CCCCCCC\: AAAAAAAAAAAAAAAAAAA"
# WEB-MISC Transfer-Encoding: chunked. This matches the bare word anywhere
# in the request and is very noisy; drop it unless you rely on it alongside
# the chunked-encoding worm signature above.
SecFilter "chunked"
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP DNSTools administrator authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_dnstools_administrator=true"
# WEB-PHP DNSTools authentication bypass attempt
SecFilterSelective THE_REQUEST "/dnstools\.php" chain
SecFilter "user_logged_in=true"
# WEB-PHP DNSTools access
SecFilterSelective THE_REQUEST "/dnstools\.php" log,pass
# WEB-PHP Blahz-DNS dostuff.php modify user attempt
SecFilterSelective THE_REQUEST "/dostuff\.php\?action=modify_user"
# WEB-PHP Blahz-DNS dostuff.php access
SecFilterSelective THE_REQUEST "/dostuff\.php" log,pass
# WEB-PHP PHP-Wiki cross site scripting attempt (already covered by the
# "<[[:space:]]*script" rule in /etc/mod_security.conf)
SecFilterSelective THE_REQUEST "<script"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
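Before enforcing this list it pays to see which rules harmless input would trip. As an added example (not from the original guide or the ModSecurity project), the following shell script pulls the patterns out of a rules file and tests each one against a few constructed request strings with grep -E. It assumes the patterns are POSIX extended regular expressions (as the 1.x engine treats them), that "\x20" stands for a single space, and that matching is case-sensitive; the rules file it writes is a constructed subset of the list above.

```shell
#!/bin/sh
# Offline tester for mod_security 1.x filter patterns: shows which rules a
# sample request would trip, so noisy Snort-converted rules can be pruned
# before they are enforced. Added example, not part of the original guide.
# Assumptions: the patterns are POSIX extended regular expressions, "\x20"
# stands for one space, and matching is case-sensitive; only the "\x20"
# escape is translated for grep.
set -eu

# Constructed rules file: a small subset of the converted rules above.
RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-MISC Transfer-Encoding: chunked
SecFilter "chunked"
EOF

# Print the pattern of every SecFilter / SecFilterSelective line in a rules
# file, one per line, with \x20 turned into a literal space.
extract_patterns() {
    sed -n -e 's/^SecFilter "\(.*\)".*$/\1/p' \
           -e 's/^SecFilterSelective [A-Z_|"]* "\(.*\)".*$/\1/p' "$1" |
    sed 's/\\x20/ /g'
}

# Print the patterns from rules file $1 that match the sample string $2.
# Prints nothing when the sample is clean.
matching_rules() {
    extract_patterns "$1" | while IFS= read -r pat; do
        if printf '%s\n' "$2" | grep -E -q -e "$pat"; then
            printf '%s\n' "$pat"
        fi
    done
}

# Number of rules that fire for sample $2 (0 means the request passes).
hit_count() {
    matching_rules "$1" "$2" | awk 'END { print NR }'
}

# Constructed samples: two real attack strings and two harmless form posts
# that the bare "rm\x20" and "cc\x20" patterns reject all the same.
for sample in \
    'GET /cgi-bin/view.pl?f=/etc/shadow HTTP/1.0' \
    'GET /cgi-bin/run.sh?c=/bin/ps HTTP/1.0' \
    'It was a warm day so we sat outside' \
    'Thanks, I will cc the team on this'
do
    hits=$(matching_rules "$RULES_FILE" "$sample" | tr '\n' ' ')
    if [ -n "$hits" ]; then
        printf 'DENIED  %-44s matched: %s\n' "$sample" "$hits"
    else
        printf 'passed  %s\n' "$sample"
    fi
done
```

Point the script at your real /etc/mod_security_snort.conf and at lines lifted from your own access log or forum posts; every pattern it reports on benign input is a candidate for deletion or for narrowing with THE_REQUEST and a word boundary.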
7. Finally, create the audit log file so Apache can open it at startup. Change to the /var/log/httpd/ directory and type in the following command:
Quote:
touch audit_log
Note: mod_security writes rejected requests to this file (with SecAuditEngine RelevantOnly, only requests that triggered a rule are recorded). Each denial also appears as a mod_security line in Apache's error_log.
That's it. Verify the configuration with apachectl configtest (in /usr/local/apache/bin/) before attempting to restart Apache; an "Invalid command 'SecFilterEngine'" error at this point means the module did not load or the Include line sits above the AddModule line. Once the test passes, type in the following command:
Quote:
/etc/init.d/httpd restart
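An added example, not part of the original guide, wrapping the checks worth running once the whole procedure above is done: config_ok runs Apache's configtest, probe_server sends a few requests to a live server and reports the status codes, and audit_by_client / audit_by_pattern summarise the audit log so the noisiest rule and the noisiest client stand out. The probe functions are only defined, not run, because they need the server; the summaries run against a constructed, abbreviated audit log embedded in the script. The Apache path, the availability of curl, and the 1.x audit-log layout are assumptions.

```shell
#!/bin/sh
# Post-install checks for the mod_security 1.x setup above: a syntax test of
# the configuration, a few probe requests, and two summaries of the audit
# log. Added example, not part of the original guide. Assumptions: Apache
# is installed under /usr/local/apache as in the guide, curl is available,
# and the audit log is in the 1.x format (each rejected request opened by a
# line of "=" signs and a "Request:" line, with the engine's
# mod_security-message header added to the logged request headers).
set -eu

APACHE_BIN=${APACHE_BIN:-/usr/local/apache/bin}

# 1. Syntax-check httpd.conf and the two Include files. An "Invalid command"
#    error here means the Sec* directives were read before the module was
#    added, or the module did not build. Run before every restart.
config_ok() {
    "$APACHE_BIN/apachectl" configtest
}

# 2. Probe a running server. With SecFilterDefaultAction "deny,log,status:500"
#    the three attack-shaped requests must return 500 and the plain one 200.
#    Usage: probe_server http://www.example.com
probe_server() {
    base=$1
    code() { curl -s -o /dev/null -w '%{http_code}' "$@"; }
    printf 'plain GET              -> %s (expect 200)\n' "$(code "$base/")"
    printf 'no User-Agent header   -> %s (expect 500)\n' "$(code -H 'User-Agent:' "$base/")"
    printf '/etc/shadow in query   -> %s (expect 500)\n' "$(code "$base/?f=/etc/shadow")"
    printf '<script> in POST body  -> %s (expect 500)\n' \
        "$(code --data 'c=<script>alert(1)</script>' "$base/")"
}

# 3. Rejected requests per client address, busiest first.
audit_by_client() {
    awk '/^Request: / { n[$2]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# 4. Which patterns fire most. A harmless pattern at the top of this list is
#    the first candidate for removal from mod_security_snort.conf.
audit_by_pattern() {
    sed -n 's/^mod_security-message: .*Pattern match "\(.*\)" at .*$/\1/p' "$1" |
    awk '{ n[$0]++ } END { for (p in n) print n[p] "\t" p }' | sort -rn
}

# Constructed, abbreviated audit log with three entries so the summaries can
# be exercised without a live server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
========================================
Request: 203.0.113.7 - - [12/Mar/2005:10:15:01 --0500] "GET /cgi-bin/view.pl?f=/etc/shadow HTTP/1.0" 500 527
Handler: cgi-script
----------------------------------------
GET /cgi-bin/view.pl?f=/etc/shadow HTTP/1.0
Host: www.example.com
mod_security-message: Access denied with code 500. Pattern match "/etc/shadow" at THE_REQUEST.
mod_security-action: 500

HTTP/1.0 500 Internal Server Error
--------------------------------------
========================================
Request: 203.0.113.7 - - [12/Mar/2005:10:15:09 --0500] "GET /index.php?id=1;/etc/shadow HTTP/1.1" 500 527
Handler: php-script
----------------------------------------
GET /index.php?id=1;/etc/shadow HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 500. Pattern match "/etc/shadow" at THE_REQUEST.
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
--------------------------------------
========================================
Request: 198.51.100.9 - - [12/Mar/2005:10:16:30 --0500] "POST /forum/post.php HTTP/1.1" 500 527
Handler: php-script
----------------------------------------
POST /forum/post.php HTTP/1.1
Host: www.example.com
mod_security-message: Access denied with code 500. Pattern match "rm\x20" at POST_PAYLOAD.
mod_security-action: 500

body=It+was+a+warm+day
HTTP/1.1 500 Internal Server Error
--------------------------------------
EOF

audit_by_client "$SAMPLE_LOG"
audit_by_pattern "$SAMPLE_LOG"
```

Run config_ok before every restart, probe_server against the site's own hostname right after the restart, and the two audit summaries over /var/log/httpd/audit_log after the rule set has seen a few days of real traffic; in the constructed sample the "rm\x20" hit on a forum post is exactly the kind of false positive the summaries are meant to surface.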