Apache and mod_security2 (ModSecurity)

There comes a time when preaching and asking nicely about securing websites on a community server is finished. I was looking for a global method of restricting what was uploaded to the server when I came across mod_security. This Apache module sits at the perimeter and scans all the data entering and leaving the Apache service; it's almost like an application-level IPS/IDS. There are several books available and a ton of online documentation, so support seems OK, and the whole thing works a bit like SpamAssassin for Apache as far as I can see. Enough waffle, installation from ports:

Installation from Ports

cd /usr/ports/www/mod_security
make install

At the end of the install you'll see some instructions, so the first thing is to add the unique_id module (mod_security depends on it) to the httpd.conf file:

ee /usr/local/etc/apache22/httpd.conf

# add
LoadModule unique_id_module libexec/apache22/mod_unique_id.so

# restart apache
/usr/local/etc/rc.d/apache22 restart

Next we need to do two things to get going: first the scanner needs to be activated, and then we need to add some rules.

cd  /usr/local/etc/apache22/Includes/mod_security2/
cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
ee modsecurity_crs_10_config.conf

# change the SecRuleEngine to:
SecRuleEngine On
# Add this line if there is no entry for SecDataDir
SecDataDir /tmp

cd /usr/local/etc/apache22/Includes/
ee mod_security2.conf

# add the second Include line

<IfModule security2_module>
    Include etc/apache22/Includes/mod_security2/*.conf
    Include etc/apache22/Includes/mod_security2/base_rules/*.conf
</IfModule>

# restart apache
/usr/local/etc/rc.d/apache22 restart

At this point I'd check that the web sites are still working! All the output goes to the Apache error log(s), wherever you have them configured, if at all. Here is an example entry:

[Thu Nov 03 21:30:10 2011] [error] [client] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.10"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "XXXXXXXXXXXXXX"] [uri "/"] [unique_id "TrMH4qwQAOYAAAjEnesAAAAl"]

This is our Nagios server doing an HTTP test against the IP of the server. As the test does not send a Host header, Apache would normally display the default site (the first one listed in the vhosts list); now, with mod_security, no dice!
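Entries like the one above pile up quickly once the base rules are on, and the first job is usually to find out which rules fire most (and from where) before deciding what to tune. The script below is an added example, not code from the original post or from the ModSecurity project: it pulls the bracketed `[key "value"]` fields out of ModSecurity error-log entries and summarises hits per rule id and per client. It assumes the ModSecurity 2.x error-log format shown above; the log lines written by `modsec_write_sample` are constructed samples, and rule id `999999` is a placeholder rather than a real CRS rule.

```shell
#!/bin/sh
# Added example, not code from the original post: parse ModSecurity error-log
# entries and summarise which rules fire and which clients trigger them.
# Assumes the ModSecurity 2.x error-log format shown in the post; the entries
# written by modsec_write_sample are constructed samples (id 999999 is a placeholder).

# modsec_field LINE KEY -> value of [KEY "value"] in LINE (empty if the key is absent)
modsec_field() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_client LINE -> address from "[client 192.0.2.10]" (empty when redacted, as in the post)
modsec_client() {
    printf '%s\n' "$1" | sed -n 's/.*\[client *\([^]]*\)].*/\1/p'
}

# modsec_summary FILE -> "count id msg" per rule, most frequent first
modsec_summary() {
    grep 'ModSecurity: ' "$1" | while IFS= read -r line; do
        printf '%s %s\n' "$(modsec_field "$line" id)" "$(modsec_field "$line" msg)"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# modsec_top_clients FILE -> "count client" per source address, most frequent first
modsec_top_clients() {
    grep 'ModSecurity: ' "$1" | while IFS= read -r line; do
        c=$(modsec_client "$line")
        printf '%s\n' "${c:-(redacted)}"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# modsec_write_sample FILE -> writes constructed entries: two rules, two clients,
# plus one ordinary Apache notice that must be ignored by the summaries
modsec_write_sample() {
    cat > "$1" <<'EOF'
[Thu Nov 03 21:30:10 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.10"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/"] [unique_id "sample-1"]
[Thu Nov 03 21:35:42 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.10"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/"] [unique_id "sample-2"]
[Thu Nov 03 21:40:05 2011] [error] [client 198.51.100.7] ModSecurity: Warning. Placeholder match. [file "/placeholder/rules.conf"] [line "1"] [id "999999"] [rev "0"] [msg "Placeholder sample rule"] [severity "WARNING"] [hostname "www.example.com"] [uri "/index.html"] [unique_id "sample-3"]
[Thu Nov 03 21:41:00 2011] [notice] Apache/2.2 configured -- resuming normal operations
EOF
}

# Against the real log, e.g.: modsec_summary /var/log/httpd-error.log
```

Run `modsec_summary` over the error log and the top line is the rule to look at first; if it is a protocol-anomaly rule firing only for a monitoring host, that is a tuning decision rather than an attack, and `modsec_top_clients` shows whether one source (such as the Nagios server above) accounts for most of the noise.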


I'd like to see an audit log so I can see what's happening to the whole system rather than just one vhost. I just want the log to show when the filter was triggered, and I'd like the log in /var/log, which needs to be rotated with newsyslog.

ee /usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_10_config.conf
# add
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec.log

ee /etc/newsyslog.conf
# add
/var/log/modsec.log                     600  7     *    @T00  JC

Well that should start me off!
