There comes a time when preaching and asking nicely about securing websites on a community server is finished. I was looking for a global method of restricting what was uploaded to the server when I came across mod_security. This Apache module sits at the perimeter and scans all the data entering and leaving the Apache service. It's almost like an application-level IPS/IDS. There are several books available and a ton of online documentation, so support seems OK, and the whole thing works a bit like SpamAssassin for Apache as far as I can see. Enough waffle, installation from ports:
Installation from Ports
cd /usr/ports/www/mod_security
make install
At the end of the install you'll see some instructions, so the first thing is to add the module to the httpd.conf file:
ee /usr/local/etc/apache22/httpd.conf
***EDITOR OPENS***
# add
LoadModule unique_id_module libexec/apache22/mod_unique_id.so
# restart apache
/usr/local/etc/rc.d/apache22 restart
Next we need to do two things to get going: first the scanner needs to be activated, and then we need to add some rules.
cd /usr/local/etc/apache22/Includes/mod_security2/
cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
ee modsecurity_crs_10_config.conf
***EDITOR OPENS***
# change the SecRuleEngine to:
SecRuleEngine On
# Add this line if there is no entry for SecDataDir
SecDataDir /tmp
cd /usr/local/etc/apache22/Includes/
ee mod_security2.conf
***EDITOR OPENS***
# add the second Include line
<IfModule security2_module>
Include etc/apache22/Includes/mod_security2/*.conf
Include etc/apache22/Includes/mod_security2/base_rules/*.conf
</IfModule>
# restart apache
/usr/local/etc/rc.d/apache22 restart
At this point I'd check that the web sites are still working! All the output goes to the Apache error log(s), wherever you have those configured, if at all. Here is an example entry:
[Thu Nov 03 21:30:10 2011] [error] [client 172.16.0.136] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.10"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "XXXXXXXXXXXXXX"] [uri "/"] [unique_id "TrMH4qwQAOYAAAjEnesAAAAl"]
This is our Nagios server doing an HTTP test against the IP of the server. As the test does not send a Host header, Apache would normally display the default site (the first one listed in the vhosts list); however, now with mod_security, no dice!
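To see which rules are firing and from where across all the vhosts (the Nagios hit above being the first candidate for an exception), here is an added Python parser for that error-log entry format. It is not part of the original post; the sample lines, client addresses, hostnames and the rule id 999001 are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample error-log lines in the ModSecurity 2.x format shown above.
# The first two mirror the rule 960008 hit; the third uses a made-up rule id
# (999001) and message; the fourth is a plain Apache notice with no rule hit.
SAMPLE_LOG = """\
[Thu Nov 03 21:30:10 2011] [error] [client 172.16.0.136] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.10"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [tag "WASCTC/WASC-21"] [hostname "web1.example"] [uri "/"] [unique_id "TrMH4qwQAOYAAAjEnesAAAAl"]
[Thu Nov 03 21:31:02 2011] [error] [client 172.16.0.136] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "28"] [id "960008"] [rev "2.0.10"] [msg "Request Missing a Host Header"] [severity "NOTICE"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_HOST"] [hostname "web1.example"] [uri "/"] [unique_id "TrMH4qwQAOYAAAjEnesAAAAm"]
[Thu Nov 03 21:45:17 2011] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "constructed" at ARGS:q. [file "/usr/local/etc/apache22/Includes/mod_security2/base_rules/constructed.conf"] [line "1"] [id "999001"] [msg "Constructed test rule"] [severity "WARNING"] [hostname "www.example"] [uri "/index.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAAAA"]
[Thu Nov 03 21:46:00 2011] [notice] Apache/2.2.21 (FreeBSD) configured -- resuming normal operations
"""

# Leading part of an entry: timestamp, level, client address, then the action.
PREFIX_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?P<action>Access denied|Warning)'
)
# Trailing [key "value"] pairs; [error] and [client ...] have no quoted value.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def parse_entry(line):
    """Return a dict for a ModSecurity entry, or None for any other log line."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        return None
    pairs = FIELD_RE.findall(line)
    fields = dict(pairs)  # 'tag' repeats, so those are collected separately
    return {
        "time": m.group("time"),
        "client": m.group("client"),
        "denied": m.group("action") == "Access denied",
        "id": fields.get("id"),
        "msg": fields.get("msg"),
        "severity": fields.get("severity"),
        "hostname": fields.get("hostname"),
        "uri": fields.get("uri"),
        "tags": [v for k, v in pairs if k == "tag"],
    }


def summarize(log_text):
    """Count hits per rule and per client across a whole error log."""
    by_rule, by_client, denied = Counter(), Counter(), 0
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        by_rule[(entry["id"], entry["msg"])] += 1
        by_client[entry["client"]] += 1
        denied += entry["denied"]
    return {"by_rule": by_rule, "by_client": by_client, "denied": denied}
```

Run `summarize(open("/var/log/httpd-error.log").read())` (path assumed; use whichever error log your vhosts write to) and the by_rule counter shows which rule ids are the noisy ones before you decide whether to tune or exempt them.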
I'd like to see an audit log so I can see what is happening across the whole system rather than just one vhost. I just want the log to show when the filter was triggered, and I'd like the log in /var/log, which then needs to be rotated with newsyslog.
ee /usr/local/etc/apache22/Includes/mod_security2/modsecurity_crs_10_config.conf
***EDITOR OPENS***
# add
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec.log
ee /etc/newsyslog.conf
# add
/var/log/modsec.log 600 7 * @T00 JC
Well that should start me off!