Skip to main content

Apache and Mod Security

Installing and configuring Mod Security

ModSecurity is an open source application that acts as a web application firewall or an Intrusion Detection and Prevention system. It can but run as an Apache Module or as standalone. ModSecurity is able to increase web based application security from attacks.

Installing ModSecurity

This is simple just run a make install clean in FreeBSD's mod_sec port directory, if you are not running FreeBSD and need the source you can get it from the ModSecurity Site.

Preparing the ModSecurity config file for use with Apache

I have split my httpd.conf file up so I have a separate conf directory in /usr/local/etc/apache you can put your modsecurity.conf directly in that directory but for this example I am going to use /usr/local/etc/apache/conf

# mkdir modsec-rules
# vi modsecurity,conf





AddHandler application/x-httpd-php .php

SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec/audit_log
SecFilterScanPOST On
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
SecAuditLogRelevantStatus ^5
#
# Rules
#
# RootKits
Include /usr/local/etc/apache/conf/modsec-rules/rootkits.conf
# useragents
Include /usr/local/etc/apache/conf/modsec-rules/useragents.conf
You can download the rules you want to use from GotRoot. Just check which ones are relevant to you and use those rule sets. There are quite a few options that you can implement in your modsecurity.conf file but you will have to test them the wrong rule could make your web page or clients pages unusable.


Add this into your apache config file
Options FollowSymLinks
AllowOverride None
Include etc/apache/conf/modsecurity.conf
Reload your apache config and test to see that the pages still work.
Once again make sure that the modsec log directory is there when you reload apache an audit log file should appear and any odd traffic will appear there by monitoring the log file you can see what is being blocked and take appropriate action if something is being blocked that should not be.

Comments

Popular posts from this blog

Setting up and Installing Rancid on FreeBSD for Cisco Products

Setting up and Installing Rancid on FreeBSD for Cisco Products What is Rancid? Rancid is an application that monitors a devices configuration including software and hardware. The configuration is then stored in a Concurrent Version System or CVS. Most of the time it is used to back up router, switch and firewall configurations, as well as notify you when a configuration has changed, i.e a firewall rule or a routers IP address or access list change. here is an example of the output =================================================================== retrieving revision 1.29 diff -u -4 -r1.29 mpls-jhb-pe1 @@ -288,9 +288,9 @@ ! interface Serial0/0 description Link to Client X bandwidth 2048 - ip address 192.168.1.244 255.255.255.254 + ip address 192.168.1.234 255.255.255.254 ip route-cache flow ip tcp header-compression iphc-format ip tcp compression-connections 256 ! ip ospf message-digest-key 1 md5 the - symbol represents what was removed the + symbol represents what was added The abo

Tacacs+ Install and Config Guide

Tacacs+ Install and Config Guide What is TACACS As per wikipedia Terminal access controller access control system (TACACS) is a remote authentication protocol that is used to communicate with an authentication server commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network. Installing Tacacs on FreeBSD This guide is intended to be a basic implementation of TACACS+, so although there are may features I am just going to document what I generally use. Please note that tac_plus is also available from Shrubbery Networks if you would like to install and configure on another platform. You may also want to check out my Rancid How-To Once again its in your ports directory. cd to /usr/ports/net/tac_plus4/ run a "make install clean" Once installed vi /usr/local/etc/rc.d/tac_plus.sh Then Change the following line from NO to YES tac_plus_enable=$ Save the file, then vi /e

Setting up a Cisco 800 series Router for ADSL

Setting up a Cisco 800 series Router for ADSL Not that the Average user would use a Cisco ADSL router, or if they do use a Cisco product it would probably be a Linksys router. Anyway here is the config with comments in between. all comments are in italics You might want to check out the Cisco DYNDNS configuration guide too NOTE: This particular config was done on a Cisco 877 ADSL / DSL router however its known to work on the Cisco 800 series DSL routers in general including the Cisco 827 Cisco 837 Cisco 877W This example is a basic setup for just access to the web you can enable PAT or Port Address Translation on the router to allow access from the outside to a server or something like that. Also this setup is for a Dynamic IP from the ISP you might also want to checko out the how to on setting up SSH login on the router no service pad service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname # your router name i.e. Bobs Router ! boot-st