MOD_SECURE APACHE 1.9.4 – HOWTO
ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. This is also known as rule based Intrusion Detection System.
It is also an open source project that aims to make the web application firewall technology available to everyone.
(I had tested this on a debian sarge with Apache 1.3)
Create a directory for storing the source file.
$mkdir –p /opt/src
$cd /opt/src
Download the latest stable release from the mirror
modsecurity-apache_1.9.4.tar.gz
Untar the pack
$tar –zxvf modsecurity-apache_1.9.4.tar.gz
$cd mod_security-1.9.4/apache1/
$apxs -cia mod_security.c
Restart your Webserver.
/etc/init.d/httpd restart
If there was no error reporte,your installation successful.
FOLLOWING IS THE CONFIGURATION FILE
(Add to /etc/httpd/httpd.conf)
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Only allow bytes from this range
SecFilterForceByteRange 32 126
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
#SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:406"
# Redirect user on filter match
#SecFilter xxx redirect:http://www.webkreator.com
# Execute the external script on filter match
#SecFilter yyy log,exec:/home/ivanr/apache/bin/report-attack.pl
# Simple filter
#SecFilter 111
# Only check the QUERY_STRING variable
#SecFilterSelective QUERY_STRING 222
# Only check the body of the POST request
#SecFilterSelective POST_PAYLOAD 333
# Only check arguments (will work for GET and POST)
#SecFilterSelective ARGS 444
# Test filter
#SecFilter "/cgi-bin/keyword"
# Another test filter, will be denied with 404 but not logged
# action supplied as a parameter overrides the default action
#SecFilter 999 "deny,nolog,status:404"
# Prevent OS specific keywords
#SecFilter /etc/password
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Forbid file upload
#SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
# Only watch argument p1
#SecFilterSelective "ARG_p1" 555
# Watch all arguments except p1
#SecFilterSelective "ARGS|!ARG_p2" 666
# Only allow our own test utility to send requests (or Mozilla)
#SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"
# Do not allow variables with this name
#SecFilterSelective ARGS_NAMES 777
# Do now allow this variable value (names are ok)
#SecFilterSelective ARGS_VALUES 888
# Stop spamming through FormMail
# note the exclamation mark at the beginning
# of the filter - only requests that match this regex will
# be allowed
#
#SecFilterSelective "ARG_recipient" "!@webkreator.com$"
#
# when allowing upload, only allow images
# note that this is not foolproof, a determined attacker
# could get around this
#
#SecFilterInheritance Off
#SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"
#
Restart the Your Web server again
/etc/init.d/httpd restart.