Installing Mod_Security
Steven 01-19-2004, 09:03 PM What is mod_security?
ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports both branches of the Apache web server.
How to install?
First you're going to start out by grabbing the latest version of mod_security:
wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz
Next we untar the archive and cd into the directory:
tar zxvf mod_security-1.7.4.tar.gz
cd mod_security-1.7.4/
Now you need to determine which version of apache you use:
APACHE 1.3.x
cd apache1/
APACHE 2.x
cd apache2/
Let's compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c
OK, now it's time to edit the httpd.conf file. First we will make a backup just in case something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
Now that we have backed it all up, we can edit the httpd.conf. Replace pico with nano depending on what you have.
pico /usr/local/apache/conf/httpd.conf
We now need to look for something in the config. Do this by holding Control and pressing W, and search for
<IfModule mod_dir.c> (although any of the IfModules would work fine)
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
SecFilter /boot
SecFilter /dev
SecFilter /etc
SecFilter /initrd
SecFilter /lib
SecFilter /lost+found
SecFilter /misc
SecFilter /mnt
SecFilter /proc
SecFilter /root
SecFilter /sbin
SecFilter /scripts
SecFilter /tmp
SecFilter /usr/local/apache
SecFilter /usr/local/cpanel
SecFilter /usr/local/mysql
SecFilter /var
SecFilter /boot/
SecFilter /dev/
SecFilter /etc/
SecFilter /initrd/
SecFilter /lib/
SecFilter /lost+found/
SecFilter /misc/
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /sbin/
SecFilter /scripts/
SecFilter /tmp/
SecFilter /usr/local/apache/
SecFilter /usr/local/cpanel/
SecFilter /usr/local/mysql/
SecFilter /var/
SecFilter /bin/cc
SecFilter /bin/gcc
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
</IfModule>
Restart Apache:
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
I hope this was helpful. I'm not very good with tutorials but I hope you gathered enough from this to be able to install it :D
Esr Tek 01-20-2004, 12:32 AM Great work.. will be handy ;)
Does this require any additional lines to be added to each site's httpd entry, such as mod_user.c?
Plus you may want to make the first thing to do be
cd /usr/local/apache/bin/ (I believe) then wget the file there.
TheVoice 01-20-2004, 02:22 AM I would not suggest installing this module if you use frontpage extensions.
I also received an error using "SecFilter /proc" with mrtg. Mrtg includes a /processes.html. Just a heads up.
choon 01-22-2004, 12:18 AM Originally posted by TheVoice
I would not suggest installing this module if you use frontpage extensions.
Frontpage will work if you don't use the mod_security configuration or "rulesets" as presented here, as I find them not practical in real life: many things won't be working and lots of your clients will be making noise if you host several sites... IMO... no offense intended ;)
Andrew 01-22-2004, 12:21 AM It's the configuration that's the issue that everyone skips over. I'd love to see someone publish some cool rulesets that allow FP and other things to work in a shared environment without a problem.
Odd Fact 01-22-2004, 03:17 PM thread cleaned
Ramprage 01-22-2004, 08:38 PM Will this work on Cpanel servers?
Steven 01-23-2004, 02:25 AM Working on new rulesets to be posted soon.
Akash 01-25-2004, 04:11 PM Here's a great thread related to this how-to: http://www.webhostingtalk.com/showthread.php?s=&threadid=215612
Includes some rulesets also
BaddaBing 04-19-2004, 11:36 PM Just installed this, and it seems to be breaking some forum software. Here is what was found in the audit log:
Host: XXXX.XXX
Referer: http://www.XXXXXXX.XXXX/forums/portal.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
mod_security-message: Access denied with code 406. Pattern match "/misc" at THE_REQUEST.
mod_security-action: 406
HTTP/1.1 406 Not Acceptable
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Any clue what the deal is :? I had AcuNett set it up, so whatever rules they put in are what I'm using. I can post those if you guys need me to.
choon 04-20-2004, 04:04 AM Locate your mod_security ruleset for the one I highlighted in red, then comment it out to disable that:
mod_security-message: Access denied with code 406. Pattern match "/misc" at THE_REQUEST.
Then restart apache ;)
markhard 05-15-2004, 02:43 AM How do I know that mod_security is already working?
I have installed mod_security but it seems it doesn't work.
choon 05-15-2004, 11:45 AM How did you install it and which rulesets have you used? Without that info, how can we advise you?
BaddaBing 05-15-2004, 12:17 PM Originally posted by choon
Locate your mod_security ruleset for the one I highlighted in red then comment it out to disable that:
Then restart apache ;)
Thanks Choon, I didn't think of that :blush:
Selective and request (SecFilterSelective THE_REQUEST) based rules for mod_security do result in far fewer issues with web applications breaking, and still provide the same level of security by modsec.
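To see why the ruleset posted at the top of the thread trips on mrtg, forum scripts and WHM pages while tighter request-scoped rules do not, here is an added example (not from the thread or from the mod_security project) that runs the posted SecFilter patterns, and a tightened variant of my own, against constructed requests. It assumes that a plain SecFilter regex in mod_security 1.x is searched anywhere in the normalised request and matched case-insensitively.

```python
import re

# SecFilter patterns copied from the ruleset posted at the top of the thread.
# A plain SecFilter regex is searched anywhere in the normalised request
# (request line, and POST body with SecFilterScanPOST On), so "/proc" also
# fires on "/processes.html" and "/scripts" on "/scripts2/apachestatus".
BROAD_RULES = {
    "/proc": r"/proc",
    "/misc": r"/misc",
    "/scripts": r"/scripts",
    "/tmp": r"/tmp",
    "select.+from": r"select.+from",
}

# Tightened path rules (my suggestion, not from the thread): the sensitive name
# must end the path segment, i.e. be followed by "/", "?", whitespace or the end
# of the request, so "/processes.html" and "/forums/misc.php" no longer match.
TIGHT_RULES = {name: pat + r"(?=[/?\s]|$)"
               for name, pat in BROAD_RULES.items() if name.startswith("/")}

def firing_rules(request, rules):
    """Names of the rules whose regex matches somewhere in the request text.
    Case-insensitive matching is assumed here for mod_security 1.x filters."""
    return [name for name, pat in rules.items()
            if re.search(pat, request, re.IGNORECASE)]

def compare_rulesets(requests, broad=BROAD_RULES, tight=TIGHT_RULES):
    """Map each request line to (rules the thread's set fires, rules the tight set fires)."""
    return {req.splitlines()[0]: (firing_rules(req, broad), firing_rules(req, tight))
            for req in requests}

# Constructed requests modelled on the breakage reported in this thread.
LEGITIMATE = [
    "GET /mrtg/processes.html HTTP/1.1",           # mrtg's page, blocked by "/proc"
    "GET /forums/misc.php?action=help HTTP/1.1",   # forum script, blocked by "/misc"
    "GET /scripts2/apachestatus HTTP/1.1",         # WHM Apache Status, blocked by "/scripts"
    "POST /forums/newreply.php HTTP/1.1\n\nmessage=Just select the file from the list",
]
# Constructed requests that the path rules are actually meant to stop.
SUSPECT = [
    "GET /show.cgi?f=/proc/cpuinfo HTTP/1.1",
    "GET /show.cgi?f=/tmp/upload.txt HTTP/1.1",
]

if __name__ == "__main__":
    for req, (broad, tight) in compare_rulesets(LEGITIMATE + SUSPECT).items():
        print(f"{req:50} thread ruleset: {broad!s:14} tightened: {tight}")
```

The forum-post body in the last legitimate request shows that "select.+from" fires on ordinary English once SecFilterScanPOST is on, which is the kind of hit only a request-scoped rule avoids.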
PhilG 06-21-2004, 11:00 AM Here is a nice tweak if you've got APF installed. I've put it into my installation and it works nicely.
Set your default filter action to:
SecFilterDefaultAction "pass,exec:/home/mod_security.php"
Then create a script
#!/usr/bin/php -q
<?php
// Run by mod_security's "exec:" action, which hands the request details to the
// script in its environment (CGI style) and runs it as the web server's user.
$msg = "Hello Admin\n";
$msg .= "\n";
$msg .= "The Mod Security module has detected the following running query that has triggered off an error.\n";
$msg .= "\n";
$msg .= "DOMAIN NAME : " . $_SERVER["HTTP_HOST"] . "\n";
$msg .= "URL : " . stripslashes($_SERVER["REQUEST_URI"]) . "\n";
$msg .= "REMOTE IP : " . $_SERVER["REMOTE_ADDR"] . "\n";
$msg .= "ERROR : " . stripslashes($_SERVER["HTTP_MOD_SECURITY_MESSAGE"]) . "\n";
$msg .= "DATE : " . date("[D M j H:i:s Y]", time()) . "\n";
// block access (the address is shell-quoted before it reaches the command line)
exec("/etc/apf/apf -d " . escapeshellarg($_SERVER["REMOTE_ADDR"]));
// email admin
mail("webmaster@domain.com", "Security Monitor - Intrusion Alert", $msg);
?>
TheWalrus 06-28-2004, 07:06 PM The Linux guy I think your tutorials are easy to follow, to the point and great! Thank you very much.
SiSHCO 06-29-2004, 10:39 AM How can I install this on Plesk 7? There isn't any file called /usr/local/apache/bin/apxs. I tried to install with /usr/local/psa/admin/bin/apxs but it gives an error. The apxs file is only there. We are using RedHat ES3.
Please help. Thank you.
AcuNett 07-07-2004, 01:20 PM Type "whereis apxs". On Plesk 7 it should be in /usr/sbin/apxs.
SiSHCO 07-10-2004, 07:29 AM AcuNett, thank you for your reply but I couldn't find apxs file on /usr/sbin/ directory.
Where can I type "whereis apxs" on Plesk 7? Do you mean SSH?
I am very unlucky :(. Please help.
AcuNett 07-17-2004, 07:55 PM Yes, type "whereis apxs" in the shell.
Have any of you tried 1.8.3?
I upgraded to that and it broke half of my scripts.
Remote denial of service (16 March 2004)
Affects: Apache 2.x branch only, versions 1.7.4 and below
Fixed in: 1.7.5
Impact: Medium
Due to an unhandled error condition it may be possible for an attacker to send a specially crafted HTTP request, crashing the web server process. Users are advised to upgrade to the latest release, which fixes the problem.
I haven't done much work with mod_security, but what's the use of staying with 1.7.4?
station347 08-09-2004, 01:29 PM Hello forum,
my kernel version: 2.4.25
I have downloaded the latest Mod_security 1.8.4 (Aug 2004) to my top directory, /,
ungzipped it, cd'd to mod_security-1.8.4/apache2, and here are the results from entering the command:
"/usr/local/apache/bin/apxs -cia mod_security.c"
I receive "no such file/dir" errors followed by a very long list of errors (quoted below in part).
any comments or suggestions please, :rolleyes:
root@host [/mod_security-1.8.4/apache2]# /usr/local/apache/bin/apxs -cia mod_security.c
gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DMOD_SSL=208119 -DUSE_HSREGEX -DEAPI -fpic -DSHARED_MODULE -I/usr/local/apache/include -c mod_security.c
mod_security.c:38:19: unixd.h: No such file or directory
mod_security.c:50:20: ap_mpm.h: No such file or directory
mod_security.c:52:17: apr.h: No such file or directory
mod_security.c:53:25: apr_strings.h: No such file or directory
mod_security.c:54:22: apr_hash.h: No such file or directory
mod_security.c:55:22: apr_user.h: No such file or directory
mod_security.c:56:21: apr_lib.h: No such file or directory
mod_security.c:60: error: syntax error before "security_module"
mod_security.c:60: warning: data definition has no type or storage class
mod_security.c:62: error: syntax error before '*' token
mod_security.c:62: warning: data definition has no type or storage class
mod_security.c:63: error: syntax error before '*' token
mod_security.c:63: warning: data definition has no type or storage class
mod_security.c:65: error: syntax error before '*' token
mod_security.c:65: warning: data definition has no type or storage class
mod_security.c:66: error: syntax error before '*' token
mod_security.c:66: warning: data definition has no type or storage class
mod_security.c:286: error: syntax error before "apr_array_header_t"
mod_security.c:286: warning: no semicolon at end of struct or union
mod_security.c:287: warning: data definition has no type or storage class
mod_security.c:295: error: syntax error before "apr_array_header_t"
mod_security.c:295: warning: no semicolon at end of struct or union
mod_security.c:299: error: syntax error before '*' token
Imago 08-14-2004, 07:31 AM After installing mod_security with this ruleset
http://eth0.us/faq/modsec.txt
Apache Status (/scripts2/apachestatus) is showing a blank page in WHM.
Imago 08-14-2004, 07:43 AM Originally posted by station347
I have downloaded the latest Mod_security 1.8.4 (aug2004) to my top directory, /
ungzipped, cd to mod_security-1.8.4/apache2
Try #cd mod_security-1.8.4/apache1
station347 08-14-2004, 06:10 PM Originally posted by Imago
Try #cd mod_security-1.8.4/apache1
That does seem to have been my problem. Thank you!
If anyone receives similar errors to mine, mentioned above, you're in the wrong Apache folder.
A question about PhilG's "nice tweak if you've got APF installed." mentioned above.
- is the dir home really a good place to put global php files?
- would that script be safer in perl? running from /scripts?
Thanx again Imago
station347 08-14-2004, 07:28 PM Ok, I've just seen hosito's perl mail script in the topic "Who uses mod_security?" half way down page one.
nutkenz 08-27-2004, 07:30 AM Originally posted by markhard
how to know that mod_security already working?
i have been installing mod_security but it seem it doesn't work.
I'd like to know this as well, how can I be sure it's running properly?
BudWay 08-27-2004, 03:51 PM Originally posted by nutkenz
I'd like to know this as well, how can I be sure it's running properly?
A lot of new tools, a lot of how-tos, but if you don't know too much I don't advise you to install mod_sec. This tool will cause many, many errors that you will have to solve alone, will stop sites working and sometimes leave sites offline with the error page.
If you don't know how to troubleshoot stuff alone, don't use this. Hire an admin.
nutkenz 08-27-2004, 03:59 PM I have an admin, but I'd like to bother him as little as possible.
Anyway: how can I be sure it's running properly?
adapter 03-05-2005, 08:46 PM I have installed mod_security. How can I test if it is working?
WestBend 03-26-2005, 10:35 PM Check your audit log.
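Checking the audit log is the quickest way to answer the "is it running?" question asked several times above, and the same log tells you which rules are blocking real users. Here is an added example (not from the thread or from the mod_security project) that parses a constructed audit_log excerpt in the shape of the entry BaddaBing quoted earlier and counts hits per rule pattern and host; the entry layout ("====" separator, "Request:" and "Handler:" lines, then the headers) is assumed from mod_security 1.x, and all hosts and addresses are made up.

```python
import re
from collections import Counter

# Constructed mod_security 1.x audit_log excerpt (SecAuditEngine RelevantOnly),
# in the shape of the entry BaddaBing quoted above; hosts and addresses are made up.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 192.0.2.10 - - [Mon Apr 19 22:11:03 2004] "GET /forums/misc.php?action=help HTTP/1.1" 406 0
Handler: php-script
----------------------------------------
GET /forums/misc.php?action=help HTTP/1.1
Host: forums.example.com
mod_security-message: Access denied with code 406. Pattern match "/misc" at THE_REQUEST.
mod_security-action: 406

HTTP/1.1 406 Not Acceptable

========================================
Request: 192.0.2.11 - - [Mon Apr 19 22:14:40 2004] "GET /mrtg/processes.html HTTP/1.1" 406 0
Handler: (null)
----------------------------------------
GET /mrtg/processes.html HTTP/1.1
Host: mrtg.example.com
mod_security-message: Access denied with code 406. Pattern match "/proc" at THE_REQUEST.
mod_security-action: 406
"""

ENTRY_SEP = re.compile(r"^=+$", re.M)          # a line of "=" opens each entry
REQ_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[(.+?)\] "(.+?)" (\d{3})', re.M)
HOST_RE = re.compile(r"^Host: (\S+)$", re.M)
MSG_RE = re.compile(r'^mod_security-message: .*?Pattern match "(.+?)" at (\S+?)\.?$', re.M)

def parse_audit_log(text):
    """Return one dict per entry: client, timestamp, request line, status, host, rule, where."""
    entries = []
    for chunk in ENTRY_SEP.split(text):
        req = REQ_RE.search(chunk)
        if not req:          # text before the first separator, or a truncated entry
            continue
        host, msg = HOST_RE.search(chunk), MSG_RE.search(chunk)
        entries.append({
            "client": req.group(1), "when": req.group(2), "request": req.group(3),
            "status": int(req.group(4)), "host": host.group(1) if host else None,
            "rule": msg.group(1) if msg else None, "where": msg.group(2) if msg else None,
        })
    return entries

def rule_hit_counts(entries):
    """Count (rule pattern, host) pairs; the top entries are the rules to scope or relax first."""
    return Counter((e["rule"], e["host"]) for e in entries)
```

An empty audit_log after a few deliberately odd test requests means the module is not loaded or SecFilterEngine is off; entries with recurring (rule, host) pairs on normal pages point at the rule to narrow.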
I have created many rules to adjust mod_security for my server, but I cannot allow it to check the POST buffer on every request, because it will deny too many valid requests. So I need to know how I can scan the POST buffer only in some cases, for requests to some domains or to some scripts only; it needs to be a complicated query which will check some parts of the original request and decide whether to check the POST buffer and what rules to apply then.
Any help would be greatly appreciated!
skolagotla 01-24-2006, 05:02 PM thanks for the great tut.. this is really useful.. for newbies..
:s
asc2000 01-25-2006, 11:06 PM I just upgraded modsecurity to the latest version (1.9.2) successfully, but found an error in error_log like this:
[Thu Jan 26 02:53:48 2006] [error] [client xxx.xxx.xxx.xxx] mod_security: Filtering against POST payload requested but payload is not available [hostname "hostname.domain.com"] [uri "/index.php"]
I have had no issue with my old version (1.8.7). What should I adjust with my config related to the new version?
Thank you,
-asc-
ScottJ 01-29-2006, 04:03 PM If you use cpanel you can install mod_security from WHM. It is under Addon Modules.
SubZero5 04-13-2006, 03:16 PM What is causing this error? I don't know.. :( Anyone?