Protect Server against Web Intrusions with mod_security

ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache Web server module, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.

  • Download tarball from modsecurity.org
  • Check that you have "httpd-devel" installed.
  • Backup your original "httpd.conf" file.
  • After extracting, compile and install from the relevant apache directory, via:
      # apxs -cia mod_security.c
      
  • The module is automatically activated and you should see a line like the following in the "httpd.conf" file.
      LoadModule security_module    modules/mod_security.so
      
  • Add the below ruleset to the apache conf file, just below the above LoadModule line.
    #
    # mod_security ruleset BEGIN
    #
    
    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On
    
    # Change Server: string
    SecServerSignature "Apache"
    
    
    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off
    
    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly
    
    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log
    
    # Should mod_security inspect POST payloads
    SecFilterScanPOST On
    
    # Action to take by default
    SecFilterDefaultAction "deny,log,status:403"
    
    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
    
    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
    
    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
    
    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    
    # Protect against phpBB2 Exploits
    SecFilter "viewtopic\.php\?" chain
    SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
    # Exploit phpBB Highlighting Code Execution Attempt
    SecFilterSelective THE_REQUEST "&highlight='\.system\("
    # Exploit phpBB Highlighting SQL Injection
    SecFilterSelective THE_REQUEST "&highlight='\.mysql_query\("
    # Exploit phpBB Highlighting Code Execution - Santy.A Worm
    SecFilterSelective THE_REQUEST "&highlight='\.fwrite\(fopen\("
    # Exploit phpBB Highlight Exploit Attempt
    SecFilter "&highlight=\x2527\x252Esystem\("
    
    # Block various methods of downloading files to a server
    SecFilterSelective THE_REQUEST "wget "
    SecFilterSelective THE_REQUEST "lynx "
    SecFilterSelective THE_REQUEST "scp "
    SecFilterSelective THE_REQUEST "ftp "
    SecFilterSelective THE_REQUEST "cvs "
    SecFilterSelective THE_REQUEST "rcp "
    SecFilterSelective THE_REQUEST "telnet "
    SecFilterSelective THE_REQUEST "ssh "
    SecFilterSelective THE_REQUEST "echo "
    SecFilterSelective THE_REQUEST "links -dump "
    SecFilterSelective THE_REQUEST "links -dump-charset "
    SecFilterSelective THE_REQUEST "links -dump-width "
    SecFilterSelective THE_REQUEST "links http:// "
    SecFilterSelective THE_REQUEST "links ftp:// "
    SecFilterSelective THE_REQUEST "links -source "
    SecFilterSelective THE_REQUEST "mkdir "
    SecFilterSelective THE_REQUEST "cd /tmp "
    SecFilterSelective THE_REQUEST "cd /var/tmp "
    SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
    </IfModule>
    
    #
    # mod_security ruleset END
    #
      
  • Restart Apache for the module to be enabled.
  • Check the audit log file located at "/var/log/httpd/audit_log" for any errors, and for legitimate traffic being caught by the filters; adjust the ruleset accordingly.
  • Test the setup by running the "run-test.pl" script in the test folder.
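The audit-log check above is where false positives show up. The following Python script is added here as an illustration and is not part of the original page or of ModSecurity: it applies a subset of the ruleset's SecFilterSelective patterns to constructed sample requests so that rules which would catch legitimate traffic can be spotted before the ruleset goes live. It assumes THE_REQUEST is the URL-decoded request line, that ARG_x and COOKIE_x are taken from the query string and the Cookie header, and that a missing variable evaluates as an empty string.

```python
import re
from urllib.parse import unquote_plus

# Subset of the page's mod_security 1.x ruleset as (variable, pattern) pairs.
# A leading "!" negates the pattern, exactly as in SecFilterSelective.
RULES = [
    ("ARG_PHPSESSID", r"!^[0-9a-z]*$"),
    ("COOKIE_PHPSESSID", r"!^[0-9a-z]*$"),
    ("THE_REQUEST", r"wget "),
    ("THE_REQUEST", r"echo "),
    ("THE_REQUEST", r"cd /tmp "),
]


def parse_request(request_line, cookie_header=""):
    """Constructed request model: raw request line, query args and cookies."""
    _method, target, _proto = request_line.split(" ", 2)
    args = {}
    for pair in filter(None, target.partition("?")[2].split("&")):
        k, _, v = pair.partition("=")
        args[unquote_plus(k)] = unquote_plus(v)
    cookies = {}
    for item in cookie_header.split(";"):
        k, _, v = item.strip().partition("=")
        if k:
            cookies[k] = v
    return {"request_line": request_line, "args": args, "cookies": cookies}

def variable_value(name, request):
    """Assumption: THE_REQUEST is the URL-decoded request line (mod_security
    normalises before filtering); ARG_x/COOKIE_x missing -> empty string."""
    if name == "THE_REQUEST":
        return unquote_plus(request["request_line"])
    kind, _, key = name.partition("_")
    table = request["args"] if kind == "ARG" else request["cookies"]
    return table.get(key, "")

def filter_hits(pattern, value):
    """Apply one SecFilterSelective pattern, honouring the '!' negation."""
    negate = pattern.startswith("!")
    found = re.search(pattern[1:] if negate else pattern, value) is not None
    return found != negate

def denied_by(request_line, cookie_header=""):
    """Return the (variable, pattern) rules that would deny this request."""
    req = parse_request(request_line, cookie_header)
    return [(v, p) for v, p in RULES if filter_hits(p, variable_value(v, req))]
```

A benign search such as "GET /search.php?q=echo+chamber HTTP/1.1" is denied by the "echo " rule once the query is decoded, which is exactly the kind of hit to look for in audit_log before deciding whether to keep, narrow or drop a filter.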