Installation of Mod_Security
ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
It is also an open source project that aims to make the web application firewall technology available to everyone.
Perform following steps to install mod_security on a linux server
1. Login to the server through SSH and su to the root user.
2. First your going to start out by grabbing the latest version of mod_security (Tar.gz) from the URL: http://www.modsecurity.org/download/
3. Next we untar the archive and cd into the directory:
tar zxvf mod_security-
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/
5. Lets Compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c
6. Ok, now its time to edit the httpd conf file. First we will make a backup just incase something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup
7. Now that we have backed it all up, we can edit the httpd.conf. Replace pico
with nano depending on what you have
vi /usr/local/apache/conf/httpd.conf
8. Lets look for something in the config, do this by holding control and pressing W and you are going to search for
================================
SecFilterEngine On
# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks
SecFilter "../"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
================================
10. Save and exit the file
11. Restart Apache
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
0 comments:
Post a Comment