Hacking Linux (Tips, Tricks and Installations)

Installation of Mod_Security

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make the web application firewall technology available to everyone.

Perform following steps to install mod_security on a linux server

1. Login to the server through SSH and su to the root user.
2. First your going to start out by grabbing the latest version of mod_security (Tar.gz) from the URL: http://www.modsecurity.org/download/

3. Next we untar the archive and cd into the directory:
tar zxvf mod_security-.tar.gz
cd mod_security-/

4. Now you need to determine which version of apache you use:
APACHE 1.3.x users
cd apache1/

APACHE 2.x users
cd apache2/

5. Lets Compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c

6. Ok, now its time to edit the httpd conf file. First we will make a backup just incase something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

7. Now that we have backed it all up, we can edit the httpd.conf. Replace pico
with nano depending on what you have
vi /usr/local/apache/conf/httpd.conf

8. Lets look for something in the config, do this by holding control and pressing W and you are going to search for
(altho any of the IfModules would work fine)

9. Now add this
================================

# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature " "
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks
SecFilter "../"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|n)+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"

================================

10. Save and exit the file

11. Restart Apache
/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start