mod_security

Some time ago, I changed my setup from nginx + spawn-fcgi to nginx + apache so I could play with mod_security. Well, one of my clients got pwned through an SQL injection vulnerability, so I finally got to put it into practice.

In a nutshell, mod_security is an apache module that scans http(s) traffic for suspicious strings. It can catch suspicious strings entering apache (requests) or leaving apache (responses). It's a firewall for http(s): it blocks bad traffic and lets good traffic pass through.

mod_security is one of those applications that doesn't fit the package model well. It comes in two parts, the apache module and the rules. Packages don't seem to even attempt to manage the rules; you download them separately, and they come with a utility to update them. Then you have your local rules that add to, disable, or override the upstream rules to fit your environment.

In Ubuntu, the mod_security package is a little outdated. It always will be, especially on LTS, and it's one of those packages that needs constant updates: clever and motivated security researchers eventually find weaknesses in mod_security itself, and those are addressed in upstream releases. So you either use the packages and hope fixes are backported in a timely manner, which hasn't appeared to have happened in Ubuntu, or you install from source.

Installing from source increases your workload and moves the burden of keeping it up to date onto yourself. But it's a pretty straightforward process, and if you have only one or two machines to admin, it's no issue.

It's basically a matter of downloading the source, checking the signature, running apt-get build-dep libapache-mod-security, untarring, ./configure; make; make test; make install, then enabling the module in apache. It's pretty well covered in the docs and in blogs found via Google.

That takes care of the module, but it does nothing without the rules. I downloaded the core rules from OWASP. There's some documentation in the package, but there are a few gotchas, so I'll try to document step by step the process I went through.

  1. Unpack the rules in your home directory.
  2. sudo mkdir /etc/apache2/modsecurity_crs/
  3. cd modsecurity-crs_2.1.2
    sudo cp -a *_rules *.example /etc/apache2/modsecurity_crs/
  4. cd /etc/apache2/modsecurity_crs/
    sudo mv modsecurity_crs_10_config.conf{.example,}
  5. You have to edit modsecurity_crs_10_config.conf and uncomment a few lines, I think the main one being SecRuleEngine.
  6. I created two files in /etc/apache2/mods-available:
    0modsecurity.conf
    <IfModule security2_module>
    Include modsecurity_crs/*.conf
    Include modsecurity_crs/base_rules/*.conf
    </IfModule>

    0modsecurity.load
    LoadFile /usr/lib/libxml2.so
    LoadFile /usr/lib/liblua5.1.so
    LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
  7. sudo a2enmod 0modsecurity
  8. Create a file called /etc/apache2/modsecurity_crs/modsecurity_localconfig.conf with the following:
    SecUploadDir /var/log/modsecurity/SecUploadDir
    SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log
    SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
    SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log
    SecDataDir /var/log/modsecurity/SecDataDir
    SecTmpDir /var/log/modsecurity/SecTmpDir
  9. Make all the directories under /var/log/modsecurity, which have to be owned by www-data:
    sudo mkdir -p /var/log/modsecurity/{SecUploadDir,SecAuditLog,SecAuditLogStorageDir,SecDebugLog,SecDataDir,SecTmpDir}
    sudo chown -R www-data: /var/log/modsecurity
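As an added example (not from the original post), here is a small POSIX sh script that derives the directories of steps 8 and 9 from modsecurity_localconfig.conf instead of retyping them, creates them, and checks their ownership before apache is restarted. The owner is a parameter so the script can be exercised unprivileged; it assumes the directive names used above and GNU coreutils stat, as on Ubuntu.

```shell
#!/bin/sh
# Example added to the post, not part of the ModSecurity/CRS distribution.
# Reads a modsecurity_localconfig.conf and works out which directories
# Apache (www-data) must own, so the mkdir/chown step cannot drift from
# the config. Assumes paths contain no whitespace.

# Print one directory per line. For Sec*Dir directives the value is the
# directory itself; for the two log files it is the parent directory.
modsec_dirs() {
    conf="$1"
    while read -r directive value _; do
        case "$directive" in
            SecUploadDir|SecAuditLogStorageDir|SecDataDir|SecTmpDir)
                printf '%s\n' "$value" ;;
            SecAuditLog|SecDebugLog)
                printf '%s\n' "$(dirname "$value")" ;;
        esac
    done < "$conf"
}

# Create every directory and hand it to the web-server user. On Ubuntu the
# owner is www-data (the post uses "www-data:" to set the group as well);
# a name or a numeric uid is accepted so this can run as an ordinary user.
modsec_prepare_dirs() {
    conf="$1"; owner="$2"
    for d in $(modsec_dirs "$conf"); do
        mkdir -p "$d" && chown "$owner" "$d" || return 1
    done
}

# Report directories that are missing or not owned by the expected user.
# Returns non-zero if anything is wrong, so it can gate an apache restart.
# stat -c is GNU coreutils syntax (Ubuntu); BSD stat would need -f.
modsec_check_dirs() {
    conf="$1"; owner="$2"; rc=0
    for d in $(modsec_dirs "$conf"); do
        if [ ! -d "$d" ]; then
            echo "missing: $d"; rc=1
            continue
        fi
        have=$(stat -c '%U %u' "$d")   # owner name and uid
        case " $have " in
            *" $owner "*) ;;
            *) echo "wrong owner on $d: $have (want $owner)"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run modsec_check_dirs against /etc/apache2/modsecurity_crs/modsecurity_localconfig.conf with owner www-data after the chown step; any line it prints is a directory mod_security will fail to write to.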

That will do for now, I think. To modify the rules, I feel it's best to slow down and buy a book for learning; I'm not sure docs and blogs are the best way to learn this, but it's up to your learning style. I keep updated by following @ModSecurity on Twitter.
