Some time ago, I changed my setup from nginx + spawn-fcgi to nginx + apache so I could play with mod_security. Well, one of my clients got pwned by some sql injection vulnerability, so I finally got to put it in practice.

In a nut shell, mod_security is an apache module that scans http(s) traffic for suspicious strings. It can catch suspicious strings entering apache or leaving apache. It’s a firewall for http(s), it blocks bad traffic, and lets good traffic pass through.

mod_security is one of those applications that doesn’t fit the package model well. I guess it comes in two parts, the apache module and the rules. Packages don’t seem to even attempt to manage the rules, you download them separately and they come with a util to update them. Then you have your local rules that add to, disable, or override the upstream rules to fit your environment.

In ubuntu, the mod_security package is a little outdated, it always will be, especially on LTS, and it’s one of those packages that needs constant updates. The clever and motivated security researchers eventually find weakness in mod_security which are addressed in updates. So you either use the packages, and hope fixes are backported in a timely manner, which hasn’t appeared to of happened in ubuntu, or you install by source.

Installing by source increases your workload and moves the burden of keeping it up to date to yourself. But it’s a pretty straightforward process, and if you have only one or two machines to admin, it’s no issue.

It’s basically a matter of downloading the source, checking the signature, running apt-get build-dep libapache-mod-security, untaring, ./configure; make;make test;make install, then enable the module in apache. It’s pretty well covered in the docs and blogs found in google.

That takes care of the module, but it does nothing without the rules. I downloaded the core rules from OWASP. There some documentation in the package, but there’s a few gotchas, so I’ll try and document step by step the process I went through.

1. unpack the rules in your home directory
2. sudo mkdir /etc/apache2/modsecurity_crs/
3. cd modsecurity-crs_2.1.2
   sudo cp -a *_rules *.example /etc/apache2/modsecurity_crs/
4. cd /etc/apache2/modsecurity_crs/
   sudo mv modsecurity_crs_10_config.conf{.example,}
5. You have to edit modesecurity_crs_10_config.conf and uncomment a few lines, I think the main one being SecRuleEngine.
6. I created two files in /etc/apache2/mods-available
   0modsecurity.conf
   <IfModule security2_module>
Include modsecurity_crs/*.conf
Include modsecurity_crs/base_rules/*.conf
</IfModule>
   0modsecurity.load
   LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
7. sudo a2enmod 0modsecurity
8. create a file called /etc/apache2/modsecurity_crs/modsecurity_localconfig.conf with the following
   SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir

9. Make all the directories in /var/log/modsecurity, which have to be owned by www-data
   sudo mkdir -p /var/log/modsecurity/{SecUploadDir,SecAuditLog,SecAuditLogStorageDir,SecDebugLog,SecDataDir,SecTmpDir}
sudo chown -R www-data: /var/log/modsecurity

That will do for now, I think. To modify the rules I feel it’s best to slow down and buy a book for learning, I’m not sure docs and blogs are the best way to learn this, but it’s up to your learning style. I keep updated by following @ModSecurity on twitter.

We were given a server to play with to do whatever we wanted, hosted in a US data centre. It was running RHEL 4.x, I could have worked with that, but it didn’t look like it was on a support contract, I wasn’t able to update it, anyway.

I thought about trying to convert it to centos, but realised it would be more fun to upgrade it to ubuntu gutsy.

Quick steps from memory

1. swapoff -a
2. mkfs.ext3 /dev/VolGroup00/LogVol01 (old swap)
3. mount /dev/VolGroup00/LogVol01 /mnt
4. wget debootstrap.deb (from gutsy)
5. ar x debootstrap.deb
6. tar -C / -xzf data.tar.gz
7. debootstrap –arch=i386 gutsy /mnt
8. chroot /mnt
9. mount proc, edit /etc/fstab and /etc/network/interfaces
10. apt-get install ubuntu-minimal ubuntu-standard linux-image postfix openssh-server plus a few other packages, some that were recommends.
11. copied gutsy /boot/* to the real /boot and created a new entry in menu.lst
12. created an account and uploaded some ssh keys
13. probably some steps I’ve forgotten
14. reboot

Easy peasy, just waiting for it to come up, it’s been 5 hours now, still waiting. Must be the slowest booting server ever.

Guess I’ll be calling the states now. :’(