ModSecurity™ is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. (quoted from http://www.modsecurity.org/)
 
Installing mod_security as a DSO is easier, and the procedure is the same for both Apache branches. First unpack the distribution somewhere (anywhere will do; I copy the .c file into my home directory):

# cd
# wget http://www.modsecurity.org/download/mod_security-1.9.4.tar.gz
# tar -zxvf mod_security-1.9.4.tar.gz
# cd mod_security-1.9.4/apache2
# cp mod_security.c ~/

and compile the module with the apxs tool of your Apache branch (for the Apache 1.3 branch take the module source from the apache1 directory of the tarball instead of apache2):

apache1: /usr/local/psa/admin/bin/apxs -cia ~/mod_security.c
apache2: /usr/sbin/apxs2 -cia ~/mod_security.c

The first problem that may occur is the absence of:
  • gcc: The GNU Compiler Collection (usually shortened to GCC) is a set of programming language compilers produced by the GNU Project. It is free software distributed by the Free Software Foundation (FSF) under the GNU GPL, and is a key component of the GNU toolchain. It is the standard compiler for the open source Unix-like operating systems, and certain proprietary operating systems derived therefrom such as Mac OS X. [Wikipedia]
  • apache-dev: contains the apxs tool and the Apache headers required to compile a module
Both can be installed via YaST2.

Tip: if your apxs2 is not located at /usr/sbin/apxs2, you can find it by typing # find / -name apxs2

# /usr/sbin/apxs2  -cia ~/mod_security.c
/usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -g -fPIC -Wall -fno-strict-aliasing -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2   -c -o /root/mod_security.lo /root/mod_security.c && touch /root/mod_security.slo
/usr/share/apache2/build/libtool --silent --mode=link gcc -o /root/mod_security.la  -rpath /usr/lib/apache2 -module -avoid-version    /root/mod_security.lo
/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apache2/build/libtool' /root/mod_security.la /usr/lib/apache2
/usr/share/apache2/build/libtool --mode=install cp /root/mod_security.la /usr/lib/apache2/
cp /root/.libs/mod_security.so /usr/lib/apache2/mod_security.so
cp /root/.libs/mod_security.lai /usr/lib/apache2/mod_security.la
cp /root/.libs/mod_security.a /usr/lib/apache2/mod_security.a
ranlib /usr/lib/apache2/mod_security.a
chmod 644 /usr/lib/apache2/mod_security.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/apache2

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/apache2/mod_security.so
apxs:Error: Config file /etc/apache2/httpd2-prefork.conf not found.

Ignore the last line (apxs:Error: Config file /etc/apache2/httpd2-prefork.conf not found): by that point the resulting shared library (mod_security.so) has already been copied into /usr/lib/apache2, as the cp lines above show.

Then copy the desired rule set (modsecurity-general.conf or modsecurity-php.conf) into /etc/apache2; the configuration below expects the rule files under /etc/apache2/modsecurity_rules/.

Edit /etc/apache2/httpd.conf and add the following lines at the end of the file. It is also recommended to use the rules from www.GotRoot.com:

LoadModule security_module /usr/lib/apache2/mod_security.so
SecFilterEngine On
Include /etc/apache2/modsecurity_rules/modsecurity-general.conf
Include /etc/apache2/modsecurity_rules/modsecurity-hardening.conf

# GotRoot rule set, found at http://www.gotroot.com/tiki-index.php?page=mod_security+rules
Include /etc/apache2/modsecurity_rules/gotroot/apache2-rules.conf
Include /etc/apache2/modsecurity_rules/gotroot/badips.conf
Include /etc/apache2/modsecurity_rules/gotroot/blacklist2.conf
Include /etc/apache2/modsecurity_rules/gotroot/blacklist.conf
Include /etc/apache2/modsecurity_rules/gotroot/exclude.conf
Include /etc/apache2/modsecurity_rules/gotroot/jitp.conf
Include /etc/apache2/modsecurity_rules/gotroot/proxy.conf
Include /etc/apache2/modsecurity_rules/gotroot/recons.conf
Include /etc/apache2/modsecurity_rules/gotroot/rootkits.conf
Include /etc/apache2/modsecurity_rules/gotroot/rules.conf
Include /etc/apache2/modsecurity_rules/gotroot/useragents.conf

BUT be careful with modsecurity-hardening.conf:
  1. This file has to be tuned for your server (log file locations, advanced rule sets): read it carefully and uncomment the TODO items where needed.
  2. By default mod_security is in learning mode: it logs the request and lets it pass through (line SecFilterDefaultAction "pass, log"). As soon as you have a good rule set, SecFilterDefaultAction "deny,log,status:500" is recommended.
Restart Apache 2 by typing:
# /etc/init.d/apache2 restart

Now it is time to check if mod_security is running: look for the "mod_security/1.9.4 configured" notice in the error log.

# tail -f /var/log/apache2/error_log
[Mon Aug 21 18:43:38 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down
[Mon Aug 21 19:01:57 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
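The two checks described above (the "configured" notice in error_log and whether the default action still leaves mod_security in learning mode) as a small script. This is an added example, not code from the original post or from the ModSecurity project; the log lines and conf files it parses are constructed samples modelled on what is quoted above.

```shell
#!/bin/sh
# Post-install sanity check for mod_security 1.9.x (added example, not code from the
# original post or the ModSecurity project): did Apache load the module (the
# "mod_security/<ver> configured" notice) and is the rule set still in learning mode?

# Print the version from the newest "mod_security/<ver> configured" notice in an
# Apache error_log; exit status 1 if no such notice exists.
modsec_loaded() {
    sed -n 's|.*\[notice\] mod_security/\([0-9.]*\) configured.*|\1|p' "$1" | tail -n 1 | grep .
}

# Print "learning" (requests pass, log only), "blocking" (deny) or "unset" for a
# mod_security conf file. Commented-out directives are ignored and the last active
# SecFilterDefaultAction in the file is the one reported.
modsec_mode() {
    action=$(awk '/^[ \t]*#/ { next } $1 == "SecFilterDefaultAction" { a = $2 } END { print a }' "$1" | tr -d '"')
    case "$action" in
        "")     echo unset ;;
        *deny*) echo blocking ;;
        *pass*) echo learning ;;
        *)      echo "other:$action" ;;
    esac
}

# Constructed sample inputs (modelled on the log and directives quoted in the post),
# written to a temp dir so the script runs offline.
TMP=$(mktemp -d "${TMPDIR:-/tmp}/modsec_check.XXXXXX")
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/error_log" <<'EOF'
[Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
[Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
EOF
cat > "$TMP/learning.conf" <<'EOF'
SecFilterEngine On
SecFilterDefaultAction "pass,log"
EOF
cat > "$TMP/blocking.conf" <<'EOF'
SecFilterEngine On
# SecFilterDefaultAction "pass,log"
SecFilterDefaultAction "deny,log,status:500"
EOF

# On a real server point these at /var/log/apache2/error_log and the included conf files.
if ver=$(modsec_loaded "$TMP/error_log"); then
    echo "mod_security $ver loaded"
else
    echo "no mod_security notice in error_log: module not loaded?" >&2
fi
for f in learning blocking; do
    echo "$f.conf: $(modsec_mode "$TMP/$f.conf")"
done
```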
