I was unable to properly install openSUSE 11.3 with Plesk 10.1.1. This forced me to install Ubuntu 10.04 LTS and, since then, also to (re)learn some basic stuff to secure my Linux server. Here are some of my how-tos.

ModSecurity is an open source web application firewall (WAF) engine for Apache that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.

Install

Using the package manager

apt-get -y install libapache-mod-security

Configure

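ModSecurity needs the following directories to work properly. Run all of these commands before continuing:

# Create the data directories first, otherwise the chown commands fail
mkdir -p /var/asl/data/msa /var/asl/data/audit /var/asl/data/suspicious
# Apache runs as www-data on Ubuntu and must own the ModSecurity data
chown www-data:www-data /var/asl/data/msa
chown www-data:www-data /var/asl/data/audit
chown www-data:www-data /var/asl/data/suspicious
# No access for other users, full access for owner and group
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
mkdir /var/asl/updates
mkdir -p /var/asl/rules/clamav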

Initial setup

Create a new file

vi /etc/apache2/conf.d/00_modsecurity.conf

And put the following inside

<IfModule mod_security2.c>
Include /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf
</IfModule>

Then create a new directory that will contain the ModSecurity rules

mkdir /etc/apache2/modsecurity.d/
vi /etc/apache2/modsecurity.d/modsecurity_crs_10_config.conf

Content of file modsecurity_crs_10_config.conf

Some default values to hide the server name and signature

 ServerTokens Prod
 ServerSignature Off
 TraceEnable Off

 SecRuleEngine On
 SecRequestBodyAccess On
 SecResponseBodyAccess On
 SecResponseBodyMimeType (null) text/html text/plain text/xml
 SecResponseBodyLimit 2621440
 SecServerSignature Apache
 SecComponentSignature 200911012341
 SecUploadDir /var/asl/data/suspicious
 SecUploadKeepFiles Off
 SecAuditEngine RelevantOnly
 SecAuditLogRelevantStatus "^(?:5|4(?!04))"
 SecAuditLogType Concurrent
 SecAuditLog logs/audit_log
 SecAuditLogParts ABIFHZ
 SecArgumentSeparator "&"
 SecCookieFormat 0
 SecRequestBodyInMemoryLimit 131072
 SecDataDir /var/asl/data/msa
 SecTmpDir /tmp
 SecAuditLogStorageDir /var/asl/data/audit
 SecResponseBodyLimitAction ProcessPartial

 Include /etc/apache2/modsecurity.d/gotroot/*asl*.conf

Getting the initial set of rules from GotRoot

Run these commands to install the latest free, but delayed, set of ModSecurity rules from GotRoot.com.

The last command restarts Apache.

# The directory matches the Include line in modsecurity_crs_10_config.conf
mkdir -p /etc/apache2/modsecurity.d/gotroot
cd /etc/apache2/modsecurity.d/gotroot
wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.gz
tar zxvf modsec-2.5-free-latest.tar.gz
mv modsec/* .
/etc/init.d/apache2 restart

Watch your logs for warnings/errors like the one below. They confirm that ModSecurity is working as expected.

[Mon Feb 28 20:52:45 2011] [error] [client 195.8.45.152] 
ModSecurity: Warning. CC# match "\\d{13,16}" at RESPONSE_BODY.
[offset "15816"] [file "/etc/apache2/modsecurity.d/gotroot/11_asl_data_loss.conf"]
[line "33"] [id "340838"] [rev "2"]
[msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules:
Potential credit card number detected in output (not blocked)"]
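
To go from eyeballing the log to a per-rule tally, here is an added example (not part of the original post) that counts ModSecurity entries by action, rule id and rule file. The sample lines, client addresses, rule id 999001 and the file 99_asl_example.conf are constructed; on a real server, feed it the Apache error log (assumed here to be the Ubuntu default, /var/log/apache2/error.log) with `modsec_summary < /var/log/apache2/error.log`.

```shell
#!/bin/sh
# Added example: tally ModSecurity entries in an Apache error log by
# action, rule id and rule file, to confirm rules fire and spot noisy ones.

# Constructed sample input (documentation IPs; rule id 999001 and its
# file name are made up; 340838 is the rule shown in the log above).
sample_log() {
cat <<'EOF'
[Mon Feb 28 20:52:45 2011] [error] [client 192.0.2.10] ModSecurity: Warning. CC# match "\\d{13,16}" at RESPONSE_BODY. [offset "15816"] [file "/etc/apache2/modsecurity.d/gotroot/11_asl_data_loss.conf"] [line "33"] [id "340838"] [rev "2"] [msg "Potential credit card number detected in output (not blocked)"]
[Mon Feb 28 20:53:02 2011] [error] [client 192.0.2.30] File does not exist: /var/www/favicon.ico
[Mon Feb 28 20:54:10 2011] [error] [client 192.0.2.20] ModSecurity: Warning. CC# match "\\d{13,16}" at RESPONSE_BODY. [offset "203"] [file "/etc/apache2/modsecurity.d/gotroot/11_asl_data_loss.conf"] [line "33"] [id "340838"] [rev "2"] [msg "Potential credit card number detected in output (not blocked)"]
[Mon Feb 28 20:55:31 2011] [error] [client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "constructed" at ARGS:q. [file "/etc/apache2/modsecurity.d/gotroot/99_asl_example.conf"] [line "12"] [id "999001"] [msg "Constructed example rule"]
EOF
}

# Reads an error log on stdin; prints "count action rule_id rule_file",
# most frequent first. "warning" = logged only, "denied" = request blocked.
modsec_summary() {
    awk '
    /ModSecurity: / {
        action = "other"
        if ($0 ~ /ModSecurity: Warning\./) action = "warning"
        else if ($0 ~ /ModSecurity: Access denied/) action = "denied"
        id = "-"; file = "-"
        if (match($0, /\[id "[0-9]+"\]/)) id = substr($0, RSTART + 5, RLENGTH - 7)
        if (match($0, /\[file "[^"]+"\]/)) {
            file = substr($0, RSTART + 7, RLENGTH - 9)
            sub(/.*\//, "", file)   # keep only the file name
        }
        count[action " " id " " file]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2,2
}

# Stand-alone demo on the constructed sample
sample_log | modsec_summary
```

A rule that shows up only as "warning" is logging without blocking, like the credit card rule above; a high count for one rule id is the first place to look when tuning.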

You can always get new rules by visiting http://updates.atomicorp.com/channels/rules/delayed/
