Wednesday, May 16, 2012

Ubuntu 12.04 LTS 64bit + Apache2 + Mod Security

I've tried installing the ModSecurity binary using apt-get a number of times but I could not get ModSecurity to work e.g. block displaying /etc/passwd content attempts. So I ended up compiling  ModSecurity from source.

What is exactly is ModSecurity?

ModSecurity is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.

Moving forward, download the latest stable release from; it's version 2.5.12 as of this writing. In order to compile ModSecurity, install the following:

$ sudo apt-get install automake g++ apache2-threaded-dev dpkg-dev libxml2 libxml2-dev

Once done, proceed compiling ModSecurity.

$ cd /apache2
$ ./configure
$ make
$ sudo make install

Next would be to create the configuration file so that Apache will be able to use the ModSecurity module. Create the /etc/apache2/mods-available/mod_security.load file, and insert the following:

LoadFile /usr/lib/x86_64-linux-gnu/
LoadModule security2_module /usr/lib/apache2/modules/
< IfModule !mod_security2.c >
< /IfModule>
< IfModule mod_security2.c >
Include /etc/apache2/modsecurity_crs/*.conf
< /IfModule >

Afterwards, create the /etc/apache2/modsecurity_crs directory, and copy all core rule sets to the newly created directory.

$ sudo mkdir /etc/apache2/modsecurity_crs
$ sudo cp -R modsecurity-apache_2.5.12/rules/*.conf /etc/apache2/modsecurity_crs/
$ sudo cp -R modsecurity-apache_2.5.12/rules/base_rules/* /etc/apache2/modsecurity_crs/

It's now time to enable the new ModSecurity module, restart Apache enables it.

$ sudo a2enmod mod_security
$ sudo service apache2 restart

Don't forget to check ModSecurity if it's really working. Create /var/www/testsecurity.php file with the following content:

< ?php
$secret_file = $_GET['secret_file'];
include ( $secret_file);
? >

Open your favorite browser and type http://localhost/testsecurity.php?secret_file=/etc/passwd , you should see the following:


You don't have permission to access /testsecurity.php on this server.

Otherwise, the content of /etc/passwd file will be displayed which means that ModSecurity is not working.

That's all there is to it!


No comments:

Post a Comment