mod_security on FC6

[llamy]

Hi,

I was following the Falko's Howto on securing apache with mod_security on a FC6, after instaling mod_security with yum, my mod_security.conf file looks like this :

# Example configuration file for the mod_security Apache module

LoadFile /usr/lib/libxml2.so.2

LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.

# Basic configuration goes in here
Include modsecurity.d/modsecurity_crs_10_config.conf

# Protocol violation and anomalies.

Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

# HTTP policy rules

Include modsecurity.d/modsecurity_crs_30_http_policy.conf

# Here comes the Bad Stuff...

Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
Include modsecurity.d/modsecurity_crs_45_trojans.conf
Include modsecurity.d/modsecurity_crs_50_outbound.conf

# Search engines and other crawlers. Only useful if you want to track
# Google / Yahoo et. al.

# Include modsecurity.d/modsecurity_crs_55_marketing.conf

# Put your local rules in here.

Include modsecurity.d/modsecurity_localrules.conf
</IfModule>




should i then add the Falko's ruleset after the part # Put your local rules in here.
according to the howto, the Falko's ruleset is the following :



# Example configuration file for the mod_security Apache module

LoadModule security_module modules/mod_security.so

<IfModule mod_security.c>

# Turn the filtering engine On or Off
SecFilterEngine On

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# Cookie format checks.
SecFilterCheckCookieFormat On

# The name of the audit log file
SecAuditLog logs/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Default action set
SecFilterDefaultAction "deny,log,status:406"

# Simple example filter
# SecFilter 111

# Prevent path traversal (..) attacks
# SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
# SecFilter "<( |\n)*script"

# Prevent XSS atacks (HTML/Javascript injection)
# SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
# SecFilter "delete[[:space:]]+from"
# SecFilter "insert[[:space:]]+into"
# SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# Some common application-related rules from
# http://modsecrules.monkeydev.org/rules.php?safety=safe

#Nuke Bookmarks XSS
SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catna me|del_mark\&markname|edit_cat\&catname|edit_cat\& catcomment|marks\&catname|uploadbookmarks\&categor y)=(<[[:space:]]*script|(http|https|ftp)\:/)"

#Nuke Bookmarks Marks.php SQL Injection Vulnerability
SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname =.*\&category=.*/\*\*/(union|select|delete|insert)"

#PHPNuke general XSS attempt
#/modules.php?name=News&file=article&sid=1&optionbox =
SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"

# PHPNuke SQL injection attempt
SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="

#phpnuke sql insertion
SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"

# WEB-PHP phpbb quick-reply.php arbitrary command attempt

SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

#Topic Calendar Mod for phpBB Cross-Site Scripting Attack
SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"

# phpMyAdmin: Safe

#phpMyAdmin Export.PHP File Disclosure Vulnerability
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."

#phpMyAdmin path vln
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"

</IfModule>



Thanks in advance.
Llamy.

[llamy]

i have tried with this :

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log suspicious requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Debug level set to a minimum
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

</IfModule>



And when i restart apache i have this error :

Starting httpd: Syntax error on line 38 of /etc/httpd/conf.d/mod_security.conf:
Invalid command 'SecFilterEngine', perhaps misspelled or defined by a module not included in the server configuration
[FAILED]

Do you know what to do here? Thanks in advance.

Llamy.

[falko]

Which mod_security version did you install? Since version 2, there's no SecFilterEngine anymore: http://www.modsecurity.org/documenta...tml-multipage/

I'd try the original configuration and then add your custom rules where it says so.

Also take a look here: http://www.howtoforge.com/remo_modsecurity_apache
http://www.howtoforge.com/apache2_mo...ty_debian_etch

[llamy]

Hi Falko,

Thanks for your reply. This is what i get when i do:> yum info mod_security on my FC6 box :

Installed Packages
Name : mod_security
Arch : i386
Version: 2.1.1
Release: 1.fc6
Size : 1.4 M
Repo : installed
Summary: Security module for the Apache HTTP Server

Description:
ModSecurity is an open source intrusion detection and prevention engine
for web applications. It operates embedded into the web server, acting
as a powerful umbrella - shielding web applications from attacks.

Now i think i will go with the second link you gave in your reply:
http://www.howtoforge.com/apache2_mo...ty_debian_etch

and i will let you know.

About the rules that you said that i've been downloaded in this howto link, i think i should put in the rules directory this http://www.modsecurity.org/download/...2.1-1.4.tar.gz

llamy.