ISPCONFIG and MOD_SECURITY

[MyLinux]

Hi friends,
I am relatively newbie to ispconfig.Please le me know whether there is any conflict or problem in installing mod_secirty apache module on ISPConfig web hosting servers.
Regards,

[till]

Quote:

Originally Posted by MyLinux

Hi friends,
I am relatively newbie to ispconfig.Please le me know whether there is any conflict or problem in installing mod_secirty apache module on ISPConfig web hosting servers.
Regards,

I think it has not been tested yet. Generally ISPConfig does not make problems when you install additional apache modules that can not be configured trough the web interface.

[dspx2006]

Quote:

Originally Posted by MyLinux

Hi friends,
I am relatively newbie to ispconfig.Please le me know whether there is any conflict or problem in installing mod_secirty apache module on ISPConfig web hosting servers.
Regards,

The thing is that for a newbie it is quite difficult to figure out what and where to change in the configuration of the ISPConfig to accept mod_security. I have had some trouble myself figuring that out (I am new to ISPConfig but not new to Apache configurations). So this is what I did after some hours of working (and no help on the net...).

First of all, perhaps it is useful to remind people that ISPConfig uses its own apache (apart from system's default).
For instance my LAMP Ubuntu server brings an apache2 while ISPConfig 2.2.6 comes with Apache 1.3.37.
There are two apache configurations to secure:
1. the one ISPConfig uses (1.3.37)
2. the one used for the websites hosted, the same with system's Apache (my case latest Apache 2 from Ubuntu)
For securing 2. just

Code:

apt-get install libapache2-mod-security

add rules to /etc/apache2/mods-available/ in a separate file (you can use the rules from www.modsecurity.org) and ln -s to mods-enabled
Than restart apache2.


For securing 1, see below:

Get the latest mod-security. Mine was 1.9.4:

Code:

wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -zxvf modsecurity-apache_1.9.4.tar.gz

2. go to the module you need to install in apache

Code:

cd modsecurity-apache_1.9.4/apache1/

3. now you need to install the module by using apxs. First find where ISPConfig established its basic directory, by searching after ispconfig_httpd

Code:

locate ispconfig_httpd

Copy the mod_security.c to the path obtained above

Code:

cp mod_security.c /path/to/ispconfig_httpd/mod_security.c

Now cd to the location of the ispconfig_httpd (where there is also apxs, the one we need)

Code:

cd /path/to/ispconfig_httpd/

Stop ispconfig

Code:

/etc/init.d/ispconfig_server stop

Backup your ispconfig_httpd

Code:

cp ispconfig_httpd ispconfig_httpd_bk

Rename ispconfig_httpd to httpd (so that apxs recongnizes the httpd)

Code:

mv ispconfig_httpd httpd

Load the module

Code:

apxs -cia mod_security.c

Rename httpd back to ispconfig_httpd

Code:

mv httpd ispconfig_httpd

Keep fingers crossed and start ispconfig

Code:

/etc/init.d/ispconfig_server start

If something goes wrong, change ispconfig_httd_bk to ispconfig_httpd and restart /etc/init.d/ispconfig_server restart.
If nothing wrong happened you can see that ispconfig started and now you are using mod_security in your apache. Remember, anyway, that mod_security is useless if you don't add rules to your httpd.conf to handle the mod-security. go to

Code:

cd ../conf

Add the rules to httpd.conf:

Code:

<IfModule mod_security.c>
    # mod_security rules which you can find here
    # http://www.modsecurity.org/download/modsecurity-rules-current.tar.gz
    # you can include the chosen file directly by:
    # Include file
    # ...
</IfModule>

That's about it. From now on read the manuals on www.modsecurity.org to learn about the rules.

p.

[till]

Quote:

First of all, perhaps it is useful to remind people that ISPConfig uses its own apache (apart from system's default). For instance my LAMP Ubuntu server brings an apache2 while ISPConfig 2.2.6 comes with Apache 1.3.37.
This also means that it is useless to try "the easy way" by apt-get install libapache2-mod-security (since this will install mod-security only for your default apache 2).

Thats not correct. ISPConfig uses the apache2 from your linux installation. Running "apt-get install libapache2-mod-security" is enough to install mod_security.

The mod_security you installed will not secure the websites on your server, it will secure only connections on port 81 to the controlpanel frontend. I will not say that running mod_security on the controlpanel is a bad idiea, but it is maybe not that what you wanted.

[dspx2006]

I'm afraid you are right! I have actually been mislead by phpMyAdmin's php_info() which only showed mod_security after I did all I described above. But you are right since phpMyAdmin also comes through ISPConfig's port 81.
So, mea culpa!
The above information only applies to securing the ISPConfig's apache.
I have edited the post to correct the confusion.

Thanks for clearing that up, Till!

[st2xo]

Here´s a very usefull url for mod_securtiy.
http://www.heise.de/security/artikel/69070
(in german language!)