Highland
03-13-2006, 07:29 PM
Even with a normal firewall running, mod_security is a must, as this catches attempts to hijack your web server.
1. Install Apache Developer
You'll need the httpd-devel package. You can get this via yum
#yum install httpd-devel
or by up2date
#up2date httpd-devel
up2date may require you to install some PGP keys first, but you will be prompted to do so.
2. Download mod_security (http://www.modsecurity.org/download/index.html)
I would go with the latest stable release. Once untarred, descend into the apache2 directory, run this command, and then stop and restart Apache
#/usr/sbin/apxs -cia mod_security.c
Now mod_security is installed
3. Download the Apache 2 ruleset (http://gotroot.com/tiki-index.php?page=mod_security+rules) from Got Root
Untar it and move it to /etc/modsecurity
#mv apache2 /etc/modsecurity
4. Make a modsecurity.conf file
Now we need to tell Apache what to load. So we make a conf file using our text editor (hopefully pico, but vi would work too). We need to make this file inside the /etc/httpd/conf.d/ directory. I used the one suggested by Got Root (http://gotroot.com/tiki-index.php?page=Setup+of+mod_security)
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
#SecFilterEngine DynamicOnly
SecFilterEngine On
# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1
SecServerResponseToken Off
#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "NOYB"
#SecUploadDir /tmp
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
Include /etc/modsecurity/exclude.conf
#Application protection rules
Include /etc/modsecurity/rules.conf
#Comment spam rules
Include /etc/modsecurity/blacklist.conf
#Bad hosts, bad proxies and other bad players
Include /etc/modsecurity/blacklist2.conf
#Bad clients, known bogus useragents and other signs of malware
Include /etc/modsecurity/useragents.conf
#Known bad software, rootkits and other malware
Include /etc/modsecurity/rootkits.conf
#Signatures to prevent proxying through your server
#only include these rules if your server is NOT a proxy
Include /etc/modsecurity/proxy.conf
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
Include /etc/modsecurity/apache2-rules.conf
</IfModule>
Restart Apache and you're done.
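A pre-flight check for the conf file above, added here as an example and not part of Highland's post: it assumes the mod_security 1.x directives shown (SecFilterEngine, SecFilterDefaultAction, Include) and builds a constructed sample rules directory under a temp dir so the check can be exercised without touching /etc. It catches the three mistakes that most often leave the setup silently toothless: engine off, a non-denying default action, and a missing or mis-ordered rules file.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for a
# mod_security 1.x modsecurity.conf before restarting Apache.
# check_modsec_conf CONF -> exit status 0 if the file looks sane, 1 otherwise.
check_modsec_conf() {
    conf="$1"; rc=0
    # The engine must be enabled, or no rule is ever evaluated.
    grep -Eq '^[[:space:]]*SecFilterEngine[[:space:]]+(On|DynamicOnly)' "$conf" ||
        { echo "FAIL: SecFilterEngine is not On"; rc=1; }
    # The default action must deny; without it matches are only logged.
    grep -Eq '^[[:space:]]*SecFilterDefaultAction[[:space:]]+"[^"]*deny' "$conf" ||
        { echo "FAIL: SecFilterDefaultAction does not deny"; rc=1; }
    # Every Include target must exist: Apache will refuse to start otherwise.
    for f in $(awk '$1=="Include"{print $2}' "$conf"); do
        [ -r "$f" ] || { echo "FAIL: Include target missing: $f"; rc=1; }
    done
    # exclude.conf must come before rules.conf (the post: "These MUST come first").
    ex=$(awk '$1=="Include" && $2 ~ /exclude\.conf$/ {print NR; exit}' "$conf")
    ru=$(awk '$1=="Include" && $2 ~ /\/rules\.conf$/ {print NR; exit}' "$conf")
    if [ -n "$ex" ] && [ -n "$ru" ] && [ "$ex" -gt "$ru" ]; then
        echo "FAIL: exclude.conf is included after rules.conf"; rc=1
    fi
    return $rc
}

# Constructed sample: a rules directory and two candidate configs.
tmp=$(mktemp -d)
mkdir -p "$tmp/modsecurity"
for r in exclude rules blacklist; do : > "$tmp/modsecurity/$r.conf"; done
cat > "$tmp/good.conf" <<EOF
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
Include $tmp/modsecurity/exclude.conf
Include $tmp/modsecurity/rules.conf
Include $tmp/modsecurity/blacklist.conf
EOF
# Bad: engine off, rules before exclusions, and a rules file that was never unpacked.
cat > "$tmp/bad.conf" <<EOF
SecFilterEngine Off
SecFilterDefaultAction "deny,log,status:500"
Include $tmp/modsecurity/rules.conf
Include $tmp/modsecurity/exclude.conf
Include $tmp/modsecurity/rootkits.conf
EOF
if check_modsec_conf "$tmp/good.conf"; then echo "good.conf: OK"; fi
if check_modsec_conf "$tmp/bad.conf"; then :; else echo "bad.conf: rejected"; fi
```

Run it against /etc/httpd/conf.d/modsecurity.conf before the restart in step 4; a FAIL line names exactly which directive or Include to fix.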