mod_security on FC6

Discussion in 'HOWTO-Related Questions' started by llamy, Jul 30, 2007.

  1. llamy

    llamy New Member

    Hi,

    I was following Falko's Howto on securing Apache with mod_security on FC6. After installing mod_security with yum, my mod_security.conf file looks like this:

    # Example configuration file for the mod_security Apache module

    LoadFile /usr/lib/libxml2.so.2

    LoadModule security2_module modules/mod_security2.so
    LoadModule unique_id_module modules/mod_unique_id.so

    <IfModule mod_security2.c>
    # This is the ModSecurity Core Rules Set.

    # Basic configuration goes in here
    Include modsecurity.d/modsecurity_crs_10_config.conf

    # Protocol violation and anomalies.

    Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf
    Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf

    # HTTP policy rules

    Include modsecurity.d/modsecurity_crs_30_http_policy.conf

    # Here comes the Bad Stuff...

    Include modsecurity.d/modsecurity_crs_35_bad_robots.conf
    Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf
    Include modsecurity.d/modsecurity_crs_45_trojans.conf
    Include modsecurity.d/modsecurity_crs_50_outbound.conf

    # Search engines and other crawlers. Only useful if you want to track
    # Google / Yahoo et. al.

    # Include modsecurity.d/modsecurity_crs_55_marketing.conf

    # Put your local rules in here.

    Include modsecurity.d/modsecurity_localrules.conf
    </IfModule>

    Should I then add Falko's ruleset after the part "# Put your local rules in here."?
    According to the howto, Falko's ruleset is the following:

    # Example configuration file for the mod_security Apache module

    LoadModule security_module modules/mod_security.so

    <IfModule mod_security.c>

    # Turn the filtering engine On or Off
    SecFilterEngine On

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis
    SecAuditEngine RelevantOnly

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Unicode encoding check
    SecFilterCheckUnicodeEncoding On

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # Cookie format checks.
    SecFilterCheckCookieFormat On

    # The name of the audit log file
    SecAuditLog logs/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Default action set
    SecFilterDefaultAction "deny,log,status:406"

    # Simple example filter
    # SecFilter 111

    # Prevent path traversal (..) attacks
    # SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    # SecFilter "<( |\n)*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    # SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks
    # SecFilter "delete[[:space:]]+from"
    # SecFilter "insert[[:space:]]+into"
    # SecFilter "select.+from"

    # Require HTTP_USER_AGENT and HTTP_HOST headers
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^GET$" chain
    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

    # Some common application-related rules from
    # http://modsecrules.monkeydev.org/rules.php?safety=safe

    #Nuke Bookmarks XSS
    SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"

    #Nuke Bookmarks Marks.php SQL Injection Vulnerability
    SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"

    #PHPNuke general XSS attempt
    #/modules.php?name=News&file=article&sid=1&optionbox=
    SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"

    # PHPNuke SQL injection attempt
    SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="

    #phpnuke sql insertion
    SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"

    # WEB-PHP phpbb quick-reply.php arbitrary command attempt

    SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
    SecFilter "phpbb_root_path="

    #Topic Calendar Mod for phpBB Cross-Site Scripting Attack
    SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"

    # phpMyAdmin: Safe

    #phpMyAdmin Export.PHP File Disclosure Vulnerability
    SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
    SecFilterSelective ARG_what "\.\."

    #phpMyAdmin path vuln
    SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"

    </IfModule>

    Thanks in advance.
    Llamy.
  2. llamy

    llamy New Member

    mod_security

    I have tried with this:

    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # Unicode encoding check
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 0 255

    # Only log suspicious requests
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log
    # Debug level set to a minimum
    SecFilterDebugLog /var/log/httpd/modsec_debug_log
    SecFilterDebugLevel 0

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # By default log and deny suspicious requests
    # with HTTP status 500
    SecFilterDefaultAction "deny,log,status:500"

    </IfModule>

    And when I restart Apache I get this error:

    Starting httpd: Syntax error on line 38 of /etc/httpd/conf.d/mod_security.conf:
    Invalid command 'SecFilterEngine', perhaps misspelled or defined by a module not included in the server configuration
    [FAILED]

    Do you know what to do here? Thanks in advance.

    Llamy.
  3. falko

    falko Super Moderator ISPConfig Developer

  4. llamy

    llamy New Member

    Hi Falko,

    Thanks for your reply. This is what I get when I run yum info mod_security on my FC6 box:

    Installed Packages
    Name : mod_security
    Arch : i386
    Version: 2.1.1
    Release: 1.fc6
    Size : 1.4 M
    Repo : installed
    Summary: Security module for the Apache HTTP Server

    Description:
    ModSecurity is an open source intrusion detection and prevention engine
    for web applications. It operates embedded into the web server, acting
    as a powerful umbrella - shielding web applications from attacks.

    Now I think I will go with the second link you gave in your reply:
    http://www.howtoforge.com/apache2_mo...ty_debian_etch

    and I will let you know.

    About the rules that you said I've downloaded in this howto link, I think I should put this in the rules directory: http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz

    llamy.
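The error in post 2 and the version in post 4 fit together: the yum package is ModSecurity 2.1.1, and its Apache module (security2_module) does not accept the 1.x SecFilter* directives that the older howto uses, hence "Invalid command 'SecFilterEngine'". As an added example (not code from the thread or the howto), this Python script scans a mod_security.conf for 1.x-only directives and names the 2.x form of each; the 2.x names are those of ModSecurity 2's own directive set (SecRuleEngine, SecRequestBodyAccess, SecDefaultAction, SecDebugLog, SecDebugLogLevel, SecRule with validate operators), and the sample config is constructed from the failing snippet in post 2.

```python
"""Diagnose the "Invalid command 'SecFilterEngine'" error from the thread: the yum
package is ModSecurity 2.1.1, whose module (security2_module) does not know the 1.x
SecFilter* directives. Added example, not code from the howto or the thread."""
import re

# 1.x directive -> 2.x form (None: no direct replacement). Encoding checks became
# rule operators (@validateUrlEncoding, @validateUtf8Encoding, @validateByteRange).
LEGACY_TO_V2 = {
    "SecFilterEngine": "SecRuleEngine On",
    "SecFilterScanPOST": "SecRequestBodyAccess On",
    "SecFilterDefaultAction": 'SecDefaultAction "phase:2,deny,log,status:500"',
    "SecFilterDebugLog": "SecDebugLog <path>",
    "SecFilterDebugLevel": "SecDebugLogLevel <0-9>",
    "SecFilterCheckURLEncoding": 'SecRule ARGS "@validateUrlEncoding"',
    "SecFilterCheckUnicodeEncoding": 'SecRule ARGS "@validateUtf8Encoding"',
    "SecFilterForceByteRange": 'SecRule ARGS "@validateByteRange 0-255"',
    "SecFilterCheckCookieFormat": None,
    "SecFilterSelective": "SecRule <VARIABLES> <pattern> <actions>",
    "SecFilter": "SecRule REQUEST_URI|ARGS <pattern> <actions>",
}
DIRECTIVE_RE = re.compile(r"^\s*(Sec\w+)\b")  # a Sec* directive at line start

def find_legacy_directives(conf_text):
    """Return (line_no, directive, v2_equivalent) for every 1.x directive found.
    Comments, blank lines, LoadModule/Include and valid 2.x directives are skipped."""
    hits = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1) in LEGACY_TO_V2:
            hits.append((line_no, m.group(1), LEGACY_TO_V2[m.group(1)]))
    return hits

def loads_modsecurity2(conf_text):
    """True if the config loads the 2.x module, so SecFilter* lines will be rejected."""
    return re.search(r"^\s*LoadModule\s+security2_module\b", conf_text, re.M) is not None

# Constructed sample mirroring the failing mod_security.conf from the thread.
SAMPLE_CONF = """\
LoadModule security2_module modules/mod_security2.so
<IfModule mod_security.c>
SecFilterEngine On
SecFilterCheckURLEncoding On
SecAuditEngine RelevantOnly
SecFilterDefaultAction "deny,log,status:500"
</IfModule>
"""
if __name__ == "__main__" and loads_modsecurity2(SAMPLE_CONF):
    for line_no, name, repl in find_legacy_directives(SAMPLE_CONF):
        print(f"line {line_no}: {name} is 1.x only -> {repl or 'no 2.x equivalent; remove it'}")
```

SecAuditEngine and SecAuditLog keep their names in 2.x, so the scanner leaves them alone and flags only the three SecFilter* lines.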