
HOWTO: Enhancing Apache with mod_security

by Jorge A Gallegos on Sep 09, 2004

Intro

People sometimes ask if fedoranews.org contains information for desktop purposes only, if it's intended so the proverbial "Joe User" can navigate as he sees fit through his Fedora box... It is not.

The information in FN.org is free(dom), and as such, many topics are covered and many programs pass through these humble pages.

Today we are going server side: we are focusing on how we can enhance our site's security against attacks and exploits, be they SQL Injection, Cross Site Scripting or other niceties that people tend to do from time to time.

Why?

Like probably quite a few of you, I run and admin some websites (some for fun, some for work), and as many of you surely do, some of these websites are mounted on a CMS. CMSes are not the 8th wonder of the world; however, some of them are pretty good, and they save you a lot of time by automating tons of tasks. As with every piece of code in existence, though, all of them are insecure and buggy (in fact, every piece of software is insecure and buggy to a degree).

So, looking for tools and ways to prevent people from breaking into my site without authorization, I found a great piece of software: mod_security for Apache.

What?

Yes, you read that correctly, this will be about an Apache add-on module that enhances security server-wide. As the official site points out:

"ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache Web server module, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks."

This will guide you through the steps to build mod_security as a dynamic shared object for the Apache web server in Fedora Core 2 (though it's pretty easy to replicate the steps for any other distro/version and any other Apache version).

Requirements:
The mod_security module requires the httpd-devel package to be installed in the system; any stock RPM for FC2 should be enough for this.

How?

You need basically 2 things:

  • The source for mod_security (here)
  • A basic set of rules, which will be packaged in the RPM (here)

Once you have these files, you'll just need to unpack the tarball:

[gallegosja@gallegosja gallegosja]$ tar -xvzf mod_security-1.8.4.tar.gz

Go to the apache2 directory inside the newly unpacked tree (the apache1 directory holds the module for Apache 1.x) and run apxs (you will need root permissions to do this). The -cia flags tell apxs to compile the module, install it into the modules directory and activate it by adding the LoadModule line to httpd.conf:

[gallegosja@gallegosja gallegosja]$ cd mod_security-1.8.4/apache2/
[gallegosja@gallegosja apache2]$ sudo /usr/sbin/apxs -cia mod_security.c
/bin/sh /usr/lib/apr/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -march=i386 -mcpu=i686 -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apr-0 -I/usr/include/httpd  -c -o mod_security.lo mod_security.c && touch mod_security.slo
/bin/sh /usr/lib/apr/build/libtool --silent --mode=link gcc -o mod_security.la -rpath /usr/lib/httpd/modules -module -avoid-version    mod_security.lo
/usr/lib/httpd/build/instdso.sh SH_LIBTOOL='/bin/sh /usr/lib/apr/build/libtool' mod_security.la /usr/lib/httpd/modules
/bin/sh /usr/lib/apr/build/libtool --mode=install cp mod_security.la /usr/lib/httpd/modules/
cp .libs/mod_security.so /usr/lib/httpd/modules/mod_security.so
cp .libs/mod_security.lai /usr/lib/httpd/modules/mod_security.la
cp .libs/mod_security.a /usr/lib/httpd/modules/mod_security.a
ranlib /usr/lib/httpd/modules/mod_security.a
chmod 644 /usr/lib/httpd/modules/mod_security.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/httpd/modules
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/httpd/modules
 
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'
 
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/httpd/modules/mod_security.so
[activating module `security' in /etc/httpd/conf/httpd.conf]
[gallegosja@gallegosja apache2]$

Restart your Apache web server:

[gallegosja@gallegosja apache2]$ sudo /sbin/service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[gallegosja@gallegosja apache2]$

This just restarted your Apache server, and placed a file in /etc/httpd/conf.d/mod_security.conf with a set of general rules... very general rules. You will need to change several of these rules and activate or deactivate some of them; you might find this conf file a little bit more useful.

Where?

The mod_security.conf file is located in the conf.d directory of the Apache configuration directory, and the logs (if you downloaded the .conf file provided above) go to /var/log/httpd/audit_log; otherwise you can define in the .conf file where to write the logs.

The configuration file contains a very basic set of rules and although they're quite useful for a simple site, more complex rules might be in order for your site's specific needs. If you need more information on how you can create new rules or modify existing rules, read the documentation in the /usr/share/doc/mod_security-1.8.4 directory or read it online at the project's home page.
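
To give an idea of what such a rule set looks like, here is a small mod_security.conf written for this article as an added example (it is not the .conf file linked above, nor the project's own rule set). It uses ModSecurity 1.x directive syntax; the patterns are illustrative and the audit log path is the one mentioned above.

```apache
# /etc/httpd/conf.d/mod_security.conf: added example, ModSecurity 1.x syntax
<IfModule mod_security.c>
    # Turn the filtering engine on for every request
    SecFilterEngine On

    # Request bodies are not inspected unless this is on
    SecFilterScanPOST On

    # Reject malformed URL encoding (e.g. "%zz") before the rules run
    SecFilterCheckURLEncoding On

    # What happens when a rule matches: refuse with 403 and record it
    SecFilterDefaultAction "deny,log,status:403"

    # Log only the requests that triggered a rule
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/audit_log

    # Directory traversal anywhere in the request
    SecFilter "\.\./"

    # Script tags anywhere in the request (cross-site scripting)
    SecFilter "<[[:space:]]*script"

    # Common SQL injection fragments, matched against arguments only
    SecFilterSelective ARGS "delete[[:space:]]+from"
    SecFilterSelective ARGS "insert[[:space:]]+into"
    SecFilterSelective ARGS "select.+from"

    # Requests other than GET/HEAD must use one of the two body encodings
    # the engine can parse; the two lines form a single chained rule
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
</IfModule>
```

Run `apachectl configtest` before restarting so a typo in a rule does not take the server down. Patterns this broad will also match legitimate content (a CMS post that contains "select ... from", for instance), so review the audit log after enabling them and narrow the rules that misfire.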

Jorge A Gallegos