Use ModSecurity to protect and review your Web server (1)

ModSecurity is a free and open-source Apache module that can act as WAF ). It has rich features, powerful communities, and business support options. Therefore, it is essential for any production Apache Web server that provides non-static content and needs to be reviewed.

The main function of ModSecurity is to provide reliable protection and stay away from various online threats. It does not shift the focus of security away from the application, but adds global features. To configure the rule, you only need to specify the rules for each part of the client-server communication, including the request header, request body, response header, and response body. Therefore, ModSecurity can prevent attacks against interpreters such as Web servers, PHP, Perl, ASP, and Web applications.

ModSecurity can be a step ahead of software developers to mitigate zero-day attacks and provide protection against security vulnerabilities. Recently, it has used rules to effectively prevent Range headers in Apache byte ranges) denial of Service Security Vulnerabilities and Java floating point value denial of service attacks.

While checking the complete communication flow, ModSecurity can also log it, which means the software can be used for review and troubleshooting. The full log function adds overhead to the Web server, so this function is usually enabled only when the problem needs to be debugged. However, comprehensive logs and reviews are essential to some enterprises that place high importance on security.

Once ModSecurity encounters a matching condition, it can take extremely strict operations. These operations may be destructive, such as blocking transactions, or non-destructive, such as logging data. Once the conditions are met, it can execute Linux commands, which greatly extends the ModSecurity function and provides Linux with all the capabilities to process transactions. It can concatenate rules to apply more complex conditions. Its accounting algorithm can be used to replace ModEvasive and prevent a large number of requests and denial of service attacks.

ModSecurity Installation

You can obtain ModSecurity by downloading the official repository of the Debian-based release. For CentOS and other Red Hat-based releases, ModSecurity exists in the EPEL repository http://fedoraproject.org/wiki/EPEL), but if you want to get the latest version with the latest features, you need to perform a manual installation. The following describes how to install CentOS 6:

1. Make sure that httpd and httpd-devel are installed together with all their dependencies.

2. Enable unique_id_module in Apache. To this end, edit the/etc/httpd/conf/httpd. conf file and cancel the comment containing LoadModule unique_id_module modules/mod_unique_id.so. You must reload Apache to make the change take effect.

3. download the latest version of ModSecurity from the http://www.modsecurity.org/download/ of the project website.

4. Extract the downloaded package and go to the newly created directory modsecurity-apache_2.x.x where x. x is the latest branch of ModSecurity.

5. Complete the standard steps of the security source software package: configuration, compilation, and installation.

6. If the preceding command is successfully executed, ModSecurity will be installed on the system. A new Apache module will appear in/etc/httpd/modules/mod_security2.so, while the executable file of ModSecurity will appear
In/usr/local/modsecurity/bin.

7. Install the new ModSecurity module and edit the configuration file/etc/httpd/conf/httpd. conf of Apache. Find LoadModule and find the part that loads all modules. Add LoadModule security2_module modules/mod_security2.so at the end of this section.

8. Restart Apache. Run apachectl-D DUMP_MODULES | grep security to ensure that ModSecurity is correctly installed and find security2_module (shared) in the output ).

Now, ModSecurity has been installed, but it has not been enabled or configured. Now you may wish to configure it.