Use mod_security to enhance Apache Security

Source: Internet
Author: User
Tags modsecurity

I. Introduction
Mod_security is an open-source web application security program (a web application firewall) that integrates intrusion detection and prevention engine functions.
It runs as an Apache web server module to enhance the security of web applications and protect them from known and unknown attacks.

The system used in this article is Red Hat Linux Advanced Server version 3. We recommend that you use the latest stable release of modsecurity, which is currently 1.8.7. The installation method is to integrate mod_security into the Apache web server through DSO (dynamic shared object).
(Note: the steps in this article are also applicable to other Linux distributions.)

II. Preparation
1. Required software packages
1) Apache source code package:
http://apache.justdn.org/httpd/apache_1.3.33.tar.gz

2) mod_security source code package:
http://www.modsecurity.org/download/...y-1.8.7.tar.gz

3) mod_security basic rules:
http://fedoranews.org/jorge/mod_secu..._security.conf

2. Download and decompress the Apache HTTP package.
We recommend that you obtain a reliable Apache HTTP software package from the official Apache website.
Download URL: http://apache.justdn.org/httpd/apache_1.3.33.tar.gz

1) Create a directory for storing the Apache software packages.
# mkdir -p /usr/local/src/webserver

2) Use the wget command to obtain the source code package.
# wget http://apache.tarchive.com/httpd/apache_1.3.33.tar.gz
(If you cannot download the file with wget, you can save it from your browser or upload it to the webserver directory through ftp.)

3) Verify the integrity of the downloaded software.
First download the separate checksum file apache_1.3.33.tar.gz.md5, then compare the MD5 checksum recorded in that file with the MD5 checksum computed from the package.

Check the content of apache_1.3.33.tar.gz.md5:
# cat apache_1.3.33.tar.gz.md5
MD5 (apache_1.3.33.tar.gz) = 3dfd2c3778f37a2dfc22b97450a61407

Compute the MD5 checksum of apache_1.3.33.tar.gz:
# md5sum apache_1.3.33.tar.gz
3dfd2c3778f37a2dfc22b97450a61407  apache_1.3.33.tar.gz

Compare the MD5 values from the two preceding steps; if they are identical, the integrity of the Apache package is confirmed.

4) Decompress the source code package. A new directory named apache_1.3.33 is created under the webserver directory.
# tar zpxf apache_1.3.33.tar.gz

3. Download and decompress the modsecurity software package.
We recommend that you obtain reliable software packages from the official modsecurity website.
Download URL: http://www.modsecurity.org/download/index.html

1) Use the wget command to obtain the source code package.
# wget http://www.modsecurity.org/download/...y-1.8.7.tar.gz
(If you cannot download the file with wget, you can save it from your browser or upload it to the webserver directory through ftp.)

# ls -al modsecurity-1.8.7.tar.gz
-rw-r -- 1 root 313004 Mar 5 modsecurity-1.8.7.tar.gz

# pwd
/usr/local/src/webserver

2) Verify the integrity of the downloaded software.
First download the separate checksum file modsecurity-1.8.7.tar.gz.md5, then compare the MD5 checksum recorded in that file with the MD5 checksum computed from the package.

Download the modsecurity checksum file:
# wget http://www.modsecurity.org/download/...8.7.tar.gz.md5

Check the content of modsecurity-1.8.7.tar.gz.md5:
# cat modsecurity-1.8.7.tar.gz.md5
modsecurity-1.8.7.tar.gz 0dd48656e451c711358c097dc80e0369

Compute the MD5 checksum of modsecurity-1.8.7.tar.gz:
# md5sum modsecurity-1.8.7.tar.gz
0dd48656e451c711358c097dc80e0369  modsecurity-1.8.7.tar.gz

Compare the MD5 values from the two preceding steps; if they are identical, the integrity of the modsecurity package is confirmed.

3) Decompress the source code package. A new directory named modsecurity-1.8.7 is created under the webserver directory.
# tar zpxf modsecurity-1.8.7.tar.gz
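
The manual comparison used for both the Apache and the modsecurity package can be scripted so that a mismatch stops the build. This is an added example, not part of the original article: the function names and the sample file are made up for illustration, and it assumes md5sum is installed.

```shell
#!/bin/sh
# Added example (not from the original article): check a download against
# its .md5 file, whichever layout the file uses:
#   MD5 (apache_1.3.33.tar.gz) = <hash>        BSD style
#   <hash>  <file>   or   <file> <hash>        two-field styles

# Print the first 32-hex-digit token in a checksum file, lowercased.
expected_md5() {
    tr -cs '0-9A-Fa-f' '\n' < "$1" | grep -E '^[0-9A-Fa-f]{32}$' |
        head -n 1 | tr 'A-F' 'a-f'
}

# Print the MD5 of a file; reading stdin keeps the file name out of the output.
actual_md5() {
    md5sum < "$1" | cut -d ' ' -f 1
}

# verify_md5 FILE [SUMFILE]: 0 = match, 1 = mismatch, 2 = cannot check.
verify_md5() {
    file=$1
    sumfile=${2:-$1.md5}
    if [ ! -r "$file" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $file or $sumfile" >&2
        return 2
    fi
    want=$(expected_md5 "$sumfile")
    if [ -z "$want" ]; then
        echo "no MD5 value found in $sumfile" >&2
        return 2
    fi
    got=$(actual_md5 "$file")
    if [ "$got" != "$want" ]; then
        echo "MISMATCH $file: expected $want, got $got" >&2
        return 1
    fi
    echo "OK $file $got"
}

# Constructed demo: a throwaway file checked against both layouts.
demo_dir=$(mktemp -d)
printf 'constructed sample archive\n' > "$demo_dir/sample.tar.gz"
sum=$(actual_md5 "$demo_dir/sample.tar.gz")
printf 'MD5 (sample.tar.gz) = %s\n' "$sum" > "$demo_dir/bsd.md5"
printf 'sample.tar.gz %s\n' "$sum" > "$demo_dir/plain.md5"
verify_md5 "$demo_dir/sample.tar.gz" "$demo_dir/bsd.md5"
verify_md5 "$demo_dir/sample.tar.gz" "$demo_dir/plain.md5"
rm -rf "$demo_dir"
```

A matching MD5 value shows that the download was not corrupted in transit; when the .md5 file comes from the same server as the package, it does not authenticate the publisher.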

4. Download the modsecurity rule file
# cd /usr/local/src/webserver
# wget http://fedoranews.org/jorge/mod_secu..._security.conf


III. Install Apache and Modsecurity

1. Install Apache

Please refer to the article:
Build an Apache HTTP Server using DSO on Redhat Linux 9
http://bbs.islab.org/showthread.php?t=370

Note: the steps for installing Apache on Red Hat 9 also apply to other systems.

2. Install Modsecurity

Run apxs in the Apache 1.x directory (apache1) of the modsecurity source tree (you must have root permission to run the following command).

# cd /usr/local/src/webserver/modsecurity-1.8.7/apache1

[root@reakosys apache1]# /www/bin/apxs -cia mod_security.c
gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DUSE_HSREGEX -fpic
-DSHARED_MODULE -I/www/include -c mod_security.c
gcc -shared -o mod_security.so mod_security.o
[activating module `security' in /www/conf/httpd.conf]
cp mod_security.so /www/libexec/mod_security.so
chmod 755 /www/libexec/mod_security.so
cp /www/conf/httpd.conf /www/conf/httpd.conf.bak
cp /www/conf/httpd.conf.new /www/conf/httpd.conf
rm /www/conf/httpd.conf.new

Copy the modsecurity rule file to Apache's conf directory.
# cd /usr/local/src/webserver
# cp mod_security.conf /www/conf/

Create the log directory.
# mkdir -p /var/log/httpd

Modify the Apache configuration file.
# vi /www/conf/httpd.conf
Add the line:
Include conf/mod_security.conf

Note: by now, the httpd.conf file contains the following three lines (the first two were added automatically; the third was added manually):
LoadModule security_module libexec/mod_security.so
AddModule mod_security.c
Include conf/mod_security.conf

Then restart your Apache web server.
# apachectl restart
/usr/sbin/apachectl restart: httpd not running, trying to start
/usr/sbin/apachectl restart: httpd started

Check whether the log files have been generated.
# ls -al
total 8
drwxr-xr-x 2 root 4096 May 22 .
drwxr-xr-x 10 root 4096 May 22 ..
-rw------- 1 root 0 May 22 21:18 audit_log
-rw------- 1 root 0 May 22 21:18 modsec_debug_log

The modsecurity configuration file mod_security.conf is located in Apache's configuration directory conf, and the log file is /var/log/httpd/audit_log.

The modsecurity configuration file contains some basic rule settings, which are sufficient for general websites.
If you have special requirements, refer to the following URL:
http://www.modsecurity.org/documentation/index.html

The following describes the configuration file mod_security.conf.


IV. Modsecurity configuration file

<IfModule mod_security.c>

# Turn the filtering engine On or Off
SecFilterEngine On

Analyzes each HTTP request.

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

Verifies that URL encoding is valid.

# Only allow bytes from this range
SecFilterForceByteRange 32 126

Byte range check: only bytes 32 to 126 (printable ASCII) are accepted, which effectively prevents stack overflow attacks.

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

This effectively resolves the issue of apache logs to a user or Attacker
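
To see which requests the SecFilterCheckURLEncoding and SecFilterForceByteRange settings above turn away, the following added example (not mod_security code and not part of the original article) models the two checks on constructed request URIs. The function name is made up, and it assumes the byte range is applied both to raw bytes and to percent-decoded bytes.

```shell
#!/bin/sh
# Added example (not mod_security code): a stand-alone model of
#   SecFilterCheckURLEncoding On
#   SecFilterForceByteRange 32 126
# Assumption: the byte range is applied to raw and to percent-decoded bytes.

# check_uri URI: print a verdict, return 0 only when the URI passes.
check_uri() {
    uri=$1
    # Rule 1: every '%' must be followed by two hexadecimal digits.
    if printf '%s' "$uri" | LC_ALL=C grep -Eq \
        '%([^0-9A-Fa-f]|[0-9A-Fa-f][^0-9A-Fa-f]|[0-9A-Fa-f]?$)'; then
        echo "reject: invalid URL encoding"
        return 1
    fi
    # Rule 2a: count raw bytes outside 32..126 (space through tilde).
    stray=$(printf '%s' "$uri" | LC_ALL=C tr -d ' -~' | wc -c)
    if [ "$((stray))" -gt 0 ]; then
        echo "reject: raw byte outside 32-126"
        return 1
    fi
    # Rule 2b: each %XX must also decode to a byte inside the range.
    for enc in $(printf '%s' "$uri" | LC_ALL=C grep -oE '%[0-9A-Fa-f]{2}'); do
        val=$(printf '%d' "0x${enc#%}")
        if [ "$val" -lt 32 ] || [ "$val" -gt 126 ]; then
            echo "reject: encoded byte $val outside 32-126"
            return 1
        fi
    done
    echo "pass"
}

# Constructed sample request URIs.
for u in '/index.php?id=42' '/a%20b' '/a%2' '/a%zzb' '/a%00b' '/%e4%b8%ad'; do
    printf '%-18s %s\n' "$u" "$(check_uri "$u")"
done
```

Under this model the last sample, percent-encoded UTF-8, is rejected too, so a site that accepts non-ASCII parameters needs a wider range than 32 126.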
