Mod_security2

Source: Internet   Published by: 南昌教师网络教研平台   Editor: 程序博客网   Time: 2024/05/24 16:16

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Install:

- Create .../apache2/modules/mod_security2 and copy mod_security2.so and libxml2.dll to this folder

- Install the Visual C++ 2008 Redistributable Package

  Download it, if you have not done so already, from:

  www.microsoft.com/downloads/details.aspx?FamilyID=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=en


# Add to your httpd.conf:

- LoadModule security2_module modules/mod_security2/mod_security2.so

- Enable the module unique_id by uncommenting:

  LoadModule unique_id_module modules/mod_unique_id.so


# Configuration: see the included documentation

# A very quick start:

SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log

## -- General rules --------------------

SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
SecRule ARGS "d:/" t:normalisePathWin

## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"

To check that mod_security is working, add the "\.\./" rule shown above and call your site with:

http://www.xxxxcom/?abc=../../

You should get an "access denied" response (status 403), triggered by the rule above: SecRule ARGS "\.\./" t:normalisePathWin
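As an added illustration (not part of the original notes), the following Python script re-implements, approximately, the transformation chain and the three general rules above so the check URL can be reasoned about offline before touching a live server. Ids 99997 and 99998 are assumed (ModSecurity 2.7 and later require an id on every rule), and normalise_path_win is written from the documented semantics of t:normalisePathWin, not ModSecurity's own code.

```python
import re
from urllib.parse import parse_qsl

# The three "General rules" from the quick start, given explicit ids because
# ModSecurity 2.7+ refuses rules without one (99997 and 99998 are assumed;
# 99999 is the id the notes already use for the "\.\./" rule).
GENERAL_RULES = [
    (99997, r"c:/"),
    (99999, r"\.\./"),
    (99998, r"d:/"),
]

def apply_default_transforms(value):
    """SecDefaultAction's t:lowercase,t:replaceNulls,t:compressWhitespace,
    which every rule below inherits before its own t:normalisePathWin."""
    value = value.lower().replace("\x00", " ")
    return re.sub(r"\s+", " ", value)

def normalise_path_win(value):
    """Approximation of t:normalisePathWin: backslashes become '/', repeated
    slashes collapse, '.' segments are dropped and '..' consumes the previous
    segment, except at the start of the input where ModSecurity keeps it."""
    parts = value.replace("\\", "/").split("/")
    out = []
    for i, seg in enumerate(parts):
        if seg == "." or (seg == "" and 0 < i < len(parts) - 1):
            continue                      # self-reference or doubled slash
        if seg == ".." and out and out[-1] not in ("..", ""):
            out.pop()                     # back-reference eats the previous segment
            continue
        out.append(seg)
    return "/".join(out)

def check_query(query):
    """Run the general rules over every ARGS value of a query string
    (ModSecurity URL-decodes ARGS before any transformation runs).
    Returns the sorted ids of the rules that would deny the request."""
    hits = set()
    for _name, raw in parse_qsl(query, keep_blank_values=True):
        value = normalise_path_win(apply_default_transforms(raw))
        for rule_id, pattern in GENERAL_RULES:
            if re.search(pattern, value):
                hits.add(rule_id)
    return sorted(hits)

if __name__ == "__main__":
    # The check URL from the notes, plus constructed variants the transformations fold into the same shape.
    for q in ("abc=../../", "abc=..%5C..%5C", "file=C:%5CWindows%5Cwin.ini", "page=a/b/../c"):
        print(q, "->", check_query(q) or "allowed")
```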

 

 

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

 

# To activate the rules for your web server installation:

  1) You may want to edit and customize modsecurity_crs_10_config.conf.
     Additionally you may want to edit modsecurity_crs_30_http_policy.conf,
     which enforces an application-specific HTTP protocol usage.

  2) Add the following line to your httpd.conf (assuming
     you've placed the rule files into conf/modsecurity/):

     Include conf/modsecurity/*.conf

  3) Restart the web server.

  4) Make sure your web sites are still running fine.

  5) Simulate an attack against the web server. Then check that
     the attack was correctly logged in the Apache error log,
     the ModSecurity debug log (if you enabled it) and the ModSecurity
     audit log (if you enabled it).

  6) If you configured your audit log entries to be transported
     to ModSecurity Console in real time, check that the alert was
     correctly recorded there too.

 

 

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

 

# In order to provide generic web application protection, the Core Rule Set
uses the following techniques:

1. HTTP protection - detecting violations of the HTTP protocol and a locally
defined usage policy.

2. Common Web Attacks Protection - detecting common web application security
attacks.

3. Automation detection - detecting bots, crawlers, scanners and other surface
malicious activity.

4. Trojan Protection - detecting access to Trojan horses.

5. Errors Hiding - disguising error messages sent by the server.

In addition, the rule set also hints at the power of ModSecurity beyond
providing security by reporting access from the major search engines to your
site.

 

 

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

# Accessing the server by IP address does not work

Access the server to try opening insecure files:

http://ip.of.your.server.de/index.php?file=/etc/passwd

You should get ERROR 501 in your browser and the SecAuditLog file should show:

[...]
GET /index.php?file=/etc/passwd HTTP/1.1 ...
[...]
Message: Access denied with code 501 (phase 2). Pattern match "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" at ARGS:file. [file "/etc/apache2/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "114"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"]

Caveats

  • When accessing your server via its IP address, a rule in modsecurity_crs_21_protocol_anomalies.conf denies the request. Edit the file and look for "Check that the host header is not an IP address".
