This discussion of mod_security refers to mod_security 2.x on Apache 2.x.
mod_security 2.x only works with Apache 2.x. It is not backward compatible with Apache 1.x.
Back on our Internet Servers page we showed you how to change a couple of security settings to reduce the amount of information your server gives out to potential attackers. Hiding version banners does nothing, however, against attacks carried in the HTTP requests themselves.
Even if your firewall is properly configured to allow only port 80 traffic to your Web server, attacks still arrive on port 80, most commonly as malformed or malicious URLs. mod_security is an Apache module (an IDS for the Web server, in effect a web application firewall) that inspects each request, watches for suspicious or malformed ones and blocks them before the application sees them. The module is no longer included with Debian because of a licensing dispute, so you have to get it from the package maintainer. Add the following line to your /etc/apt/sources.list file (apt needs the leading "deb" to recognise it as a package source):
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/ ./
After adding this line you’ll need to run the commands:
gpg --keyserver pgpkeys.mit.edu --recv-keys C514AF8E4BA401C3
gpg --export -a C514AF8E4BA401C3 | apt-key add -
to pull down the maintainer's public key, because the packages are digitally signed and apt checks the signatures against the keys it has been given. A keyserver only confirms that someone uploaded a key with that ID, not who, so compare the fingerprint (gpg --fingerprint C514AF8E4BA401C3) with the one the maintainer publishes before trusting it. Then run the update command:
apt-get update
to make apt aware of the packages available at this site. To see the name of the package that got added to the available inventory run the command:
apt-cache search mod-security
To install and enable the module, enter the command (substituting the package name that apt-cache search reported if it differs):
apt-get install libapache-mod-security
This not only adds the module files under /etc/apache2/mods-available but also creates the symlink to them in /etc/apache2/mods-enabled and restarts Apache. That alone does little good, though, because the module has no configuration file yet and so loads without any rules.
Below is a sample mod_security configuration file that you can use as a starting point. The first part of the file configures the module's operation; the second part adds the filtering rules it should use. Copy and paste the following into a file named something like "mod-security.conf" and copy it to your server with scp or sftp (plain FTP sends your login in the clear; if you must use it, transfer the file in ASCII mode).
Note that there are drastic differences between mod_security 1.x configuration statements and mod_security 2.x configuration statements. Most configuration examples available on the Web are for version 1.x. The example below is for 2.x because that is the version available on the package maintainer's site. If you want to customize your configuration, be sure to use the 2.x statements. One further caveat: ModSecurity 2.7 and later require every SecRule to carry a unique id action. The rules below omit ids because the packaged version predates that requirement; if your version refuses to start and complains that no action id is present, add an id:NNNN action to each rule.
<IfModule security2_module>
# *** MODULE CONFIG
# Turn the filtering engine On
SecRuleEngine On
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/apache2/modsec_audit.log
# Debug level set to a minimum (0) - 9 is max
SecDebugLogLevel 0
SecDebugLog /var/log/apache2/modsec_debug.log
# Should mod_security inspect POST payloads
SecRequestBodyAccess On
# By default log and deny suspicious requests
# with HTTP status 403
SecDefaultAction deny,log,status:403,phase:2
# *** FILTER RULES
# Command and path signatures in the request line. REQUEST_URI is matched
# after URL decoding and lowercasing so that %2Fetc%2Fpasswd or /BIN/LS
# cannot slip past a literal match.
SecRule REQUEST_URI "/etc/passwd" "t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "/bin/ls" "t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "/bin/uname" "t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "/usr/bin/whoami" "t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "cd\x20/tmp" "t:urlDecodeUni,t:lowercase"
SecRule REQUEST_URI "wget\x20" "t:urlDecodeUni,t:lowercase"
# Make sure that URL encoding is valid
SecRule ARGS "@validateUrlEncoding"
# Unicode encoding check
SecRule ARGS "@validateUtf8Encoding"
# Only allow bytes from this range in the "text" argument. The range is
# written low-high (a space-separated pair is not parsed); 1-255 rejects
# NUL bytes, use 32-126 for a field that should hold printable ASCII only.
SecRule ARGS:text "@validateByteRange 1-255"
# Block Santy.A worm (ARGS are already URL-decoded once, so a literal %27
# in the highlight argument means a double-encoded single quote)
SecRule ARGS:highlight "%27"
# Block drop table SQL injection attack
SecRule REQUEST_URI "drop[[:space:]]table" "t:urlDecodeUni,t:lowercase"
# Only accept request encodings we know how to handle.
# We exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type.
SecRule REQUEST_METHOD "!^(GET|HEAD)$" chain
SecRule REQUEST_HEADERS:Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
# (a Content-Length of 0 is harmless, so only a non-zero value is denied)
SecRule REQUEST_METHOD "^(GET|HEAD)$" chain
SecRule REQUEST_HEADERS:Content-Length "!@eq 0"
# Require the headers every browser sends. An absent header has no
# variable instance for "^$" to match, so count instances with & instead.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0"
SecRule &REQUEST_HEADERS:Host "@eq 0"
# Require Content-Length to be provided with every POST request
SecRule REQUEST_METHOD "^POST$" chain
SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
# Don't accept transfer encodings we know we don't handle
SecRule &REQUEST_HEADERS:Transfer-Encoding "@gt 0"
</IfModule>
Once the file is on the server, copy it into the /etc/apache2/conf.d directory so that Apache reads it when it starts. If the server already has real users, consider running with SecRuleEngine DetectionOnly for a while first and reviewing modsec_audit.log: rules such as the User-Agent check will also deny legitimate automated clients that send no such header. Check the configuration syntax and restart Apache (this is Apache 2, so the init script is apache2, not apache):
apache2ctl configtest
/etc/init.d/apache2 restart
You can test that it is working by requesting a URL that contains the text of one of the "SecRule REQUEST_URI" entries. For example, if your server's IP address is 192.168.1.80, enter the following in a browser's address bar:
http://192.168.1.80/bin/uname
You should get the Apache "Forbidden" error page, and a new entry should appear in /var/log/apache2/modsec_audit.log showing which rule matched.
You can write many rules of your own, including ones that allow certain kinds of traffic only from certain addresses. If you want to allow special access and get granular with your access control, check out the documentation at modsecurity.org.
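Before trusting the rule set with live traffic it helps to see, for a range of request shapes, which ones it denies and why. The script below is an added example, not code from the original page or from the ModSecurity project: it re-implements in Python the decisions the rules above make (URI signatures after urlDecodeUni/lowercase, then the chained header-consistency rules, in the same order and stopping at the first hit) and runs them over constructed sample requests. Assumptions: Python's re has no [[:space:]] class, so the drop-table pattern is written with \s; urllib's unquote stands in for t:urlDecodeUni; and the request records, host name and URIs are made up for illustration. The authoritative check is still a request against the real server.

```python
"""Offline model of the mod-security.conf rules above (added example)."""
import re
from urllib.parse import unquote

# Signatures from the "FILTER RULES" section. ModSecurity uses PCRE, so its
# [[:space:]] class is written \s here; \x20 is a literal space in both.
URI_SIGNATURES = [
    r"/etc/passwd", r"/bin/ls", r"/bin/uname", r"/usr/bin/whoami",
    r"cd\x20/tmp", r"wget\x20", r"drop\stable",
]

# Body encodings the rule set is willing to parse on non-GET requests.
FORM_CONTENT_TYPE = re.compile(r"^application/x-www-form-urlencoded$|^multipart/form-data;")


def evaluate(req):
    """Return (denied, reason) for a request dict of the form
    {"method": "GET", "uri": "/path?query", "headers": {"Host": "...", ...}}.
    Checks run in the order of the SecRule lines; the first hit wins, just as
    the module stops at the first rule whose deny action fires."""
    method = req["method"]
    # Header names are case-insensitive, as REQUEST_HEADERS:Name lookups are.
    headers = {name.lower(): value for name, value in req.get("headers", {}).items()}

    # t:urlDecodeUni,t:lowercase before matching, so %2Fetc%2Fpasswd is caught too.
    uri = unquote(req["uri"]).lower()
    for sig in URI_SIGNATURES:
        if re.search(sig, uri):
            return True, f"REQUEST_URI matched {sig!r}"

    # Chain: non-GET/HEAD request whose Content-Type is not a form encoding.
    # An absent header has no variable instance, so the chain does not fire.
    if method not in ("GET", "HEAD"):
        ctype = headers.get("content-type")
        if ctype is not None and not FORM_CONTENT_TYPE.search(ctype):
            return True, "unsupported Content-Type on non-GET request"

    # Chain: GET/HEAD with a non-zero Content-Length, i.e. a body.
    length = headers.get("content-length")
    if method in ("GET", "HEAD") and length is not None and length.strip() != "0":
        return True, "GET/HEAD request carries a body"

    # &REQUEST_HEADERS:User-Agent "@eq 0" and &REQUEST_HEADERS:Host "@eq 0"
    for required in ("user-agent", "host"):
        if required not in headers:
            return True, f"missing {required} header"

    # Chain: POST without any Content-Length header.
    if method == "POST" and length is None:
        return True, "POST without Content-Length"

    # Any Transfer-Encoding is rejected. Sent alongside Content-Length it is
    # also the classic request-smuggling shape, so keeping this strict is cheap.
    if "transfer-encoding" in headers:
        return True, "Transfer-Encoding not accepted"

    return False, "allowed"


BROWSER = {"Host": "www.example.com", "User-Agent": "Mozilla/5.0 (X11; Linux)"}

# Constructed sample traffic: two legitimate requests, the rest probes or oddities.
SAMPLE_REQUESTS = {
    "browser_get": {"method": "GET", "uri": "/index.php?page=1", "headers": BROWSER},
    "uname_probe": {"method": "GET", "uri": "/bin/uname", "headers": BROWSER},
    "encoded_passwd": {"method": "GET",
                       "uri": "/cgi-bin/view?f=..%2F..%2Fetc%2Fpasswd", "headers": BROWSER},
    "drop_table": {"method": "GET",
                   "uri": "/search.php?q=1%3B%20DROP%20TABLE%20users", "headers": BROWSER},
    "form_post": {"method": "POST", "uri": "/login",
                  "headers": {**BROWSER, "Content-Type": "application/x-www-form-urlencoded",
                              "Content-Length": "27"}},
    "json_post": {"method": "POST", "uri": "/api",
                  "headers": {**BROWSER, "Content-Type": "application/json",
                              "Content-Length": "17"}},
    "get_with_body": {"method": "GET", "uri": "/",
                      "headers": {**BROWSER, "Content-Length": "12"}},
    "no_user_agent": {"method": "GET", "uri": "/", "headers": {"Host": "www.example.com"}},
    "post_no_length": {"method": "POST", "uri": "/upload",
                       "headers": {**BROWSER, "Content-Type": "multipart/form-data; boundary=x"}},
    "chunked_post": {"method": "POST", "uri": "/upload",
                     "headers": {**BROWSER, "Content-Type": "application/x-www-form-urlencoded",
                                 "Content-Length": "4", "Transfer-Encoding": "chunked"}},
}


def audit(requests=SAMPLE_REQUESTS):
    """Evaluate every sample and return {name: (denied, reason)}."""
    return {name: evaluate(req) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (denied, reason) in audit().items():
        print(f"{'403' if denied else '200':>3}  {name:<15} {reason}")
```

Running the script prints one line per sample with the status the rule set would return. To reproduce a case against the real server, send the same shape with curl and look at the status code; for example `curl -s -o /dev/null -w '%{http_code}\n' -X POST -H 'Content-Type: application/json' -d '{}' http://192.168.1.80/api` should print 403 once the configuration is in place, while the same command with a form Content-Type should reach the application.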
Perimeter Security
The most common means of protecting a network is a firewall (or two, in the case of a DMZ, as illustrated back on the Firewall page). The biggest problem with firewalls is that people think they do more than they actually do. A firewall's strength is controlling which hosts and ports can be reached from outside and absorbing traffic-based attacks (DoS and the like). Once you open a port to let people in from the outside, the firewall cannot tell a legitimate user from an attacker using that same port. A firewall is not a substitute for strong OS and application security.
If you are going to use a firewall package on a Debian system, keep in mind that the firewall is just an application. As such, a host-based firewall offers little security if the underlying OS is not hardened. (This is why the NetMax commercial firewall product includes the OS: it lets them ensure the OS is properly configured.)
If you want to have Internet servers or provide remote access using a VPN server, be sure to use a DMZ configuration with two firewalls. In cases where critical or confidential business information is at risk, use stateful firewalls and IDS (Intrusion Detection System) software.
An IDS has been referred to as the burglar alarm of the network. See our Snort page on how to set one up.