Introduction

Mod_security is a Web Application Firewall (WAF). It protects your Web server from SQL injection and many other attacks, and in the latest version it also stops some incomplete HTTP request attacks.

Installing mod_security

We will install the version from the Ubuntu package archive. Start Ubuntu and log in. From the menu bar, click Applications, Accessories, Terminal. Ping ubuntu.com and make sure you are getting replies; if you are not, you need to fix your networking before you can proceed.

In the Terminal window, execute this command (enter your password when prompted):

    sudo apt-get install libapache-mod-security

Creating the modsecurity Configuration File

In the Terminal window, execute this command:

    sudo gedit /etc/apache2/conf.d/modsecurity2.conf

Enter these three lines (the Include path is relative to Apache's ServerRoot, /etc/apache2, so it points at the rules directory created in the next step):

    <IfModule mod_security2.c>
        Include modsecurity-rules/*.conf
    </IfModule>

Save the file.

Adding Rules

Modsecurity has no effect without rules, which describe which requests to block. We'll use a basic rule set that stops common attacks. In the Terminal window, execute these commands:

    cd /tmp
    wget http://downloads.sourceforge.net/project/mod-security/modsecurity-apache/2.5.12/modsecurity-apache_2.5.12.tar.gz
    tar -xzf modsecurity-apache_2.5.12.tar.gz
    cd modsecurity-apache_2.5.12
    sudo mkdir /etc/apache2/modsecurity-rules
    sudo cp rules/*.conf /etc/apache2/modsecurity-rules/
    sudo cp rules/base_rules/* /etc/apache2/modsecurity-rules/

Restarting Apache

In the Terminal window, execute this command:

    sudo /etc/init.d/apache2 restart

The commands

    a2dismod mod-security
    a2enmod mod-security

will unload and reload Apache's mod-security module (restart Apache afterwards for the change to take effect).

Testing modsecurity

To test modsecurity, we will use curl to send HTTP requests to the Apache server. One of the modsecurity default rules is to reject requests with a User Agent of "Nessus" -- I suppose this is intended to deny information to attackers who use automated scanners.
In the Terminal window, execute these commands:

    sudo apt-get install curl -y
    curl -i http://localhost/

This requests your default Web page, which loads normally with a status of HTTP/1.1 200 OK.

In the Terminal window, execute this command:

    curl -i http://localhost/ -A Nessus

You should see a 403 Forbidden response, as shown below on this page. Modsecurity has blocked the request because the User Agent identifies it as a Nessus scan.

More Security Tips

Apache itself should be hardened as well. For instance, add the following to httpd.conf to disable .htaccess overrides and deny access to the filesystem root by default (access to the directories you actually serve is then granted explicitly in their own Directory blocks):

    <Directory />
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>

In the file /etc/apache2/conf.d/security, we should have:

    ServerTokens Prod
    ServerSignature Off
    TraceEnable Off

These hide the Apache version from the Server header and from server-generated error pages, and disable the TRACE method.

If you need help with any questions, get in touch via this link.
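The lab verifies the WAF and the hardening settings by eye. The script below is an added example, not part of the original lab, that turns both checks into something scriptable: a parser for the status line of a `curl -i` response (so a 200 for a plain request and a 403 for the Nessus User-Agent can be asserted), and an audit of an Apache config file for the three directives set above. The sample responses and the config contents used in the demonstration are constructed here; `check_waf` is the only function that needs a running server and is not invoked automatically.

```shell
#!/bin/sh
# Added example (not from the original lab): scriptable checks for the
# two things this page asks you to verify by hand.

# Extract the numeric status code from the first line of a `curl -i`
# response read on stdin, e.g. "HTTP/1.1 403 Forbidden" -> 403.
http_status() {
    head -n 1 | awk '{print $2}' | tr -d '\r'
}

# Return 0 when the response text passed as $1 is a 403, i.e. the request
# was rejected by the WAF rules rather than served.
is_blocked() {
    [ "$(printf '%s\n' "$1" | http_status)" = "403" ]
}

# Audit an Apache config file for the hardening directives the page sets.
# Prints each missing or mis-set directive; returns 0 only if all are right.
# Directive names and values are case-insensitive in Apache, hence -i.
audit_security_conf() {
    conf="$1"
    rc=0
    for pair in "ServerTokens Prod" "ServerSignature Off" "TraceEnable Off"; do
        if ! grep -Eiq "^[[:space:]]*${pair}[[:space:]]*$" "$conf"; then
            echo "missing or wrong: $pair"
            rc=1
        fi
    done
    return $rc
}

# Live check against a running lab server (needs Apache + mod_security up):
#   check_waf http://localhost/
# Passes only when a plain request is served (200) and the same request
# with the Nessus User-Agent is blocked (403).
check_waf() {
    url="$1"
    if curl -s -i "$url" | http_status | grep -q '^200$' \
       && curl -s -i "$url" -A Nessus | http_status | grep -q '^403$'; then
        echo "WAF active: plain request 200, Nessus User-Agent 403"
    else
        echo "WAF check failed for $url"
        return 1
    fi
}

# Constructed sample responses in the shape `curl -i` prints them.
RESP_OK='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

<html><body>It works!</body></html>'

RESP_BLOCKED='HTTP/1.1 403 Forbidden
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><head><title>403 Forbidden</title></head></html>'

# Offline demonstration on the constructed data.
printf '%s\n' "$RESP_OK" | http_status        # prints 200
printf '%s\n' "$RESP_BLOCKED" | http_status   # prints 403
```

Run it as-is to see the parser on the constructed responses; on the lab machine, call `check_waf http://localhost/` after restarting Apache, and `audit_security_conf /etc/apache2/conf.d/security` to confirm the three directives are present.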