13. ModSecurity (2.5.12) in Apache


Mod_security is a Web Application Firewall.
It protects your Web server from SQL injection and many other attacks, and in the latest version, it stops some Incomplete HTTP Request attacks.

Installing mod_security

We will install the archive's version.

Start Ubuntu and log in. From the Menu bar, click Applications, Accessories, Terminal. Ping ubuntu.com and make sure you are getting replies. If you are not, you need to fix your networking before you can proceed.

In the Terminal window, execute this command (when you are prompted to, enter your password):

sudo apt-get install libapache-mod-security

Creating the modsecurity Configuration File

In the Terminal window, execute this command:

sudo gedit /etc/apache2/conf.d/modsecurity2.conf

Enter these three lines:

<ifmodule mod_security2.c>
Include modsecurity-rules/*.conf

Save the file.

Adding Rules

Modsecurity has no effect without rules, which describe the commands to block.
We'll use a basic rule set that stops common attacks.

In the Terminal window, execute these commands:

cd /tmp

wget http://downloads.sourceforge.net/project/mod-security/modsecurity-apache/2.5.12/modsecurity-apache_2.5.12.tar.gz

tar -xzf modsecurity-apache_2.5.12.tar.gz

cd modsecurity-apache_2.5.12

sudo mkdir /etc/apache2/modsecurity-rules

sudo cp rules/*.conf /etc/apache2/modsecurity-rules/

sudo cp rules/base_rules/* /etc/apache2/modsecurity-rules/

Restarting Apache

In the Terminal window, execute this command:

sudo /etc/init.d/apache2 restart

The commands:

a2dismod mod-security

a2enmod mod-security

will unload and reload apache's mod-security module.

Testing modsecurity

To test modsecurity, we will use curl to send HTTP requests to the Apache server.
One of the modsecurity default rules is to reject requests with a User Agent of "Nessus"--I suppose this is intended to deny information to attackers who use automated scanners.

In the Terminal window, execute these commands:

sudo apt-get install curl -y

curl -i http://localhost/

This requests your default Web page, which loads normally, with a status of HTTP/1.1 200 OK,

In the Terminal window, execute this command:

curl -i http://localhost/ -A Nessus

You should see a 403 Forbidden response, as shown below on this page.
Modsecurity has blocked the request, because the User Agent identifies it as a Nessus scan.

More Security tips

In Apache web.

For instance, we add the following content to our httpd.conf file:

<Directory />
AllowOverride None

<Directory />
Order Deny,Allow
Deny from all

In the file /etc/apache2/conf.d/security, we should have:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Si necessiteu resoldre algun dubte, poseu-vos en contacte a través d'aquest enllaç.