
Written by Mr. Sontaya Photibut Saturday, 02 May 2009 14:58

Securing Apache Web Server with mod_security V.2.5.6

1. Downloading & verifying mod_security

# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz

--10:36:17--  http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz

           => `modsecurity-apache_2.5.6.tar.gz'

Resolving www.modsecurity.org... 80.68.84.129

Connecting to www.modsecurity.org|80.68.84.129|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1,079,094 (1.0M) [application/x-tar]


100%[=======================================>] 1,079,094     69.96K/s    ETA 00:00


10:36:33 (68.76 KB/s) - `modsecurity-apache_2.5.6.tar.gz' saved [1079094/1079094]


2. Verifying the MD5 checksum and importing the mod_security signing key

# md5sum modsecurity-apache_2.5.6.tar.gz

eb9e80a232269378752aa5b81f3e99f8  modsecurity-apache_2.5.6.tar.gz

# gpg --keyserver pgp.mit.edu --recv-key 971B7E08

gpg: requesting key 971B7E08 from hkp server pgp.mit.edu

gpg: key 971B7E08: public key "Ivan Ristic <ivanr@webkreator.com>" imported

gpg: no ultimately trusted keys found

gpg: Total number processed: 1

gpg:               imported: 1


3. Downloading the mod_security signature file

# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz.asc

--10:41:20--  http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz.asc

           => `modsecurity-apache_2.5.6.tar.gz.asc'

Resolving www.modsecurity.org... 80.68.84.129

Connecting to www.modsecurity.org|80.68.84.129|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 189 [text/plain]


100%[===============================================>] 189           --.--K/s


10:41:21 (13.86 MB/s) - `modsecurity-apache_2.5.6.tar.gz.asc' saved [189/189]


4. Importing the PGP key that signed the release (key 46F78EE4)

# gpg --keyserver pgp.mit.edu --recv-key 46F78EE4


5. Checking the signature with gpg

# gpg modsecurity-apache_2.5.6.tar.gz.asc

gpg: Signature made Fri Aug  1 02:11:01 2008 ICT using DSA key ID 46F78EE4

gpg: Good signature from "Brian Rectanus <Brian.Rectanus@breach.com>"

gpg:                 aka "Brian Rectanus <brectanu@breach.com>"

gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the owner.

Primary key fingerprint: 1F42 C34F E7A3 B206 505B  B908 CF91 C7E8 46F7 8EE4


6. Verifying the signature with gpg --verify
# gpg --verify modsecurity-apache_2.5.6.tar.gz.asc

gpg: Signature made Fri Aug  1 02:11:01 2008 ICT using DSA key ID 46F78EE4

gpg: Good signature from "Brian Rectanus <Brian.Rectanus@breach.com>"

gpg:                 aka "Brian Rectanus <brectanu@breach.com>"

gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the owner.

Primary key fingerprint: 1F42 C34F E7A3 B206 505B  B908 CF91 C7E8 46F7 8EE4
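The output above shows why the download should be checked by script rather than by eye: gpg reports "Good signature" even though the key is not certified, so the fingerprint it prints has to be compared with one obtained out of band, and the md5sum value is only useful if it is compared with the published one. The following is an added example, not part of the original article, that performs both checks fail-closed. The MD5 value and the key fingerprint are the ones printed on this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): fail-closed verification of
# a downloaded release tarball before it is unpacked.

# Compare the MD5 of a file with an expected value; return non-zero on mismatch.
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Verify a detached signature and insist that it was made by a specific key.
# gpg prints "Good signature" even for an uncertified key (see the WARNING
# above), so the fingerprint in the VALIDSIG status line is compared against
# the one obtained out of band (40 hex digits, no spaces).
verify_signature() {
    file=$1
    sig=$2
    fingerprint=$3
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fingerprint "
}

# Run both checks; either failure stops the install before tar is reached.
verify_release() {
    tarball=$1
    md5=$2
    fingerprint=$3
    verify_md5 "$tarball" "$md5" || return 1
    verify_signature "$tarball" "$tarball.asc" "$fingerprint" || {
        echo "signature check failed for $tarball" >&2
        return 1
    }
    echo "$tarball verified"
}

# Example invocation with the values shown in the article:
# verify_release modsecurity-apache_2.5.6.tar.gz \
#     eb9e80a232269378752aa5b81f3e99f8 \
#     1F42C34FE7A3B206505BB908CF91C7E846F78EE4
```

The fingerprint is deliberately passed in by the caller rather than read from the keyserver response: the keyserver is not authenticated, so the only thing that makes the signature meaningful is a fingerprint recorded from a trusted source before the download.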

 

7. mod_security dependencies

# yast -i libxml2-devel

# yast -i apache2-devel

# yast -i pcre-devel

 

8. Installing mod_security

# tar zxvf modsecurity-apache_2.5.6.tar.gz

modsecurity-apache_2.5.6/

modsecurity-apache_2.5.6/apache2/

modsecurity-apache_2.5.6/apache2/.deps

modsecurity-apache_2.5.6/apache2/configure

modsecurity-apache_2.5.6/apache2/apache2.h

modsecurity-apache_2.5.6/apache2/Makefile.in

modsecurity-apache_2.5.6/apache2/msc_logging.h

modsecurity-apache_2.5.6/apache2/modsecurity.h

...

9. Compiling mod_security source code

# cd modsecurity-apache_2.5.6/apache2/

# ./configure --with-apxs=/usr/sbin/apxs2

# make && make install


10. Enabling mod_security

# vim /etc/apache2/httpd.conf

--> find the "Global Environment" section and add the following line:

# Load libxml2

LoadFile /usr/lib/libxml2.so        <-- path on 32-bit systems


### Global Environment ######################################################

#

# The directives in this section affect the overall operation of Apache,

# such as the number of concurrent requests.


# Load libxml2

LoadFile /usr/lib64/libxml2.so      <-- path on 64-bit systems


:wq!


# vim /etc/sysconfig/apache2

--> find the line beginning with APACHE_MODULES="

--> add unique_id and security2 to the module list (shown at the start of the list below):


APACHE_MODULES="unique_id security2 actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 rewrite mod_ldap mod_authnz_ldap"


:wq!


11. Restart Apache2 and Test config

# service apache2 configtest

Syntax OK

# rcapache2 restart
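Steps 10 and 11 are edits to two files followed by a syntax check. Because the same edit tends to be repeated across servers, the following added example (not from the original article) scripts it so that it is idempotent: a module already listed in APACHE_MODULES is not added a second time, and the libxml2 LoadFile line is chosen from the architecture reported by uname -m. The file paths are the SUSE ones used in the article; the function names and the architecture mapping are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): repeatable version of the
# edits in steps 10 and 11.

# Emit the LoadFile line the article shows for 32-bit or 64-bit systems.
# The uname -m mapping is an assumption; adjust it for other platforms.
libxml2_loadfile() {
    case $(uname -m) in
        x86_64|ppc64|s390x|aarch64) echo "LoadFile /usr/lib64/libxml2.so" ;;
        *)                          echo "LoadFile /usr/lib/libxml2.so" ;;
    esac
}

# Add modules to the APACHE_MODULES="..." line of a sysconfig file, keeping
# the order given and skipping any module that is already listed, so running
# the script twice does not list (and load) a module twice.
enable_apache_modules() {
    file=$1; shift
    current=$(sed -n 's/^APACHE_MODULES="\(.*\)"$/\1/p' "$file")
    missing=""
    for mod in "$@"; do
        case " $current " in
            *" $mod "*) ;;                       # already enabled
            *) missing="$missing$mod " ;;
        esac
    done
    current="$missing$current"
    current=${current% }                          # drop a trailing space
    sed "s|^APACHE_MODULES=\".*\"$|APACHE_MODULES=\"$current\"|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Print the current module list, for checking the result.
apache_modules() {
    sed -n 's/^APACHE_MODULES="\(.*\)"$/\1/p' "$1"
}

# Typical use on the server (commented out so the file runs without root):
# enable_apache_modules /etc/sysconfig/apache2 unique_id security2
# libxml2_loadfile >> /etc/apache2/httpd.conf   # or paste into Global Environment
# service apache2 configtest && rcapache2 restart
```

The sed edit writes to a temporary file and renames it into place rather than editing in place, so a failed run leaves /etc/sysconfig/apache2 untouched.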


12. mod_security policy file

# cd /etc/apache2/

# vim mod_security.conf

--------------------------------------------------

# Basic configuration options

SecRuleEngine On

SecRequestBodyAccess On

SecResponseBodyAccess Off


# Handling of file uploads

# TODO Choose a folder private to Apache.

# SecUploadDir /opt/apache-frontend/tmp/

SecUploadKeepFiles Off


# Debug log

SecDebugLog /var/log/apache2/modsec_debug.log

SecDebugLogLevel 0


# Serial audit log: write an entry only for transactions
# whose response status matches the regex below (5xx)

SecAuditEngine RelevantOnly

SecAuditLogRelevantStatus ^5

SecAuditLogParts ABIFHZ

SecAuditLogType Serial

SecAuditLog /var/log/apache2/modsec_audit.log


# Maximum request body size we will

# accept for buffering

SecRequestBodyLimit 131072


# Store up to 128 KB in memory

SecRequestBodyInMemoryLimit 131072


# Buffer response bodies of up to

# 512 KB in length

SecResponseBodyLimit 524288


# Set Server Signature (only takes effect when
# ServerTokens Full is set in httpd.conf)

SecServerSignature "SUSE Linux Enterprise Server "

-------------------------------------------

:wq!


# ls -l mod_security.conf


# vim /etc/apache2/httpd.conf

### Global Environment ######################################################

#

# The directives in this section affect the overall operation of Apache,

# such as the number of concurrent requests.


# Load libxml2

LoadFile /usr/lib/libxml2.so


# Mod_security policy file

Include /etc/apache2/mod_security.conf


:wq!


# service apache2 configtest

Syntax OK

# service apache2 restart

Shutting down httpd2 (waiting for all children to terminate)          done

Starting httpd2 (prefork)


Finished.


Ref: http://www.novell.com/communities
