Apache2+mod_security
Securing Apache Web Server with mod_security V.2.5.6
1. Downloading & verifying mod_security
# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
--10:36:17-- http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
=> `modsecurity-apache_2.5.6.tar.gz'
Resolving www.modsecurity.org... 80.68.84.129
Connecting to www.modsecurity.org|80.68.84.129|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,079,094 (1.0M) [application/x-tar]
100%[=======================================>] 1,079,094 69.96K/s ETA 00:00
10:36:33 (68.76 KB/s) - `modsecurity-apache_2.5.6.tar.gz' saved [1079094/1079094]
2. Checking the MD5 checksum and importing the project key
--> compare the md5sum output with the value published on modsecurity.org; a matching checksum only shows the download arrived intact, the PGP signature (steps 3-6) is what ties the archive to its author. The key fetched here (971B7E08, Ivan Ristic) is the project lead's; the 2.5.6 archive itself is signed by Brian Rectanus' key 46F78EE4, which is imported in step 4.
# md5sum modsecurity-apache_2.5.6.tar.gz
eb9e80a232269378752aa5b81f3e99f8 modsecurity-apache_2.5.6.tar.gz
# gpg --keyserver pgp.mit.edu --recv-key 971B7E08
gpg: requesting key 971B7E08 from hkp server pgp.mit.edu
gpg: key 971B7E08: public key "Ivan Ristic <ivanr@webkreator.com>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
3. Downloading the detached PGP signature (.asc) for the archive
# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz.asc
--10:41:20-- http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz.asc
=> `modsecurity-apache_2.5.6.tar.gz.asc'
Resolving www.modsecurity.org... 80.68.84.129
Connecting to www.modsecurity.org|80.68.84.129|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189 [text/plain]
100%[===============================================>] 189 --.--K/s
10:41:21 (13.86 MB/s) - `modsecurity-apache_2.5.6.tar.gz.asc' saved [189/189]
4. Importing the key that made the signature (key ID 46F78EE4, as reported by gpg in step 5)
# gpg --keyserver pgp.mit.edu --recv-key 46F78EE4
5. Checking the signature (gpg recognises a detached signature and looks for the file name without .asc)
# gpg modsecurity-apache_2.5.6.tar.gz.asc
gpg: Signature made Fri Aug 1 02:11:01 2008 ICT using DSA key ID 46F78EE4
gpg: Good signature from "Brian Rectanus <Brian.Rectanus@breach.com>"
gpg: aka "Brian Rectanus <brectanu@breach.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1F42 C34F E7A3 B206 505B B908 CF91 C7E8 46F7 8EE4
6. Verifying the signature explicitly with --verify (same result as step 5)
# gpg --verify modsecurity-apache_2.5.6.tar.gz.asc
gpg: Signature made Fri Aug 1 02:11:01 2008 ICT using DSA key ID 46F78EE4
gpg: Good signature from "Brian Rectanus <Brian.Rectanus@breach.com>"
gpg: aka "Brian Rectanus <brectanu@breach.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 1F42 C34F E7A3 B206 505B B908 CF91 C7E8 46F7 8EE4
--> "Good signature" means the archive is byte-for-byte what the holder of key 46F78EE4 signed. The WARNING is gpg saying that the key itself is not certified in your keyring: compare the primary key fingerprint printed above with one obtained out of band (not from the same web server that served the tarball) before building from the archive. A "BAD signature" means the archive must be discarded.
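The gpg output above ends with a "Good signature" followed by the uncertified-key warning. The following is an added example, written for this page and not taken from the ModSecurity project, that turns the warning into a hard check: it reads gpg's machine-readable status lines (--status-fd) instead of the human text, and accepts the archive only when the signature is valid and the signing key's primary fingerprint equals a pinned value. The fingerprint in the usage comment is the one gpg printed above; obtain it from a trusted channel before relying on it. Assumed: gpg on the PATH and the .asc file next to the tarball.

```shell
#!/bin/sh
# Added example (not from the original page): verify a release tarball against
# its detached signature and pin the signing key's primary fingerprint, so a
# "Good signature" from some other key fetched off a keyserver is rejected.
# Assumptions: gpg is installed; EXPECTED_FPR comes from a trusted channel.

# Strip spaces and case so a fingerprint copied from gpg output (grouped in
# blocks of four) compares equal to a pinned value.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read "gpg --status-fd 1" output on stdin and print the primary-key
# fingerprint, which is the last field of the VALIDSIG line. Prints nothing
# when there is no VALIDSIG line (bad signature, missing key, ...).
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF } END { if (fpr != "") print fpr }'
}

# verify_release TARBALL SIGNATURE EXPECTED_FPR
# Returns 0 only when gpg reports a valid signature AND the primary key
# fingerprint equals the pinned one. gpg exits 0 for a good signature even
# when the key is untrusted, so the fingerprint comparison is the real gate.
verify_release() {
    tarball=$1; sig=$2; expected=$(normalize_fpr "$3")
    status=$(gpg --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "gpg: signature on $tarball is BAD or the signing key is missing" >&2
        return 1
    }
    actual=$(printf '%s\n' "$status" | validsig_primary_fpr)
    if [ -z "$actual" ]; then
        echo "no VALIDSIG line from gpg: signature not valid" >&2
        return 1
    fi
    if [ "$(normalize_fpr "$actual")" != "$expected" ]; then
        echo "signing key mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    echo "OK: $tarball signed by key $actual"
}

# Usage with the page's files; the fingerprint is the one gpg printed above
# and must be confirmed out of band before it is treated as a pin:
#   verify_release modsecurity-apache_2.5.6.tar.gz \
#       modsecurity-apache_2.5.6.tar.gz.asc \
#       "1F42 C34F E7A3 B206 505B B908 CF91 C7E8 46F7 8EE4"
```

Once the pin is in place, the "not certified" warning no longer matters: a tarball signed by any other key, or tampered with after signing, makes verify_release exit non-zero, which is what a build script should stop on.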
7. mod_security dependencies
# yast -i libxml2-devel
# yast -i apache2-devel
# yast -i pcre-devel
8. Installing mod_security
# tar zxvf modsecurity-apache_2.5.6.tar.gz
modsecurity-apache_2.5.6/
modsecurity-apache_2.5.6/apache2/
modsecurity-apache_2.5.6/apache2/.deps
modsecurity-apache_2.5.6/apache2/configure
modsecurity-apache_2.5.6/apache2/apache2.h
modsecurity-apache_2.5.6/apache2/Makefile.in
modsecurity-apache_2.5.6/apache2/msc_logging.h
modsecurity-apache_2.5.6/apache2/modsecurity.h
.
.
.
9. Compiling mod_security source code
# cd modsecurity-apache_2.5.6/apache2/
# ./configure --with-apxs=/usr/sbin/apxs2
# make && make install
10. Enabling mod_security
# vim /etc/apache2/httpd.conf
--> find : Global Environment
--> additional line : a LoadFile for libxml2 (mod_security 2.5 needs the library loaded before the module itself); use the path that matches the architecture
### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.
# Load libxml2
LoadFile /usr/lib/libxml2.so      <-- path for 32-bit
# or
LoadFile /usr/lib64/libxml2.so    <-- path for 64-bit
:wq!
# vim /etc/sysconfig/apache2
-->find : APACHE_MODULES="
--> additional line : unique_id security2 at the front of the list (mod_unique_id must be loaded before security2; the audit log uses it for transaction IDs)
APACHE_MODULES="unique_id security2 actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 rewrite mod_ldap mod_authnz_ldap"
:wq!
11. Test config and restart Apache2
--> run the config test first; restarting on a broken config takes the server down
# service apache2 configtest   (or: rcapache2 configtest)
Syntax OK
# rcapache2 restart
12. mod_security policy file
# cd /etc/apache2/
# vim mod_security.conf
--------------------------------------------------
# Basic configuration options
# Engine settings only: this file contains no SecRule lines, so nothing is
# blocked until rules (e.g. the Core Rule Set shipped in the tarball's rules/
# directory) are Included after it.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off
# Debug log (level 0 = off; raise it only while troubleshooting, it is very verbose)
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
# Serial audit log: one file, one entry per transaction that either triggered
# a rule with the log action or whose response status matches
# SecAuditLogRelevantStatus (^5 = server errors only; requests blocked by a
# rule are still recorded through the rule's log action)
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
# Maximum request body size we will
# accept for buffering; larger bodies (file uploads included)
# are rejected with 413, so raise this if the site accepts uploads
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length (only used once SecResponseBodyAccess is On)
SecResponseBodyLimit 524288
# Set Server Signature (takes effect only with ServerTokens Full in httpd.conf)
SecServerSignature "SUSE Linux Enterprise Server "
-------------------------------------------
:wq!
# ls -l mod_security.conf
# vim /etc/apache2/httpd.conf
--> below the LoadFile line added in step 10, include the policy file
### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.
# Load libxml2
LoadFile /usr/lib/libxml2.so
# Mod_security policy file
Include /etc/apache2/mod_security.conf
:wq!
# service apache2 configtest
Syntax OK
# service apache2 restart
Shutting down httpd2 (waiting for all children to terminate) done
Starting httpd2 (prefork)
Finish.
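Once Apache is back up, the serial audit log configured in step 12 starts collecting entries. The following is an added example, written for this page and not taken from the ModSecurity project, that summarizes that log from the shell: one line per transaction with timestamp, unique ID (the value mod_unique_id supplies, which is why it is loaded before security2 in step 10), client IP, request line, response status and the first rule message. The sample log inside the script is constructed for the example and is not real traffic; it contains one request blocked by a rule (something the policy file above, having no SecRule lines, would only produce once rules are added) and one 500 response recorded because of SecAuditLogRelevantStatus ^5. Assumed: the ModSecurity 2.x serial format with SecAuditLogParts ABIFHZ, and a POSIX awk.

```shell
#!/bin/sh
# Added example, not part of the original page: summarize the serial audit
# log written by the policy file above (/var/log/apache2/modsec_audit.log).
# With SecAuditLogParts ABIFHZ every transaction is a run of sections
# delimited by --<id>-<LETTER>-- lines:
#   A audit header, B request headers, I request body, F response headers,
#   H audit trailer (rule messages, Action, Producer), Z end of entry.
# Assumed: ModSecurity 2.x serial format and a POSIX awk.

# One tab-separated line per transaction:
#   timestamp  unique_id  client_ip  request_line  status  first_rule_message
# Missing fields are printed as "-".
audit_summary() {
    awk '
    /^--[0-9a-fA-F]+-[A-Z]--$/ {
        part = substr($0, length($0) - 2, 1)   # the section letter
        first = 1                              # next line is the first of the section
        if (part == "A") ts = id = ip = req = status = msg = ""
        if (part == "Z") printf "%s\t%s\t%s\t%s\t%s\t%s\n", ts, id, ip, (req == "" ? "-" : req), (status == "" ? "-" : status), (msg == "" ? "-" : msg)
        next
    }
    # A: [timestamp] unique_id client_ip client_port server_ip server_port
    part == "A" && first { ts = $1 " " $2; id = $3; ip = $4; first = 0 }
    # B: request line, then the request headers
    part == "B" && first { req = $1 " " $2; first = 0 }
    # F: status line, then the response headers
    part == "F" && first { status = $2; first = 0 }
    # H: keep the first rule message (blocked requests carry "Access denied")
    part == "H" && /^Message: / && msg == "" { msg = $0; sub(/^Message: /, "", msg) }
    '
}

# Transactions per client, most active first (a quick triage view).
audit_hits_by_ip() {
    audit_summary | cut -f3 | sort | uniq -c | sort -rn
}

# Constructed sample (not real traffic): one request blocked by a rule and
# one 500 response caught by SecAuditLogRelevantStatus ^5.
SAMPLE_AUDIT_LOG='--a4d2c8e1-A--
[01/Aug/2008:10:55:12 +0700] SJLVbH8AAQEAAG6sA1cAAAAA 192.0.2.10 51234 192.0.2.1 80
--a4d2c8e1-B--
GET /index.php?id=1%20union%20select HTTP/1.1
Host: www.example.com
User-Agent: curl/7.19.0

--a4d2c8e1-F--
HTTP/1.1 403 Forbidden
Content-Length: 0

--a4d2c8e1-H--
Message: Access denied with code 403 (phase 2). Pattern match "union\s+select" at ARGS:id. [msg "SQL injection probe"]
Action: Intercepted (phase 2)
Producer: ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/).
Server: Apache

--a4d2c8e1-Z--

--b7e0f3a2-A--
[01/Aug/2008:10:57:40 +0700] SJLWJH8AAQEAAG6tA2AAAAAB 198.51.100.7 40022 192.0.2.1 80
--b7e0f3a2-B--
POST /upload.php HTTP/1.1
Host: www.example.com

--b7e0f3a2-F--
HTTP/1.1 500 Internal Server Error
Content-Type: text/html

--b7e0f3a2-H--
Stopwatch: 1217563060000000 1500 (- - -)
Producer: ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/).
Server: Apache

--b7e0f3a2-Z--
'

# Run the summarizer over the constructed sample.
demo() {
    printf '%s' "$SAMPLE_AUDIT_LOG" | audit_summary
}

# Usage on the live log:
#   audit_summary    < /var/log/apache2/modsec_audit.log
#   audit_hits_by_ip < /var/log/apache2/modsec_audit.log
```

The second sample entry has no Message line: it was written only because its status matched ^5, so the summary shows "-" in the message column. That is the practical difference between the two logging triggers in the policy file, and a reason to widen SecAuditLogRelevantStatus once rules are in place if you also want client errors the rules did not cause.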
Ref : http://www.novell.com/communities