Apache2+mod_security


Written by Mr. Sontaya Photibut Saturday, 02 May 2009 14:58

Securing Apache Web Server with mod_security V.2.5.6

1. Downloading & verifying mod_security

# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz

--10:36:17--  http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz

           => `modsecurity-apache_2.5.6.tar.gz'

Resolving www.modsecurity.org... 80.68.84.129

Connecting to www.modsecurity.org|80.68.84.129|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1,079,094 (1.0M) [application/x-tar]


100%[=======================================>] 1,079,094     69.96K/s    ETA 00:00


10:36:33 (68.76 KB/s) - `modsecurity-apache_2.5.6.tar.gz' saved [1079094/1079094]


2. Verifying the MD5 checksum and importing the signing key

# md5sum modsecurity-apache_2.5.6.tar.gz

eb9e80a232269378752aa5b81f3e99f8  modsecurity-apache_2.5.6.tar.gz

# gpg --keyserver pgp.mit.edu --recv-key 971B7E08

gpg: requesting key 971B7E08 from hkp server pgp.mit.edu

gpg: key 971B7E08: public key "Ivan Ristic <ivanr@webkreator.com>" imported

gpg: no ultimately trusted keys found

gpg: Total number processed: 1

gpg:               imported: 1


3. Downloading the mod_security signature file (.asc)

# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz.asc

--10:41:20--  http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz.asc

           => `modsecurity-apache_2.5.6.tar.gz.asc'

Resolving www.modsecurity.org... 80.68.84.129

Connecting to www.modsecurity.org|80.68.84.129|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 189 [text/plain]


100%[===============================================>] 189           --.--K/s


10:41:21 (13.86 MB/s) - `modsecurity-apache_2.5.6.tar.gz.asc' saved [189/189]


4. Importing the key that signed the release

# gpg --keyserver pgp.mit.edu --recv-key 46F78EE4


5. Checking the signature with gpg

# gpg modsecurity-apache_2.5.6.tar.gz.asc

gpg: Signature made Fri Aug  1 02:11:01 2008 ICT using DSA key ID 46F78EE4

gpg: Good signature from "Brian Rectanus <Brian.Rectanus@breach.com>"

gpg:                 aka "Brian Rectanus <brectanu@breach.com>"

gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the owner.

Primary key fingerprint: 1F42 C34F E7A3 B206 505B  B908 CF91 C7E8 46F7 8EE4


6. Verifying the signature with gpg --verify

# gpg --verify modsecurity-apache_2.5.6.tar.gz.asc

gpg: Signature made Fri Aug  1 02:11:01 2008 ICT using DSA key ID 46F78EE4

gpg: Good signature from "Brian Rectanus <Brian.Rectanus@breach.com>"

gpg:                 aka "Brian Rectanus <brectanu@breach.com>"

gpg: WARNING: This key is not certified with a trusted signature!

gpg:          There is no indication that the signature belongs to the owner.

Primary key fingerprint: 1F42 C34F E7A3 B206 505B  B908 CF91 C7E8 46F7 8EE4

 

7. mod_security dependencies

# yast -i libxml2-devel

# yast -i apache2-devel

# yast -i pcre-devel

 

8. Installing mod_security

# tar zxvf modsecurity-apache_2.5.6.tar.gz

modsecurity-apache_2.5.6/

modsecurity-apache_2.5.6/apache2/

modsecurity-apache_2.5.6/apache2/.deps

modsecurity-apache_2.5.6/apache2/configure

modsecurity-apache_2.5.6/apache2/apache2.h

modsecurity-apache_2.5.6/apache2/Makefile.in

modsecurity-apache_2.5.6/apache2/msc_logging.h

modsecurity-apache_2.5.6/apache2/modsecurity.h

...

9. Compiling mod_security source code

# cd modsecurity-apache_2.5.6/apache2/

# ./configure --with-apxs=/usr/sbin/apxs2

# make && make install


10. Enabling mod_security

# vim /etc/apache2/httpd.conf

--> find the "Global Environment" section

--> add the following lines:

# Load libxml2

LoadFile /usr/lib/libxml2.so <--path for 32bit


### Global Environment ######################################################

#

# The directives in this section affect the overall operation of Apache,

# such as the number of concurrent requests.


# Load libxml2

LoadFile /usr/lib64/libxml2.so  <-- path for 64bit


:wq!


# vim /etc/sysconfig/apache2

--> find the line beginning with APACHE_MODULES="

--> add unique_id and security2 to the module list:


APACHE_MODULES="unique_id security2 actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 rewrite mod_ldap mod_authnz_ldap"


:wq!


11. Restart Apache2 and Test config

# service apache2 configtest

Syntax OK

# rcapache2 restart


12. mod_security policy file

# cd /etc/apache2/

# vim mod_security.conf

--------------------------------------------------

# Basic configuration options

SecRuleEngine On

SecRequestBodyAccess On

SecResponseBodyAccess Off


# Handling of file uploads

# TODO Choose a folder private to Apache.

# SecUploadDir /opt/apache-frontend/tmp/

SecUploadKeepFiles Off


# Debug log

SecDebugLog /var/log/apache2/modsec_debug.log

SecDebugLogLevel 0


# Serial audit log

SecAuditEngine RelevantOnly

SecAuditLogRelevantStatus ^5

SecAuditLogParts ABIFHZ

SecAuditLogType Serial

SecAuditLog /var/log/apache2/modsec_audit.log


# Maximum request body size we will

# accept for buffering

SecRequestBodyLimit 131072


# Store up to 128 KB in memory

SecRequestBodyInMemoryLimit 131072


# Buffer response bodies of up to

# 512 KB in length

SecResponseBodyLimit 524288


# Set Server Signature

SecServerSignature "SUSE Linux Enterprise Server "

-------------------------------------------

:wq!
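As an added example (not from the original post), a small Python parser for the Serial audit log this policy file produces (SecAuditLogType Serial, SecAuditLogParts ABIFHZ), fed with a constructed sample entry; the boundary id, unique id, addresses and alert text in the sample are made up.

```python
import re
# Constructed sample (not real traffic): one entry in the Serial audit log
# format written by SecAuditLogType Serial with SecAuditLogParts ABIFHZ.
SAMPLE_LOG = """--a1b2c3d4-A--
[02/May/2009:14:58:00 +0700] SfxQ8n8AAQEAAAB3Fm4AAAAB 192.0.2.10 51234 192.0.2.1 80
--a1b2c3d4-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com

--a1b2c3d4-F--
HTTP/1.1 500 Internal Server Error

--a1b2c3d4-H--
Message: Warning. Constructed sample alert at ARGS:id. [msg "sample alert"]
Producer: ModSecurity for Apache/2.5.6 (http://www.modsecurity.org/).
Server: SUSE Linux Enterprise Server

--a1b2c3d4-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-KZ])--$")  # part boundary: --<id>-<letter>--
PART_A = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")  # [time] uid src sport dst dport

def parse_serial_audit_log(text):
    """Split a serial audit log into entries; each entry maps part letter -> list of lines."""
    entries, entry, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            ident, part = m.groups()
            if part == "A":                        # part A always opens a new entry
                entry = {"id": ident, "parts": {}}
                entries.append(entry)
            elif entry is None or entry["id"] != ident:
                raise ValueError("part %s without a matching A part" % part)
            entry["parts"][part] = []
            continue
        if entry is not None and part not in (None, "Z"):  # Z is the empty terminator
            entry["parts"][part].append(line)
    return entries

def summarize(entry):
    """Fields a responder looks at first: client, request line, response status, alerts."""
    p = entry["parts"]
    a = PART_A.match(p["A"][0])
    f = p.get("F", [""])[0].split()                # "HTTP/1.1 500 ..." -> status code
    return {"id": entry["id"], "time": a.group(1), "client": a.group(3),
            "request": p["B"][0], "status": int(f[1]) if len(f) > 1 else None,
            "messages": [l[9:] for l in p.get("H", []) if l.startswith("Message: ")]}
```

On the server, pass the contents of /var/log/apache2/modsec_audit.log (the SecAuditLog path above) to parse_serial_audit_log; with SecAuditLogRelevantStatus ^5, only transactions that ended in a 5xx response will be present in it.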


# ls -l mod_security.conf


# vim /etc/apache2/httpd.conf

### Global Environment ######################################################

#

# The directives in this section affect the overall operation of Apache,

# such as the number of concurrent requests.


# Load libxml2

LoadFile /usr/lib/libxml2.so


# Mod_security policy file

Include /etc/apache2/mod_security.conf


:wq!


# service apache2 configtest

# service apache2 restart

Syntax OK

Shutting down httpd2 (waiting for all children to terminate)          done

Starting httpd2 (prefork)


Finished.


Ref : http://www.novell.com/communities
