In the journey of rebuilding my dedicated server to create a secured cloud server, I was trying to find out what are the potential issues, besides network intrusion through various ports, and services on my server. I found numbers ranging from 70% to 85% of all intrusions actually occur by way of applications. Specifically, I am running many php and a couple Perl applications. Not to mention, I was allowing MySql to be accessed external to my machine in the past.
As I googled various options to secure Apache, I found mod_security module (http://www.modsecurity.org/).
So I started off by trying several different tutorials (listed below). So it all seemed fairly straight forward from the examples.
- Install the plugin: yum, rpm or compile
- Load module in mod_security.conf: or directly into httpd.conf
- Load Rules: define them manually, and/or load them from additional configuration files
I spent several very long days trying to get this to work.
The first time I tried to get this to work, I just got the plugin from the CentOS yum repository. Then I configured the plugin, no errors where thrown, and Apache seemed to be working fine. I wanted to try to understand how to test or verify what I have done.
I first used a simple example from http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/ that has you create simple php file on your server
<em>//bad.php <? $secret_file = $_GET['secret_file']; include ( $secret_file); ?></em>
then try to access that page with a rogue command:
At first I kept getting a blank page, then I added some html that would print <h2>bad.php</h2> just to ensure the page was loaded. The page was succeeding, and not giving a 403 error as expected. I then tried to use the curl command that was given on the example
Well, what I did not see will hurt me… Well, It has already!
Ok, so I setup mod_security what’s going on then?
Well, the example I ended up did not Load any libraries as documented in the modsecurity.org install guide. I thought, these examples (several of them), all professed to work, why does mine not work?
The answer has not been easy, and unfortunately, not 100% clear either. I will list through the 3 main items I had trouble with and the solution I found to finally get this to work
1. Correctly loading x86_64 libraries.
As I described an issue with several different libraries in the blog http://baselogic.com/blog/archives/294 This was effecting many items in my server configuration. I also found that my libxml2 was having issues while I was hacking different configurations to get something to either work, or to throw some errors. Once this issue was solved, I go to thinking about my second issue:
2. Get correct mod_security module for x86_64.
As with my libxml2 and other libraries, I started tracking down what version of mod_security I was actually running. I was running a version I got through some means in one of these tutorials. Then I found an updated module from Jason Litka (http://www.jasonlitka.com/2007/08/24/mod-security-packages-now-available/). The install went fine, and even came with a new configuration file and rules. But then I kept getting errors trying run a configcheck on Apache:
<em>Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of /etc/httpd/conf.d/mod_security.conf: Cannot load /etc/httpd/modules/mod_security2.so into server: /etc/httpd/modules/mod_security2.so: <strong>undefined symbol: ap_get_server_banner</strong></em>
I was not the only person that was having this issue.
The solution alluded to trying to rebuild apache and other modules, and I was not interested in compiling Apache to get this to work. I wanted to use yum as much as possible. So I kept researching, and quickly realized that the latest version I could find via any yum repository, was 2.5.0, yet on modsecurity.org, the latest available version was 2.5.9 ion source version, as I did not see x86_64 CentOS listed for the update version.
Well, I downloaded this package and installed this manually because I had no other choice. But it was very easy. Now even though at the time I did not know it, this issue was resolved.
3. Find the Configuration that properly works.
After installing x86_64 version of mod_security, I still was unable to get even a simple test to work, thus my module was not working.
After several really long days hacking at various options over and over again. I was quite frustrated that, what I thought to be a simple configuration and module was such an issue to resolve. This is the part of the solution that is not 100% clear to me. I believe I had tried this configuration before, but somehow on m=one of my hacks, this configuration worked:
LoadFile /usr/lib64/libxml2.so LoadFile /usr/lib64/liblua.so.5.0 #Load mod_unique_id and mod_security 2 LoadModule unique_id_module modules/mod_unique_id.so LoadModule security2_module modules/mod_security2.so <IfModule mod_security2.c> Include modsecurity.d/*asl*.conf #Enable mod_security SecRuleEngine On SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace #Log Configuration SecAuditEngine RelevantOnly SecAuditLogParts ABCFHZ SecAuditLogType Serial SecAuditLog logs/mod_security2.log #SecAuditLogStorageDir logs/audit SecAuditLogRelevantStatus ^(?:5|4\d[^4]) #General Settings #SecTmpDir /temp #SecUploadDir /temp/uploads #SecUploadKeepFiles RelevantOnly #Rules </IfModule>
Now finally, I was able to get the desired result:
<em>[[code]]czo5ODpcInVzZXIxQGhvbWUjIDxzdHJvbmc+Y3VybCAtaSBcXFwiaHR0cDovL3d3dy55b3VyZG9tYWluLmNvbS9iYWQucGhwP3NlY3JldHtbJiomXX1fZmlsZT0vZXRjL3Bhc3N3ZFxcXCI8L3N0cm9uZz5cIjt7WyYqJl19[[/code]]</em><em> HTTP/1.1 403 Forbidden Date: Thu, 30 Apr 2009 17:20:03 GMT Server: Apache Content-Length: 283 Content-Type: text/html; charset=iso-8859-1</em> <em><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <strong><title>403 Forbidden</title></strong> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access /bad.php on this server.</p> <hr> <address>Apache Server at yourdomain.com Port 80</address> </body></html></em>
Although x86_64 seems to not be widely used and supported with many tutorials, I can say that once I was able to get this plugin working, I was able to quickly and easily see the benefits from various web application intrusions. I also gained a better insight as to how to identify OS issues and how to notice them next time.
- ModSecurity: http://www.modsecurity.org
- How-To Forge: http://www.howtoforge.com/apache_mod_security
- Jason Litka: http://www.jasonlitka.com/2007/08/24/mod-security-packages-now-available/
- My Whiteboard: http://www.my-whiteboard.com/linux-admin/protect-your-web-server-from-security-attacks-using-modsecurity.html
- Atomic: http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules