Sunday, December 26, 2010

Installing and configuring mod_security-Ubuntu 9.04

This how-to is reported to work in Ubuntu 8.04-10.10 as well.

What is mod_security you ask ?

Mod Security can significantly increase the security of your Apache installation.
What Is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make the web application firewall technology available to everyone.

Do not think you need this ? Follow along with the examples and decide for yourself (This tutorial assumes you already have Apache and php5 installed).
First, let us look at the default Apache behavior. I will use “ubuntuVPS” as the server of interest.

“Insecure” Example 1 – curl

Use curl to obtain information on the server (bodhi@home is a remote machine connecting to “ubutnuVPS”. You can test all this with any browser if you wish, simply use your server’s home page).
bodhi@home# curl -i ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
< html>< body>< h1>It works!< /h1>< /body>< /html>

Looks like this in your browser (the famous It works! page)

See how with a single command we already know the server is Ubuntu running Apache 2.2.11 and PHP 5.2.6 ?

“Insecure” Example 2 – bad .php

For this I will ask you to create a file “/var/www/insecure.php”
Put the following code in the file :
# vim /var/www/insecure.php
< ? $secret_file = $_GET['secret_file'];
include ( $secret_file); ? >;

Note: I had to put a space at the front of the php tag “<; ?”, remove it.

Now what ? Open a browser and enter http://ubuntuVPS/insecure.php?secret_file=/etc/passwd

I shall use curl in this example:
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:24:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Vary: Accept-Encoding
Content-Length: 860
Content-Type: text/html
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh


Install and configure mod_secure

There was a time when installing mod_security was a bit difficult, now it is as easy as :
sudo apt-get -y install libapache-mod-security
The “hard part” is that we need to configure mod_security and obtain a few rules.

Configure mod_security

Using any editor, make a file “/etc/apache2/conf.d/modsecurity2.conf” and put the following contents in the file.
#vim /etc/apache2/conf.d/modsecurity2.conf
< ifmodule mod_security2.c>
Include conf.d/modsecurity/*.conf
< /ifmodule>

Note: I had to add a space at the front of the tag “< ifmodule mod_security2.c>” and “< /ifmodule>”, remove them.

By default, mod_security logs to /etc/apache2/logs, the following commands will put the log in /var/log/apache2/mod_security and create a symbolic link back to /etc/apache2/logs

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs
Download and install rules
Download rules from here

As of this writing, the rule set was “modsecurity-core-rules_2.5-1.6.1.tar.gz”, you may need to adjust accordingly as new rules are released.
sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz

Enable mod_security:

sudo a2enmod mod-security
Now restart Apache
That’s it :)

Testing mod_security

“Secure” Example 1 – curl
bodhi@home# curl -i http://ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:44:42 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
< html>< body>< h1>It works!< /h1>< /body>< /html>

Look no more server or php information (Fedora apache 2.2.0 , LOL !!! )

“Secure” Example 2 – bad .php
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 501 Method Not Implemented
Date: Tue, 28 Apr 2009 22:47:38 GMT
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Vary: Accept-Encoding
Content-Length: 291
Connection: close
Content-Type: text/html; charset=iso-8859-1
< html>< head>
< title>501 Method Not Implemented< /title>
< /head>< body>
< h1>Method Not Implemented< /h1>
< p>GET to /insecure.php not supported.< br />
< /p>
< hr>
< address>Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80< /address>
< /body>< /html>

Looks like this in your browser:
"501 Method Not Implemented
Method Not Implemented"
GET to /insecure.php not supported.Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80
Ah 501 Error looks much better then the contents of /etc/passwd :)
Where to go from here ?

1. Monitor your logs :
tail /var/log/apache2/mod_security/modsec_audit.log
2. Learn / edit your mod_security rules : ModSecurity Reference Manual

3. Delete bad.php, LOL
sudo rm -rf /var/www/insecure.php

I hope you enjoyed and learned from this tutorial :)

"This is just a copy cat of the post from
All credit should go to the respective author. I tried the method in Ubuntu 10.10 and it works fine."

Some of the rules may deny the access to you applications (eg: phpmyadmin/drupal etc). Test the rules well before you implement.