More security for Apache2: mod_security

mod_security is an Apache module that provides a kind of application firewall / intrusion detection. The installation is not exactly elegant, but in return the feature set is quite large.

Homepage: http://www.modsecurity.org/

Prerequisites:
/usr/local/src # tar xzf httpd-2.2.4.tar.gz
/usr/local/src # cd httpd-2.2.4
/usr/local/src/httpd-2.2.4 # ./configure && make
/usr/local/src/httpd-2.2.4 # cp srclib/pcre/pcre.h /usr/local/apache2/include/

We need the "pcre.h" header file from the sources, which (in this special case, unfortunately) is normally not installed along with the rest.

/usr/local/src # wget http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz
/usr/local/src # tar xzf modsecurity-apache_2.1.1.tar.gz
/usr/local/src # cd modsecurity-apache_2.1.1/apache2/
/usr/local/src/modsecurity-apache_2.1.1/apache2 # vi Makefile

top_dir = /usr/local/apache2

/usr/local/src/modsecurity-apache_2.1.1/apache2 # make
/usr/local/src/modsecurity-apache_2.1.1/apache2 # cp .libs/mod_security2.so /usr/local/apache2/modules/
/usr/local/src/modsecurity-apache_2.1.1/apache2 # make clean
/usr/local/src/modsecurity-apache_2.1.1/apache2 # vi /usr/local/apache2/conf/httpd.conf

LoadModule security2_module modules/mod_security2.so

Include conf/modsecurity/*.conf


That was the installation itself.

Now comes the configuration:
/usr/local/src/modsecurity-apache_2.1.1/apache2 # mkdir -p /usr/local/apache2/conf/modsecurity
/usr/local/src/modsecurity-apache_2.1.1/apache2 # cd /usr/local/apache2/conf/modsecurity
/usr/local/apache2/conf/modsecurity # vi modsecurity.conf


# mod_security 2.x syntax: mod_security2 does not recognise the 1.x
# SecFilter* directives and would refuse to start with them.

# Turn the rule engine On or Off
SecRuleEngine On

# Should mod_security inspect request bodies (POST payloads)
SecRequestBodyAccess On

# Make sure that URL encoding is valid
SecRule REQUEST_URI|ARGS "@validateUrlEncoding"

# Only allow bytes from this range
SecRule ARGS "@validateByteRange 32-126"

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

SecDebugLog /var/log/httpd/modsec_debug_log
SecDebugLogLevel 0

# Action to take by default (phase 2 = after the request body has been read)
SecDefaultAction "phase:2,deny,log,status:406"

# Redirect user on rule match
#SecRule ARGS "xxx" "redirect:http://www.disney.com"

# Execute the external script on rule match
#SecRule ARGS "yyy" "log,exec:/usr/local/apache2/bin/report-attack.pl"

# Prevent path traversal (..) attacks
SecRule REQUEST_URI|ARGS "\.\./"

# Weaker XSS protection but allows common HTML tags
SecRule ARGS "<( |\n)*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecRule ARGS "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
SecRule ARGS "delete[[:space:]]+from"
SecRule ARGS "insert[[:space:]]+into"
SecRule ARGS "select.+from"


/usr/local/apache2/conf/modsecurity # wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz
/usr/local/apache2/conf/modsecurity # tar xzf modsecurity-core-rules_2.1-1.4.tar.gz
/usr/local/apache2/conf/modsecurity # vi modsecurity_crs_10_config.conf

SecServerSignature "Apache/2"
SecUploadDir /var/tmp/apache/sec_upload
SecDataDir /var/tmp/apache/sec_data
SecTmpDir /var/tmp/apache/sec_tmp

/usr/local/apache2/conf/modsecurity # mkdir -p /var/tmp/apache/sec_upload /var/tmp/apache/sec_data /var/tmp/apache/sec_tmp
/usr/local/apache2/conf/modsecurity # chown -R www:www /var/tmp/apache
/usr/local/apache2/conf/modsecurity # chmod 700 /var/tmp/apache
/usr/local/apache2/conf/modsecurity # /etc/init.d/apache restart
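An added example that is not part of the original post: a small Python script that reads the serial audit log SecAuditEngine RelevantOnly writes to /var/log/httpd/audit_log and lists every denied request together with the rule pattern that fired, then counts denies per client and per pattern. The two log entries are constructed to look like what the "\.\./" and "select.+from" rules above produce; the second one shows the crude SQL filter hitting an ordinary guestbook comment, which is the kind of false positive that makes reviewing the rules worthwhile.

```python
import re
from collections import Counter

# Constructed sample (not a real log) in the serial format that SecAuditLog writes;
# each transaction has parts A (header), B (request), H (trailer with messages), Z (end).
SAMPLE_AUDIT_LOG = r"""
--a1b2c3d4-A--
[01/Jun/2007:10:15:01 +0200] RmFrZUlEAAAAAAAAAAAAAAAA 192.0.2.10 51234 198.51.100.5 80
--a1b2c3d4-B--
GET /index.php?page=../../../etc/passwd HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 406 (phase 2). Pattern match "\.\./" at ARGS:page.
--a1b2c3d4-Z--
--e5f6a7b8-A--
[01/Jun/2007:10:15:07 +0200] RmFrZUlEAAAAAAAAAAAAAAAB 203.0.113.7 40021 198.51.100.5 80
--e5f6a7b8-B--
POST /guestbook.php HTTP/1.1
--e5f6a7b8-H--
Message: Access denied with code 406 (phase 2). Pattern match "select.+from" at ARGS:comment.
--e5f6a7b8-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
HEADER_A = re.compile(r"^\[[^\]]+\] \S+ (?P<client>\S+) \d+ \S+ \d+")
DENY_MSG = re.compile(r'^Message: Access denied with code (?P<code>\d+) .*?Pattern match "(?P<pattern>.*?)" at (?P<target>\S+?)\.?$')

def denied_requests(text):
    """Walk the serial audit log and return one record per rule-denied request."""
    events, part, txid, client, request = [], None, "-", "-", "-"
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:                                       # boundary: note which part follows
            part = m.group(2)
            if part == "A":                         # part A opens a new transaction
                txid, client, request = m.group(1), "-", "-"
            continue
        if part == "A" and (h := HEADER_A.match(line)):
            client = h.group("client")              # source IP from the audit header
        elif part == "B" and request == "-" and line:
            request = line                          # first line of part B is the request line
        elif part == "H" and (d := DENY_MSG.match(line)):
            events.append({"txid": txid, "client": client, "request": request,
                           "code": int(d.group("code")), "pattern": d.group("pattern"),
                           "target": d.group("target")})
    return events

def deny_counts(events):
    """Denies per client IP (who is probing) and per pattern (which rules fire, maybe too often)."""
    return Counter(e["client"] for e in events), Counter(e["pattern"] for e in events)
```

Run it against the real file with denied_requests(open("/var/log/httpd/audit_log").read()); a pattern that dominates deny_counts across many different clients is usually a rule that needs tuning rather than an attack.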

Good luck!

You should urgently review the configuration files modsecurity.conf, modsecurity_crs_10_config.conf and the remaining *.conf files and adapt them to your own needs, otherwise things could get unpleasant!