Monday, December 13, 2010

mod_security2 installation on apache2 and configuration (Linux)

Download and install modsec2
 
cd /usr/src/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.5.12.tar.gz
tar -zxf modsecurity-apache_2.5.12.tar.gz
cd modsecurity-apache_2.5.12/apache2
./configure --with-apxs=/usr/local/apache/bin/apxs
make
make install
 
The module mod_security2.so should now be present in the /usr/local/apache/modules/ directory.
 
Now we need to configure modsec2. Create a file called /usr/local/apache/conf/modsec2.conf and enter the text below:
vi /usr/local/apache/conf/modsec2.conf
 
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
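# Requests from the server itself (127.0.0.1) skip all later rules; dots escaped so they match literally
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "nolog,allow"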
Include "/usr/local/apache/conf/modsec2.user.conf"

Include "/usr/local/apache/conf/apache2-modsec/rootkits.conf"

</IfModule>

You must add modsec rules to the files modsec2.user.conf and rootkits.conf. You can download rules from here:
http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/
Add the following line inside the httpd.conf file:
Include "/usr/local/apache/conf/modsec2.conf"
Check that the Apache configuration syntax is correct:
/etc/rc.d/init.d/httpd configtest
If the syntax is OK, do a graceful restart of Apache:
/etc/rc.d/init.d/httpd graceful
 
To test, add the following rule to the file /usr/local/apache/conf/apache2-modsec/rootkits.conf, then request the URL below to see if it gives the modsec error.
SecRule REQUEST_URI "/bin" "deny,log,status:406"
http://main_IP/bin
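
A scripted version of the test above, which also checks that a normal request is still served and refuses loopback targets, because the REMOTE_ADDR rule in modsec2.conf allows 127.0.0.1 before the test rule is evaluated. This is an added example, not part of the original post: it assumes curl is installed, the function names are hypothetical, and the log text matched by audit_hits is assumed to be the usual ModSecurity 2.x denial message.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes curl is installed.

# Print the HTTP status code for a URL ("000" when the connection fails).
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# modsec_smoke_test BASE_URL   (BASE_URL = http://main_IP, no path)
#   0  /bin denied with 406 while / is served normally
#   1  /bin not denied: rule not loaded, or Apache not restarted
#   2  loopback target refused: 127.0.0.1 is whitelisted in modsec2.conf
#   3  server unreachable
#   4  / denied as well: something broader than the test rule is firing
modsec_smoke_test() {
    st_base=${1%/}
    case "$st_base" in
        *://127.0.0.1*|*://localhost*)
            echo "SKIP: 127.0.0.1 matches the allow rule; test via the main IP"
            return 2 ;;
    esac
    st_root=$(http_status "$st_base/")
    st_bin=$(http_status "$st_base/bin")
    if [ -z "$st_root" ] || [ "$st_root" = "000" ]; then
        echo "FAIL: $st_base is unreachable"; return 3
    fi
    if [ "$st_root" = "406" ]; then
        echo "FAIL: / is denied too, not only /bin"; return 4
    fi
    if [ "$st_bin" != "406" ]; then
        echo "FAIL: /bin returned '$st_bin', expected 406"; return 1
    fi
    echo "PASS: /bin denied with 406, / returned $st_root"
}

# audit_hits LOGFILE: count 406 denials recorded in a ModSecurity log.
# The matched text is the usual 2.x denial message (assumed, check your log).
audit_hits() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Access denied with code 406' "$1" || true
}
```

Source the file after the graceful restart, run modsec_smoke_test http://main_IP, then pass the file named by SecAuditLog to audit_hits to confirm the denial was logged.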
