{"id":163,"date":"2012-06-11T04:21:30","date_gmt":"2012-06-11T04:21:30","guid":{"rendered":"http:\/\/rmohan.com\/?p=163"},"modified":"2012-07-29T07:24:30","modified_gmt":"2012-07-28T23:24:30","slug":"mod-security","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=163","title":{"rendered":"Mod Security"},"content":{"rendered":"

Mod Security <\/strong><\/p>\n

Mod security has a default configuration file, and comes with a core rule set. The configuration works with include files which work for the modsecurity part like this:<\/p>\n

httpd.conf
\n|
\n|– default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests
\n| `–conf.d\/mod_security2.conf . . . . enable mod-security default configuration
\n|
\n`–conf.d\/modsecurity\/*.conf . . . . . . add the core rule set<\/p>\n

Since this include structure is not enabled by default (because the core rule set is not enabled by default) we have to include the core rule set manually.<\/p>\n

Create the correct directories and copy the core rule set config files to this directory:<\/p>\n

reverseproxy:\/usr\/share\/doc\/packages\/apache2-mod_security2\/rules # mkdir \/etc\/apache2\/conf.d\/modsecurity
\nreverseproxy:\/usr\/share\/doc\/packages\/apache2-mod_security2\/rules # cp *.conf \/etc\/apache2\/conf.d\/modsecurity
\nreverseproxy:\/usr\/share\/doc\/packages\/apache2-mod_security2\/rules # cd \/etc\/apache2\/conf.d\/modsecurity<\/p>\n

reverseproxy:\/etc\/apache2\/conf.d\/modsecurity # ll
\n-rw-r–r– 1 root root 12325 Jan 31 14:03 modsecurity_crs_10_config.conf
\n-rw-r–r– 1 root root 5164 Jan 31 14:03 modsecurity_crs_20_protocol_violations.conf
\n-rw-r–r– 1 root root 3538 Jan 31 14:03 modsecurity_crs_21_protocol_anomalies.conf
\n-rw-r–r– 1 root root 2496 Jan 31 14:03 modsecurity_crs_23_request_limits.conf
\n-rw-r–r– 1 root root 6399 Jan 31 14:03 modsecurity_crs_30_http_policy.conf
\n-rw-r–r– 1 root root 2720 Jan 31 14:03 modsecurity_crs_35_bad_robots.conf
\n-rw-r–r– 1 root root 28726 Jan 31 14:03 modsecurity_crs_40_generic_attacks.conf
\n-rw-r–r– 1 root root 2463 Jan 31 14:03 modsecurity_crs_45_trojans.conf
\n-rw-r–r– 1 root root 8268 Jan 31 14:03 modsecurity_crs_50_outbound.conf<\/p>\n

Add the include line for the core rule set in the httpd.conf:<\/p>\n

# Include Mod Security Core Rule Set
\nInclude \/etc\/apache2\/conf.d\/modsecurity\/*.conf<\/p>\n

Now we will configure the config files themselves to run modsecurity first in DetectionOnly
\nmode to prevent the risk for false positives. We also set the logfiles correctly:<\/p>\n

vi \/etc\/apache2\/conf.d\/mod_security2.conf:
\n# Basic configuration options
\n#SecRuleEngine On
\nSecRuleEngine DetectionOnly<\/p>\n

vi \/etc\/apache2\/conf.d\/modsecurity\/modsecurity_crs_10_config.conf:
\nSecRuleEngine DetectionOnly
\nSecAuditLog \/var\/log\/apache2\/modsec_audit.log
\nSecDebugLog \/var\/log\/apache2\/modsec_debug.log
\nSecDebugLogLevel 3<\/p>\n

Now restart apache:<\/p>\n

reverseproxy:\/var\/log\/apache2 # \/etc\/init.d\/apache2 start
\nStarting httpd2 (prefork) [Mon Jan 31 14:30:35 2011] [warn] worker http:\/\/10.10.12.20\/start already used by another worker
\n[Mon Jan 31 14:30:35 2011] [warn] worker http:\/\/10.10.12.20\/start already used by another worker<\/p>\n

Documentation Core Rule Set<\/p>\n

Core Rule Set Structure & Usage
\n====================================<\/p>\n

To activate the rules for your web server installation:<\/p>\n

1) You may want to edit and customize modsecurity_crs_10_config.conf.
\nAdditionally you may want to edit modsecurity_crs_30_http_policy.conf
\nwhich enforces an application specific HTTP protocol usage.<\/p>\n

2) Add the following line to your httpd.conf (assuming
\nyou’ve placed the rule files into conf\/modsecurity\/):<\/p>\n

Include conf\/modsecurity\/*.conf<\/p>\n

3) Restart web server.<\/p>\n

4) Make sure your web sites are still running fine.<\/p>\n

Core Rule Set Content
\n=========================<\/p>\n

In order to provide generic web applications protection, the Core Rule Set
\nuses the following techniques:<\/p>\n

1. HTTP protection – detecting violations of the HTTP protocol and a locally
\ndefined usage policy.<\/p>\n

2. Common Web Attacks Protection – detecting common web application security
\nattack.<\/p>\n

3. Automation detection – Detecting bots, crawlers, scanners and other surface
\nmalicious activity.<\/p>\n

4. Trojan Protection – Detecting access to Trojans horses.<\/p>\n

5. Errors Hiding – Disguising error messages sent by the server<\/p>\n

In addition the rule set also hints at the power of ModSecurity beyond
\nproviding security by reporting access from the major search engines to your
\nsite.<\/p>\n

HTTP Protection – This first line of protection ensures that all abnormal HTTP
\nrequests are detected. This line of defense eliminates a large number of
\nautomated and non targeted attacks as well as protects the web server itself.
\nCommon Web Attacks Protection Rules on the second level address the common web
\napplication security attack methods. These are the issues that can appear in
\nany web application. Some of the issues addressed are:<\/p>\n

– SQL Injection
\n– Cross-Site Scripting (XSS)
\n– OS Command execution
\n– Remote code inclusion
\n– LDAP Injection
\n– SSI Injection
\n– Information leak
\n– Buffer overflows
\n– File disclosure<\/p>\n

Automation Detection – Automated clients are both a security risk and a
\ncommercial risk. Automated crawlers collect information from your site, consume
\nbandwidth and might also search for vulnerabilities on the web site. Automation
\ndetection is especially useful for generic detection of comments spam.<\/p>\n

Trojan Protection – ModSecurity Core Rule Set detects access to back doors
\ninstalled on a web server. This feature is very important in a hosting
\nenvironment when some of this backdoors may be uploaded in a legitimate way and
\nused maliciously. In addition the Core Rule Set includes a hook for adding
\nan Anti-Virus program such as ClamAV for checking file uploads.<\/p>\n

Errors Hiding – If all fails, the Core Rule Set will detect errors sent by
\nthe web server. Detecting and blocking errors prevents attackers from
\ncollecting reconnaissance information about the web application and also server
\nas a last line of defense in case an attack was not detected eariler.<\/p>\n

Few Word of Caution
\n——————-<\/p>\n

As with every new technology, using the ModSecurity Core Rule Set requires some caution:<\/p>\n

– Every Rule Set can have false positive in new environments and any new
\ninstallation should initially use the log only Rule Set version or if no such
\nversion is available, set ModSecurity to Detection only using the SecRuleEngine
\nDetectionOnly command.<\/p>\n

After running ModSecurity in a detection only mode for a while review the evens
\ngenerated and decide if any modification to the rule set should be made before
\nmoving to protection mode.<\/p>\n

From the mod security manual:<\/p>\n

SecRuleEngine<\/p>\n

Description: Configures the rules engine.
\nSyntax: SecRuleEngine On|Off|DetectionOnly
\nExample Usage: SecRuleEngine On
\nProcessing Phase: Any
\nScope: Any
\nVersion: 2.0.0
\nDependencies\/Notes: This directive can also be controlled by the ctl action (ctl:ruleEngine=off) for per rule processing.
\nPossible values are:
\n* On – process rules.
\n* Off – do not process rules.
\n* DetectionOnly – process rules but never intercept transactions, even when rules are configured to do so.<\/p>\n

Mod Security Handling False Positives
\nMod security is now configured as detection only. For now, we keep it like this, closely monitoring the mod security logfiles for false positives. When we are sure there are no more false positives (or at least nothing our customers will notice) we can set the SecRuleEngine to On.<\/p>\n

This blog also explains how to deal with false positives: Handling False Positives
\nMod Security Troubleshooting<\/p>\n

Starting httpd2 (prefork) [Mon Jan 31 14:20:51 2011] [warn] worker http:\/\/10.10.12.20\/start already used by another worker
\n[Mon Jan 31 14:20:51 2011] [warn] worker http:\/\/10.10.12.20\/start already used by another worker
\nSyntax error on line 53 of \/etc\/apache2\/conf.d\/modsecurity\/modsecurity_crs_10_config.conf:
\nInvalid command ‘SecRuleEngine’, perhaps misspelled or defined by a module not included in the server configuration<\/p>\n

The command line was:
\n\/usr\/sbin\/httpd2-prefork -f \/etc\/apache2\/httpd.conf -DSSL<\/p>\n

‘Solution:’ The module mod_security is not enabled. Check for the module with the command ‘httpd2 -M’. If the module is really not there, add the module in \/etc\/sysconfig\/apache2.<\/p>\n

reverseproxy:\/var\/log\/apache2 # \/etc\/init.d\/apache2 restart
\n[Mon Jan 31 14:29:23 2011] [warn] worker http:\/\/10.10.12.20\/start already used by another worker
\n[Mon Jan 31 14:29:23 2011] [warn] worker http:\/\/10.10.12.20\/start already used by another worker
\nSyntax error on line 191 of \/etc\/apache2\/conf.d\/modsecurity\/modsecurity_crs_10_config.conf:
\nModSecurity: Failed to open the audit log file: \/srv\/www\/logs\/modsec_audit.log<\/p>\n

‘Solution:’ The directory specified for the logs does not exist. Create the directory with this command:<\/p>\n

reverseproxy:\/var\/log\/apache2 # mkdir -p \/srv\/www\/logs\/<\/p>\n

or change the location to \/var\/log\/apache2. Of course, the same message can be displayed for \/srv\/www\/logs\/modsec_debug.log.
\nTesting Mod Security
\nYou can test if mod security is running correctly by going to the index file of your website by ip-address and adding ‘?file=\/etc\/passwd’ to the url:<\/p>\n

https:\/\/10.10.10.20\/start\/index.html?file=\/etc\/passwd<\/p>\n

This will be noticed, and displayed in the log (not stopped, remember, we’re running in DetectionOnly mode):<\/p>\n

less modsec_debug.log<\/p>\n

[31\/Jan\/2011:15:46:31 +0100] [10.10.10.20\/sid#7f0c98cffdc8][rid#7f0c98feb488][\/start\/0100_NavigationPublic.html][2] Warning. Pattern match “^[\\d\\.]+$” at REQUEST_HEADERS:Host. [
\nfile “\/etc\/apache2\/conf.d\/modsecurity\/modsecurity_crs_21_protocol_anomalies.conf”] [line “60”] [id “960017”] [msg “Host header is a numeric IP address”] [severity “CRITICAL”] [ta
\ng “PROTOCOL_VIOLATION\/IP_HOST”]
\n[31\/Jan\/2011:15:46:42 +0100] [10.10.10.20\/sid#7f0c98cffdc8][rid#7f0c98fe2908][\/start\/index.html][2] Warning. Pattern match “^[\\d\\.]+$” at REQUEST_HEADERS:Host. [file “\/etc\/apach
\ne2\/conf.d\/modsecurity\/modsecurity_crs_21_protocol_anomalies.conf”] [line “60”] [id “960017”] [msg “Host header is a numeric IP address”] [severity “CRITICAL”] [tag “PROTOCOL_VIOL
\nATION\/IP_HOST”]
\n[31\/Jan\/2011:15:46:42 +0100] [10.10.10.20\/sid#7f0c98cffdc8][rid#7f0c98fe2908][\/start\/index.html][2] Warning. Pattern match “(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|glob
\nal\\.asa|httpd\\.conf|boot\\.ini)\\b|\\\/etc\\\/)” at ARGS:file. [file “\/etc\/apache2\/conf.d\/modsecurity\/modsecurity_crs_40_generic_attacks.conf”] [line “114”] [id “950005”] [msg “Remote
\nFile Access Attempt”] [data “\/etc\/”] [severity “CRITICAL”] [tag “WEB_ATTACK\/FILE_INJECTION”]
\n[31\/Jan\/2011:15:46:42 +0100] [10.10.10.20\/sid#7f0c98cffdc8][rid#7f0c98fe2908][\/start\/index.html][2] Warning. Pattern match “(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|
\nc)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:32)?\\.exe\\b|\\b\\W*?\\\/c)|d(?:\\b\\W*?[\\\\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\+.
\n{0,3}x))|[\\;\\|\\`]\\W*? …” at ARGS:file. [file “\/etc\/apache2\/conf.d\/modsecurity\/modsecurity_crs_40_generic_attacks.conf”] [line “133”] [id “950006”] [msg “System Command Injectio
\nn”] [data “\/passwd”] [severity “CRITICAL”] [tag “WEB_ATTACK\/COMMAND_INJECTION”]<\/p>\n

less modsec_audit.log:<\/p>\n

Message: Warning. Pattern match “^[\\d\\.]+$” at REQUEST_HEADERS:Host. [file “\/etc\/apache2\/conf.d\/modsecurity\/modsecurity_crs_21_protocol_anomalies.conf”] [line “60”] [id “960017”]
\n[msg “Host header is a numeric IP address”] [severity “CRITICAL”] [tag “PROTOCOL_VIOLATION\/IP_HOST”]
\nApache-Handler: proxy-server
\nStopwatch: 1296487473036980 19376 (997 2882 -)
\nProducer: ModSecurity for Apache\/2.5.6 (http:\/\/www.modsecurity.org\/); core ruleset\/1.6.1.
\nServer: Apache\/2.2.10 (Linux\/SUSE)<\/p>\n

Mod Security Resources<\/strong><\/p>\n

http:\/\/www.modsecurity.org\/
\nhttp:\/\/www.modsecurity.org\/documentation\/faq.html
\nhttp:\/\/www.modsecurity.org\/documentation\/modsecurity-apache\/2.5.12\/html-multipage\/introduction.html
\nInstall Modsecurity
\nInstall core rule set<\/p>\n

 <\/p>\n

MY SET OF RULES TO DEFEND THE WEB SERVER
\nSecFilterEngine On<\/p>\n

# Make sure that URL encoding is valid
\nSecFilterCheckURLEncoding On<\/p>\n

# Unicode encoding check
\nSecFilterCheckUnicodeEncoding On<\/p>\n

# Only allow bytes from this range
\nSecFilterForceByteRange 0 255<\/p>\n

# Only log actionable requests
\nSecAuditEngine RelevantOnly<\/p>\n

# The name of the audit log file
\nSecAuditLog \/var\/log\/apache2\/audit_log<\/p>\n

# Debug level set to a minimum
\nSecFilterDebugLog \/var\/log\/apache2\/modsec_debug_log
\nSecFilterDebugLevel 2<\/p>\n

# Should mod_security inspect POST payloads
\nSecFilterScanPOST On<\/p>\n

# By default log and deny suspicious requests
\n# with HTTP status 500
\nSecFilterDefaultAction “deny,log,status:500”<\/p>\n

# Add custom secfilter rules here<\/p>\n","protected":false},"excerpt":{"rendered":"

Mod Security <\/p>\n

Mod security has a default configuration file, and comes with a core rule set. The configuration works with include files which work for the modsecurity part like this:<\/p>\n

httpd.conf | |– default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests | […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/163"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=163"}],"version-history":[{"count":6,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/163\/revisions"}],"predecessor-version":[{"id":827,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/163\/revisions\/827"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}