{"id":2841,"date":"2014-04-13T15:40:29","date_gmt":"2014-04-13T15:40:29","guid":{"rendered":"http:\/\/blog.shineservers.com\/?p=2841"},"modified":"2014-04-13T15:40:29","modified_gmt":"2014-04-13T15:40:29","slug":"set-mod_security-apache-debianubuntu","status":"publish","type":"post","link":"https:\/\/www.shineservers.com\/2014\/04\/13\/set-mod_security-apache-debianubuntu\/","title":{"rendered":"How To Set Up mod_security with Apache on Debian\/Ubuntu"},"content":{"rendered":"

Installing mod_security<\/h2>\n
\n

Modsecurity is available in the Debian\/Ubuntu repository:<\/p>\n

apt-get install libapache2-modsecurity\n<\/code><\/pre>\n
Verify if the mod_security module was loaded.<\/p>\n
apachectl -M | grep --color security\n<\/code><\/pre>\n
You should see a module named\u00a0security2_module (shared)<\/code>\u00a0which indicates that the module was loaded.<\/p>\n
Modsecurity’s installation includes a recommended configuration file which has to be renamed:<\/p>\n
mv \/etc\/modsecurity\/modsecurity.conf{-recommended,}\n<\/code><\/pre>\n
Reload Apache<\/p>\n
service apache2 reload\n<\/code><\/pre>\n
You’ll find a new log file for mod_security in the Apache log directory:<\/p>\n
root@droplet:~# ls -l \/var\/log\/apache2\/modsec_audit.log\n-rw-r----- 1 root root 0 Oct 19 08:08 \/var\/log\/apache2\/modsec_audit.log\n<\/code><\/pre>\n
<\/div>\n
Configuring mod_security<\/h2>\n
\n
Out of the box, modsecurity doesn’t do anything as it needs rules to work. The default configuration file is set to\u00a0DetectionOnly\u00a0which logs requests according to rule matches and doesn’t block anything. This can be changed by editing the\u00a0modsecurity.conf<\/code>\u00a0file:<\/p>\n
nano \/etc\/modsecurity\/modsecurity.conf\n<\/code><\/pre>\n
Find this line<\/p>\n
SecRuleEngine DetectionOnly\n<\/code><\/pre>\n
and change it to:<\/p>\n
SecRuleEngine On\n<\/code><\/pre>\n
If you’re trying this out on a production server, change this directive only after testing all your rules.<\/p>\n
Another directive to modify is\u00a0SecResponseBodyAccess<\/code>. This configures whether response bodies are buffered (i.e. read by modsecurity). This is only neccessary if data leakage detection and protection is required. Therefore, leaving it\u00a0On<\/em>\u00a0will use up droplet resources and also increase the logfile size.<\/p>\n
Find this<\/p>\n
SecResponseBodyAccess On\n<\/code><\/pre>\n
and change it to:<\/p>\n
SecResponseBodyAccess Off\n<\/code><\/pre>\n
Now we’ll limit the maximum data that can be posted to your web application. Two directives configure these:<\/p>\n
SecRequestBodyLimit\nSecRequestBodyNoFilesLimit\n<\/code><\/pre>\n
The\u00a0SecRequestBodyLimit<\/code>\u00a0directive specifies the maximum POST data size. If anything larger is sent by a client the server will respond with a\u00a0413 Request Entity Too Large\u00a0error. If your web application doesn’t have any file uploads this value can be greatly reduced.<\/p>\n
The value mentioned in the configuration file is<\/p>\n
SecRequestBodyLimit 13107200\n<\/code><\/pre>\n
which is 12.5MB.<\/p>\n
Similar to this is the\u00a0SecRequestBodyNoFilesLimit<\/code>\u00a0directive. The only difference is that this directive limits the size of POST data minus file uploads– this value should be “as low as practical.”<\/p>\n
The value in the configuration file is<\/p>\n
SecRequestBodyNoFilesLimit 131072\n<\/code><\/pre>\n
which is 128KB.<\/p>\n
Along the lines of these directives is another one which affects server performance:\u00a0SecRequestBodyInMemoryLimit<\/code>. This directive is pretty much self-explanatory; it specifies how much of “request body” data (POSTed data) should be kept in the memory (RAM), anything more will be placed in the hard disk (just like\u00a0swapping). Since droplets use SSDs, this is not much of an issue; however, this can be set a decent value if you have RAM to spare.<\/p>\n
SecRequestBodyInMemoryLimit 131072\n<\/code><\/pre>\n
This is the value (128KB) specified in the configuration file.<\/p>\n
<\/div>\n
Testing SQL Injection<\/h2>\n
\n
Before going ahead with configuring rules, we will create a PHP script which is vulnerable to SQL injection and try it out. Please note that this is just a basic\u00a0PHP login script\u00a0with no session handling. Be sure to change the MySQL password in the script below so that it will connect to the database:<\/p>\n
\/var\/www\/login.php<\/code><\/p>\n
<html>\n<body>\n<?php\n    if(isset($_POST['login']))\n    {\n        $username = $_POST['username'];\n        $password = $_POST['password'];\n        $con = mysqli_connect('localhost','root','password','sample');\n        $result = mysqli_query($con, \"SELECT * FROM `users` WHERE username='$username' AND password='$password'\");\n        if(mysqli_num_rows($result) == 0)\n            echo 'Invalid username or password';\n        else\n            echo '<h1>Logged in<\/h1><p>A Secret for you....<\/p>';\n    }\n    else\n    {\n?>\n        <form action=\"\" method=\"post\">\n            Username: <input type=\"text\" name=\"username\"\/><br \/>\n            Password: <input type=\"password\" name=\"password\"\/><br \/>\n            <input type=\"submit\" name=\"login\" value=\"Login\"\/>\n        <\/form>\n<?php\n    }\n?>\n<\/body>\n<\/html>\n<\/code><\/pre>\n
This script will display a login form. Entering the right credentials will display a message “A Secret for you.”<\/p>\n
We need credentials in the database. Create a MySQL database and a table, then insert usernames and passwords.<\/p>\n
mysql -u root -p\n<\/code><\/pre>\n
This will take you to the\u00a0mysql><\/code>\u00a0prompt<\/p>\n
create database sample;\nconnect sample;\ncreate table users(username VARCHAR(100),password VARCHAR(100));\ninsert into users values('jesin','pwd');\ninsert into users values('alice','secret');\nquit;\n<\/code><\/pre>\n
Open your browser, navigate to\u00a0http:\/\/yourwebsite.com\/login.php<\/code>\u00a0and enter the right pair of credentials.<\/p>\n
Username: jesin\nPassword: pwd\n<\/code><\/pre>\n
You’ll see a message that indicates successful login. Now come back and enter a wrong pair of credentials– you’ll see the message\u00a0Invalid username or password.<\/p>\n
We can confirm that the script works right. The next job is to try our hand with SQL injection to bypass the login page. Enter the following for the\u00a0usernamefield:<\/p>\n
' or true -- \n<\/code><\/pre>\n
Note that there should be a space after\u00a0--<\/code>\u00a0this injection won’t work without that space. Leave the\u00a0password\u00a0field empty and hit the login button.<\/p>\n
Voila! The script shows the message meant for authenticated users.<\/p>\n
<\/div>\n
Setting Up Rules<\/h2>\n
\n
To make your life easier, there are a lot of rules which are already installed along with mod_security. These are called CRS (Core Rule Set) and are located in<\/p>\n
root@droplet:~# ls -l \/usr\/share\/modsecurity-crs\/\ntotal 40\ndrwxr-xr-x 2 root root  4096 Oct 20 09:45 activated_rules\ndrwxr-xr-x 2 root root  4096 Oct 20 09:45 base_rules\ndrwxr-xr-x 2 root root  4096 Oct 20 09:45 experimental_rules\ndrwxr-xr-x 2 root root  4096 Oct 20 09:45 lua\n-rw-r--r-- 1 root root 13544 Jul  2  2012 modsecurity_crs_10_setup.conf\ndrwxr-xr-x 2 root root  4096 Oct 20 09:45 optional_rules\ndrwxr-xr-x 3 root root  4096 Oct 20 09:45 util\n<\/code><\/pre>\n
The documentation is available at<\/p>\n
root@droplet1:~# ls -l \/usr\/share\/doc\/modsecurity-crs\/\ntotal 40\n-rw-r--r-- 1 root root   469 Jul  2  2012 changelog.Debian.gz\n-rw-r--r-- 1 root root 12387 Jun 18  2012 changelog.gz\n-rw-r--r-- 1 root root  1297 Jul  2  2012 copyright\ndrwxr-xr-x 3 root root  4096 Oct 20 09:45 examples\n-rw-r--r-- 1 root root  1138 Mar 16  2012 README.Debian\n-rw-r--r-- 1 root root  6495 Mar 16  2012 README.gz\n<\/code><\/pre>\n
To load these rules, we need to tell Apache to look into these directories. Edit the\u00a0mod-security.conf<\/code>\u00a0file.<\/p>\n
nano \/etc\/apache2\/mods-enabled\/mod-security.conf\n<\/code><\/pre>\n
Add the following directives inside\u00a0<IfModule security2_module> <\/IfModule><\/code>:<\/p>\n
Include \"\/usr\/share\/modsecurity-crs\/*.conf\"\nInclude \"\/usr\/share\/modsecurity-crs\/activated_rules\/*.conf\"\n<\/code><\/pre>\n
The\u00a0activated_rules<\/code>\u00a0directory is similar to Apache’s\u00a0mods-enabled<\/code>\u00a0directory. The rules are available in directories:<\/p>\n
\/usr\/share\/modsecurity-crs\/base_rules\n\/usr\/share\/modsecurity-crs\/optional_rules\n\/usr\/share\/modsecurity-crs\/experimental_rules\n<\/code><\/pre>\n
Symlinks must be created inside the\u00a0activated_rules<\/code>\u00a0directory to activate these. Let us activate the SQL injection rules.<\/p>\n
cd \/usr\/share\/modsecurity-crs\/activated_rules\/\nln -s \/usr\/share\/modsecurity-crs\/base_rules\/modsecurity_crs_41_sql_injection_attacks.conf .\n<\/code><\/pre>\n
Apache has to be reloaded for the rules to take effect.<\/p>\n
service apache2 reload\n<\/code><\/pre>\n
Now open the login page we created earlier and try using the SQL injection query on the username field. If you had changed the\u00a0SecRuleEngine<\/code>\u00a0directive toOn, you’ll see a\u00a0403 Forbidden\u00a0error. If it was left to the\u00a0DetectionOnly\u00a0option, the injection will be successful but the attempt would be logged in the\u00a0modsec_audit.log<\/code>\u00a0file.<\/p>\n
<\/div>\n
Writing Your Own mod_security Rules<\/h2>\n
\n
In this section, we’ll create a rule chain which blocks the request if certain “spammy” words are entered in a HTML form. First, we’ll create a PHP script which gets the input from a textbox and displays it back to the user.<\/p>\n
\/var\/www\/form.php<\/code><\/p>\n
<html>\n    <body>\n        <?php\n            if(isset($_POST['data']))\n                echo $_POST['data'];\n            else\n            {\n        ?>\n                <form method=\"post\" action=\"\">\n                        Enter something here:<textarea name=\"data\"><\/textarea>\n                        <input type=\"submit\"\/>\n                <\/form>\n        <?php\n            }\n        ?>\n    <\/body>\n<\/html>\n<\/code><\/pre>\n
Custom rules can be added to any of the configuration files or placed in modsecurity directories. We’ll place our rules in a separate new file.<\/p>\n
nano \/etc\/modsecurity\/modsecurity_custom_rules.conf\n<\/code><\/pre>\n
Add the following to this file:<\/p>\n
SecRule REQUEST_FILENAME \"form.php\" \"id:'400001',chain,deny,log,msg:'Spam detected'\"\nSecRule REQUEST_METHOD \"POST\" chain\nSecRule REQUEST_BODY \"@rx (?i:(pills|insurance|rolex))\"\n<\/code><\/pre>\n
Save the file and reload Apache. Open\u00a0http:\/\/yourwebsite.com\/form.php<\/code>\u00a0in the browser and enter text containing any of these words: pills, insurance, rolex.<\/p>\n
You’ll either see a 403 page and a log entry or only a log entry based on\u00a0SecRuleEngine<\/code>\u00a0setting. The syntax for\u00a0SecRule\u00a0is<\/p>\n
SecRule VARIABLES OPERATOR [ACTIONS]\n<\/code><\/pre>\n
Here we used the\u00a0chain\u00a0action to match variables\u00a0REQUEST_FILENAME\u00a0withform.php,\u00a0REQUEST_METHOD\u00a0with\u00a0POST\u00a0and\u00a0REQUEST_BODY\u00a0with the regular expression (@rx) string\u00a0(pills|insurance|rolex). The\u00a0?i:\u00a0does a case insensitive match. On a successful match of all these three rules, the\u00a0ACTION<\/em>is to\u00a0deny\u00a0and\u00a0log\u00a0with the msg “Spam detected.” The\u00a0chain<\/em>\u00a0action simulates the logical AND to match all the three rules.<\/p>\n
<\/div>\n
Excluding Hosts and Directories<\/h2>\n
\n
Sometimes it makes sense to exclude a particular directory or a domain name if it is running an application like\u00a0phpMyAdmin\u00a0as modsecurity and will block SQL queries. It is also better to exclude admin backends of CMS applications like WordPress.<\/p>\n
To disable modsecurity for a complete VirtualHost place the following<\/p>\n
<IfModule security2_module>\n    SecRuleEngine Off\n<\/IfModule>\n<\/code><\/pre>\n
inside the\u00a0<VirtualHost><\/code>\u00a0section.<\/p>\n
For a particular directory:<\/p>\n
<Directory \"\/var\/www\/wp-admin\">\n    <IfModule security2_module>\n        SecRuleEngine Off\n    <\/IfModule>\n<\/Directory>\n<\/code><\/pre>\n
If you don’t want to completely disable modsecurity, use the\u00a0SecRuleRemoveById<\/code>\u00a0directive to remove a particular rule or rule chain by specifying its ID.<\/p>\n
<LocationMatch \"\/wp-admin\/update.php\">\n    <IfModule security2_module>\n        SecRuleRemoveById 981173\n    <\/IfModule>\n<\/LocationMatch>\n<\/code><\/pre>\n
<\/div>\n
Further Reading<\/h2>\n
\n
Official modsecurity documentationhttps:\/\/github.com\/SpiderLabs\/ModSecurity\/wiki\/Reference-Manual<\/a><\/p>\n
 <\/p>\n
 <\/p>\n
Related articles across the web<\/h3>\n