Monday 24 February 2014

ModSecurity with Apache






ModSecurity is a free, open source web application firewall (WAF) that runs as an Apache module.
Its rich feature set, strong community and optional commercial support make it a must for any
production Apache web server that serves non-static content and needs auditing.

ModSecurity's primary function is to offer reliable protection against web threats.
It does not move responsibility for security away from the application; it adds a layer of controls in front of every application on the server.
You configure it with rules, each a condition plus one or more actions, that can inspect every part of the exchange
between client and server: request headers, request body, response headers and response body.
ModSecurity can therefore stop attacks aimed at the web server itself, at interpreters such as PHP, Perl and ASP, and at the web applications behind them.

ModSecurity can mitigate zero-day attacks and protect against vulnerabilities before a vendor patch is available,
as it did with rules for the Apache Range header DoS (CVE-2011-3192) and the Java floating-point parsing DoS (CVE-2010-4476).

Because it inspects the complete communication flow, ModSecurity can also record it, which makes it
useful for auditing and troubleshooting. Full logging adds overhead to the web server, so it is usually
enabled only while a problem is being debugged. Some organizations with a strong emphasis on security
nevertheless keep full logging (and reviewing) on as a matter of policy.

Once a rule matches, ModSecurity can take a range of actions.
Disruptive actions end the transaction (deny, drop, redirect); non-disruptive ones log, set variables or change what later rules see.
The exec action runs an external program, as the httpd user, whenever a rule matches, which extends
ModSecurity with whatever the host can do. Rules can be chained so that several conditions must all hold before an action fires.
Its persistent collections (initcol, setvar, expirevar) let you count requests per client, so they can stand in for mod_evasive to throttle excessive request rates and simple DoS floods.
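The following is an added example, not code from the original post or from the ModSecurity project: a local rules file, in ModSecurity 2.7 syntax, that exercises each of the features just described (persistent-collection rate limiting, a chained rule, and exec). The rule ids (1000001 and up), the thresholds, the network ranges and the script path are assumptions to adjust for your site; include the file after the CRS Include lines in httpd.conf.

```apache
# Added example, not code from the original post or from the ModSecurity
# project. Local rules in ModSecurity 2.7 syntax (every rule needs an id in
# 2.7+). The ids (1000001+), thresholds, network ranges and script path are
# assumptions. Include this file after the CRS Include lines in httpd.conf.

# --- Persistent collections as a mod_evasive substitute ---------------------
# Open (or create, on first sight) a collection keyed on the client address.
# It is stored in SecDataDir, so it survives across requests and httpd children.
SecAction "id:1000001,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# An address already flagged as flooding is refused outright. nolog: one line
# was logged when the flag was set; logging every refused request would let
# the flooder fill the error log.
SecRule IP:BLOCK "@eq 1" \
    "id:1000002,phase:1,deny,status:503,nolog"

# Count requests. expirevar is re-armed on every request, so the counter is
# dropped once the address has been quiet for 60 s.
SecAction "id:1000003,phase:1,nolog,pass,setvar:ip.requests=+1,expirevar:ip.requests=60"

# More than 100 requests inside that window: deny this one, log it once, and
# flag the address for 5 minutes. 503 rather than 429 because Apache 2.2 does
# not know 429 and would report it as a 500.
SecRule IP:REQUESTS "@gt 100" \
    "id:1000004,phase:1,deny,status:503,log,msg:'Request flood from %{REMOTE_ADDR}',setvar:ip.block=1,expirevar:ip.block=300"

# --- Chained rule: all links must match before the first rule's action fires -
# Block /admin unless the client is on an internal network. The disruptive
# action, id, log and msg live on the first rule of the chain; the second link
# carries only its condition. @ipMatch (2.7+) accepts a list of CIDR ranges.
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:1000005,phase:1,deny,status:403,log,msg:'/admin requested from outside the LAN',chain"
    SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8,192.168.0.0/16"

# --- exec: hand a match to an external program -----------------------------
# exec is non-disruptive: the request continues (pass) while the program runs
# as the httpd user during request processing, so keep it cheap and have it
# background anything slow. Here it fires on a well-known scanner user agent.
SecRule REQUEST_HEADERS:User-Agent "@contains sqlmap" \
    "id:1000006,phase:1,pass,log,msg:'Known scanner user agent',exec:/usr/local/sbin/modsec-alert.sh"
```

Test the flood rules with a loop of requests from one client: the 101st within the window gets a 503 and a single "Request flood" line in the error log, and everything from that address is refused for the next five minutes. Check the syntax with apachectl -t before restarting; a bad action list is reported with the file and line.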







Install & Compile ModSecurity 2.7.2 with Apache 2.2.25

----------------------------------------------------------------------------------------
1) Stop unwanted services and settings
----------------------------------------------------------------------------------------
# /etc/init.d/NetworkManager stop
# chkconfig NetworkManager off


Note: make sure the network is configured statically first (IP address, netmask, gateway, DNS), since NetworkManager will no longer manage it.

# vi /etc/sysconfig/selinux
SELINUX=disabled

Note: the post disables SELinux so that an Apache built under /opt runs without any file-context work. That removes a host-level control for every process on the machine, not only httpd, and the setting only takes effect after a reboot (setenforce 0 switches to permissive immediately). If you would rather keep SELinux, use SELINUX=permissive while setting up, watch /var/log/audit/audit.log for AVC denials caused by the new prefix, give those files the httpd contexts, and then return to enforcing.

----------------------------------------------------------------------------------------
2) Open the necessary ports in iptables (allow port 80)
----------------------------------------------------------------------------------------
# vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# /etc/init.d/iptables restart
# chkconfig iptables on

Note: the ACCEPT line must come before the final REJECT/DROP rule of the INPUT chain, or it is never reached. Add an identical line for --dport 443 if you use the SSL support built into Apache in step 5.


----------------------------------------------------------------------------------------------------
3) Install dependencies for Apache + ModSecurity
----------------------------------------------------------------------------------------------------
# yum install gcc zlib zlib-devel openssl openssl-devel pcre pcre-devel apr apr-devel \
      libxml2 libxml2-devel expat expat-devel curl curl-devel

Note: the -devel packages supply the headers that ModSecurity's configure script looks for (PCRE, libxml2 and curl are required). Step 7 loads liblua-5.1.so, which is only needed if ModSecurity is built with Lua support; for that, install lua and lua-devel here as well, otherwise drop that LoadFile line in step 7.

Note: Apache must be compiled with --enable-unique-id (ModSecurity requires mod_unique_id and uses its UNIQUE_ID to correlate audit log entries with the error log) and, as done below, --with-included-apr.


-------------------------------------------------------------------------------
4) Compile APR & APR-util
-------------------------------------------------------------------------------
Note: the Apache configure line in step 5 uses --with-included-apr, which builds the APR and APR-util copies bundled in httpd-2.2.25/srclib and ignores whatever is installed in /usr/local/apr. So this step is only needed if you drop --with-included-apr and pass --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr to Apache's configure instead, or if you copy these newer sources over srclib/apr and srclib/apr-util before building Apache. Either way, ModSecurity in step 6 is pointed at the apr-1-config and apu-1-config that the Apache build installs, so it links against the same APR as httpd. Return to the download directory (/softwares) before step 5.

# APR

# wget http://mirrors.axint.net/apache//apr/apr-1.4.6.tar.gz
# tar -xvzf apr-1.4.6.tar.gz
# cd apr-1.4.6/
# ./configure
# make
# make install
# cd ..


Note: if the build fails with

rm: cannot remove `libtoolT': No such file or directory

edit the configure script (here /softwares/apr-1.4.6/configure) and change the line

    $RM "$cfgfile"
      to
    $RM -f "$cfgfile"

then re-run ./configure and make. apr 1.4.6's configure trips over newer libtool versions; the -f makes the rm harmless when the file does not exist.


# APR-util

# wget http://mirrors.axint.net/apache//apr/apr-util-1.4.1.tar.gz
# tar -xvzf apr-util-1.4.1.tar.gz
# cd apr-util-1.4.1
# ./configure --with-apr=/usr/local/apr
# make
# make install


----------------------------------------------------------------------------------------------------
5) Install Apache+Modsecurity (bk_waf)
----------------------------------------------------------------------------------------------------

Stop the distribution's Apache, if one is installed, so it does not hold port 80
# /etc/init.d/httpd stop
# chkconfig httpd off


Download Apache (from the download directory, /softwares in this post)
# wget http://archive.apache.org/dist/httpd/httpd-2.2.25.tar.gz

Extract the tarball
# tar -zxvf httpd-2.2.25.tar.gz
# cd httpd-2.2.25

# ./configure --prefix=/opt/apache80_waf1 --enable-mods-shared=all --enable-so --enable-cgi --enable-proxy --enable-headers --enable-expires --enable-vhost-alias --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-unique-id --with-included-apr
# make
# make install




## Edit the Apache config file, check the following directives and set them as below ##

# vi /opt/apache80_waf1/conf/httpd.conf
Listen 80
User apache
Group apache

# Optional parameters
ServerName waf.your-server-hostname.com
ServerAdmin admin@your-server-hostname.com

Note: the apache user and group must exist. They do if the distribution's httpd package was installed (as the stop command above assumes); otherwise create a system account named apache with no login shell before starting the server.


#### Start Apache with the following command (run apachectl -t first to check the configuration syntax)
# /opt/apache80_waf1/bin/apachectl -k restart


#### Go back to the download directory and delete the extracted source tree
# cd ..
# rm -rf /softwares/httpd-2.2.25





----------------------------------------------------------------------------------------------------
6) Install modsecurity
----------------------------------------------------------------------------------------------------
Go to the download directory and download ModSecurity
# cd /softwares
# wget http://www.modsecurity.org/tarball/2.7.2/modsecurity-apache_2.7.2.tar.gz


Extract ModSecurity
# tar -zxvf modsecurity-apache_2.7.2.tar.gz
# cd modsecurity-apache_2.7.2

Compile ModSecurity against the Apache just built (apxs, apr-1-config and apu-1-config from /opt/apache80_waf1 make it link against the same APR and module ABI as that httpd)
# ./configure --with-apxs=/opt/apache80_waf1/bin/apxs --with-apr=/opt/apache80_waf1/bin/apr-1-config --with-apu=/opt/apache80_waf1/bin/apu-1-config
# make
# make CFLAGS=-DMSC_TEST test

Note: if all tests pass, run the command below. Before deleting the source tree, also copy modsecurity.conf-recommended and unicode.mapping from it into /opt/apache80_waf1/conf/: the first holds the body-limit, temp-directory and audit-log settings that step 7 does not set, the second is the Unicode mapping file it references.
# make install
#### Go back to the download directory and delete the extracted source tree
# cd ..
# rm -rf /softwares/modsecurity-apache_2.7.2

----------------------------------------------------------------------------------------------------
7) Download and Install ModSecurity Rules
----------------------------------------------------------------------------------------------------
Go to the download directory and download the OWASP ModSecurity Core Rule Set (CRS)
# cd /softwares
# wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/modsecurity-crs_2.2.5.tar.gz/aaeaa1124e8efc39eeb064fb47cfc0aa/modsecurity-crs_2.2.5.tar.gz

Extract the rules and install them as follows

# tar -zxvf modsecurity-crs_2.2.5.tar.gz
# mv modsecurity-crs_2.2.5 /opt/modsecurity-rules
# cd /opt/modsecurity-rules
# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf


Edit the Apache config file and add the following directives exactly as shown.

# vi /opt/apache80_waf1/conf/httpd.conf

LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so

Note: the two LoadFile lines pre-load the shared libraries that mod_security2.so depends on so its symbols resolve at startup. Keep the liblua line only if ModSecurity was built with Lua support (lua-devel present in step 3); httpd refuses to start if the file does not exist. On 32-bit systems the libraries live under /usr/lib.

<IfModule mod_security2.c>
            SecPcreMatchLimit 1000000
            SecPcreMatchLimitRecursion 1000000
            SecDataDir logs/
</IfModule>

            AddDefaultCharset UTF-8
   
            <IfModule mod_security2.c>
                    Include /opt/modsecurity-rules/modsecurity_crs_10_setup.conf
                    Include /opt/modsecurity-rules/base_rules/*.conf
   
                    SecRuleEngine On
                    SecRequestBodyAccess On
                    SecResponseBodyAccess On
            </IfModule>

Note: the original fragment also carried a "ServerName *" line; it is dropped here because ServerName was already set in step 5 and "*" is not a valid host name. SecDataDir is relative to ServerRoot, i.e. /opt/apache80_waf1/logs/, and must be writable by the apache user because persistent collections are stored there. The setup file must be included before base_rules/*.conf, since it defines the TX variables and SecDefaultAction the rules rely on. SecRuleEngine On blocks immediately; on a server with real traffic, start with SecRuleEngine DetectionOnly, review the error log for false positives, and only then switch to On.


#### Start Apache With Following Command

#/opt/apache80_waf1/bin/apachectl -k restart


> Verify security2_module is loaded using following command
#/opt/apache80_waf1/bin/httpd -M |  grep security2_module
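The fragment in step 7 turns the engine on with the CRS loaded but sets no body limits, no temp or data directory and no audit log, so a blocked request leaves nothing but the single error-log line shown in step 10. What follows is an added example, not from the original post: a fuller configuration modelled on the modsecurity.conf-recommended file that ships in the ModSecurity 2.7.2 tarball, adapted to the /opt/apache80_waf1 prefix used here. The log, tmp and data paths are assumptions, and those directories must exist and be writable by the apache user. It replaces the second <IfModule mod_security2.c> block of step 7.

```apache
# Added example, not from the original post; modelled on the 2.7.2 tarball's
# modsecurity.conf-recommended. Paths under /opt/apache80_waf1 are assumptions.
<IfModule mod_security2.c>
    # DetectionOnly evaluates and logs every rule but blocks nothing. Switch to
    # On once the error log has been quiet on real traffic for a few days.
    # (The 403s expected in steps 8 and 10 only appear with SecRuleEngine On.)
    SecRuleEngine DetectionOnly

    # Request bodies: inspect them, but bound what is buffered. Bodies over
    # 12.5 MB are rejected; non-file data over 128 KB is rejected; at most
    # 128 KB is held in memory before spooling to SecTmpDir.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    SecRequestBodyInMemoryLimit 131072
    SecRequestBodyLimitAction Reject

    # Response bodies: only text types, and only the first 512 KB of each.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial

    # Spool files and persistent collections. Absolute paths, writable by the
    # User/Group httpd runs as (apache in step 5).
    SecTmpDir  /opt/apache80_waf1/tmp
    SecDataDir /opt/apache80_waf1/data

    # Audit log: the full transaction for anything that matched a rule or
    # ended in a 5xx or 4xx other than 404. Letters select the parts recorded
    # (A header, B request headers, I request body with uploads stripped,
    # F response headers, H trailer with the matched rules, Z end marker).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /opt/apache80_waf1/logs/modsec_audit.log

    # Debug log: level 3 is enough for production; 9 only while chasing a rule.
    SecDebugLog /opt/apache80_waf1/logs/modsec_debug.log
    SecDebugLogLevel 3

    # Mapping used by the urlDecodeUni transformation; the file comes from the
    # ModSecurity tarball (copied to conf/ in step 6).
    SecUnicodeMapFile /opt/apache80_waf1/conf/unicode.mapping 20127

    # Regex engine limits from step 7, then the CRS: setup first, rules second.
    SecPcreMatchLimit 1000000
    SecPcreMatchLimitRecursion 1000000
    Include /opt/modsecurity-rules/modsecurity_crs_10_setup.conf
    Include /opt/modsecurity-rules/base_rules/*.conf

    # Local rules and CRS exclusions go after the CRS so they can refer to its ids.
    Include /opt/apache80_waf1/conf/modsecurity_local.conf
</IfModule>
```

With this in place the error-log line from step 10 is only the summary; the matching entry in modsec_audit.log (found by its unique_id) carries the full request that tripped the rule, which is what you need to decide whether a hit is an attack or a false positive.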


----------------------------------------------------------------------------------------------------
8) Verify that mod_security filters Apache traffic
----------------------------------------------------------------------------------------------------
Note 1:
> The block described here comes from the CRS, not from ModSecurity itself: rule 960017 in base_rules/modsecurity_crs_21_protocol_anomalies.conf rejects requests whose Host header is a bare IP address ("Host header is a numeric IP address").
> So browse to the site by IP address rather than by host name; you should get an "Access denied with code 403" page, and the Apache error log should show a matching ModSecurity line with id 960017.



----------------------------------------------------------------------------------------------------
9) Customize mod_security rules
----------------------------------------------------------------------------------------------------
Note 1:
> Customize the mod_security rules to your needs. The commands below keep only the XSS rule file so that the test in step 10 exercises a single, known rule. This is a test setup, not a production configuration: emptying base_rules removes every other protection the CRS provides (protocol checks, SQL injection, remote file inclusion, scanner detection). Restore base_rules from the backup once the test is done, and handle false positives in production with rule exclusions rather than by deleting rule files. Rules are read at startup, so restart Apache after every change to the rule set.

# cd /opt/modsecurity-rules
# cp -r base_rules base_rules_backup
# rm -rf base_rules/*
# cp base_rules_backup/modsecurity_crs_41_xss_attacks.conf   base_rules/


----------------------------------------------------------------------------------------------------
10) Test with the mod_security XSS attack rules
----------------------------------------------------------------------------------------------------

> Request the following XSS sample. The browser percent-encodes the angle brackets, but ModSecurity decodes the query string into ARGS before matching, so the rule still fires. Because the protocol-anomaly rules were removed in step 9, the numeric Host header from step 8 no longer blocks the request and only the XSS rule is in play:

http://IP_ADDRESS/index.html?user=<script>alert(123)</script>





#Check Apache Error & Access Logs.


> You will see Forbidden error in apache error logs for xss attack as follows

[Mon Dec 02 00:37:37 2013] [error] [client 192.168.1.100] ModSecurity: Access
denied with code 403 (phase 2). Pattern match "\\\\balert\\\\b\\\\W*?\\\\(" at
ARGS:user. [file "/opt/modsecurity-rules/base_rules/modsecurity_crs_41_xss_attacks.
conf"] [line "148"] [id "958052"] [rev "2.2.5"] [msg "Cross-site Scripting (XSS)
Attack"] [data "alert("] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [tag
"WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A2"] [tag
"OWASP_AppSensor/IE1"] [tag "PCI/6.5.1"] [hostname "192.168.1.1"] [uri
"/index.html"] [unique_id "UpuI@X8AAAEAAGwWFGsAAAAB"]





> If you comment out rule 958052 in /opt/modsecurity-rules/base_rules/modsecurity_crs_41_xss_attacks.conf and restart Apache,
http://IP_ADDRESS/index.html?user=<script>alert(123)</script> is served without error. Editing the CRS file is the quick way to prove the point, but the change is lost on the next CRS upgrade; in production, disable or narrow a rule from your own configuration with SecRuleRemoveById or SecRuleUpdateTargetById placed after the CRS Include lines.
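As an added example, not from the original post, here are three ways to tune rule 958052 from your own configuration instead of editing the CRS file. The directives refer to a rule that must already be defined, so they go after the two CRS Include lines (for instance in a local rules file included there). The parameter name "comment" and the path /search are assumptions.

```apache
# Added example, not from the original post. Tuning CRS rule 958052 (the XSS
# "alert(" pattern tripped above) without touching the CRS files. Must come
# AFTER the CRS Include lines. "comment" and /search are assumptions.
# Options 2 and 3 can coexist; option 1 makes them pointless, so it is shown
# commented out.

# 1. Disable the rule everywhere. Same effect as commenting it out in the CRS
#    file, but it survives a CRS upgrade because the CRS files stay pristine.
# SecRuleRemoveById 958052

# 2. Keep the rule, but stop it inspecting one parameter that legitimately
#    carries script-like text (a code-snippet field, say). Every other
#    parameter, header and cookie is still checked by this rule.
SecRuleUpdateTargetById 958052 !ARGS:comment

# 3. Keep the rule, but switch it off for requests to one application path.
#    ctl: is evaluated per request, so the exclusion is scoped to that URI
#    and nothing else. t:none stops the default transformations being applied
#    to REQUEST_URI before the prefix test.
SecRule REQUEST_URI "@beginsWith /search" \
    "id:1000010,phase:1,t:none,nolog,pass,ctl:ruleRemoveById=958052"
```

Prefer the narrowest exclusion that clears the false positive: option 2 or 3 leaves the rule active for every other parameter and path, whereas option 1 (and commenting out the rule) removes the check from the whole server.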
