Adventures with ModSecurity

I saw a reference to ModSecurity while reading the following article on Slashdot: Writing Hardened Web Applications?. It is a web application firewall (WAF) module for the Apache web server that inspects incoming requests and rejects the ones that look malicious. What follows are the trials and tribulations of installing it on Debian.

Note: The web server is restarted after each configuration change below.

  1. Find the package and install it on Debian: libapache-mod-security.
  2. The web server fails to restart with the following error: “(EAI 2)Name or service not known: mod_unique_id: unable to find IPv4 address”
  3. Figure out that an entry with the server’s IPv4 address and hostname needed to be added to /etc/hosts, because mod_unique_id resolves the hostname to an IPv4 address at startup.
  4. Configure ModSecurity using the example config files in /usr/share/doc/mod-security-common/examples/rules/.
  5. Get the following error: “Unable to retrieve collection (name “global”, key “global”). Use SecDataDir to define data directory first.”
  6. Set SecDataDir in modsecurity_crs_10_config.conf using the example from the reference manual. The same error repeats, this time due to directory permissions: the directory has to be writable by the user the web server runs as.
  7. Set SecDataDir to /tmp as a quick fix, and the server finally starts without complaining. (/tmp is world-writable, so a directory dedicated to ModSecurity and owned by the web server user is the better permanent choice.)
  8. While looking through one of the security rules, find a bug and retrieve the latest rule set (the OWASP Core Rule Set, CRS) from owasp.org.
  9. Configure the new rule set in modsecurity_crs_10_config.conf by following the instructions in INSTALL, and set SecRuleEngine DetectionOnly so that matching rules only log during testing instead of rejecting requests.
  10. Get the following error in modsecurity_crs_20_protocol_violations.conf: “Unknown variable REQBODY_ERROR”. The rule set is newer than the installed ModSecurity module, which does not know that variable.
  11. Comment out the 2 lines in modsecurity_crs_20_protocol_violations.conf that reference REQBODY_ERROR.
  12. Test using the following URL: “http://yourwebsite.com/test.vbs” and get a detection message in the web server error log.
  13. See the following error message from regular website traffic: “Rule execution error – PCRE limits exceeded (-8)”
  14. Determine that the following 2 lines needed to be added to modsecurity_crs_10_config.conf: “SecPcreMatchLimit 150000” and “SecPcreMatchLimitRecursion 150000”. These limits cap how much backtracking PCRE may do per match, which is what protects the server from pathological regular expressions, so raise them only as far as the rule set needs.
  15. See the following message from regular website traffic: “SQL injection attempts …”
  16. Determine that it was flagging legitimate requests (and would reject them once enforcement is on) that happened to have “div” in the URL or “2or” in the session cookie.
  17. Disable the SQL injection rule by removing the links in activated_rules/ with “rm *sql_injection*”. (This drops every SQL injection rule at once; a narrower fix is to keep the file and remove only the rule that misfired with SecRuleRemoveById, using the id= shown in the error log entry.)

After running in detection-only mode for a couple of days, set SecRuleEngine On so that matching requests are rejected rather than just logged.

Test with the following URL, which trips the remote file inclusion check, and make sure the request is rejected: “http://yourwebsite.com/?a=ftp://127.1.1.1”
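Pulling the settings from the steps above together, here is a local ModSecurity configuration file as an added example; it is not the author’s file. It assumes a Debian-style layout in which the file sits in /etc/apache2/conf.d/ and is read after mod_security2 is loaded, that the CRS was unpacked under /etc/modsecurity/crs/ with the activated_rules/ directory from its INSTALL instructions (adjust the Include to wherever yours lives), and that /var/cache/modsecurity has been created and chowned to the user Apache runs as (www-data on Debian). The rule id 950901 in the SecRuleRemoveById line is only illustrative; substitute the id= value shown in the error log entry for the rule that misfired.

```apache
# /etc/apache2/conf.d/modsecurity_local.conf   (example file; path assumed)
<IfModule security2_module>

    # Step 9: log matches only while tuning; change to On to reject requests.
    SecRuleEngine DetectionOnly

    # Steps 5-7: persistent collections (the "global" collection named in the
    # startup error) need a writable SecDataDir. Prefer a directory dedicated to
    # ModSecurity and owned by the web server user over world-writable /tmp:
    #   mkdir -p /var/cache/modsecurity
    #   chown www-data:www-data /var/cache/modsecurity
    #   chmod 0750 /var/cache/modsecurity
    SecDataDir /var/cache/modsecurity

    # Steps 13-14: the default of 1500 is what produced "PCRE limits exceeded (-8)"
    # on ordinary traffic. These limits bound regex backtracking, so raise them
    # only as far as the rule set needs rather than removing the protection.
    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000

    # Load the Core Rule Set (path assumed; this is the activated_rules/ directory
    # of symlinks created when following the CRS INSTALL instructions).
    Include /etc/modsecurity/crs/activated_rules/*.conf

    # Step 17, narrowed: instead of rm'ing every *sql_injection* rule, drop only
    # the rule that fired on "div" in the URL and "2or" in the cookie.
    # SecRuleRemoveById must come AFTER the Include that defines the rule, and
    # 950901 is a placeholder for the id= shown in the error log line.
    SecRuleRemoveById 950901

</IfModule>
```

Run apache2ctl configtest before each restart, and keep the error log open when flipping the engine from DetectionOnly to On. On ModSecurity 2.6 and later, SecRuleUpdateTargetById can exclude a single variable (for example the session cookie) from one rule, which is narrower still than removing the rule.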


Update: 8 Jan 2012

I wrote my own custom rule to catch attack attempts that request certain PHP page names, such as phpmyadmin.
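A rule of the kind described above, as an added example rather than the author’s own rule. The path list, the rule id 1000001 (picked outside the id ranges the CRS uses) and the 404 response are assumptions; the rule belongs in a file that is loaded after the CRS, such as a local configuration file.

```apache
# Block probes for phpMyAdmin-style admin paths. The lowercase and normalisePath
# transformations mean /phpMyAdmin/, /PMA/ and /./pma//index.php all hit the same
# lowercase pattern. Answering 404 rather than 403 gives the scanner the response
# an unprotected host without phpMyAdmin would give, so there is nothing for it
# to learn. The msg: text is what lands in the error log, which is what a log
# monitor keys on. (If you really host phpMyAdmin under one of these paths,
# remove that path from the list or the rule will lock you out too.)
SecRule REQUEST_FILENAME "^/(?:phpmyadmin[^/]*|pma\d*|myadmin|mysqladmin)(?:/|$)" \
    "phase:1,t:none,t:lowercase,t:normalisePath,deny,status:404,log,auditlog,id:'1000001',severity:'2',tag:'LOCAL/ADMIN_PROBE',msg:'Probe for phpMyAdmin-style admin path'"
```

With SecRuleEngine DetectionOnly the rule only writes the message to the error log, which is a safe way to confirm the pattern matches the probes you actually see before letting it deny.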

Then I implemented log-guardian to monitor the web server error log files for attack attempts and write a message to authfail, so that it blocks the IP address (drops it with an iptables rule) after 4 attack attempts.

30 thoughts on “Adventures with ModSecurity”

  1. Does your site have a contact page? I’m having trouble locating it but, I’d like to send you an email. I’ve got some creative ideas for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it grow over time.

  2. Greetings I am so thrilled I found your blog, I really found you by error, while I was researching on Google for something else, Regardless I am here now and would just like to say kudos for a incredible post and a all round enjoyable blog (I also love the theme/design), I don’t have time to read through it all at the minute but I have saved it and also added in your RSS feeds, so when I have time I will be back to read much more, Please do keep up the excellent work.

  3. Nice post. I learn something more challenging on different blogs everyday. It will always be stimulating to read content from other writers and practice a little something from their store. I’d prefer to use some with the content on my blog whether you don’t mind. Natually I’ll give you a link on your web blog. Thanks for sharing.

  4. Hey! This is my first visit to your blog! We are a group of volunteers and starting a new initiative in a community in the same niche. Your blog provided us valuable information to work on. You have done a marvellous job!

  5. Please let me know if you’re looking for a article writer for your blog. You have some really good articles and I believe I would be a good asset. If you ever want to take some of the load off, I’d love to write some material for your blog in exchange for a link back to mine. Please blast me an e-mail if interested. Kudos!

  6. Undeniably consider that that you stated. Your favourite reason seemed to be on the internet the easiest thing to consider of. I say to you, I certainly get irked at the same time as people think about worries that they just don’t recognise about. You controlled to hit the nail upon the top and also outlined out the entire thing without having side effect , folks could take a signal. Will likely be again to get more. Thanks

  7. It’s the best time to make some plans for the longer term and it is time to be happy. I’ve learn this put up and if I may I wish to recommend you some attention-grabbing things or advice. Maybe you can write next articles relating to this article. I wish to learn more things approximately it!

  8. I would like to thnkx for the efforts you have put in writing this blog. I am hoping the same high-grade blog post from you in the upcoming as well. In fact your creative writing abilities has inspired me to get my own blog now. Really the blogging is spreading its wings quickly. Your write up is a good example of it.

  9. I cling on to listening to the rumor talk about getting free online grant applications so I have been looking around for the best site to get one. Could you tell me please, where could i get some?

  10. Hello. I have checked your brucemyers.com and I see you’ve got some duplicate content, so probably it is the reason that you don’t rank high in Google. But you can fix this issue fast. There is a tool that rewrites articles like a human, just search in Google: miftolo’s tools

  11. Just had my first round of setting up modsecurity on Debian squeeze and it was quite different from what I’m used to (Arch and Gentoo).

    Had massive problems with false positives generated from the backend of WordPress Admin which kills some functionality. And discovered that creating a global exclude file and excluding /admin.php will resolve the issue. Excluding certain rules will not, since you will find yourself excluding the majority of the core rules :p. Not super happy about excluding /admin.php, however it is not accessible if you are not logged in and authenticated.
