Thursday, January 13, 2011

mod_security, apache httpd, glassfish - Part 4

Part 4, mod_sec install.

One dependency that I missed downloading earlier was libXML2.  This is a dependency for mod_security.  If you wish, you can also install lua and curl.  Lua is needed if you plan to write your own rules and want to use the new lua engine.  I'm not really planning on writing rules, the base rules are pretty good.  As for curl, it is only needed if you want to send logs to a central repo like loglogics.  Since I don't have that kind of infrastructure setup, I won't worry about that in these posts.  If you wish to install those, simple follow the install instructions and then edit the configure to point to the locations in which you have installed the dependencies.

For now, navigate over to and download libXML2.

./configure --prefix=/path/to/deps/ --enable-shared 

Now we can install mod_security

CC="gcc -m64" ./configure --prefix=/path/to/deps/ --with apxs=/path/to/httpd/bin/apxs --with-pcre=/path/to/deps/bin/pcre-config --with-apr=/path/to/deps/bin/apr-1-config --with-apu=/path/to/deps/bin/apu-1-config --with-libxml=/path/to/deps/bin/xml2-config

When you untared the mod_security files, there was a rules directory.  We are going to copy that directory to /path/to/httpd/conf/rules.  Next, you are going to copy the modsecurity_crs_10_config.conf.example to the same file name minus the example part.  The purpose of this series of articles is not to go through an indepth setup of mod_security.  Just enough to get it working.  You are going to go into the file you just copied and make the following change.

# Review your SecRuleEngine settings.  If you want to
# allow blocking, then set it to On however check your SecDefaultAction setting
# to ensure that it is set appropriately.
#SecRuleEngine DetectionOnly 
SecRuleEngine On

This is basically going to turn the rules engine on.  You may want to put it on detection only if you are testing a legacy app.  We are going to create another file by the name of modsecurity_crs_10_global_config.conf.  In this file, we are going to basically setup some more mod_security rules.

SecServerSignature "Microsoft-IIS/6.0"
SecDebugLog /cardlock/httpd/logs/modsec_debug.log 
SecDebugLogLevel 3 

Basically this just sets the server to identify itself as IIS 6.  This is a little "security through obscurity".  Hopefully a few script kiddies will get deterred by this.

We need to add the following to our httpd.conf
<ifmodule security2_module>
 Include conf/rules/modsecurity_crs_10_global_config.conf

We need to now actually apply these rules to our site that we have just created.  In our site.conf, we should add the following.

Include conf/rules/modsecurity_crs_10_config.conf
Include conf/rules/base_rules/*.conf
Include conf/rules/optional_rules/*.conf

When you startup your httpd now, you may get some "syntax" errors inside the mod_security configuration files. I just go in an delete/comment out the line in question. This is obviously okay if you are not using the technology the line pertains to. For example, you can probably safely comment out any php rules if you are not using php in your website. One in particular is about a data file missing for comment spam. You can go and get it (say google) or you can just deal with the line that is causing the issue.

After you startup apache, you will notice that the modsec_debug.log is getting populated. Feel free to test out mod_security. You can either use a tool like w3af, or just try putting sql injection as a parameter. You should see mod_security block it.