mod_security: Building an Application Firewall

by Mike on April 26, 2009

in Web Server

You have built a rock solid firewall, tested it with nmap scanning for open ports, locked down SSH with port knocking, restricted outgoing ports with iptables, set up psad to block attacks, and tcp_wrappers to limit access, so you are set, right? Well, not exactly. In fact, you may be dead in the water. That new Joomla site that you are so proud of is toast today, and you cannot figure out why it got cracked.

Unfortunately, the increasing number of attacks at the HTTP layer has exposed your site to the SQL injection that brought it down. The typical defense mechanisms used today work at the TCP/IP level and cannot inspect what is happening at the HTTP level. The solution: build a reverse proxy with mod_security, or use mod_security on your existing web server to protect your site from attacks at the HTTP level.

Installation from Source
Point your browser to http://www.modsecurity.org/download/index.html and download the current version of ModSecurity. Once you have downloaded it to your server, move it to the /usr directory so you can install it.

mv modsecurity-apache_2.5.x.tar.gz /usr

Before you get too far, be sure to download and install the necessary applications so you can compile the program. This may take a while, as you will need to install all of the dependencies as well.

# yum install gcc cpp libxml2 httpd-devel gcc-c++ pcre-devel libxml2-devel

Now unpack the file and move into the directory that is created.

# tar zxvf modsecurity*
cd modsecurity-apache_2.5.9/apache2

Run the configure script.

./configure

Compile with make.

make

Install ModSecurity.

make install

The libraries will be installed in:
/usr/lib/httpd/modules

Set your permissions for the library.
chmod 755 /usr/lib/httpd/modules/mod_security2.so

Edit the /etc/httpd/conf/httpd.conf file and add these lines.

LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so

Now you need to set up the rules for ModSecurity. The Core Rule Set provides generic protection against common classes of attack (such as SQL injection) rather than signatures for specific known bugs, so it can also block attacks on vulnerabilities that have not yet been discovered. In order to set up the rules you will need to create a directory called:

/etc/httpd/conf.d/modsecurity

Edit the /etc/httpd/conf/httpd.conf file to include the configuration files in the directory you created.

Include conf.d/*.conf
Include conf.d/modsecurity/*.conf

Download the rules and place them in the /etc/httpd/conf.d/modsecurity folder.  Unpack the rules:

# tar zxvf modsecurity-core-rules_2.5.*

You should see the rules in this directory, something like this:

CHANGELOG
LICENSE
modsecurity_crs_10_config.conf
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_50_outbound.conf
optional_rules
README
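Before restarting Apache it is worth checking that the httpd.conf wiring from the steps above is complete and in the right order: libxml2 loaded before mod_security2, and the rules included only after the module. The script below is an added example, not part of the original post; the function name and the constructed sample configs are mine, and the paths follow the post's layout (/etc/httpd/conf/httpd.conf and /usr/lib/httpd/modules).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the httpd.conf
# wiring described above before restarting Apache. Paths are assumptions
# that match the post's layout.

# check_modsec_conf CONF MODULES_DIR
# Returns 0 when the ModSecurity directives are present and correctly
# ordered and the module file exists; returns 1 and prints each problem otherwise.
check_modsec_conf() {
    conf="$1"; moddir="$2"; rc=0
    # Line number of each required directive (empty when it is absent).
    loadfile=$(grep -n '^[[:space:]]*LoadFile[[:space:]].*libxml2' "$conf" | head -n1 | cut -d: -f1)
    loadmod=$(grep -n '^[[:space:]]*LoadModule[[:space:]]*security2_module' "$conf" | head -n1 | cut -d: -f1)
    include=$(grep -n '^[[:space:]]*Include[[:space:]].*modsecurity/\*\.conf' "$conf" | head -n1 | cut -d: -f1)
    [ -n "$loadfile" ] || { echo "missing: LoadFile for libxml2"; rc=1; }
    [ -n "$loadmod" ]  || { echo "missing: LoadModule security2_module"; rc=1; }
    [ -n "$include" ]  || { echo "missing: Include conf.d/modsecurity/*.conf"; rc=1; }
    # libxml2 must be loaded before mod_security2, and the rules only after the module.
    if [ -n "$loadfile" ] && [ -n "$loadmod" ] && [ "$loadfile" -gt "$loadmod" ]; then
        echo "order: LoadFile libxml2 must precede LoadModule security2_module"; rc=1
    fi
    if [ -n "$loadmod" ] && [ -n "$include" ] && [ "$include" -lt "$loadmod" ]; then
        echo "order: the rules Include must come after LoadModule security2_module"; rc=1
    fi
    # The compiled module must be present and readable (the post sets it to 755).
    [ -r "$moddir/mod_security2.so" ] || { echo "missing: $moddir/mod_security2.so"; rc=1; }
    return $rc
}

# Constructed sample files in a temp dir so this runs offline. Against a real host:
#   check_modsec_conf /etc/httpd/conf/httpd.conf /usr/lib/httpd/modules && httpd -t
demo=$(mktemp -d)
mkdir -p "$demo/modules" && : > "$demo/modules/mod_security2.so"
cat > "$demo/good.conf" <<'EOF'
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf.d/*.conf
Include conf.d/modsecurity/*.conf
EOF
# Same directives, but the rules are included before the module is loaded.
cat > "$demo/bad.conf" <<'EOF'
Include conf.d/modsecurity/*.conf
LoadModule security2_module modules/mod_security2.so
EOF
check_modsec_conf "$demo/good.conf" "$demo/modules" && echo "good.conf: OK"
check_modsec_conf "$demo/bad.conf" "$demo/modules" || echo "bad.conf: rejected"
```

Run it after editing httpd.conf and follow with `httpd -t`, which parses the real configuration and reports any directive Apache itself rejects.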
