Building an Application Firewall
You have built a rock-solid firewall, tested it with nmap for open ports, locked down SSH with port knocking, restricted outgoing ports with iptables, set up psad to block attacks and tcp_wrappers to limit access, so you are all set, right? Well, not exactly. In fact, you may be dead in the water. That new Joomla site you are so proud of is toast today, and you cannot figure out why it got cracked.
Unfortunately, the growing number of attacks at the HTTP layer has exposed your site to the SQL injection that brought it down. The typical defenses in use today operate at the TCP/IP level and simply cannot inspect what is happening at the HTTP level. The solution: build a reverse proxy with mod_security, or run mod_security on your existing web server, to protect your site from attacks at the HTTP level.
Installation from Source
Point your browser to http://www.modsecurity.org/download/index.html and download the current version of ModSecurity. Once you have downloaded it to your server, move it to the /usr directory so you can install it.
mv modsecurity-apache_2.5.x.tar.gz /usr
Before you go any further, install the packages needed to compile the module. This may take a while, since yum will pull in their dependencies as well.
# yum install gcc cpp libxml2 httpd-devel gcc-c++ pcre-devel libxml2-devel
Now unpack the archive and change into the directory it creates. In the 2.5.x source tree the Apache module lives in the apache2 subdirectory, which is where the configure script is.
# tar zxvf modsecurity*
# cd modsecurity-apache_2.5.x/apache2
Run the configure script.
# ./configure
Compile with make, then install the module.
# make
# make install
The module is installed into the Apache modules directory; on this system that is /usr/lib/httpd/modules, as the path below shows.
Set the permissions on the module:
chmod 755 /usr/lib/httpd/modules/mod_security2.so
Edit the /etc/httpd/conf/httpd.conf file and add this line so Apache loads the module:
LoadModule security2_module modules/mod_security2.so
Now you need to set up the rules for ModSecurity. The Core Rule Set provides generic protection, including against vulnerabilities that are not yet known. To set up the rules, first create a directory for them:
# mkdir /etc/httpd/conf.d/modsecurity
Edit the /etc/httpd/conf/httpd.conf file so that it includes the configuration files in the directory you just created.
Download the rules, place them in the /etc/httpd/conf.d/modsecurity directory and unpack them:
# tar zxvf modsecurity-core-rules_2.5.*
You should now see the individual rule files of the Core Rule Set in this directory.
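The article leaves two pieces implicit: the glue configuration that actually switches the engine on and pulls the rule files in, and a way to confirm that httpd.conf has both additions before you restart Apache. The script below is an added example, not part of the original article or of the ModSecurity project. It assumes the RHEL-style layout used above (ServerRoot /etc/httpd, rules under /etc/httpd/conf.d/modsecurity) and that httpd.conf does not already include subdirectories of conf.d. It deliberately starts the engine in DetectionOnly mode, so the Core Rule Set only logs matches until you have checked the audit log for false positives against your own site.

```shell
#!/bin/sh
# Added example (not from the original article): generate the ModSecurity
# glue configuration and sanity-check the two httpd.conf additions.
# Assumptions (not stated on the page): ServerRoot is /etc/httpd, rules live
# in conf.d/modsecurity, and httpd.conf does not already include that subdir.

# Write a conf.d snippet that enables the engine in DetectionOnly mode and
# includes every *.conf file from the Core Rule Set directory.
# $1 = destination file, $2 = rules directory relative to ServerRoot
write_modsec_conf() {
    cat > "$1" <<EOF
<IfModule security2_module>
    # DetectionOnly: matches are logged, not blocked, until the rule set has
    # been tuned for this site. Change to "On" once the audit log is clean.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    # Audit only responses that are errors (5xx and 4xx other than 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 0
    Include $2/*.conf
</IfModule>
EOF
}

# Report which of the two httpd.conf additions are missing.
# $1 = httpd.conf to inspect, $2 = rules directory relative to ServerRoot
# Prints one line per missing item; exit status 0 only when both are present.
check_httpd_conf() {
    missing=0
    if ! grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security2_module[[:space:]]' "$1"; then
        echo "missing: LoadModule security2_module modules/mod_security2.so"
        missing=1
    fi
    if ! grep -Eq "^[[:space:]]*Include[[:space:]]+$2" "$1"; then
        echo "missing: Include $2/*.conf (rules would never be loaded)"
        missing=1
    fi
    return $missing
}

# Stand-alone demo against a constructed httpd.conf in a scratch directory
# (constructed sample input, not a real server configuration).
demo_dir=$(mktemp -d)
printf 'ServerRoot "/etc/httpd"\nInclude conf.d/*.conf\n' > "$demo_dir/httpd.conf"
echo "--- before editing httpd.conf:"
check_httpd_conf "$demo_dir/httpd.conf" conf.d/modsecurity || true
printf 'LoadModule security2_module modules/mod_security2.so\n' >> "$demo_dir/httpd.conf"
printf 'Include conf.d/modsecurity/*.conf\n' >> "$demo_dir/httpd.conf"
echo "--- after editing httpd.conf:"
check_httpd_conf "$demo_dir/httpd.conf" conf.d/modsecurity && echo "httpd.conf looks complete"
write_modsec_conf "$demo_dir/modsecurity.conf" conf.d/modsecurity
echo "--- generated $demo_dir/modsecurity.conf"
rm -rf "$demo_dir"
```

Run check_httpd_conf against the real /etc/httpd/conf/httpd.conf before `service httpd restart`; a missing Include is the most common reason the rules silently do nothing. Once the site has run under DetectionOnly for a while and the audit log shows no legitimate requests being flagged, change SecRuleEngine to On.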