Building an Application Firewall
You have built a rock-solid firewall, tested it with nmap to find open ports, locked down SSH with port knocking, restricted outgoing ports with iptables, set up psad to block attacks, and used tcp_wrappers to limit access, so you are set, right? Well, not exactly; in fact, you may be dead in the water. That new Joomla site you are so proud of is toast today, and you cannot figure out why it got cracked.
Unfortunately, the increasing number of attacks at the HTTP layer has exposed your site to the SQL injection that brought it down. The typical defenses listed above work at the TCP/IP level: they see addresses and ports, not the contents of an HTTP request, so they cannot tell a legitimate query string from an injection attempt. The solution is to build a reverse proxy with mod_security, or to run mod_security on your existing web server, so that attacks are filtered at the HTTP level.
Installation from Source
Point your browser to http://www.modsecurity.org/download/index.html and download the current version of ModSecurity. Once you have it downloaded to your server, move it to the /usr directory so you can install it.
mv modsecurity-apache_2.5.x.tar.gz /usr
Before you get too far, be sure to install the packages needed to compile the module. This may take a while, as yum will pull in all of their dependencies as well.
# yum install gcc cpp libxml2 httpd-devel gcc-c++ pcre-devel libxml2-devel
Now unpack the file and move into the directory that is created.
# tar zxvf modsecurity*
cd modsecurity-apache_2.5.9/apache2
Run the configure script.
./configure
Compile with make.
make
Install ModSecurity.
make install
The libraries will be installed in:
/usr/lib/httpd/modules
Set your permissions for the library.
chmod 755 /usr/lib/httpd/modules/mod_security2.so
Edit the /etc/httpd/conf/httpd.conf file and add these lines.
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Now you need to set up the rules for ModSecurity. The Core Rule Set provides generic protection against common classes of web attack, which is why it also covers vulnerabilities that have not yet been discovered. To set up the rules, you will need to create a directory called:
/etc/httpd/conf.d/modsecurity
Edit the /etc/httpd/conf/httpd.conf file to include the configuration files in the directory you created.
Include conf.d/*.conf
Include conf.d/modsecurity/*.conf
Download the rules and place them in the /etc/httpd/conf.d/modsecurity folder. Unpack the rules:
# tar zxvf modsecurity-core-rules_2.5.*
You should see the rules in this directory, something like this:
CHANGELOG
LICENSE
modsecurity_crs_10_config.conf
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_50_outbound.conf
optional_rules
README
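As an added check that is not part of the original article, the following shell script verifies the httpd.conf edits and the rules directory from the two steps above before httpd is restarted. It confirms that httpd.conf loads libxml2 and mod_security2 before the rules directory is included (Apache reads the file top to bottom, and a SecRule directive met before the module is loaded makes httpd refuse to start with "Invalid command 'SecRuleEngine'"), that the module file carries the 755 mode set earlier, and that the rules directory holds modsecurity_crs_10_config.conf plus the rule files (a wildcard Include is processed in alphabetical order, which is what the numeric prefixes rely on). The paths are the ones used in the article; the script name modsec_check.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: post-install sanity checks
# for the httpd.conf and rules-directory steps described above. Every
# function takes its paths as arguments so it can be pointed at a copy of
# the real files or at test fixtures.

# Print the number of the first line in $1 matching ERE $2, or 0 if none.
first_match_line() {
    n=$(grep -nE "$2" "$1" | head -n 1 | cut -d: -f1)
    if [ -n "$n" ]; then echo "$n"; else echo 0; fi
}

# Return 0 when httpd.conf ($1) loads libxml2 and mod_security2 before it
# includes the rules directory. Apache reads its configuration top to
# bottom, so an Include of the SecRule* files placed above the LoadModule
# line makes httpd fail to start with "Invalid command 'SecRuleEngine'".
check_modsec_order() {
    load=$(first_match_line "$1" '^[[:space:]]*LoadModule[[:space:]]+security2_module')
    libxml=$(first_match_line "$1" '^[[:space:]]*LoadFile[[:space:]]+.*libxml2')
    inc=$(first_match_line "$1" '^[[:space:]]*Include[[:space:]]+conf\.d/modsecurity/')
    if [ "$load" -eq 0 ]; then
        echo "missing: LoadModule security2_module"; return 1
    fi
    if [ "$libxml" -eq 0 ] || [ "$libxml" -gt "$load" ]; then
        echo "LoadFile for libxml2 must appear before LoadModule security2_module"; return 1
    fi
    if [ "$inc" -eq 0 ]; then
        echo "missing: Include conf.d/modsecurity/*.conf (rules would never be loaded)"; return 1
    fi
    if [ "$inc" -lt "$load" ]; then
        echo "rules included on line $inc before the module is loaded on line $load"; return 1
    fi
    return 0
}

# Return 0 when the module file ($1) exists with the 755 mode set above.
check_module_perms() {
    [ -f "$1" ] || { echo "missing module file: $1"; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "755" ] || { echo "expected mode 755 on $1, found $mode"; return 1; }
    return 0
}

# Return 0 when the rules directory ($1) holds the Core Rule Set files.
# A wildcard Include is processed in alphabetical order, which is what the
# numeric prefixes rely on: modsecurity_crs_10_config.conf must be read
# before any rule file, so its absence is an error, not a warning.
check_crs_dir() {
    [ -d "$1" ] || { echo "missing rules directory: $1"; return 1; }
    [ -f "$1/modsecurity_crs_10_config.conf" ] || {
        echo "missing modsecurity_crs_10_config.conf in $1"; return 1; }
    n=$(ls "$1"/modsecurity_crs_*.conf 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -gt 1 ] || { echo "no rule files besides the config in $1"; return 1; }
    echo "$n CRS files found in $1"
    return 0
}

# Usage, as root on the web server, after the httpd.conf edits and before
# restarting httpd (the script name modsec_check.sh is an assumption):
#   sh modsec_check.sh /etc/httpd/conf/httpd.conf \
#       /usr/lib/httpd/modules/mod_security2.so /etc/httpd/conf.d/modsecurity
# "httpd -t" then asks Apache itself to parse the whole configuration.
if [ "$#" -eq 3 ]; then
    check_modsec_order "$1" && check_module_perms "$2" && check_crs_dir "$3" \
        && echo "static checks passed" && httpd -t
fi
```

The static checks catch the ordering and permission mistakes without touching the running server; the final `httpd -t` is what confirms that Apache accepts every directive in the rule files.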