ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache web server module, its purpose is to increase web application security by protecting web applications from known and unknown attacks.

It shields web applications from known and unknown attacks such as SQL injection, cross-site scripting and path traversal.

Advantage
* Remove multiple forward slashes (//).
* Remove self-referenced directories (./).
* Treat \ and / equally (on Windows only).
* Perform URL decoding.
* Replace null bytes (%00) with spaces.

Benefit
* URL encoding validation.
* Unicode encoding validation.
* Byte range verification, where only certain character values are allowed as part of a request.
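To make the normalization steps above and the validation checks concrete, here is an added Python illustration; it is not ModSecurity's own code, the sample paths are constructed, and the order of steps (URL-decode first, then collapse slashes and self-references) is a design choice made here so that encoded slashes and dots end up canonicalised like their literal forms.

```python
import re
from urllib.parse import unquote_to_bytes

# Matches a well-formed %XX escape; anything else after '%' is an encoding error.
_PCT = re.compile(rb"%[0-9A-Fa-f]{2}")


def check_url_encoding(raw: bytes) -> bool:
    """Every '%' must introduce a valid %XX escape (what SecFilterCheckURLEncoding enforces)."""
    return b"%" not in _PCT.sub(b"", raw)


def check_unicode(decoded: bytes) -> bool:
    """Reject malformed UTF-8, including overlong encodings such as %C0%AF for '/'."""
    try:
        decoded.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def check_byte_range(decoded: bytes, low: int = 1, high: int = 255) -> bool:
    """Only bytes within [low, high] may appear (the SecFilterForceByteRange low high check)."""
    return all(low <= b <= high for b in decoded)


def normalize_path(raw: bytes, windows: bool = False) -> bytes:
    """Canonicalise a request path following the five normalization steps listed above.

    Decoding happens first so that %2F and %2E are collapsed like '/' and '.'.
    '..' is deliberately left alone so that traversal rules (the ARG_what rule
    later on this page) still see it.
    """
    path = unquote_to_bytes(raw)             # URL decoding
    path = path.replace(b"\x00", b" ")       # null bytes (%00) become spaces
    if windows:
        path = path.replace(b"\\", b"/")     # treat \ and / equally (Windows only)
    path = re.sub(rb"/{2,}", b"/", path)     # remove multiple forward slashes
    while b"/./" in path:                    # remove self-referenced directories
        path = path.replace(b"/./", b"/")
    if path.startswith(b"./"):
        path = path[2:]
    if path.endswith(b"/."):
        path = path[:-1]
    return path


def inspect(raw: bytes, windows: bool = False) -> dict:
    """Run the validation checks and return the normalized path plus each check's verdict."""
    decoded = unquote_to_bytes(raw)
    return {
        "url_encoding": check_url_encoding(raw),
        "unicode": check_unicode(decoded),
        "byte_range": check_byte_range(decoded),
        "path": normalize_path(raw, windows),
    }


if __name__ == "__main__":
    # Constructed sample: double slash, encoded self-reference and an embedded null byte.
    print(inspect(b"/cgi-bin//.%2Fadmin%00.txt"))
```

The point of running the checks on the decoded bytes is that a rule written against `/admin` must fire whether the client sent `/admin`, `//admin`, `/./admin` or `%2Fadmin`; the validation checks, by contrast, look at the raw request so that a malformed escape is rejected before any pattern is applied.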

Action
* deny, deny the request
* allow, stop rule processing and allow the request
* status:nnn, respond with an HTTP status nnn
* redirect:url, redirect the request to the absolute URL url
* exec:cmd, execute a script cmd
* log, log the request to the error log
* nolog, do not log the request
* pass, ignore the current rule match and go to the next rule
* pause:nnn, stall the request for nnn milliseconds. Be very careful with this action: the Apache process handling the request stays busy for the whole pause, so you could actually help attackers mount a denial of service attack.

Other actions affect the flow of the rules, similarly to how mod_rewrite works:

* chain, go on to evaluate the next rule in the chain. When one rule in the chain fails to match, the remaining rules of the chain are skipped.
* skipnext:n, skip the next n rules.

Filtering Rules
* SecFilter keyword
* SecFilterSelective "variable list separated with |" keyword
* SecFilterSelective REMOTE_ADDR "^IP_ADDRESS_HERE$" nolog,allow
* SecFilterSelective HTTP_USER_AGENT "Blend 42"
* SecFilterSelective COOKIE_sessionid "!^(|[0-9]{1,9})$"
* SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
* SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
* SecFilterSelective "HTTP_ACCEPT" "^$" log,pass
* SecFilterSelective REQUEST_URI "login_failed\.php" chain
* SecFilterSelective ARG_username "^ceo$" log,exec:/home/apache/bin/notagain.pl
* SecFilterSelective HTTP_USER_AGENT "Google" nolog,redirect:http://www.google.com
* SecFilterSelective "ARGS|!ARG_html" "<[[:space:]]*script"

SecFilter takes only a pattern; whenever a location is named (REMOTE_ADDR, HTTP_USER_AGENT, ARGS, ...) the directive must be SecFilterSelective. A leading "!" negates a pattern, and "ARGS|!ARG_html" scans every argument except ARG_html.
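The action list and the chain/skipnext flow above are easiest to understand by watching a rule set run. The following is an added example, written for this page and not part of ModSecurity, of a small evaluator for the 1.x SecFilter/SecFilterSelective syntax used throughout this page (ModSecurity 2.x replaced these directives with SecRule). Assumptions made here: a request is a plain dict of variable names to values, an absent variable counts as the empty string, a bare SecFilter scans every variable (it also covers the SecFilter form used in the spam-blocking section below), patterns are case-insensitive, and the actions of the last rule in a chain are the ones applied. The addresses, paths and script name are constructed placeholders; exec: is only recorded, never run.

```python
import re
import shlex

# Translate the POSIX bracket classes used in the page's rules into Python re syntax.
POSIX_CLASSES = {"[[:space:]]": r"\s", "[[:digit:]]": r"\d", "[[:alpha:]]": "[A-Za-z]"}
DISRUPTIVE = ("deny", "allow", "pass", "redirect")


class Rule:
    """One SecFilter/SecFilterSelective rule: locations, pattern ('!' negates) and actions."""

    def __init__(self, locations, pattern, actions):
        self.locations = locations
        self.negate = pattern.startswith("!")
        pattern = pattern[1:] if self.negate else pattern
        for posix, py in POSIX_CLASSES.items():
            pattern = pattern.replace(posix, py)
        self.regex = re.compile(pattern, re.IGNORECASE)  # modelled as case-insensitive
        self.actions = actions

    def values(self, request):
        """Expand the location list against a request (dict of variable name -> value)."""
        if self.locations == ["*"]:        # bare SecFilter: scan every variable (simplification)
            return list(request.values())
        include, exclude = [], set()
        for loc in self.locations:
            name = loc.lstrip("!")
            names = [k for k in request if k.startswith("ARG_")] if name == "ARGS" else [name]
            (exclude.update if loc.startswith("!") else include.extend)(names)
        # An absent variable counts as empty, so "^$" catches a missing header.
        return [request.get(n, "") for n in include if n not in exclude]

    def matches(self, request):
        return any((self.regex.search(v) is not None) != self.negate for v in self.values(request))


def parse_rules(text):
    """Parse SecFilterDefaultAction / SecFilter / SecFilterSelective lines into (rules, default)."""
    rules, default = [], ["deny", "log"]
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "SecFilterDefaultAction":
            default = tok[1].split(",")
        elif tok[0] == "SecFilterSelective":
            rules.append(Rule(tok[1].split("|"), tok[2], tok[3].split(",") if len(tok) > 3 else []))
        elif tok[0] == "SecFilter":
            rules.append(Rule(["*"], tok[1], tok[2].split(",") if len(tok) > 2 else []))
    return rules, default


def _first(kinds, actions):
    """First action in the list whose name (before any ':') is one of kinds, else None."""
    for a in actions:
        if a.split(":", 1)[0] in kinds:
            return a
    return None


def evaluate(rules, default, request):
    """Walk the rule list top to bottom; return (verdict, detail, audit_lines)."""
    audit, i = [], 0
    while i < len(rules):
        rule = rules[i]
        if not rule.matches(request):
            if "chain" in rule.actions:
                # A link that fails skips the remaining links and the final rule of its chain.
                while i < len(rules) and "chain" in rules[i].actions:
                    i += 1
            i += 1
            continue
        if "chain" in rule.actions:
            i += 1                      # link matched: go on to the next link
            continue
        verdict = _first(DISRUPTIVE, rule.actions) or _first(DISRUPTIVE, default) or "deny"
        if "nolog" not in rule.actions and ("log" in rule.actions or "log" in default):
            audit.append(f"rule {i}: {rule.locations} matched -> {verdict}")
        for a in rule.actions:
            if a.startswith("exec:"):
                audit.append(f"rule {i}: would run {a[5:]}")  # recorded only, never executed here
        kind, _, arg = verdict.partition(":")
        if kind == "allow":
            return "allow", None, audit
        if kind == "deny":
            status = _first({"status"}, rule.actions) or _first({"status"}, default) or "status:403"
            return "deny", int(status.partition(":")[2]), audit
        if kind == "redirect":
            return "redirect", arg, audit
        skip = _first({"skipnext"}, rule.actions)      # pass: ignore the match, maybe skip ahead
        i += 1 + (int(skip.partition(":")[2]) if skip else 0)
    return "allow", None, audit


# Constructed rule set built from the page's examples (address and script path are placeholders).
RULES = r"""
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective REMOTE_ADDR "^10\.0\.0\.5$" nolog,allow
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
SecFilterSelective REQUEST_URI "login_failed\.php" chain
SecFilterSelective ARG_username "^ceo$" log,exec:/home/apache/bin/notagain.pl
SecFilterSelective "ARGS|!ARG_html" "<[[:space:]]*script"
SecFilterSelective HTTP_ACCEPT "^$" log,pass
SecFilter "(viagra|mortgage)"
"""

# Constructed baseline request; tests override individual variables.
BASE = {"REMOTE_ADDR": "203.0.113.7", "REQUEST_URI": "/index.php",
        "HTTP_HOST": "example.test", "HTTP_USER_AGENT": "Mozilla/5.0", "HTTP_ACCEPT": "text/html"}


def check(**overrides):
    """Evaluate the constructed rule set against BASE updated with the given variables."""
    rules, default = parse_rules(RULES)
    return evaluate(rules, default, {**BASE, **overrides})


if __name__ == "__main__":
    print(check(REQUEST_URI="/login_failed.php", ARG_username="ceo"))
```

Two behaviours worth noticing when you run it: a request for /index.php with ARG_username=ceo is allowed, because the first link of the chain (REQUEST_URI) fails and the engine skips the ARG_username rule entirely; and a request whose only script tag sits in ARG_html is allowed, because the "!ARG_html" exclusion removes that argument from the scan while the same payload in any other argument is denied.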

Performance Considerations
* SecFilterEngine DynamicOnly, so that only dynamically generated content is inspected and static files are served without filtering.

Installation

1) Stop Apache httpd
2) Unpack the ModSecurity source archive
3) ./configure --with-apxs=/path-to-httpd/bin/apxs
4) make && make test
5) make install
6) Load the ModSecurity module with
LoadModule security2_module modules/mod_security2.so
7) Configure ModSecurity
8) Start Apache httpd

Install using yum:
yum install -y mod_security && service httpd restart

Install using apt-get:
apt-get install libapache2-mod-security
a2enmod mod-security
/etc/init.d/apache2 restart

Basic Configuration

vi /etc/httpd/conf.d/mod_security.conf
SecFilterEngine On
SecAuditEngine RelevantOnly
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 1 255
SecFilterCheckCookieFormat On
SecAuditLog logs/audit_log
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)"
SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script"
SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory="
SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/"
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)"
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."
SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc"

Note: we can add our own rules to this basic configuration.

Stopping spam by using mod_security

vi .htaccess

SecFilterEngine DynamicOnly
SecFilterScanPOST On
SecAuditLog logs/audit_log
SecFilterDefaultAction "deny,log,status:412"

# SecFilter PATTERN [ACTION]
# Rules for spam
SecFilter "(viagra|mortgage|herbal)"
SecFilter "viagra" "allow,nolog"

# Selective blocking
# SecFilterSelective LOCATION PATTERN [ACTION]
SecFilterSelective "HTTP_REFERER" "buyviagra.com"
SecFilterSelective "HTTP_REFERER" "(viagra|mortgage|texasholdem)"

# Blocking IP addresses (dots are escaped so the pattern matches only this address)
SecFilterSelective "REMOTE_ADDR" "^83\.142\.57\.250$"

# Scanning POST payloads
# Scan the contents of comments and find attempted spam even there: use the POST_PAYLOAD location
SecFilterSelective "POST_PAYLOAD" "(mortgage|viagra)"
SecFilterSelective "ARG_url" "(mortgage|viagra)"

Disable mod_security

A quick way to switch mod_security off for one site is to put the following in a .htaccess file in your public or public_html directory:

SecFilterEngine Off

This will disable mod_security for your domain.

Troubleshooting

Debugging mode
The debug log verbosity is set with SecFilterDebugLevel (the file with SecFilterDebugLog); the levels are:
• 0 – no logging.
• 1 – errors (intercepted requests) only.
• 2 – warnings.
• 3 – notices.
• 4 – details of how transactions are handled.
• 5 – as above, but including information about each piece of information handled.
• 9 – log everything, including very detailed debugging information.

To confirm the module is actually loaded, check that httpd.conf contains the LoadModule line:
grep -n security2_module httpd.conf

Posted by subashstha
