Facebook
Twitter
A
atomicmak
Guest
Can anyone exper please post a easy guide on how to install mod_security and configure it ?
step by step?
step by step?
-
If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
CentOS2Alma discussion
E
energylevel
Guest
D
DCoats
Guest
this is a very simple task.
cd /etc/apache2
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -xzvf modsec*
cd modsec*
pico INSTALL (will tell you how to install it.)
basically...........
cd apache2
apxs -cia mod_security.c
apachectl stop
apachectl start
then go grab some rule sets
I recommend got-root rules
http://www.gotroot.com/mod_security+rules
so
wget http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz
I extracted the rules to /etc/apache2/Includes/modsecurity
create a basic /etc/apache2/Includes/modsecurity.conf
because *.conf in the Includes dir gets loaded.
then create the logfile specified above
mkdir /var/log/modsecurity
touch /var/log/modsecurity/audit_log
apachectl graceful
killall -HUP syslogd
READ the docs so you know whats happening!
Now by watching the logfile, when you notice something is being blocked, that you don't want blocked. Simply note the ruled id and go to exclude.conf (note that it was loaded before all the other rules) and create your own exclude rule for that rule id. you will see how in the already excluded rules. Another thing I will go ahead and mention for you is that you can "allow all for specific people/IP's in the rules if you would like. using
#allow all from a few ip's for whoever
SecFilterSelective REMOTE_ADDR ^x.x.x.x$ nolog,allow
SecFilterSelective REMOTE_ADDR ^x.x.x.x$ nolog,allow
for each IP you want to allow.
additionally if you have clients that simply do not want to be protected by your modsecurity rule sets then they can simply add
SecFilterEngine Off to a .htaccess file in their web dir.
cd /etc/apache2
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz
tar -xzvf modsec*
cd modsec*
pico INSTALL (will tell you how to install it.)
basically...........
cd apache2
apxs -cia mod_security.c
apachectl stop
apachectl start
then go grab some rule sets
I recommend got-root rules
http://www.gotroot.com/mod_security+rules
so
wget http://www.gotroot.com/downloads/ftp/mod_security/apache2/apache2-gotrootrules-latest.tar.gz
I extracted the rules to /etc/apache2/Includes/modsecurity
create a basic /etc/apache2/Includes/modsecurity.conf
because *.conf in the Includes dir gets loaded.
then create the logfile specified above
mkdir /var/log/modsecurity
touch /var/log/modsecurity/audit_log
apachectl graceful
killall -HUP syslogd
READ the docs so you know whats happening!
Now by watching the logfile, when you notice something is being blocked, that you don't want blocked. Simply note the ruled id and go to exclude.conf (note that it was loaded before all the other rules) and create your own exclude rule for that rule id. you will see how in the already excluded rules. Another thing I will go ahead and mention for you is that you can "allow all for specific people/IP's in the rules if you would like. using
#allow all from a few ip's for whoever
SecFilterSelective REMOTE_ADDR ^x.x.x.x$ nolog,allow
SecFilterSelective REMOTE_ADDR ^x.x.x.x$ nolog,allow
for each IP you want to allow.
additionally if you have clients that simply do not want to be protected by your modsecurity rule sets then they can simply add
SecFilterEngine Off to a .htaccess file in their web dir.
C
Chris@
Guest
Thanks for posting this, but I don't have an /etc/apache2 directory or any apache2 directory anywhere on my server. Where should I install this? Running CentOS on one server and RHEL on another.
D
DCoats
Guest
Just install to your apache directory weather it is /etc/apache /etc/apache2 /etc/apache21 /usr/local/etc/apache2 /usr/local/psa/apache
C
Chris@
Guest
I don't have a directory with the word "apache" in it anywhere on my server (other than the apache/apache2 directory that was created when I untared mod_security).
atomicturtle
Golden Pleskian
We include mod_security with ASL, for those of you looking for a short cut.
D
DCoats
Guest
Chris , I don't know where your apache directory is on your box, It is up to you as an administrator to know your apache directory. where is your httpd.conf ?
C
Chris@
Guest
I was able to get mod_security installed by following the instructions at gotroot.com (although I did have one snag, I tried putting modsecurity.conf in /etc/httpd/conf.d but it did nothing; I specifically had to add "Include /etc/httpd/conf.d/modsecurity.conf" to my httpd.conf).
I have another problem though, I am using the default exclude.conf and rules.conf ruleset from gotroot.com. It seems to work fine, but now no one can post a Web link when they send mail via Horde (a link that includes http:// in the front). I also noticed vBulletin is now not allowing the http:// links either. Can someone tell me what I can do to correct this? Yes I'm planning on reading the docs and customizing my own ruleset in the future, but for now I would just like to get this up and running quickly.
One other less-important question, I noticed that when I was using all of the rulesets from gotroot.com (the blacklists and other things) my server slowed way down when serving pages (web pages were taking 3x longer to load) and it was putting a load on the server, especially if I would hit the reload button in my browser. In modsecurity.conf I commented out everything except for exclude.conf and rules.conf and that seems to have fixed things (although the pages still take a fraction of a second longer to load, based on a Javascript page loading timer and several trials, but this is perfectly acceptible). I admit this machine is low-end (single-processor PIII), but I had read the mod_security has almost no overhead, yet I'm definitely seeing significant overhead when all those rules are loaded. Is this normal, or is something perhaps misconfigured with my installation?
I have another problem though, I am using the default exclude.conf and rules.conf ruleset from gotroot.com. It seems to work fine, but now no one can post a Web link when they send mail via Horde (a link that includes http:// in the front). I also noticed vBulletin is now not allowing the http:// links either. Can someone tell me what I can do to correct this? Yes I'm planning on reading the docs and customizing my own ruleset in the future, but for now I would just like to get this up and running quickly.
One other less-important question, I noticed that when I was using all of the rulesets from gotroot.com (the blacklists and other things) my server slowed way down when serving pages (web pages were taking 3x longer to load) and it was putting a load on the server, especially if I would hit the reload button in my browser. In modsecurity.conf I commented out everything except for exclude.conf and rules.conf and that seems to have fixed things (although the pages still take a fraction of a second longer to load, based on a Javascript page loading timer and several trials, but this is perfectly acceptible). I admit this machine is low-end (single-processor PIII), but I had read the mod_security has almost no overhead, yet I'm definitely seeing significant overhead when all those rules are loaded. Is this normal, or is something perhaps misconfigured with my installation?
atomicturtle
Golden Pleskian
Definitely not true about the low-overhead, theres no such thing as a free lunch when you're doing content filtering. 
We do run every single rule on the gotroot.com box (around 20,000) plus we use 2 separate RBL's (did you know mod_sec could do that? ). That being said, the newer versions of mod_security can't handle that many rules, on the newer OS's. We're running GR in a unique environment, RH9 w/ a 2.6 kernel. Theres something about this configuration thats letting the box perform exceedingly well, take centos4 on the same box and it has a pretty severe memory leak that will eventually hang the box.
The ruleset we've put together for ASL shouldn't kill your typical PSA box. Unfortunately unless you're running RH9 w/ a 2.6 kernel then using all our rules is probably not going to work on anything other than a really low use web server. Thats the state today, we're working on finding out why our box can handle it, and once we do, I'll be putting together whatever packages (apache, etc) we need for a high performance environment to handle the full/future rulesets.
We do run every single rule on the gotroot.com box (around 20,000) plus we use 2 separate RBL's (did you know mod_sec could do that?
). That being said, the newer versions of mod_security can't handle that many rules, on the newer OS's. We're running GR in a unique environment, RH9 w/ a 2.6 kernel. Theres something about this configuration thats letting the box perform exceedingly well, take centos4 on the same box and it has a pretty severe memory leak that will eventually hang the box. The ruleset we've put together for ASL shouldn't kill your typical PSA box. Unfortunately unless you're running RH9 w/ a 2.6 kernel then using all our rules is probably not going to work on anything other than a really low use web server. Thats the state today, we're working on finding out why our box can handle it, and once we do, I'll be putting together whatever packages (apache, etc) we need for a high performance environment to handle the full/future rulesets.
C
Chris@
Guest
ART: I'm running RH9 with a 2.4 kernel. This is a very low-use server. If I pump the refresh button on my browser I can get the load up to 1.5 which is not bad, but the thing that makes the full ruleset (with the blacklists) unusable for me is the slow page load times (again, it takes about 3x longer for a page with many small graphic elements).
Regarding the problems I was having with not being able to post URLs in Horde or vBulletin, I traced it to this rule:
#really broad furl_fopen attack sig
#tune this for your system
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecFilterSelective ARGS "(ht|f)tps?:/" chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"
I removed that whole thing and now I'm able to post URLs in Horde and vBulletin. But is this a crucial rule that I should try to tweak instead of leaving it out altogether? Any suggestions on tweaking it so it doesn't cause false positives in Horde and vBulletin when posting URLs?
Regarding the problems I was having with not being able to post URLs in Horde or vBulletin, I traced it to this rule:
#really broad furl_fopen attack sig
#tune this for your system
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300018,rev:3,severity:2,msg:'Generic PHP code injection protection via ARGS'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&)" chain
SecFilterSelective ARGS "(ht|f)tps?:/" chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"
SecFilterSelective REQUEST_URI "!(/tiki-objectpermissions|aardvarkts/install/index|/do_command|banner_click|wp-login|tiki-view_cache|/horde/index|/horde/services/go|/goto|gallery2?/main|ad-?server/adjs)" "chain,id:300040,rev:1,severity:2,msg:'Generic PHP code injection protection in URI'"
SecFilterSelective REQUEST_URI "\.php(3|4|5)?(\?|&).*=(ht|f)tps?:/" chain
SecFilterSelective HTTP_Referer "!/imp/login\.php"
I removed that whole thing and now I'm able to post URLs in Horde and vBulletin. But is this a crucial rule that I should try to tweak instead of leaving it out altogether? Any suggestions on tweaking it so it doesn't cause false positives in Horde and vBulletin when posting URLs?
D
DCoats
Guest
see how the rules had id's
You can be more broad or more specific if you want, just watch audit_log and exclude what you want to exclude..
you create excludes for the rule matches using the url and rule id.
Code:
#Allow me to do whatever i want
SecFilterSelective REMOTE_ADDR ^my.ip.here.*$ nolog,allow
#Squirrel mail and Horde postings
<LocationMatch "/imp/compose.php">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
#vbulliten1
<LocationMatch "/admincp/moderator.php*">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
#vbulletin2
<LocationMatch "/forums/admincp/moderator.php*">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
#vbulletin3
<LocationMatch "/forums/admincp/admin.php*">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
#vbulletin4
<LocationMatch "/forums/admincp/usergroup.php*">
SecFilterRemove 300013
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
#vbulletin5
<LocationMatch "/forums/profile.php*">
SecFilterRemove 300018
</LocationMatch>
#vbulletin6
<LocationMatch "/forums/register.php*">
SecFilterRemove 300018
</LocationMatch>
#vbulletin7
<LocationMatch "/forums/login.php*">
SecFilterRemove 300018
</LocationMatch>
#vbulletin8
<LocationMatch "/forums/newreply.php*">
SecFilterRemove 300018
</LocationMatch>
#vbulletin9
<LocationMatch "/forums/admincp/vbacmps_install.php*">
SecFilterRemove 300018
</LocationMatch>
#vbulletin10
<LocationMatch "/forums/admincp/options.php*">
SecFilterRemove 300018
</LocationMatch>
#vbulletin11
<LocationMatch "/forums/newthread.php*">
SecFilterRemove 300018
</LocationMatch>
#vbulletin12
<LocationMatch "/forums/private.php*">
SecFilterRemove 300018
</LocationMatch>atomicturtle
Golden Pleskian
Yeah like I said... rh9 with a 2.6 kernel performs the best. RH9/2.4 does better than say CentOS4 on the same hardware, but still nothing like rh9/2.6.
D
DCoats
Guest
Unless you run freeBSD
atomicturtle
Golden Pleskian
Actually that would be a good test. FreeBSD fanboy comments aside Could you try firing up all the rules from gotroot.com on your box and report back your results? The blacklists are the most brutal on a box, those are the ones that will typically manifest the memory leak.
Could you try firing up all the rules from gotroot.com on your box and report back your results? The blacklists are the most brutal on a box, those are the ones that will typically manifest the memory leak.
B
bmeshier
Guest
K
KudosDesigns
Guest
This memory leak problem with mod security seems to be exactly what is happening to our Plesk box.
We have FC4 running Plesk 8.0.1 and mod_security version 1.94 RPM from yum repository on fedora. It is falling over when it gets a little bit loaded running into (and out of) SWAP space memory - has anyone got mod_security to work in this setup?
We have FC4 running Plesk 8.0.1 and mod_security version 1.94 RPM from yum repository on fedora. It is falling over when it gets a little bit loaded running into (and out of) SWAP space memory - has anyone got mod_security to work in this setup?
atomicturtle
Golden Pleskian
Indeed, unless you're running on RH9 with a 2.6 kernel, you're severely limited in the rulesets you can run. Even Ivan threw in the towel on this one. I suspect aside from us (since we wrote all those rules) we're the only ones that even found a glimmer of hope as to being able to load that many on a single box. We're running every rule (20,000+) on gotroot.com, with nary a leak. Same exact website code, load (Ive gone so far as to replay traffic even), and configurations on anything else and the system quickly leaks out of control.
I have some hunches as to whats doing it, which could involve some restructuring of apache, or some its tertiary support libraries.
I have some hunches as to whats doing it, which could involve some restructuring of apache, or some its tertiary support libraries.
