
mod_security - Is it running? Is it configured properly?

Discussion in 'Plesk for Linux - 8.x and Older' started by criticman, Jan 2, 2006.

  1. criticman

    criticman Guest

    Alright, so I am moved to my new server and not looking forward to being hacked again, so....

    I have installed mod_security and configured it according to gotroot.

    Basically, I have yet to see a log be created for audit_log. I am wondering if there is a way to see if mod_security is actually installed and running properly. I would hate to be hacked only to find out that it was not running properly.


    Distro: FC 3
    Plesk: 7.5.4

    ======CONTENTS OF modsecurity.conf=======
    <IfModule mod_security.c>

    # Only inspect dynamic requests
    #SecFilterEngine DynamicOnly

    SecFilterEngine On

    # Reject requests with status 500
    SecFilterDefaultAction "deny,log,status:500"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off
    SecFilterNormalizeCookies On
    # enable version 1 (RFC 2965) cookies
    SecFilterCookieFormat 1

    SecServerResponseToken Off

    #If you want to scan the output, uncomment these
    #SecFilterScanOutput On
    #SecFilterOutputMimeTypes "(null) text/html text/plain"

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    #fake server banner - NOYB used - no one needs to know what we are using
    SecServerSignature "NOYB"

    #SecUploadDir /tmp
    #SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog /var/log/httpd/modsec_debug_log

    #And now, the rules
    #Remove any of these Include lines you do not use or have rules for.

    #First, add in your exclusion rules:
    #These MUST come first!
    Include /etc/modsecurity/exclude.conf

    #Application protection rules
    Include /etc/modsecurity/rules.conf

    #Comment spam rules
    Include /etc/modsecurity/blacklist.conf

    #Bad hosts, bad proxies and other bad players
    Include /etc/modsecurity/blacklist2.conf

    #Bad clients, known bogus useragents and other signs of malware
    Include /etc/modsecurity/useragents.conf

    #Known bad software, rootkits and other malware
    Include /etc/modsecurity/rootkits.conf

    #Signatures to prevent proxying through your server
    #only use these rules if your server is NOT a proxy
    Include /etc/modsecurity/proxy.conf

    #Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
    Include /etc/modsecurity/apache2-rules.conf

    </IfModule>

  2. Who-m3

    Who-m3 Guest

    Everything seems to be ok. Only thing I don't see is where you load the module (LoadModule mod_security mod_security.so). May want to make sure your primary httpd.conf has that loaded, or add it to the mod_security file in /etc/httpd/conf.d/mod_security.conf...

    (Mine appears as...)

    LoadModule security_module modules/mod_security.so

    <IfModule mod_security.c>
    with ... having all my extra stuff...
  3. criticman

    criticman Guest

    In httpd.conf....

    LoadModule security_module /usr/lib/httpd/modules/mod_security.so

    So it is loaded. Restarting apache brings no errors, so module should be loaded without error.
  4. Who-m3

    Who-m3 Guest

    Appears to be. I know a way to test it if you'd like... Drop me a pm through the site, I got a script that used to fail the default rules. I had to search for a while to write the fix.
  5. criticman

    criticman Guest

    Alright, a phpinfo() shows the Loaded Modules under apache2handler...this does indeed list mod_security.

    So, basically, will any logs be generated by mod_security without an outright hack attempt?

    If that is the case, what would be a harmless POST hack for PHP I could try that mod_security should catch, stop, and report?
  6. Who-m3

    Who-m3 Guest

    That should do the trick...
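An added self-test for the setup posted in this thread (example script, not something any poster provided): it assumes one dedicated rule, `SecFilter "modsec-selftest-2006"`, has been added to one of the included rule files, so that a request carrying that harmless token must be rejected with the configured `status:500` and, because `SecAuditEngine RelevantOnly` logs only rejected requests, produce the first audit_log entry. The URL and the sample log are constructed.

```shell
#!/bin/sh
# Self-test for the mod_security 1.x configuration above (added example).
# Assumes a test rule  SecFilter "modsec-selftest-2006"  in an included rules file.
# With SecFilterDefaultAction "deny,log,status:500" the request must return 500;
# with SecAuditEngine RelevantOnly a normal request writes NOTHING to audit_log,
# so an empty audit_log by itself does not mean the module is inactive.
MARKER="modsec-selftest-2006"                 # harmless token matched only by the test rule
AUDIT_LOG="${AUDIT_LOG:-/var/log/httpd/audit_log}"

# Send the token in a POST body (SecFilterScanPOST On) and print the HTTP status.
selftest_request() {  # $1 = URL of any page on the server (assumed value)
    curl -s -o /dev/null -w '%{http_code}' --data "q=$MARKER" "$1"
}

# Count audit_log entries that carry the marker and were denied with status 500.
# In the 1.x serial audit log each entry is delimited by a line of "=" signs.
count_denied() {  # $1 = audit log file, $2 = marker
    awk -v m="$2" '
        /^==========/                { if (hit && denied) n++; hit = denied = 0 }
        index($0, m) > 0             { hit = 1 }
        /^mod_security-action: 500/  { denied = 1 }
        END                          { if (hit && denied) n++; print n + 0 }
    ' "$1"
}

# Constructed sample of one rejected request as mod_security 1.x records it
# (not a real server's log), so count_denied can be tried without Apache.
write_sample_log() {  # $1 = output file
    cat > "$1" <<'EOF'
========================================
Request: 203.0.113.5 - - [02/Jan/2006:14:05:31 -0500] "POST /index.php HTTP/1.1" 500 0
Handler: php-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
mod_security-message: Access denied with code 500. Pattern match "modsec-selftest-2006" at POST_PAYLOAD
mod_security-action: 500

22
q=modsec-selftest-2006

HTTP/1.1 500 Internal Server Error
========================================
EOF
}

# On the real server:  before=$(count_denied "$AUDIT_LOG" "$MARKER")
#   status=$(selftest_request http://www.example.com/index.php)   # expect 500
#   after=$(count_denied "$AUDIT_LOG" "$MARKER")                  # expect before + 1
```

If the status comes back 200 or the count does not grow, the module is loaded but not filtering (wrong `<IfModule>` name, rule file not included, or audit log path unwritable), which is exactly the silent failure the thread worries about.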