
mod_security - Is it running? Is it configured properly?

Discussion in 'Plesk for Linux - 8.x and Older' started by criticman, Jan 2, 2006.

  1. criticman

    criticman Guest

    Alright, so I am moved to my new server and not looking forward to being hacked again, so....

    I have installed mod_security and configured it according to gotroot.

    Basically, I have yet to see a log be created for audit_log. I am wondering if there is a way to see if mod_security is actually installed and running properly. I would hate to be hacked only to find out that it was not running properly.


    Distro: FC 3
    Plesk: 7.5.4

    ======CONTENTS OF modsecurity.conf=======
    <IfModule mod_security.c>

    # Only inspect dynamic requests
    #SecFilterEngine DynamicOnly

    SecFilterEngine On

    # Reject requests with status 500
    SecFilterDefaultAction "deny,log,status:500"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off
    SecFilterNormalizeCookies On
    # enable version 1 (RFC 2965) cookies
    SecFilterCookieFormat 1

    SecServerResponseToken Off

    #If you want to scan the output, uncomment these
    #SecFilterScanOutput On
    #SecFilterOutputMimeTypes "(null) text/html text/plain"

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    #fake server banner - NOYB used - no one needs to know what we are using
    SecServerSignature "NOYB"

    #SecUploadDir /tmp
    #SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog /var/log/httpd/modsec_debug_log

    #And now, the rules
    #Remove any of these Include lines you do not use or have rules for.

    #First, add in your exclusion rules:
    #These MUST come first!
    Include /etc/modsecurity/exclude.conf

    #Application protection rules
    Include /etc/modsecurity/rules.conf

    #Comment spam rules
    Include /etc/modsecurity/blacklist.conf

    #Bad hosts, bad proxies and other bad players
    Include /etc/modsecurity/blacklist2.conf

    #Bad clients, known bogus useragents and other signs of malware
    Include /etc/modsecurity/useragents.conf

    #Known bad software, rootkits and other malware
    Include /etc/modsecurity/rootkits.conf

    #Signatures to prevent proxying through your server
    #only use these rules if your server is NOT a proxy
    Include /etc/modsecurity/proxy.conf

    #Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
    Include /etc/modsecurity/apache2-rules.conf

    #close the container opened at the top of the file; apache refuses to start with it unclosed
    </IfModule>
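Before trusting a config like the one above, verify that the module is really loaded: every directive inside <IfModule mod_security.c> is silently skipped when mod_security is not loaded, so a clean restart by itself proves nothing. The script below is an added example, not code from this thread, from Plesk or from gotroot. The httpd.conf and modsecurity.conf snippets it writes are constructed, and the paths are assumptions to replace with the real ones on the server.

```shell
#!/bin/sh
# Added example (not from the thread): static sanity checks for a mod_security 1.x setup.
# File paths used here are assumptions; point the functions at your real config files.

# 0 if the file has an active (uncommented) LoadModule line for mod_security.
has_loadmodule() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security_module[[:space:]]' "$1"
}

# 0 if every <IfModule ...> opened in the file is closed again by </IfModule>.
# An unclosed container makes apache refuse to start, so a working restart with a
# paste that lacks the closing tag means the paste was truncated, not the file.
ifmodule_balanced() {
    opens=$(grep -Eic '^[[:space:]]*<IfModule[[:space:]]' "$1" || true)
    closes=$(grep -Eic '^[[:space:]]*</IfModule>' "$1" || true)
    [ "$opens" -eq "$closes" ]
}

# Print the path given to SecAuditLog (the last one wins); empty if it is not set.
audit_log_path() {
    awk 'tolower($1) == "secauditlog" { path = $2 } END { print path }' "$1"
}

# 0 if every Include'd rules file exists on this host; lists the missing ones on stderr.
includes_exist() {
    missing=0
    for f in $(awk 'tolower($1) == "include" { print $2 }' "$1"); do
        if [ ! -f "$f" ]; then
            echo "missing rules file: $f" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Live check, only meaningful on the server itself: with the module active, a request
# to the local site answers with the SecServerSignature banner ("NOYB" in the posted
# config). mod_security 1.x only rewrites the banner when ServerTokens is Full.
server_banner() {
    curl -sI "${1:-http://localhost/}" | awk 'tolower($1) == "server:" { print $2 }'
}

# --- constructed sample inputs so the script runs anywhere -----------------------
tmp=$(mktemp -d)
cat > "$tmp/httpd.conf" <<'EOF'
# constructed: the LoadModule line criticman reports having in httpd.conf
LoadModule security_module /usr/lib/httpd/modules/mod_security.so
EOF
cat > "$tmp/modsecurity.conf" <<'EOF'
# constructed: a trimmed copy of the posted file with the closing tag left off
<IfModule mod_security.c>
SecFilterEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/audit_log
Include /etc/modsecurity/rules.conf
EOF

has_loadmodule "$tmp/httpd.conf" && echo "LoadModule present"
ifmodule_balanced "$tmp/modsecurity.conf" || echo "WARNING: unbalanced <IfModule> in modsecurity.conf"
echo "audit log configured at: $(audit_log_path "$tmp/modsecurity.conf")"
includes_exist "$tmp/modsecurity.conf" || echo "WARNING: some Include targets do not exist on this host"
rm -rf "$tmp"
```

Run the four functions against /etc/httpd/conf/httpd.conf and the real modsecurity.conf; then, on the server, compare server_banner with the SecServerSignature value to confirm the module is not just loaded but actually handling requests.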

  2. Who-m3

    Who-m3 Guest

    Everything seems to be ok. Only thing I don't see is where you load the module (LoadModule mod_security mod_security.so). May want to make sure your primary httpd.conf has that loaded, or add it to the mod_security file in /etc/httpd/conf.d/mod_security.conf...

    (Mine appears as...)

    LoadModule security_module modules/mod_security.so

    <IfModule mod_security.c>
    with ... having all my extra stuff...
  3. criticman

    criticman Guest

    In httpd.conf....

    LoadModule security_module /usr/lib/httpd/modules/mod_security.so

    So it is loaded. Restarting apache brings no errors, so module should be loaded without error.
  4. Who-m3

    Who-m3 Guest

    Appears to be. I know a way to test it if you'd like. Drop me a PM through the site; I've got a script that used to fail the default rules. I had to search for a while to write the fix.
  5. criticman

    criticman Guest

    Alright, a phpinfo() shows the Loaded Modules under apache2handler...this does indeed list mod_security.

    So, basically, will any logs be generated by mod_security without an outright hack attempt?

    If that is the case, what would be a harmless POST hack for PHP I could try that mod_security should catch, stop, and report?
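With SecAuditEngine RelevantOnly, audit_log only receives requests that actually trip a rule, so an empty file on a quiet server is expected and says nothing about whether the filter works. A safer way to answer the question above than hunting for an attack string is a canary: add a rule that matches a made-up token no real request contains, send that token in a POST, and look for the resulting audit entry. The script below is an added example, not code from this thread or from the mod_security project; the token, the name of the rules file it suggests, and the audit_log layout in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a harmless self-test for mod_security 1.x.
# Proves the filter path end to end (rule match -> deny -> audit_log entry) without
# sending anything that resembles an attack. Token, file name and log layout are assumed.
CANARY="modsec-selftest-7f3a9c"           # constructed token; never appears in real traffic
AUDIT_LOG="${AUDIT_LOG:-/var/log/httpd/audit_log}"

# The rule to put in one of the Include'd files (e.g. /etc/modsecurity/selftest.conf, an
# assumed name) before reloading apache: deny with 500 and log, like the default action.
canary_rule() {
    printf 'SecFilter "%s" "deny,log,status:500"\n' "$CANARY"
}

# Send the canary in a POST body and print the HTTP status; 500 means the rule fired.
# SecFilterScanPOST On in the posted config is what makes POST bodies visible to rules.
send_canary() {
    curl -s -o /dev/null -w '%{http_code}' --data "probe=$CANARY" "$1"
}

# Count audit_log entries (records separated by a line of '=') that carry a
# mod_security denial AND contain the canary. Unrelated entries are ignored.
canary_hits() {
    awk -v canary="$CANARY" '
        /^=+$/                   { if (hit && denied) n++; hit = 0; denied = 0; next }
        index($0, canary)        { hit = 1 }
        /^mod_security-message:/ { denied = 1 }
        END                      { if (hit && denied) n++; print n + 0 }
    ' "$1"
}

# Full live self-test: 0 only if the request was denied with 500 AND audit_log gained
# an entry for the canary. Run this on the server after adding the rule and reloading.
selftest() {   # usage: selftest http://localhost/index.php
    before=$(canary_hits "$AUDIT_LOG")
    status=$(send_canary "$1")
    after=$(canary_hits "$AUDIT_LOG")
    [ "$status" = "500" ] && [ "$after" -gt "$before" ]
}

# --- constructed sample log, modelled on the 1.x audit_log layout, for offline use ----
sample=$(mktemp)
cat > "$sample" <<EOF
========================================
Request: 127.0.0.1 - - [02/Jan/2006:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512
Handler: php-script
----------------------------------------
GET /index.php HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
========================================
Request: 127.0.0.1 - - [02/Jan/2006:10:15:09 +0000] "POST /index.php HTTP/1.1" 500 657
Handler: php-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.example.com
Content-Length: 28
mod_security-message: Access denied with code 500. Pattern match "$CANARY" at POST_PAYLOAD.
mod_security-action: 500

probe=$CANARY

HTTP/1.1 500 Internal Server Error
========================================
EOF
echo "rule to add:      $(canary_rule)"
echo "canary hits seen: $(canary_hits "$sample")"
if [ -n "${MODSEC_SELFTEST_URL:-}" ]; then
    selftest "$MODSEC_SELFTEST_URL" && echo "self-test PASSED" || echo "self-test FAILED"
fi
rm -f "$sample"
```

Set MODSEC_SELFTEST_URL to a PHP page on the box to run the live part; a status other than 500, or an unchanged hit count, means either the rule file is not Include'd or the module is not handling requests. Remove the canary rule once the check has passed so it cannot be used to probe the configuration later.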
  6. Who-m3

    Who-m3 Guest

    That should do the trick...