HOWTO: Prevent SEO scam Referrer traffic … AND … Install Mod-Security on Debian

UPDATE: there were several bugs in my original version – by Debian standards, ModSecurity is damn hard to configure correctly, mainly because the Debian packager has left out so much that’s essential! This version is fully tested and working…

ModSecurity is an awesome, open-source web application firewall module for Apache: a rules language that lets you filter HTTP requests for pretty much any kind of website attack, plus a pre-built (and regularly updated) set of “official” default rules (the Core Rule Set) that cuts out the majority of common internet attacks. It only ever blocks what a rule describes, so treat the default rules as a baseline, not a guarantee.

But, pretty shocking … I tried 10 different tutorials / HOWTOs for this, and each one was wrong. Out of the 10, 6 of them led to fundamentally insecure / misconfigured systems.

Mostly it’s the vendor’s fault for providing huge, long-winded webpages in place of basic install instructions. Partly, it’s the Debian packager’s fault for both mis-packaging and “forgetting” to document what they’d done (e.g. most of the READMEs are empty. Grr!). Whatever. Here’s my HOWTO for doing it correctly, and picking up the excellent default security rules, that *should* work with most installs of Debian.

(Also, for future reference, the vendor install docs are empty on their own website. But, if you click random links, you *eventually* find some of the missing pieces)

Before you start

Debian packager screwed up, didn’t document this: the main package has no config files. If you install libapache-mod-security, it also pulls in mod-security-common (note: no “apache” in the name), which contains most of the config for this thing (but still not all). Yeah. It’s a bit odd, but that’s how security-based packages sometimes work, so not that unusual.

Still, the main package SHOULD contain the root config file. It doesn’t – tragically, you have to write that yourself.

Partial install: debian packages

All you need is “libapache-mod-security”. This will also pull down the other packages needed. So far as I can tell, this is *correctly* packaged by the maintainer – I got no errors for missing packages.

Remainder of install: config files

The main config file is missing.

Where do you want to put this? (debian packager: please note + fix this!)

…Personally, I’d go for the debian standard location: /etc/apache2/conf.d/

What do you call it? (debian packager: please note + fix this!)

…if you compile the vendor-supplied source-code, it’ll call the file “mod-security2.conf”, so let’s use that.

Contents?

<IfModule mod_security2.c>
# NB: this is the minimal-possible example; see bottom of this post for a more complete example

# NB: these are DEBIAN-SPECIFIC – only recommended if you used the official Debian package:
Include /usr/share/doc/mod-security-common/examples/rules/*.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/*.conf
SecDebugLog /var/log/modsec_debug.log
SecAuditLog /var/log/modsec_audit.log

</IfModule>

Also, create empty versions of those log files (again, the Debian maintainer is supposed to do this!). Note that the audit log records whole requests, cookies and POST bodies included, so don’t leave it world-readable: mode 640, owned by the Apache user, as in the logrotate stanza later in this post.

  1. touch /var/log/modsec_debug.log
  2. touch /var/log/modsec_audit.log
  3. chown www-data:www-data /var/log/modsec*

After creating the main config file, don’t forget to restart Apache so it picks up the new config (running apache2ctl configtest first will catch a typo in the Include paths without taking the site down):

/etc/init.d/apache2 restart

Add the user-modified config files

Again, this is something that should have been done by the Debian packager – it appears to be necessary as part of the main config if you are following the “official” guidelines (which are optional).

I accidentally discovered this blog post, and used that info to “infer” what these files should be called, and where they should be listed in the main config file.

Create:

  1. /etc/modsecurity/
  2. /etc/modsecurity/modsecurity_crs_15_customrules.conf
  3. /etc/modsecurity/modsecurity_crs_60_customrules.conf

Modify: /etc/apache2/conf.d/mod-security2.conf

  1. Anywhere in that IfModule stanza, add:
    • Include /etc/modsecurity/*.conf
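The three sections above (main config file, empty log files, custom-rule directory, restart) gathered into one script, as an added example that is my own code and not from the post or from Debian. It keeps the post’s paths; the PREFIX variable and the --run flag are assumptions added so the whole thing can be rehearsed in a scratch directory (PREFIX=/tmp/rehearsal sh modsec-setup.sh --run) before being run for real as root with PREFIX unset. It also makes the logs mode 640 and syntax-checks Apache before restarting it.

```shell
#!/bin/sh
# Added example (not code from the original post): the hand-install steps as
# one script. Paths are the post's Debian-lenny-era ones; PREFIX and --run are
# assumptions added so the script can be rehearsed in a scratch directory:
#   PREFIX=/tmp/rehearsal sh modsec-setup.sh --run
# and then run for real as root:
#   sh modsec-setup.sh --run
set -eu

# Write /etc/apache2/conf.d/mod-security2.conf (the file Debian does not ship).
write_main_config() {
    mkdir -p "$(dirname "$CONF")" "$RULES_DIR" "$LOG_DIR" "$DATA_DIR"
    cat > "$CONF" <<'EOF'
<IfModule mod_security2.c>
# Debian-specific: the official "normal" settings, including SecRuleEngine On
Include /usr/share/doc/mod-security-common/examples/rules/*.conf
# Core rules: comment out to cherry-pick individual files into /etc/modsecurity
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/*.conf
# Local rules (e.g. modsecurity_crs_60_my_anti_spam_rules.conf)
Include /etc/modsecurity/*.conf
SecDebugLog /var/log/modsec_debug.log
SecAuditLog /var/log/modsec_audit.log
# Persistent-collection store: must exist and be writable by www-data
SecDataDir /var/run/modsecurity
</IfModule>
EOF
    # The two custom-rule files the post names (empty is fine).
    touch "$RULES_DIR/modsecurity_crs_15_customrules.conf" \
          "$RULES_DIR/modsecurity_crs_60_customrules.conf"
}

# Create the log files. The audit log records whole requests (cookies, POST
# bodies), so it gets mode 640 rather than touch's default 644.
create_logs() {
    for f in modsec_debug.log modsec_audit.log; do
        touch "$LOG_DIR/$f"
        chmod 640 "$LOG_DIR/$f"
    done
    # Ownership only matters on the real system; www-data:adm matches the
    # logrotate stanza later in the post.
    if [ -z "$PREFIX" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$APACHE_USER:adm" "$LOG_DIR"/modsec_*.log "$DATA_DIR"
    fi
}

# Syntax-check before restarting, so a typo in an Include path cannot take the
# site down. Skipped entirely when rehearsing under PREFIX.
restart_apache() {
    if [ -n "$PREFIX" ]; then
        echo "PREFIX=$PREFIX: skipping apache2ctl configtest and restart"
        return 0
    fi
    apache2ctl configtest
    /etc/init.d/apache2 restart
}

# $1 = prefix ("" for the real filesystem)
install_modsecurity_config() {
    PREFIX="$1"
    APACHE_USER="${APACHE_USER:-www-data}"
    CONF="$PREFIX/etc/apache2/conf.d/mod-security2.conf"
    RULES_DIR="$PREFIX/etc/modsecurity"
    LOG_DIR="$PREFIX/var/log"
    DATA_DIR="$PREFIX/var/run/modsecurity"
    write_main_config
    create_logs
    restart_apache
}

case "${1:-}" in
    --run) install_modsecurity_config "${PREFIX:-}" ;;
esac
```

Rehearsing under a PREFIX lets you diff the generated mod-security2.conf and check the file modes before anything touches /etc on a live server; the real run is the same script with PREFIX unset.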

Finally: local configuration

Personally, I gave up. Any security system where customization is hard is doomed to failure. Instead, I replaced the “Include … *.conf” rules with a manual include of the named files I wanted.

I created a new file in /etc/modsecurity – the only requirement *appears* to be that it ends in “.conf” (that is all the Include glob above matches on), but to be safe I named it with the same convention as ModSecurity’s other files: “modsecurity_crs_60_my_anti_spam_rules.conf”.

I put just one hand-made custom rule in there:

# To all those "SEO Marketers" who think they're clever: leave me alone!
# ADAM: this is written to fast-fail: [^/]* cannot cross a slash, so as soon as it skips past the "domain name" part of the referrer, it quits and lets the request through
# ...but if it finds any of these SEO spammers, it'll 500 them, with no explanation given
# NB: this is a plain substring match on the host (and only for http:// referrers), so it also fires on hosts that merely contain one of the words, e.g. "sussex" contains "sex" and "photoshop" contains "shop"; check the list against your own referer log before copying it
# (tested and confirmed working)
SecRule REQUEST_HEADERS:REFERER "http://[^/]*(holdem|poker|casino|porn|seo|miley|seller|pokemon|replica|buy|health|shop|dental|exposed|sex|forex|pussy|realty|sale|pills|download|invest|hosting|videos|cheap)" "t:lowercase,deny,nolog,status:500"

(I got the idea for using ModSecurity for this from this page. I’d never thought of using MS for that – but thought it was a great idea. I scanned some of the local referer logs for common marketing / scam referrers, and used the most-commonly-occurring ones to write the custom rule you see above.)

Testing your custom rules

wget is your friend.

e.g.:

wget http://your.website.com --referer=http://seo-bastards-must-die.com
wget http://your.website.com --referer=http://google.com

For the first, you should see a result printed to screen saying “HTTP request sent, awaiting response… 500 Internal Server Error”

For the second, you should see: “HTTP request sent, awaiting response… 200 OK”
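The two wget calls check one referrer at a time against the live server. Before the rule goes live at all, it is worth dry-running it against the referrers you already have in the access log, which is where its word list came from. This added example (my own code, not the post’s) does that for the custom rule above and for this testing section: it extracts the Referer field from Apache combined-format log lines and reports what the regex would block. grep -E -i stands in for ModSecurity’s PCRE matching plus t:lowercase (the pattern uses nothing PCRE-specific, so they agree here); the log lines are constructed, and the “strict” variant of the regex is an assumption of this example, not something from the post.

```shell
#!/bin/sh
# Added example (not code from the original post): dry-run a referer rule
# against access-log referers before deploying it. grep -E -i stands in for
# ModSecurity's PCRE matching plus t:lowercase; the pattern uses nothing
# PCRE-specific, so the two agree. The log lines below are constructed.
set -eu

# The post's regex, verbatim: an unanchored substring match on the host part.
SEO_RE='http://[^/]*(holdem|poker|casino|porn|seo|miley|seller|pokemon|replica|buy|health|shop|dental|exposed|sex|forex|pussy|realty|sale|pills|download|invest|hosting|videos|cheap)'

# A tightened variant (an assumption of this example, not from the post): the
# word must start a DNS label (follow "//", "." or "-") and end at a label or
# port boundary. Still catches seo-bastards-must-die.com, no longer sussex.ac.uk;
# the price is that e.g. "pokerstars.com" would now be allowed.
SEO_RE_STRICT='http://([^/]*[.-])?(holdem|poker|casino|porn|seo|miley|seller|pokemon|replica|buy|health|shop|dental|exposed|sex|forex|pussy|realty|sale|pills|download|invest|hosting|videos|cheap)([.:/-]|$)'

# True (exit 0) if regex $2 fires on Referer value $1.
referer_matches() {
    printf '%s\n' "$1" | grep -Eiq -e "$2"
}
seo_referer_blocked()        { referer_matches "$1" "$SEO_RE"; }
seo_referer_blocked_strict() { referer_matches "$1" "$SEO_RE_STRICT"; }

# Constructed Apache "combined" log lines (hostnames invented, apart from the
# real university domain that shows the false positive).
SAMPLE_LOG='1.2.3.4 - - [10/Oct/2009:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "http://google.com/search?q=modsecurity" "Mozilla/5.0"
5.6.7.8 - - [10/Oct/2009:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "http://cheap-pills-casino.example/" "Mozilla/5.0"
9.9.9.9 - - [10/Oct/2009:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "http://www.sussex.ac.uk/informatics/" "Mozilla/5.0"
9.9.9.9 - - [10/Oct/2009:13:55:39 +0000] "GET / HTTP/1.1" 200 2326 "http://example.com/buy-now/pokemon" "Mozilla/5.0"
9.9.9.9 - - [10/Oct/2009:13:55:40 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"'

# stdin: combined-format log lines; stdout: each Referer value with the quotes
# stripped, "-" (no referer) dropped. Referer is the 11th whitespace field.
log_referers() {
    awk '{ r = substr($11, 2, length($11) - 2); if (r != "-") print r }'
}

# stdin: log lines; $1: regex. Prints "BLOCK <url>" or "ALLOW <url>" per referer.
dry_run_rule() {
    log_referers | while IFS= read -r ref; do
        if referer_matches "$ref" "$1"; then
            printf 'BLOCK %s\n' "$ref"
        else
            printf 'ALLOW %s\n' "$ref"
        fi
    done
}

# Number of sample referers that regex $1 would block.
blocked_count() {
    printf '%s\n' "$SAMPLE_LOG" | dry_run_rule "$1" | grep -c '^BLOCK'
}

# On a real server, e.g.:
#   dry_run_rule "$SEO_RE" < /var/log/apache2/access.log | sort | uniq -c | sort -rn
```

On the sample, the post’s regex blocks the spam host and the university (the "sussex" false positive) and lets the "/buy-now/pokemon" path through, which is the fast-fail behaviour the rule comment describes; the strict variant blocks only the spam host. Run the dry run over a week of real logs and eyeball the BLOCK lines before enabling the rule.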

Adding mod-security to logrotate

Again … the Debian package should have done this automatically, but tragically doesn’t.

Create the file:

/etc/logrotate.d/mod-security

And set the contents as:

/var/log/modsec_debug.log /var/log/modsec_audit.log {
daily
missingok
rotate 10
compress
delaycompress
notifempty
create 640 www-data adm
# Apache holds both files open, so without a reload it keeps writing to the
# renamed file and the freshly created one stays empty until the next restart.
sharedscripts
postrotate
if [ -f /var/run/apache2.pid ]; then
/etc/init.d/apache2 reload > /dev/null
fi
endscript
}

PS: … for future reference, my personal mod-security2.conf

NB: this is the template I started with, then added lines after the “ADAM: disabling…” line

<IfModule mod_security2.c>

# NB: these are DEBIAN-SPECIFIC – only recommended if you used the official Debian package:
# … this will include the official “normal” settings, including the one that enables the system!
Include /usr/share/doc/mod-security-common/examples/rules/*.conf

# ADAM: disabling; instead I’ll add on an individual basis, thanks!
#Include /usr/share/doc/mod-security-common/examples/rules/base_rules/*.conf

# Add custom rules from this directory:
Include /etc/modsecurity/*.conf

# Tell it where to put logfiles … maybe should be in /var/log/apache2/* ?
SecDebugLog /var/log/modsec_debug.log
SecAuditLog /var/log/modsec_audit.log

# Tell it where to put the Data dir it uses for some long-term processing (persistent collections)
# (if you omit this, you’ll get your error log for Apache filling up VERY fast with complaints!)
# NB: the directory must exist and be writable by the Apache user (www-data), or you get the same complaints
SecDataDir /var/run/modsecurity
</IfModule>