How To Install mod_security/mod_security2 On SuSE Linux Enterprise Server 10 (SLES10)

Author : elconas
Introduction

The Apache module mod_security is a very powerful security module. Combined with predefined rules, you can close many security holes on your server that are opened by badly written PHP or Perl applications.

Unfortunately mod_security is not part of the SLES10 distribution. To install mod_security you have to install some 3rd-party modules. This guide helps you to install mod_security on SLES10. It also helps you to remove the module again later, because everything is built as RPM packages that you can easily uninstall.

Install Apache2

First of all you have to install apache2. This is very simple with the following command:

yast2 -i apache2

Install required build packages

Some modules are required to build the mod_security module. Install the following packages:

yast2 -i libxml2-devel pcre-devel apache2-devel curl-devel gcc gcc-c++

Apache2-devel is required for apxs2. curl-devel is optional.

Get and Install checkinstall (for packaging)

To keep track of installed software and to enable the user to uninstall and update it, checkinstall can build RPM, Debian (DEB) and Slackware packages. Instead of executing "make install", just run "checkinstall"; it catches all files that would be installed by "make install" and puts them into a package.

Get checkinstall from http://www.asic-linux.com.mx/~izto/checkinstall/download.php.

wget http://www.asic-linux.com.mx/~izto/checkinstall/files/source/checkinstall-1.6.1.tgz
tar -zxvf checkinstall-1.6.1.tgz
cd checkinstall-1.6.1
make
make install
# checkinstall is now available; use it to package itself so it can be removed with rpm later
checkinstall
cp /usr/src/packages/RPMS/i386/checkinstall-1.6.1-1.i386.rpm .
rpm -ivh checkinstall-1.6.1-1.i386.rpm

Get and Install liblua

The Lua programming language is used by mod_security for configuration. You must build Lua as a shared library.

Get Lua from http://www.lua.org/ftp/lua-5.1.3.tar.gz.

wget http://www.lua.org/ftp/lua-5.1.3.tar.gz
tar -zxvf lua-5.1.3.tar.gz
cd lua-5.1.3
make linux
checkinstall

[...]
1 - Summary: [ The LUA programming language ]
2 - Name: [ lua ]
3 - Version: [ 5.1.3 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ Development/Languages/Lua ]
7 - Architecture: [ i386 ]
8 - Source location: [ http://www.lua.org/ftp/lua-5.1.3.tar.gz ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ lua ]
[...]

cp /usr/src/packages/RPMS/i386/lua-5.1.3-1.i386.rpm ..
rpm -ivh ../lua-5.1.3-1.i386.rpm

Now you have to build a shared library from the static liblua archive that "make linux" produced.

cd /usr/local/lib
# Link every object of the static archive into the shared library. Without
# --whole-archive the linker pulls in no members at all (nothing references
# them), and the resulting liblua.so would export no Lua symbols.
gcc -shared -o liblua.5.1.3.so -Wl,--whole-archive /usr/local/lib/liblua.a -Wl,--no-whole-archive
ln -s liblua.5.1.3.so liblua.so

Get and Install mod_security

Get mod_security from http://www.modsecurity.org/download/direct.html.

Documentation about the installation can be found here: http://www.modsecurity.org/documentation/index.html.

tar -zxvf modsecurity-apache_2.5.2.tar.gz
cd modsecurity-apache_2.5.2
cd apache2
./configure
make
checkinstall

[...]
1 - Summary: [ mod_security application level firewall ]
2 - Name: [ apache2-mod_security ]
3 - Version: [ 2.5.2 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ Productivity/Networking/Web/Servers ]
7 - Architecture: [ i386 ]
8 - Source location: [ http://www.modsecurity.org/download/ ]
9 - Alternate source location: [ ]
10 - Requires: [ apache2 libxml2 ]
11 - Provides: [ mod_security ]
[...]

cp /usr/src/packages/RPMS/i386/apache2-mod_security-2.5.2-1.i386.rpm ../../
rpm -ivh ../../apache2-mod_security-2.5.2-1.i386.rpm

Configure Apache2 for mod_security

# /etc/apache2/conf.d/mod_security.conf
LoadFile /usr/lib/libxml2.so
LoadFile /usr/local/lib/liblua.so
LoadModule security2_module /usr/lib/apache2/mod_security2.so
Include modsecurity/*.conf
LoadModule unique_id_module /usr/lib/apache2/mod_unique_id.so
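A wrong path in one of the LoadFile or LoadModule lines above is only noticed when Apache refuses to start. The following script is an added example (not part of the original how-to) that checks every LoadFile/LoadModule target in a mod_security.conf before you restart. The configuration it writes is constructed and lives in a temporary directory; the real SLES10 paths are the ones shown in the config above.

```shell
#!/bin/sh
# Added example, not part of the original how-to: verify that every library and
# module referenced by LoadFile/LoadModule in a mod_security.conf exists before
# restarting Apache, so a typo shows up here rather than as a failed restart.
# write_sample_conf produces a constructed config whose paths point into a
# temporary directory, not at the real SLES10 locations.

# missing_load_paths CONF: print each LoadFile/LoadModule target that does not exist.
# Comment lines are stripped first; the file path is always the last field.
missing_load_paths() {
    sed 's/#.*//' "$1" |
    awk '$1 == "LoadFile" || $1 == "LoadModule" { print $NF }' |
    while IFS= read -r path; do
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}

# check_load_paths CONF: return 0 if all targets exist, 1 (listing them on stderr) otherwise.
check_load_paths() {
    missing=$(missing_load_paths "$1")
    if [ -n "$missing" ]; then
        printf 'Missing files referenced by %s:\n%s\n' "$1" "$missing" >&2
        return 1
    fi
    return 0
}

# write_sample_conf DIR: create a constructed config in DIR with one bad path
# (liblua.so is referenced but never created) and print the config's path.
write_sample_conf() {
    dir="$1"
    touch "$dir/libxml2.so" "$dir/mod_security2.so" "$dir/mod_unique_id.so"
    cat > "$dir/mod_security.conf" <<EOF
# constructed test config; all paths are inside $dir
LoadFile $dir/libxml2.so
LoadFile $dir/liblua.so
LoadModule security2_module $dir/mod_security2.so
LoadModule unique_id_module $dir/mod_unique_id.so
EOF
    printf '%s\n' "$dir/mod_security.conf"
}

# Demonstration when run directly: the check fails until liblua.so exists.
demo_dir=$(mktemp -d)
demo_conf=$(write_sample_conf "$demo_dir")
if check_load_paths "$demo_conf"; then
    echo "config OK; run 'apache2ctl -t' and then 'rcapache2 restart'"
else
    echo "fix the paths listed above before restarting Apache"
fi
rm -rf "$demo_dir"
```

Run it against /etc/apache2/conf.d/mod_security.conf on the server itself (check_load_paths /etc/apache2/conf.d/mod_security.conf) after the liblua and mod_security packages are installed; a missing liblua.so is the typical finding when the symlink step was skipped.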

Extract and Configure Core Rules

Get the core rules from http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.0.tar.gz.

cd /etc/apache2
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.0.tar.gz
mkdir modsecurity
cd modsecurity
tar -zxvf ../modsecurity-core-rules_2.5-1.6.0.tar.gz

Modify modsecurity_crs_10_config.conf so that the log file locations match your setup:

vi modsecurity_crs_10_config.conf
SecAuditLog ...
SecDebugLog ...

Restart Apache and Test your Webpage

First restart Apache so that it loads the new configuration:

rcapache2 restart

To test the installation, write a simple (deliberately insecure) PHP script like this:

<?php
// deliberately insecure test script: the user-supplied file name goes straight into a shell command
$text = $_GET['file'];
echo "Content of File $text";
echo `cat $text`;
?>

Then call it and try to read a file that should never be served by the web server:

http://ip.of.your.server.de/index.php?file=/etc/passwd

You should get ERROR 501 in your browser, and the SecAuditLog file should show:

[...]
GET /index.php?file=/etc/passwd HTTP/1.1 ...
[...]
Message: Access denied with code 501 (phase 2). Pattern match "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" at ARGS:file. [file "/etc/apache2/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "114"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"]
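Once the module is blocking requests, the audit log quickly fills with "Message:" lines like the one above, and the useful question becomes which rules fire how often. The script below is an added example, not part of the original how-to: it extracts the bracketed fields (id, severity, msg) from denied-request messages in a serial-format SecAuditLog and counts them per rule. The audit log it writes is constructed; the first two entries copy the format of the excerpt above, the third is an illustrative entry for the host-header rule mentioned under Caveats, with a placeholder id because the real rule number is not given on this page.

```shell
#!/bin/sh
# Added example, not part of the original how-to: summarize denied requests in a
# serial-format SecAuditLog by rule id, severity and message. The log produced by
# write_sample_audit is constructed; EXAMPLE-ID is a placeholder, not a real rule id.

# audit_field NAME: read audit "Message:" lines on stdin and print the value of
# the [NAME "value"] bracket from each line that carries one.
audit_field() {
    sed -n "s/.*\\[$1 \"\\([^\"]*\\)\"\\].*/\\1/p"
}

# summarize_audit LOG: one tab-separated line "id<TAB>severity<TAB>msg" per denied request.
summarize_audit() {
    grep '^Message: Access denied' "$1" |
    while IFS= read -r line; do
        id=$(printf '%s\n' "$line" | audit_field id)
        sev=$(printf '%s\n' "$line" | audit_field severity)
        msg=$(printf '%s\n' "$line" | audit_field msg)
        printf '%s\t%s\t%s\n' "$id" "$sev" "$msg"
    done
}

# count_by_rule LOG: number of denied requests per rule id, most frequent first.
count_by_rule() {
    summarize_audit "$1" | cut -f1 | sort | uniq -c | sort -rn
}

# write_sample_audit FILE: constructed audit log with three denied requests
# (A = header, B = request, H = audit trailer, Z = end of entry).
write_sample_audit() {
    cat > "$1" <<'EOF'
--a1b2c3d4-A--
[10/May/2008:12:00:01 +0200] SGVsbG8gd29ybGQK 192.0.2.10 40123 192.0.2.1 80
--a1b2c3d4-B--
GET /index.php?file=/etc/passwd HTTP/1.1
Host: www.example.com
--a1b2c3d4-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" at ARGS:file. [file "/etc/apache2/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "114"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[10/May/2008:12:00:05 +0200] SGVsbG8gd29ybGQK 192.0.2.11 40124 192.0.2.1 80
--e5f6a7b8-B--
GET /index.php?file=/etc/shadow HTTP/1.1
Host: www.example.com
--e5f6a7b8-H--
Message: Access denied with code 501 (phase 2). Pattern match "(?:\b(?:\.(?:ht(?:access|passwd|group)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" at ARGS:file. [file "/etc/apache2/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "114"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"]
--e5f6a7b8-Z--
--c9d0e1f2-A--
[10/May/2008:12:00:09 +0200] SGVsbG8gd29ybGQK 192.0.2.12 40125 192.0.2.1 80
--c9d0e1f2-B--
GET / HTTP/1.1
Host: 192.0.2.1
--c9d0e1f2-H--
Message: Access denied with code 501 (phase 2). [file "/etc/apache2/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [id "EXAMPLE-ID"] [msg "Host header is a numeric IP address"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
--c9d0e1f2-Z--
EOF
}

# Demonstration when run directly.
demo_log=$(mktemp)
write_sample_audit "$demo_log"
echo "denied requests:"
summarize_audit "$demo_log"
echo "per rule:"
count_by_rule "$demo_log"
rm -f "$demo_log"
```

On a live server, point summarize_audit at the file you configured as SecAuditLog; a rule that dominates the count for ordinary traffic (such as the IP host-header check when users reach the server by address) is the one to review in the core rules rather than something to ignore in the log.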

Caveats

  • When you access your server via its IP address, a rule in modsecurity_crs_21_protocol_anomalies.conf denies the request. Edit the file and look for "Check that the host header is not an IP address".

Links and References