HOWTO: Enhancing Apache with mod_security
People sometimes ask whether fedoranews.org contains information for desktop purposes only, whether it's intended only so the proverbial "Joe User" can navigate as he sees fit through his Fedora box... It is not.
The information in FN.org is free(dom), and as such, many topics are covered and many programs pass through these humble pages.
Today we are going server side: we are focusing on how we can enhance
our site's security against attacks and exploits, be they SQL injection,
cross-site scripting, or other niceties that people tend to try from time to time.
Like probably quite a few of you, I run and admin some websites (some for fun, some for work), and as many of you surely do, some of these websites are mounted on a CMS. CMSes are not the 8th wonder of the world; however, some of them are pretty good, and they save you a lot of time by automating tons of tasks... However, like every piece of code in existence, all of them are insecure and buggy (in fact, every piece of software is insecure and buggy to a degree).
So, searching for tools and ways to prevent people from breaking into my site
without authorization, I began my search and found a great piece of software:
mod_security for Apache.
Yes, you read that correctly: this will be about an Apache add-on module that
enhances security server-wide. As the official site points out:
This will guide you through the steps to build mod_security as a dynamic
shared object for the Apache web server on Fedora Core 2 (though it's pretty easy
to replicate the steps for any other distro/version).
You need basically 2 things:
* The source for mod_security (here)
Once you have these files, you'll just need to unpack the tarball:
[gallegosja@gallegosja gallegosja]$ tar -xvzf mod_security-1.8.4.tar.gz
Go to the Apache 2 module directory inside the recently unpacked directory and run apxs (you will need root permissions to do this):
[gallegosja@gallegosja gallegosja]$ cd mod_security-1.8.4/apache2/
If you ever happen to want to link against installed libraries
See any operating system documentation about shared libraries for
Restart your apache web server...
[gallegosja@gallegosja apache2]$ sudo /sbin/service httpd restart
This just restarted your Apache server and placed a file in /etc/httpd/conf.d/mod_security.conf
with a set of general rules... very general rules. You will need to change
several of these rules and activate/deactivate some of them; you might find
conf file a little bit more useful.
The mod_security.conf file is located in the conf.d directory of the Apache configuration directory, and the logs (if you downloaded the .conf file provided above) are in /var/log/httpd/audit_log; otherwise, you can define in the .conf file where to write the logs.
The configuration file contains a very basic set of rules and although they're quite useful for a simple site, more complex rules might be in order for your site's specific needs. If you need more information on how you can create new rules or modify existing rules, read the documentation in the /usr/share/doc/mod_security-1.8.4 directory or read it online at the project's home page.
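As an illustration of what tuning that file looks like, here is an added example (not the conf file offered in this article, nor the project's shipped rule set) using mod_security 1.8.x directive syntax. The rule patterns are assumptions chosen for illustration; the audit log path is the one mentioned above.

```apache
# Illustrative /etc/httpd/conf.d/mod_security.conf for mod_security 1.8.x.
# Added example: the rule patterns below are assumptions for illustration,
# not the contents of the file discussed in the article.
<IfModule mod_security.c>
    # Enable the filtering engine and inspect POST bodies as well as URLs
    SecFilterEngine On
    SecFilterScanPOST On

    # Validate encodings before the rules run, so encoded payloads cannot
    # slip past the patterns below
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 1 255

    # Default action for every rule that matches: reject with 403 and log.
    # While tuning a new rule set, "pass,log" records matches without blocking.
    SecFilterDefaultAction "deny,log,status:403"

    # Audit log location; RelevantOnly records only the requests that
    # triggered a rule or ended in an error
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/audit_log

    # Directory traversal anywhere in the request
    SecFilter "\.\./"

    # Cross-site scripting: opening script tag, with optional whitespace
    SecFilter "<[[:space:]]*script"

    # SQL injection: common statement shapes in request arguments
    SecFilterSelective ARGS "delete[[:space:]]+from"
    SecFilterSelective ARGS "insert[[:space:]]+into"

    # Deactivated rule: too broad for sites with free-text search fields,
    # where ordinary sentences containing "select ... from" would be blocked
    # SecFilterSelective ARGS "select.+from"

    # Chained rule: reject a POST that arrives without a Content-Length
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"
</IfModule>
```

After editing the file, run `apachectl configtest` before restarting httpd so that a syntax error in a rule does not take the server down.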
Jorge A Gallegos
Copyright © 2003-2004 FedoraNEWS.ORG
Last Modified: March 9, 2008