Friday, September 30, 2011

Deploy modsecurity-apache in Apache HTTP

I have some free time to learn something new. I read about ModSecurity and was interested in it, so I wanted to install ModSecurity for Apache. It's a native implementation of a web application firewall, working as an Apache module. Both major Apache branches are supported.

I just deployed modsecurity-apache in Apache HTTP 2.2. Download modsecurity-apache.
In this post, I used Apache HTTP 2.2.21 (source).
*** modsecurity 2.x works with Apache 2.0.x or better ***
# ls httpd-2.2.21.tar.bz2
httpd-2.2.21.tar.bz2
# tar jxvf httpd-2.2.21.tar.bz2
# cd httpd-2.2.21
# ./configure --prefix=/usr/local/apache --enable-unique-id --with-included-apr
*** mod_unique_id should be installed (--enable-unique-id) ***
# make
# make install
*** make sure the pcre-devel, apr-devel, libxml2-devel, libcurl-devel and expat-devel packages are installed ***
- Deploy modsecurity-apache
# ls modsecurity-apache_2.6.1.tar.gz
modsecurity-apache_2.6.1.tar.gz
# tar zxvf modsecurity-apache_2.6.1.tar.gz
# cd modsecurity-apache_2.6.1
# ./configure --with-apxs=/usr/local/apache/bin/apxs --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config
# make
# make CFLAGS=-DMSC_TEST test
# make mlogc
# make install
- Check mod_security2.so file
# ls /usr/local/apache/modules/mod_security2.so
/usr/local/apache/modules/mod_security2.so
- Modify httpd.conf file.
A. Load libxml2 and lua5.1
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua-5.1.so
B. Load the ModSecurity module
LoadModule security2_module modules/mod_security2.so
C. Demo for SecAuditEngine
SecAuditEngine On
SecAuditLog logs/audit/audit.log
SecAuditLogParts ABCFHZ
SecAuditLogType Serial
SecAuditLogStorageDir logs/audit
SecAuditLogRelevantStatus ^(?:5|4(?!04))
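*** with SecAuditEngine On every transaction is logged; SecAuditLogRelevantStatus is only used when SecAuditEngine is set to RelevantOnly ***
*** read more in the modsecurity-apache_2.6.1/doc/Reference_Manual.html file ***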

- Start Apache and test
# /usr/local/apache/bin/apachectl start
Check the /usr/local/apache/logs/error_log file:
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/) configured.
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity: APR compiled version="1.4.5"; loaded version="1.4.5"
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity: PCRE compiled version="7.8"; loaded version="5.0 13-Sep-2004"
[Fri Sep 30 23:19:47 2011] [warn] ModSecurity: Loaded PCRE do not match with compiled!
[Fri Sep 30 23:19:47 2011] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Fri Sep 30 23:19:48 2011] [notice] Apache/2.2.21 (Unix) configured -- resuming normal operations
Test SecAuditEngine: open a browser at the URL http://192.168.1.35
Check: /usr/local/apache/logs/audit/audit.log
--4aef2215-A--
[30/Sep/2011:23:20:38 +0700] ToXsVsCoASgAAE3BE10AAAAB 192.168.1.91 54316 192.168.1.35 80
--4aef2215-B--
GET /favicon.ico HTTP/1.1
Host: 192.168.1.35
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

--4aef2215-F--
HTTP/1.1 200 OK
Last-Modified: Fri, 30 Sep 2011 16:20:24 GMT
ETag: "7202-0-4ae2b00a92976"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/x-icon

--4aef2215-H--
Stopwatch: 1317399638159608 16789 (- - -)
Stopwatch2: 1317399638159608 16789; combined=46, p1=0, p2=0, p3=0, p4=0, p5=44, sr=0, sw=2, l=0, gc=0
Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/).
Server: Apache/2.2.21 (Unix)

--4aef2215-Z--
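Added example (not part of the original post and not ModSecurity's own code): a small Python parser for the Serial audit log format shown above. It splits each transaction on its boundary id, pulls the client/server fields from part A, the request line from part B and the status from part F, and flags entries that the SecAuditLogRelevantStatus pattern from the config would match. The function names and the second log entry are made up for the demonstration.

```python
import re
# Constructed sample in the page's Serial format; the second entry (403) is made up.
SAMPLE = """\
--4aef2215-A--
[30/Sep/2011:23:20:38 +0700] ToXsVsCoASgAAE3BE10AAAAB 192.168.1.91 54316 192.168.1.35 80
--4aef2215-B--
GET /favicon.ico HTTP/1.1
--4aef2215-F--
HTTP/1.1 200 OK
--4aef2215-Z--
--0badc0de-A--
[30/Sep/2011:23:21:02 +0700] CONSTRUCTEDuniqueID00001 192.168.1.91 54320 192.168.1.35 80
--0badc0de-B--
GET /private/ HTTP/1.1
--0badc0de-F--
HTTP/1.1 403 Forbidden
--0badc0de-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$")
PART_A = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)$")
RELEVANT = re.compile(r"^(?:5|4(?!04))")  # the page's SecAuditLogRelevantStatus
KEYS = ("time", "unique_id", "src_ip", "src_port", "dst_ip", "dst_port")

def parse_serial_audit_log(text):
    """Return one summary dict per complete A..Z transaction."""
    entries, bid, part, parts = [], None, None, {}
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "A" and bid is None:
            bid, part, parts = m.group(1), "A", {"A": []}
        elif m and m.group(1) == bid:  # next part of the open transaction
            part = m.group(2)
            parts[part] = []
            if part == "Z":
                entries.append(summarise(parts))
                bid = None
        elif bid is not None:  # payload; boundary-like text with another id is data
            parts[part].append(line)
    return entries

def summarise(parts):
    first = lambda p: next((ln for ln in parts.get(p, []) if ln), "")
    a = PART_A.match(first("A"))
    status = first("F").split(" ")[1:2]  # ["200"] from "HTTP/1.1 200 OK"
    entry = dict(zip(KEYS, a.groups())) if a else {}
    entry["request_line"] = first("B") or None
    entry["status"] = status[0] if status else None
    entry["relevant"] = bool(status and RELEVANT.match(status[0]))
    return entry
```

Calling parse_serial_audit_log() on the contents of logs/audit/audit.log gives one dict per request; a transaction with no closing Z part is dropped rather than guessed at.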
That's how simple it is to deploy modsecurity-apache in Apache HTTP.
