Friday, July 15, 2011

Installing ModSecurity 2.6.1-rc1 + CRS (Core Rule Set) 2.2.0

This post shows how to install and configure the ModSecurity Web Application Firewall on your system, together with the Core Rule Set 2.2.0. The base operating system is CentOS 5.6.

- Install dependencies:

# yum install gcc openssl-devel openssl apr-util-devel apr-devel pcre pcre-devel libjpeg-devel gd-devel libpng-devel libjpeg gd libpng gettext gettext-devel libmcrypt-devel libmcrypt libxml2 libxml2-devel bison zlib zlib-devel bzip2 bzip2-devel libtool libtool-ltdl readline readline-devel ncurses ncurses-devel curl curl-devel

- Get the source codes:

- Apache:
- Lua:
- ModSecurity:
- Core Rule Set:

- Check the integrity of the sources with md5sum or sha1sum

- Install Apache from source:

# ./configure --prefix=/var/www --enable-auth-digest --enable-mime-magic --enable-usertrack --enable-ssl --enable-http --disable-cgi --enable-vhost-alias --disable-userdir --enable-so --enable-unique-id --enable-rewrite --with-z --disable-dav --disable-proxy --enable-deflate --enable-expires --with-pcre=/usr/bin/pcre-config

# make

# make install

- Compile Lua:

# tar xvfz lua-5.1.4.tar.gz
# cd lua-5.1.4
# make all linux
# make install INSTALL_TOP=/usr/local/lua-5.1.4
# cd src
# rm -f lua.o luac.o print.o && gcc -shared -Wall -O2 -o *.o
# cp /usr/local/lua-5.1.4/lib
# ln -s /usr/local/lua-5.1.4 /usr/local/lua
# echo "/usr/local/lua/lib" >> /etc/
# ldconfig

- Compile ModSecurity:

# tar xvfz modsecurity-apache_2.6.1-rc1.tar.gz
# cd modsecurity-apache_2.6.1-rc1
# ./configure --with-apxs=/var/www/bin/apxs --with-lua=/usr/local/lua
# make
# make install

- Install and configure Core Rule Set:

# mkdir /var/www/conf/modsecurity
# mkdir /var/www/conf/modsecurity/crs
# cp modsecurity-apache_2.6.1-rc1/modsecurity.conf-recommended /var/www/conf/modsecurity/modsecurity.conf
# touch /var/www/conf/modsecurity/whitelist.conf

# tar xvfz modsecurity-crs_2.2.0.tar.gz
# cp -a modsecurity-crs_2.2.0/* /var/www/conf/modsecurity/crs

# cd /var/www/conf/modsecurity/crs
# for f in `ls base_rules/` ; do ln -s ../base_rules/$f activated_rules/$f ; done
# cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
# ln -s ../modsecurity_crs_10_config.conf activated_rules/
# ls -l activated_rules/    # check the symbolic links

- Configure Apache (httpd.conf)

LoadFile /usr/lib/
LoadFile /usr/local/lua/lib/
LoadModule security2_module modules/
<IfModule security2_module>
Include conf/modsecurity/modsecurity.conf
Include conf/modsecurity/whitelist.conf
Include conf/modsecurity/crs/modsecurity_crs_10_config.conf
Include conf/modsecurity/crs/activated_rules/*.conf
</IfModule>

- Edit modsecurity.conf:

SecRuleEngine On
SecAuditLog logs/modsec_audit.log

- Start Apache and check error_log:

[warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[notice] ModSecurity for Apache/2.6.1-rc1 ( configured.
[notice] ModSecurity: APR compiled version="1.2.7"; loaded version="1.2.7"
[notice] ModSecurity: PCRE compiled version="6.6"; loaded version="5.0 13-Sep-2004"
[notice] ModSecurity: LUA compiled version="Lua 5.1"
[notice] ModSecurity: LIBXML compiled version="2.6.26"
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done

- Test your ModSecurity:

Access a URL with a blocked extension, such as http://server/test.sql

You will see this in the Apache error_log:

[error] [client] ModSecurity: Access denied with code 403 (phase 2). String match within ".asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/" at TX:extension. [file "/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".alq"] [severity "CRITICAL"] [tag "POLICY/EXT_RESTRICTED"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "localhost"] [uri "/test.SQL"] [unique_id "Th8c038AAAEAAGugG2kAAAAD"]

Now your work is just beginning: you have to test your application for false positives and false negatives.
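While hunting for false positives, the first question is which rules are firing and on which URIs. The following script is an added example (not part of the original post) that summarises the "Access denied" entries of the error_log shown above by rule id; it assumes the 2.6.x log format from the post and runs on a constructed sample log embedded in the script.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise ModSecurity
# "Access denied" entries from the Apache error_log by rule id, so you can
# see which CRS rules fire most often while hunting for false positives.
# Assumes the 2.6.x error_log message format shown in the post.

# Print the value of one bracketed field of a log line: modsec_field id "$line"
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# Read error_log lines on stdin; print "<count> <id> <msg>" per rule,
# most frequent first. Lines that are not denials are ignored.
modsec_summary() {
    grep 'ModSecurity: Access denied' |
    sed -n 's/.*\[id "\([0-9]*\)"].*\[msg "\([^"]*\)"].*/\1 \2/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Deduplicated list of URIs that triggered a given rule id (stdin = error_log),
# which tells you where an exception in whitelist.conf would need to be scoped.
modsec_uris_for_rule() {
    grep "ModSecurity: Access denied.*\[id \"$1\"]" |
    sed -n 's/.*\[uri "\([^"]*\)"].*/\1/p' | sort -u
}

# Constructed sample log: two abridged copies of the post's 960035 entry,
# one invented rule id (999001) and one non-denial notice line.
SAMPLE_LOG='[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within ".sql/" at TX:extension. [file "/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".sql"] [severity "CRITICAL"] [hostname "localhost"] [uri "/test.sql"] [unique_id "constructed-1"]
[notice] ModSecurity: LUA compiled version="Lua 5.1"
[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match within ".bak/" at TX:extension. [file "/var/www/conf/modsecurity/crs/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "88"] [id "960035"] [msg "URL file extension is restricted by policy"] [data ".bak"] [severity "CRITICAL"] [hostname "localhost"] [uri "/db.bak"] [unique_id "constructed-2"]
[error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Constructed denial. [id "999001"] [msg "Constructed example rule"] [severity "WARNING"] [hostname "localhost"] [uri "/index.php"] [unique_id "constructed-3"]'

# Usage on the sample; on a real server pipe in /var/www/logs/error_log instead.
printf '%s\n' "$SAMPLE_LOG" | modsec_summary
printf '%s\n' "$SAMPLE_LOG" | modsec_uris_for_rule 960035
```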

If you use WordPress, Joomla, phpBB, etc., check the slr_rules directory; you have to enable those rules in httpd.conf.