CentOS 5.2 ModSecurity Installation
While this guide is CentOS specific, it contains enough detail to be adaptable to most other distributions.
ModSecurity is essentially a firewall for Apache: it checks all traffic against a set of rules which detect and prevent potentially malicious activity. There are three parts to this ModSec installation.
1. ModSecurity
2. mlogc
3. ModSecurity Console
ModSecurity is the ‘firewall’; mlogc is responsible for sending logs to the management console.
The console can be downloaded from BREACH; I used the Windows version for simplicity. Each console installation can support multiple sensors (ModSec installations), so it provides centralised monitoring. The console installation isn’t covered here; there’s nothing to it – download, install, create sensors – done. Just make sure to install a valid license (BREACH offer a free 3-sensor license).
Versions used:
Apache: 2.2.3
ModSecurity: 2.5.7
Install Dependencies:
yum install httpd-devel libxml2 libxml2-devel curl-devel pcre-devel gcc-c++
Note: curl-devel is only required for mlogc.
Download and Installation
wget http://www.modsecurity.org/download/modsecurity-apache_2.5.7.tar.gz
or, get the latest from http://www.modsecurity.org/download/direct.html
Stop Apache
service httpd stop
Untar it and install:
tar -xvzf modsecurity-apache_2.5.7.tar.gz
cd modsecurity-apache_2.5.7/apache2/
./configure
make
make mlogc
make install
Configuration
Configure mlogc:
Copy the binary from mlogc-src/ to /usr/local/bin/
cp mlogc-src/mlogc /usr/local/bin/
Copy the default config to /etc/
cp mlogc-src/mlogc-default.conf /etc/mlogc.conf
Edit the configuration file /etc/mlogc.conf:
Change the following:
#URL TO CONSOLE LOG RECEIVER
ConsoleURI https://CONSOLE_IP_ADDRESS:8886/rpc/auditLogReceiver
#SENSOR CREDENTIALS
SensorUsername "SENSOR_USERNAME"
SensorPassword "SENSOR_PASSWORD"
The above values need to reflect the Console installation and sensor configuration; also ensure the port is correct: it should be either 8886 or 8888. Save and exit.
Configure ModSecurity:
Edit httpd.conf and add the following:
# ModSecurity
Include conf/modsecurity/*.conf
LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
Still in the httpd.conf, go down to the main server configuration section and add:
# ModSecurity Configuration
Save and Exit.
Copy rules to Apache directory
mkdir /etc/httpd/conf/modsecurity
From the rules directory:
cp *.conf /etc/httpd/conf/modsecurity
Make the necessary changes to modsecurity_crs_10_config.conf (mainly the logging section – use values from httpd.conf):
# Log files structure
SecAuditLogType Concurrent
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
SecAuditLogStorageDir /var/log/mlogc/data
SecAuditLogParts "ABIDEFGHZ"
Create the mlogc log directories and configure permissions:
mkdir /var/log/mlogc
mkdir /var/log/mlogc/data
chown :apache /var/log/mlogc
chown :apache /var/log/mlogc/data
chmod g+w /var/log/mlogc
chmod g+w /var/log/mlogc/data
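A quick way to check the mlogc configuration and the directory permissions from the two steps above before starting Apache. This is an added example and not part of the original guide: the function names are mine, the paths default to the ones this guide uses, and the sample config files in the usage are constructed.

```sh
#!/bin/sh
# Pre-flight checks for the mlogc configuration and log directories set up above.
# Added example, not from the post: the function names are my own; paths default
# to the ones used in this guide.

# Succeed only if the config names a console receiver on port 8886 or 8888 and
# the template placeholders have been replaced with real values.
check_mlogc_config() {
    conf="$1"
    [ -r "$conf" ] || { echo "missing or unreadable: $conf"; return 1; }
    # ConsoleURI value, with optional surrounding quotes removed
    uri=$(sed -n 's/^[[:space:]]*ConsoleURI[[:space:]]*//p' "$conf" | head -n 1 \
          | sed 's/^"//; s/"[[:space:]]*$//')
    [ -n "$uri" ] || { echo "ConsoleURI not set in $conf"; return 1; }
    # Port from https://host:port/... (empty if the URI carries no port)
    port=$(printf '%s\n' "$uri" | sed -n 's#^https*://[^/:]*:\([0-9][0-9]*\).*#\1#p')
    case "$port" in
        8886|8888) ;;
        *) echo "ConsoleURI port '$port' is not 8886 or 8888: $uri"; return 1 ;;
    esac
    if grep -E -q 'CONSOLE_IP_ADDRESS|SENSOR_USERNAME|SENSOR_PASSWORD' "$conf"; then
        echo "template placeholders still present in $conf"; return 1
    fi
    return 0
}

# Succeed only if $1 is a directory owned by group $2 and group-writable, which
# is what lets Apache (running as the apache user) hand audit log files to mlogc.
check_log_dir() {
    dir="$1"; group="$2"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    set -- $(ls -ld "$dir")          # perms links owner group size ...
    perms="$1"; dir_group="$4"
    [ "$dir_group" = "$group" ] || { echo "$dir is group $dir_group, expected $group"; return 1; }
    case "$perms" in
        ?????w*) return 0 ;;          # sixth character is the group write bit
        *) echo "$dir is not group-writable ($perms)"; return 1 ;;
    esac
}

# Run every check; the exit status is non-zero if any of them failed.
# Arguments: config path, mlogc binary, log directory, Apache group (all optional).
check_mlogc_setup() {
    conf="${1:-/etc/mlogc.conf}"; bin="${2:-/usr/local/bin/mlogc}"
    logdir="${3:-/var/log/mlogc}"; group="${4:-apache}"
    rc=0
    check_mlogc_config "$conf" || rc=1
    [ -x "$bin" ] || { echo "mlogc binary missing or not executable: $bin"; rc=1; }
    check_log_dir "$logdir" "$group" || rc=1
    check_log_dir "$logdir/data" "$group" || rc=1
    return $rc
}

# Saved as check_mlogc.sh and run on the sensor, this reports all problems at once.
if [ "${0##*/}" = "check_mlogc.sh" ]; then
    check_mlogc_setup "$@" && echo "mlogc set-up looks correct"
fi
```

Run it as `sh check_mlogc.sh` on the sensor after editing /etc/mlogc.conf; every failing check prints one line, so a wrong port, leftover placeholders and a data directory Apache cannot write to all show up in one pass.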
Restart Apache
service httpd start
Confirm ModSecurity is running:
tail /var/log/httpd/error_log
[Wed Oct 22 21:37:45 2008] [notice] ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/) configured.
[Wed Oct 22 21:37:45 2008] [notice] Digest: generating secret for digest authentication ...
[Wed Oct 22 21:37:45 2008] [notice] Digest: done
[Wed Oct 22 21:37:46 2008] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
Done! Generate some suspicious traffic (e.g. run an nmap scan against port 80) and check the console for alerts.
Files to check if things don’t work:
/var/log/httpd/error_log
/var/log/mlogc/mlogc-error.log
/var/log/messages
Also check the Administrative Events in the Console.
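Before relying on the console, the same error_log can confirm that the module loaded and show which rules are firing, which also tells you whether a quiet console means "no alerts" or "mlogc isn't delivering". The following is an added example, not from the post: the function names are mine, and the sample log lines in the usage are constructed in the ModSecurity 2.x error_log format (alert lines containing "ModSecurity:" with [id "..."] and [msg "..."] tags).

```sh
#!/bin/sh
# Check ModSecurity locally from Apache's error_log: confirm the module loaded and
# summarise which rules fired, without depending on the console. Added example, not
# from the post; the function names are my own.

# Print the version from the "ModSecurity for Apache/x.y.z ... configured." startup
# notice in log $1; fail if no such notice exists (module not loaded).
modsec_loaded() {
    ver=$(sed -n 's#.*ModSecurity for Apache/\([0-9.]*\) .*configured.*#\1#p' "$1" | tail -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# One line per rule that alerted, most frequent first: "count id message".
# ModSecurity 2.x alert lines contain "ModSecurity:" plus [id "..."] and [msg "..."] tags.
summarize_alerts() {
    grep 'ModSecurity: ' "$1" 2>/dev/null \
      | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
      | sort | uniq -c | sort -rn
}

# Client addresses whose requests were blocked (Access denied), most frequent first.
denied_clients() {
    grep 'ModSecurity: Access denied' "$1" 2>/dev/null \
      | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' | sort | uniq -c | sort -rn
}

# Saved as modsec_log_check.sh, run against the live log (path optional).
if [ "${0##*/}" = "modsec_log_check.sh" ]; then
    log="${1:-/var/log/httpd/error_log}"
    if ver=$(modsec_loaded "$log"); then
        echo "ModSecurity $ver is loaded"
    else
        echo "no ModSecurity startup notice in $log" >&2
    fi
    echo "alerts by rule:";  summarize_alerts "$log"
    echo "blocked clients:"; denied_clients "$log"
fi
```

If alerts appear here but never reach the console, the problem is on the mlogc side (check /var/log/mlogc/mlogc-error.log); if nothing appears here either, the rules are not loading or the traffic is not matching.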
Resources:
http://www.modsecurity.org/documentation/faq.html
http://www.modsecurity.org/projects/rules/index.html
http://www.modsecurity.org/projects/modsecurity/apache/index.html
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#installation
http://www.modsecurity.org/blog/archives/2007/03/modsecurity_con_1.html