Sebastian Mogilowskis Blog

Just another blog about administration, linux and other stuff

Secure Apache 2 with mod-security 2 on Debian Lenny

This article describes how to install mod_security2 on Debian Lenny. It should work on Etch, too.

On the http://www.modsecurity.org website there is a link to the mod_security2 pakets for Debian. (Community-Produced Binary packages)

Note: You should check this website for the latest versions and change the example “wget” commands in this howto.

1. Download the pakets and install via dpkg:

wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/2.5.x/etch/libapache2-mod-security2_2.5.5-1~etch1_amd64.deb
wget http://etc.inittab.org/~agi/debian/libapache-mod-security2/2.5.x/etch/mod-security2-common_2.5.5-1~etch1_all.deb

dpkg -i mod-security2-common_2.5.5-1~etch1_all.deb libapache2-mod-security2_2.5.5-1~etch1_amd64.deb

Note: You may need an other paket than amd64 !!!

2. Create a subfolder for the mod_security rules in the Apache config folder:

mkdir /etc/apache2/modsecurity2
chmod 600 /etc/apache2/modsecurity2

3. Download the rulsets from http://www.modsecurity.org/download/direct.html

wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz

and extract the files and move the “conf” files to mod security:

tar vfx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/modsecurity2/

4. You have to create a symlink to fit Apache log directory to the Debian logs.

(Or fix all rules :-))

ln -s /var/log/apache2 /etc/apache2/logs

5. Enable modsecurity

a2enmod mod-security

6. Configuration

Edit “/etc/apache2/conf.d/mod_security”:

        # mod_security configuration directives
        # ...
        # Turn the filtering engine On or Off
        SecFilterEngine On

        # Some sane defaults
        #Check if URL characters where encoded
        SecFilterCheckURLEncoding On
        #Check UTF-8 encoding
        SecFilterCheckUnicodeEncoding Off

        #Allow 1 byte characters
        # Accept almost all byte values
        SecFilterForceByteRange 0 255

      
        # Server masking is optional
        # SecServerSignature "Microsoft-IIS/0.0"

        SecAuditEngine RelevantOnly
        # The name of the audit log file
        SecAuditLog /var/log/apache2/audit_log

        # You normally won't need debug logging
        # Debug level set to a minimum
        SecFilterDebugLog /var/log/apache2/modsec_debug_log
        SecFilterDebugLevel 0

        # Should mod_security inspect POST payloads
        SecFilterScanPOST On

        # By default log and deny suspicious requests
        # with HTTP status 500
        SecFilterDefaultAction "deny,log,status:500"

7. Now you can restart your Apache webserver:

/etc/init.d/apache2 restart

8. Links:

http://www.modsecurity.org
http://www.howtoforge.com/apache_mod_security
http://www.debuntu.org/2006/08/13/86-secure-your-apache2-with-mod-security

, , , , , , , , , ,

4 thoughts on “Secure Apache 2 with mod-security 2 on Debian Lenny

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.