WebTracker.one

 
Login
Site Stats
Tools
Whois
Whois
Email Whois
Fingerprint
Logout
Contact
Lost Password
 
Smiley






JavaScript is disabled by your browser. Many features will not work.












ModSecurity

ModSecurity is a web application firewall. I'll say up front that caution must be exercised with ModSecurity. Many of the OWASP rules interfere with scripts and break websites. Unless you use it sparingly and judiciously, you're better off without it. (The Fail2Ban hacker script I presented earlier can block a lot of bad actors without interfering with your website.)

Here is how to go about implementing ModSecurity for a Linux site running Apache.

Install the software:

sudo apt install libapache2-mod-security2


Restart Apache:

sudo systemctl restart apache2


Make new copies of the .conf file and the mapping file with usable names:

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

sudo cp /etc/modsecurity/unicode.mapping.dpkg-dist/ etc/modsecurity/unicode.mapping


Pull up the ModSecurity configuration file for edit:

sudo nano /etc/modsecurity/modsecurity.conf


Make the following changes to the ModSecurity config file (the first change is to turn ModSecurity to on and the second change is to improve performance):

SecRuleEngine DetectionOnly to
SecRuleEngine on

SecResponseBodyAccess on to
SecResponseBodyAccess off


Enable the ModSecurity security2 module for the Apache web server:

sudo a2enmod security2


Perform an Apache config test to make everything is OK:

sudo apache2ctl -t


Restart Apache:

sudo systemctl restart apache2


Download the OWASP Core Rule Set to your home directory:

wget https://github.com/coreruleset/coreruleset/archive/v3.3.2.zip


Unzip the file:

unzip FileName.zip


Look through the rules folder for those rules that interest you:

/home/your_name/coreruleset-3.3.0/rules


You don't want to use all the rules. They will break your website.

If you see a rule that you want to try, copy it to /etc/modsecurity:

cp /home/your_name/coreruleset-3.3.0/rules/REQUEST-912-DOS-PROTECTION.conf /etc/modsecurity/REQUEST-912-DOS-PROTECTION.conf


The ModSecurity security2 module tells the system which rules to implement:

/etc/apache2/mods-enabled/security2.conf


The module contains this line of code that shows the folder(s) containing the active rules:

IncludeOptional /etc/modsecurity/*.conf


The security2 module is saying that .conf rules in the /etc/modsecurity folder will be implemented. Active rules can be in any folder, as long as security2.conf module states the path. If rules reside in another directory that is not listed by security2, such as your home directory, these rules will not be implemented.

In my case, I'm only using the DOS Protection rule. I doubt that I use any more.

In case you want to know if ModSecurity is working, various sites have provided the following test. Go to your SSL config file. In my case:

/etc/apache2/sites-available/webtracker.one-le-ssl.conf


Enter the following code before the VirtualHost close out line:

SecRuleEngine On
SecRule ARGS:testparam '@contains test' 'id:999,deny,status:403,msg:'Test Successful''


Perform an Apache config test to make everything is OK:

sudo apache2ctl -t


Restart Apache:

sudo systemctl restart apache2


Go to your web browser and enter your site name with the following Get variable: In my case, webtracker.one/?testparam=test. If ModSecurity is working, you will receive a 403 error.

You can go back and delete the lines of code that you added to your SSL config file.

     * posted by Robert on Sun, Jul 17, 2022



ModSecurity

Reply 1:

ModSecurity generates Apache audit log entries at the following location:

/var/log/apache2/modsec_audit.log


The logs record a series of events. Each event begins with an audit log header that shows the following information:

  1. Timestamp
  2. Unique transaction ID
  3. Source IP address
  4. Source port
  5. Destination IP address
  6. Destination port

Here is an example:

[20/Jul/2022:00:01:53.467058 - -0400] Ytd-MfeOX4by2mlMs4VPngAAAAY 52.30.171.229 41180 104.236.122.237 443


The mackerel.toolbar.netcraft.com originating at port 41180 from IP address 52.30.171.229 is connecting to my site at port 443.

The information following the audit log header varies per event. In the case of Netcraft, they generated an HTTP/1.1 400 Bad Request error.

Looking through the logs, I see several entries that were generated by myself due to coding errors. For instance, I saw this message:

Apache-Error: [file './sapi/apache2handler/sapi_apache2.c'] [line 353] [level 3] PHP Parse error: syntax error, unexpected token '<', expecting end of file in /var/www/webtracker.one/test.php on line 14

     * posted by Robert on Wed, Jul 20, 2022



ModSecurity

Reply 2:

As a quick note, ModSecurity blocked me from importing SQL files into the MySQL database. So I turned it off. As simple as this - sudo a2dismod security2.

That was the end of my experiment with ModSecurity.

     * posted by Robert on Tue, Jul 26, 2022

Return to Weblog



© 2023 WebTracker.one
 
➤