Loading...
 

Apache mod_security

This is a module to enhance security in your apache web server, and therefore, enhancing the protection of tiki sites installed on apache against fairly common external attacks, based on some rules.

You need to invest some little time after its first installation in order to fine tune the rules to reduce the number of "false positives" detected.

  • I.e., some actions from users in tiki sites which might raise an alert or triger a defense action (blocking that page with an error code 500) by means of mod_security, because some text was written by users in some language that mod_security didn't expect.
  • Example: "Měšťáček" (means something like "small town little simple man" in Czech language) use several accented characters in the same word, and mod_security might filter and block them with its default rules.

Installation

Version used in this description: modsecurity-apache_2.6.2

  • Download the archive and place it in your work folder, unzip and untar it.
  • Read the documentation for prerequisites and install the required bits, e.g. liblua5.1.so and libxml2.so.
  • change to the folder and compile mod_security:

Copy to clipboard
mkdir -p /work cd /work wget http://www.modsecurity.org/download/modsecurity-apache_2.6.2.tar.gz gzip -d modsecurity-apache_2.6.2.tar.gz tar xvf modsecurity-apache_2.6.2.tar cd modsecurity-apache_2.6.2 ./configure make make test make install


Get the rules required by mod_security and unzip them. You can always get the latest rules by this, just make sure the changes you maybe do to the rules files when installed don't get lost on updating.

Copy to clipboard
cd tools ./rules-updater.pl -rhttp://www.modsecurity.org/autoupdate/repository/ -prules -Smodsecurity-crs cd rules/modsecurity-crs unzip *.zip


Copy the needed folders to the apache config folder.

Copy to clipboard
mkdir -p /etc/apache2/mod_security cp -R activated_rules /etc/apache2/mod_security/ cp -R base_rules /etc/apache2/mod_security/ cp -R experimental_rules /etc/apache2/mod_security/ cp -R lua /etc/apache2/mod_security/ cp -R optional_rules /etc/apache2/mod_security/ cp -R slr_rules /etc/apache2/mod_security/ cp -R modsecurity_crs_10_config.conf.example /etc/apache2/mod_security/modsecurity_crs_10_config.conf

Configuration


Now tell apache to use the module and configure it accordingly by editing httpd.conf.

httpd.conf
Copy to clipboard
LoadFile /usr/lib/libxml2.so LoadFile /usr/lib/liblua5.1.so LoadModule security2_module /usr/local/modsecurity/lib/mod_security2.so <IfModule security2_module> Include /etc/apache2/mod_security/modsecurity_crs_10_config.conf Include /etc/apache2/mod_security/activated_rules/*.conf </IfModule> # Error page for forbidden pages (big change they got blocked by mod_security) ErrorDocument 403 /forbidden/403.php


Create a required folder for mod_security working data.

Copy to clipboard
mkdir -p /var/log/apache2/secdatadir


Configure mod_security and run it in test mode.

/etc/apache2/mod_security/modsecurity_crs_10_config.conf
Copy to clipboard
[...] # enable test mode, logging only, NO blocking SecRuleEngine DetectionOnly # uncomment THIS line instead to fully enable mod_security # SecRuleEngine On SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:5|4(?!04))" # Log everything we know about a transaction. SecAuditLogParts ABIJDEFHZ SecAuditLogType Serial SecAuditLog /var/log/apache2/modsec_audit.log SecDataDir /var/log/apache2/secdatadir # default action: # * sleep 3000 milliseconds (3 seconds) to slow down brute force attacks # * deny access to page (error 403) # * do not log to apache log # * but log to the audit log configured above SecDefaultAction "phase:2,pause:3000,deny,nolog,auditlog" [...]


Create links of all rule files you want to use into activated_rules/.

Rules are to be found in:

  • /etc/apache2/mod_security/base_rules
  • /etc/apache2/mod_security/experimental_rules
  • /etc/apache2/mod_security/lua
  • /etc/apache2/mod_security/optional_rules
  • /etc/apache2/mod_security/slr_rules


Example:

Copy to clipboard
cd /etc/apache2/mod_security/activated_rules/ ln -s ../base_rules/modsecurity_crs_35_bad_robots.conf .


If there are datafile for special rules, link them, too:

Copy to clipboard
ln -s ../base_rules/modsecurity_35_bad_robots.data .

Create a custom error page

/forbidden/403.php
Copy to clipboard
<!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="page_1210"> <head><title>Tiki: Error 403</title></head> <body style="margin: 3em 6em;"> <h1>Oops, sorry!</h1> Your request got filtered out due to possible security issues.<br /><br /> 1. You tried to access a page you are not allowed to.<br /><br /> or<br /><br /> 2. One or more things in your request were suspicious (defective request header, invalid cookies, bad parameters, ...).<br /><br /> If you think you did nothing wrong<br /><br /> - try again with a different browser<br /> - avoid any evil characters inside the request url<br /> <br /><br /> <pre> <hr /> <h2>Your request was:</h2> <textarea cols='100' rows='10' name='input'> <?php print(htmlspecialchars($_SERVER["SERVER_NAME"])); print(quoted_printable_decode(htmlspecialchars_decode($_SERVER["REQUEST_URI"]))); ?> </textarea> <h2>Your post data were:</h2> <?php foreach ($_POST as $key => $v) print( "<h3>".htmlspecialchars($key)."</h3><br /><textarea cols='100' rows='5' name='input'>".htmlspecialchars($v)."</textarea>" ); ?> <hr /> <?php print date("Y-m-d H:i:s"); ?> </pre> </body> </html>


All set up. Now test your config and then tell apache to reload config.

phpinfo() should tell you that mod_security is enabled and a new logfile should be available: /var/log/apache2/modsec_audit.log

Example error log entry of a blocked 'bad robot':

Copy to clipboard
--25f26844-A-- [03/Nov/2011:12:25:35 +0100] TrJ6LLwoNcsAABrw@7wAAAAh 41.82.184.111 2521 188.40.53.203 80 --25f26844-B-- GET / HTTP/1.1 Accept: text/html Cache-Control: no-cache, no-cache Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent Pragma: no-cache Connection: close Host: tiki.org --25f26844-F-- HTTP/1.1 403 Forbidden Vary: Accept-Encoding Content-Length: 1677 Connection: close Content-Type: text/html; charset=utf-8 --25f26844-H-- Message: Access denied with code 403 (phase 2). [file "modsecurity_crs_35_bad_robots.conf"] [line "27"] [id "990012"] [rev "2.2.2"] [msg "Rogue web site crawler"] [data "DTS Agent"] [severity "WARNING"] [tag "AUTOMATION/MALICIOUS"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] Action: Intercepted (phase 2) Stopwatch: 1320319532916353 2998180 (- - -) Stopwatch2: 1320319532916353 2998180; combined=710, p1=232, p2=443, p3=0, p4=0, p5=34, sr=48, sw=1, l=0, gc=0 Producer: ModSecurity for Apache/2.6.2 (http://www.modsecurity.org/); core ruleset/2.2.2. Server: Apache/2.2.9 --25f26844-Z--


Now let it run for some time and then check for false positives. If you found one, grab the rule id from the log (here it is: id "990012") and the filename of the rule file: file %22modsecurity_crs_35_bad_robots.conf%22. Go to the rulefile and adjust the rule to exclude the false positive or disable the rule completely by commenting it out with a leading # character.

If you think the rules are good, adjust /etc/apache2/mod_security/modsecurity_crs_10_config.conf from

Copy to clipboard
SecRuleEngine DetectionOnly


to

Copy to clipboard
SecRuleEngine On


and let apache reload the configuration:

Copy to clipboard
/etc/init.d/apache2 reload



related pages

Security Admin
Advanced Settings

external links

aliases for this page

mod security | mod_security

doc.tiki.org

Get Started

Admin Guide User Guide

Keywords

Keywords serve as "hubs" for navigation within the Tiki documentation. They correspond to development keywords (bug reports and feature requests):

Accessibility (WAI and 508)
Accounting
Articles and Submissions
Backlinks
Banners
Batch
BigBlueButton audio/video/chat/screensharing
Blog
Bookmark
Browser Compatibility
Link Cache
Calendar
Category
Chat
Clean URLs
Comments
Communication Center
Compression (gzip)
Contacts (Address Book)
Contact us
Content Templates
Contribution
Cookie
Copyright
Credit
Custom Home and Group Home Page
Date and Time
Debugger Console
Directory of hyperlinks
Documentation link from Tiki to doc.tiki.org (Help System)
Docs
Draw
Dynamic Content
Dynamic Variable
External Authentication
FAQ
Featured links
File Gallery
Forum
Friendship Network (Community)
Gmap Google maps
Groups
Hotword
HTML Page
i18n (Multilingual, l10n)
Image Gallery
Import-Export
Install
Integrator
Interoperability
Inter-User Messages
InterTiki
Kaltura video management
Karma
Live Support
Login
Logs (system & action)
Look and Feel
Mail-in
Map with Mapserver
Menu
Meta Elements
Mobile Tiki and Voice Tiki
Module
MultiTiki
MyTiki
Newsletter
Notepad
Payment
Performance Speed / Load
Permissions
Platform independence (Linux-Apache, Windows/IIS, Mac, BSD)
Polls
Profiles
Profile Manager
Report
Toolbar
Quiz
Rating
Feeds
Score
Search engine optimization
Search
Search and Replace
Security
Semantic links
Shadowbox
Shadow Layers
Share
Shopping cart
Shoutbox
Slideshow
Smiley
Social Networks
Spam protection (Anti-bot CATPCHA)
Spellcheck
Spreadsheet
Stats
Surveys
Tags
Task
Tell a Friend, alert + Social Bookmarking
TikiTests
Theme CSS & Smarty
Tiki Manager
Trackers
Transitions
User Administration including registration and banning
User Files
User Menu
Watch
WebDAV
Webmail
Web Services
Wiki History, page rename, etc
Wiki Syntax
Wiki structure (book and table of content)
Workspace
WSOD
WYSIWYCA
WYSIWYG
XMLRPC

Tiki Newsletter

Delivered fresh to your email inbox!
Newsletter subscribe icon
Don't miss major announcements and other news!
Contribute to Tiki