From the ModSecurity documentation:
ModSecurity™ is a web application firewall (WAF).
With over 70% of all attacks now carried out over the web application
level, organizations need every help they can get in making their
systems secure. WAFs are deployed to establish an external security
layer that increases security, detects, and prevents attacks before
they reach web applications. It provides protection from a range of
attacks against web applications and allows for HTTP traffic monitoring
and real-time analysis with little or no changes to existing
infrastructure.
If Apache is installed on your system, ModSecurity is most likely installed as well. It acts to restrict injection attacks, especially in conjunction with PHP, but tends to be overly restrictive in its ruleset. As a result, PHP-based applications may not work as intended, especially when a user tries to submit information via an application.
You can check for denials issued by ModSecurity in /var/log/httpd/error_log. If you find a denial that is legitimate (a true error, and not just an attack on your server), you can add an exception to the ruleset. For me, this means making exceptions for Joomla, MediaWiki, phpBB, and my Repository. Exceptions are added by modifying the /etc/httpd/modsecurity.d/modsecurity_localrules.conf file. If you are using any of these applications as well, you will probably have to do something similar.
To add an exception to a rule, edit /etc/httpd/modsecurity.d/modsecurity_localrules.conf and restart Apache.
As an example, if I find an error when something is not working properly, I note the rule's ID number in the /var/log/httpd/error_log file and make an exception for that rule in /etc/httpd/modsecurity.d/modsecurity_localrules.conf. My localrules file has the following exceptions:
# Exceptions for Joomla Root Directory
<LocationMatch '^/'>
    SecRuleRemoveById 950013
</LocationMatch>
# Exceptions for Joomla Administration Panel
SecRule REQUEST_FILENAME "/administrator/index2.php" \
    "allow,phase:1,nolog,ctl:ruleEngine=Off"
# Exceptions for Joomla Component Expose
<LocationMatch '^/components/com_expose/expose/manager/amfphp/gateway.php'>
    SecRuleRemoveById 960010
</LocationMatch>
# Exceptions for MediaWiki
<LocationMatch '^/mediawiki/index.php'>
    SecRuleRemoveById 950006
</LocationMatch>
<LocationMatch '^/wiki/'>
    SecRuleRemoveById 960903
</LocationMatch>
# Exceptions for phpBB
<LocationMatch '^/forums/posting.php'>
    SecRuleRemoveById 950005
</LocationMatch>
# Exceptions for Kriehn Repository
<LocationMatch '^/fedora'>
    SecRuleRemoveById 960015
    SecRuleRemoveById 970013
</LocationMatch>
# Exceptions for Migrator
<LocationMatch '^/administrator/index2.php'>
    SecRuleRemoveById 960903
</LocationMatch>
# Exceptions for Migrator
<LocationMatch '^/testing/forums/install/index.php'>
    SecRuleRemoveById 960903
</LocationMatch>
# Exceptions for Joomla
<LocationMatch '^/administrator/index.php'>
    SecRuleRemoveById 950107
    SecRuleRemoveById 950006
    SecRuleRemoveById 950911
    SecRuleRemoveById 970902
    SecRuleRemoveById 960903
    SecRuleRemoveById 970903
</LocationMatch>
# Exceptions for Joomla
<LocationMatch '^/administrator/index2.php'>
    SecRuleRemoveById 960903
</LocationMatch>
# Exceptions for Joomla
<LocationMatch '^/testing/components/com_expose/expose/manager/amfphp/gateway.php'>
    SecRuleRemoveById 960010
</LocationMatch>
<LocationMatch '^/testing/index.php'>
    SecRuleRemoveById 960903
</LocationMatch>
<LocationMatch '^/testing/plugins/system/legacy/functions.php'>
    SecRuleRemoveById 960903
</LocationMatch>
<LocationMatch '^/phpmyadmin/sql.php'>
    SecRuleRemoveById 950107
</LocationMatch>
<LocationMatch '^/phpmyadmin/tbl_change.php'>
    SecRuleRemoveById 950107
    SecRuleRemoveById 950006
</LocationMatch>
<LocationMatch '^/phpmyadmin/tbl_replace.php'>
    SecRuleRemoveById 950107
    SecRuleRemoveById 950006
</LocationMatch>
<LocationMatch '^/mediawiki/index.php'>
    SecRuleRemoveById 950018
</LocationMatch>
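The step of reading a rule ID out of error_log and turning it into an exception can be scripted. The following is an added example, not part of the original page: it collects the rule IDs denied per path and builds the matching LocationMatch blocks. The sample log lines are constructed, the function names are illustrative, and unlike the patterns above it escapes dots and anchors the end of the path so each block covers exactly one URL.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x error_log layout (not real traffic).
SAMPLE_LOG = '''\
[Mon Jan 07 10:15:32 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). [id "950006"] [msg "constructed"] [uri "/mediawiki/index.php"]
[Mon Jan 07 10:16:02 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 501 (phase 2). [id "950018"] [msg "constructed"] [uri "/mediawiki/index.php"]
[Mon Jan 07 10:17:45 2008] [error] [client 192.0.2.44] ModSecurity: Access denied with code 501 (phase 2). [id "950006"] [msg "constructed"] [uri "/mediawiki/index.php"]
[Mon Jan 07 10:18:09 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 501 (phase 2). [id "950107"] [msg "constructed"] [uri "/testing/.*"]
[Mon Jan 07 10:19:00 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
'''

TAG = re.compile(r'\[(id|uri) "([^"]*)"\]')
# Log text is derived from the request, so only plain paths may become config.
SAFE_PATH = re.compile(r'^/[A-Za-z0-9._/-]*$')

def denials(log_text):
    """Return a Counter of (path, rule_id) pairs taken from ModSecurity denial lines."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        tags = dict(TAG.findall(line))
        path = tags.get("uri", "").split("?", 1)[0]   # drop any query string
        if tags.get("id", "").isdigit() and SAFE_PATH.match(path):
            hits[(path, tags["id"])] += 1
    return hits

def stanza(path, rule_ids):
    """Build a LocationMatch block that removes the given rules for exactly one path."""
    lines = ['<LocationMatch "^%s$">' % re.escape(path)]
    lines += ["    SecRuleRemoveById %s" % rid for rid in sorted(set(rule_ids))]
    lines.append("</LocationMatch>")
    return "\n".join(lines)

def report(log_text):
    """Group denied rule IDs by path and return the candidate exception blocks."""
    by_path = {}
    for (path, rid), _count in sorted(denials(log_text).items()):
        by_path.setdefault(path, []).append(rid)
    return "\n".join(stanza(p, ids) for p, ids in by_path.items())

if __name__ == "__main__":
    for (path, rid), n in sorted(denials(SAMPLE_LOG).items()):
        print("%-25s id=%s hits=%d" % (path, rid, n))
    print(report(SAMPLE_LOG))
```

The script cannot tell a false positive from a blocked attack, so compare each proposed block with the log entries behind it before adding it to the local rules file.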
After you are finished making exceptions to the rules, restart Apache:
~> sudo service httpd restart
You should see httpd successfully restart:
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
The exception should now be in place. If another problem crops up, check /var/log/httpd/error_log for details.
References
http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0-rc2/html-multipage/
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
http://article.gmane.org/gmane.comp.apache.mod-security.user/3222
http://osdir.com/ml/apache.mod-security.user/2006-11/msg00135.html


