optics.csufresno.edu

Department of Electrical and Computer Engineering
Associate Professor Gregory R. Kriehn
F12 ModSecurity

From the ModSecurity documentation:

ModSecurity™ is a web application firewall (WAF). With over 70% of all attacks now carried out at the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, and detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.

To install ModSecurity, use yum:

~> sudo yum install mod_security
ModSecurity inspects each HTTP request against its ruleset and blocks those that look like injection attacks (SQL, shell command, cross-site scripting and the like), which is exactly the kind of input a PHP application receives from its users. The stock ruleset tends to be overly restrictive, however, so PHP-based applications may not work as intended, especially when a user submits information through a form (a forum post or wiki edit that happens to contain a pattern the rules consider suspicious is blocked with a 403).

You can check for denials that are occurring with ModSecurity in /var/log/httpd/error_log: each blocked request is logged with the rule that fired, including its [id "..."] and the [uri "..."] that was requested. If you find a denial that is legitimate (a false positive on a real request, and not just an attack on your server), you can add an exception to the ruleset. For me, this means making exceptions for Joomla, MediaWiki, phpBB, and my Repository. If you are using any of these applications as well, you will probably have to do something similar.

To add an exception to a rule, edit /etc/httpd/modsecurity.d/modsecurity_localrules.conf and restart Apache. SecRuleRemoveById must appear after the rule it removes has been loaded, which is why exceptions belong in this local rules file rather than in the core rule files themselves. Wrapping each removal in a <LocationMatch> block keeps the rule active everywhere except the path that produces the false positive.

As an example of this, if I find an error when something is not working properly, then I will note its ID number in the /var/log/httpd/error_log file and make an exception for the rule in /etc/httpd/modsecurity.d/modsecurity_localrules.conf. My localrules file has the following exceptions:
# Exceptions for Kriehn Repository
<LocationMatch '^/fedora'>
SecRuleRemoveById 960015
SecRuleRemoveById 970013
</LocationMatch>


# Exceptions for Joomla
<LocationMatch '^/joomla/'>
SecRuleRemoveById 950013
</LocationMatch>


# Exceptions for Joomla Component Expose
<LocationMatch '^/joomla/components/com_expose/expose/manager/amfphp/gateway.ph$
SecRuleRemoveById 960010
</LocationMatch>


# Exceptions for Joomla Administration Panel
SecRule REQUEST_FILENAME "/joomla/administrator/index2.php" \
"allow,phase:1,nolog,ctl:ruleEngine=Off"

# Exceptions for Joomla Administrator
<LocationMatch '^/joomla/administrator/index.php'>
SecRuleRemoveById 950107
SecRuleRemoveById 950006
SecRuleRemoveById 950911
SecRuleRemoveById 970902
SecRuleRemoveById 960903
SecRuleRemoveById 970903
</LocationMatch>

<LocationMatch '^/joomla/administrator/index2.php'>
SecRuleRemoveById 960903
</LocationMatch>


# Exceptions for MediaWiki
<LocationMatch '^/mediawiki/index.php'>
SecRuleRemoveById 950006
SecRuleRemoveById 950018
</LocationMatch>

<LocationMatch '^/wiki/'>
SecRuleRemoveById 960903
</LocationMatch>


# Exceptions for phpBB
<LocationMatch '^/forums/posting.php'>
SecRuleRemoveById 950005
</LocationMatch>


# Exceptions for phpMyAdmin
<LocationMatch '^/phpmyadmin/sql.php'>
SecRuleRemoveById 950107
</LocationMatch>

<LocationMatch '^/phpmyadmin/tbl_change.php'>
SecRuleRemoveById 950107
SecRuleRemoveById 950006
</LocationMatch>

<LocationMatch '^/phpmyadmin/tbl_replace.php'>
SecRuleRemoveById 950107
SecRuleRemoveById 950006
</LocationMatch>
Two caveats on the exceptions above. A SecRuleRemoveById inside a <LocationMatch> disables only the named rule, and only for requests to that path; the Joomla Administration Panel rule instead uses ctl:ruleEngine=Off, which switches off all ModSecurity inspection for index2.php, so that form of exception should be reserved for scripts that already sit behind authentication. Also, ModSecurity 2.7 and later require every SecRule to carry an id action, so that rule would need one added on a newer version.

After you are finished making exceptions to the rules, check the configuration syntax first, since a typo in the local rules file will prevent httpd from starting:
~> sudo service httpd configtest
Syntax OK
Then restart Apache:
~> sudo service httpd restart
You should see httpd successfully restart:
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
The exception should now be in place. If another problem crops up, check /var/log/httpd/error_log for details.
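The whole procedure on this page (find the rule that fired in error_log, write a SecRuleRemoveById stanza scoped to the affected path, and check the configuration before restarting) as an added shell example. It is not part of the original page and not the author's own script. It assumes the ModSecurity 2.x error_log line format, in which every "Access denied" line carries [id "..."] and [uri "..."] fields, the file paths used on this page, and a configuration test command that defaults to apachectl -t; the error_log excerpt it parses is constructed for the example, and the msg/file fields in it are placeholders rather than real rule text.

```shell
#!/bin/sh
# Added example; not the page's own configuration. Assumes ModSecurity 2.x
# error_log lines ("ModSecurity: Access denied ... [id "N"] ... [uri "/p"] ...")
# and the file paths used on the page. The sample log below is constructed.

# Write a constructed error_log excerpt to a temp file and print its path:
# two denials on /forums/posting.php, one on /wiki/Main_Page, one DetectionOnly
# "Warning" (not a denial) and one unrelated notice line.
modsec_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Tue Mar 04 11:22:33 2008] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Tue Mar 04 11:25:10 2008] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:message. [file "constructed.conf"] [line "1"] [id "950006"] [msg "rule message elided"] [severity "CRITICAL"] [hostname "optics.csufresno.edu"] [uri "/forums/posting.php"] [unique_id "constructed-1"]
[Tue Mar 04 11:26:42 2008] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at ARGS:message. [file "constructed.conf"] [line "1"] [id "950006"] [msg "rule message elided"] [severity "CRITICAL"] [hostname "optics.csufresno.edu"] [uri "/forums/posting.php"] [unique_id "constructed-2"]
[Tue Mar 04 11:30:01 2008] [error] [client 10.0.0.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at REQUEST_HEADERS:Host. [file "constructed.conf"] [line "2"] [id "960903"] [msg "rule message elided"] [severity "WARNING"] [hostname "optics.csufresno.edu"] [uri "/wiki/Main_Page"] [unique_id "constructed-3"]
[Tue Mar 04 11:31:15 2008] [error] [client 10.0.0.5] ModSecurity: Warning. Pattern match "..." at ARGS:message. [file "constructed.conf"] [line "1"] [id "950006"] [msg "rule message elided"] [severity "CRITICAL"] [hostname "optics.csufresno.edu"] [uri "/forums/viewtopic.php"] [unique_id "constructed-4"]
EOF
    echo "$f"
}

# Summarise denials as "count id uri", most frequent first, so you can see
# which rule blocks which path before deciding whether to write an exception.
# $1 = log file (default: Apache's error_log).
modsec_denials() {
    log=${1:-/var/log/httpd/error_log}
    grep 'ModSecurity: Access denied' "$log" \
        | sed -n 's/.*\[id "\([0-9]*\)"].*\[uri "\([^"]*\)"].*/\1 \2/p' \
        | sort | uniq -c | sort -rn
}

# Emit a scoped exception in the form used on this page: SecRuleRemoveById
# for each rule id, limited to requests whose path matches the regex in $1.
# Usage: modsec_exception '^/forums/posting.php' 950005 950006
modsec_exception() {
    path=$1; shift
    printf '<LocationMatch "%s">\n' "$path"
    for id in "$@"; do
        printf '    SecRuleRemoveById %s\n' "$id"
    done
    printf '</LocationMatch>\n'
}

# Append a stanza to the local rules file and keep it only if the Apache
# config test passes; otherwise restore the previous file. Returns 0 when the
# stanza is in place, 1 when it was rolled back. $2 = rules file (default:
# the page's localrules path), $3 = test command (default: apachectl -t).
# Restart httpd yourself afterwards.
modsec_apply() {
    stanza=$1
    rules=${2:-/etc/httpd/modsecurity.d/modsecurity_localrules.conf}
    check=${3:-"apachectl -t"}
    cp "$rules" "$rules.bak" || return 1
    printf '\n%s\n' "$stanza" >> "$rules"
    if $check >/dev/null 2>&1; then
        rm -f "$rules.bak"
        return 0
    fi
    mv "$rules.bak" "$rules"
    return 1
}

# Demo on the constructed sample: the (id, uri) pairs that were denied, then
# the stanza you would paste into modsecurity_localrules.conf for the top hit.
sample=$(modsec_sample_log)
modsec_denials "$sample"
modsec_exception '^/forums/posting.php' 950006
rm -f "$sample"
```

The summary deliberately counts only "Access denied" lines; if you run ModSecurity with SecRuleEngine DetectionOnly while tuning, the same events are logged as "ModSecurity: Warning." and you would widen the grep to catch them. Pair the ids in the summary with the uri before adding an exception: a rule that fires on one form field of one script gets a LocationMatch for that script, not a global removal.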

References

http://www.modsecurity.org/documentation/modsecurity-apache/2.5.0-rc2/html-multipage/
http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/html-multipage/04-processing-phases.html
http://www.modsecurity.org/blog/archives/2007/02/handling_false.html
http://article.gmane.org/gmane.comp.apache.mod-security.user/3222
http://osdir.com/ml/apache.mod-security.user/2006-11/msg00135.html