CSUF LogoCSUF Site Navigation

F14 Apache/MySQL/PHP Services & Applications ModSecurity

Department of Electrical and Computer Engineering
Associate Professor Gregory R. Kriehn
F14 ModSecurity

From the ModSecurity documentation:

ModSecurity™ is a web application firewall (WAF). With over 70% of all attacks now carried out over the web application level, organizations need every help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects, and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.

To install ModSecurity, use yum:

~> sudo yum install mod_security
ModSecurity acts to restrict injection attacks, especially in conjunction with PHP, but tends to be a bit overly restrictive in is ruleset. As a result, PHP based applications may not work as intended, especially when a user tries to submit information via an application.

You can check for denials that are occurring with ModSecurity in /var/log/httpd/error_log. If you find an error that is legitimate (a true error, and not just an attack on your sever) you can add an exception to the ruleset. For me, this means making exceptions for Joomla, MediaWiki, phpBB, and my Repository. Exceptions can be added by creating a /etc/httpd/modsecurity.d/base_rules/modsecurity_crs_15_kriehn_exceptions.conf file. My
modsecuirty_crs_15_kriehn_exceptions.conf has the following exceptions:
# Pass Joomla Stuff
SecRule REQUEST_URI "/administrator/.*" phase:1,log,pass,ctl:ruleEngine=Off

# Pass MediaWiki Stuff
SecRule REQUEST_URI "/mediawiki/.*" phase:1,log,pass,ctl:ruleEngine=Off

# Pass PHPBB3 Admin Stuff
SecRule REQUEST_URI "/forums/adm/.*" phase:1,log,pass,ctl:ruleEngine=Off

# Pass PHPBB3 ucp.php Stuff
SecRule REQUEST_URI "/forums/ucp.php" phase:1,log,pass,ctl:ruleEngine=Off

# Pass SVN Stuff
SecRule REQUEST_URI "/svn/.*" phase:1,log,pass,ctl:ruleEngine=Off

# Pass phpMyAdmin Stuff
SecRule REQUEST_URI "/phpmyadmin/.*" phase:1,log,pass,ctl:ruleEngine=Off
Under the default settings, ModSecurity is a bit too sensitive, so edit the /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file. Change the inbound anomaly score:
SecAction "phase:1,t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=20"
Save and exit. After you are finished making exceptions to the rules, restart Apache:
~> sudo service httpd restart
You should see httpd successfully restart:
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
The exception should now be in place. If another problem crops up, check /var/log/httpd/error_log for details.