Full Version: How to mod_security on Ensim 3.5
The Planet Forums > Control Panels > Ensim > Ensim HOWTOs
FrederickVI
The cPanel how-to is different from the Ensim configuration, and for starters like me it may be hard to follow... Also I wish the masters would add some ideas and recommendations here.

Here is what I do to add mod_security on Ensim Pro 3.5.


First, back up your httpd.conf:

cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.backup.conf

Download mod_security from http://www.modsecurity.org/

tar zxvf mod_security-*.*.*.tar.gz

cd mod_security-*.*.*/

cd apache1/

/usr/sbin/apxs -cia mod_security.c

Then edit

/etc/httpd/conf/httpd.conf

and add the following inside the IfModule section... You may put it anywhere; to decide, please read the credits. I am not a guru on this set, and it is taken from the credits... Please read the credits... I need to build it again for Ensim... Any help appreciated.


# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature " "

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:500"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Prevent path traversal (..) attacks
SecFilter "../"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|n)+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"


Now you get errors if you start httpd.

You need to change the module path.

Open your httpd.conf and find mod_security:

pico -w /etc/httpd/conf/httpd.conf

Ctrl-W, then type mod_security

Find the lines that reference the .so file.

You need to change the path directly to modules/, like this:

LoadModule security_module modules/mod_security.so

Restart httpd:

service httpd stop

service httpd start

This how-to is based on the sites that give cPanel-based mod_security how-tos. Please visit those sites:

admin0.info/

http://www.webhostgear.com/

Any comment and help appreciated...

thank you for your time
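The backup, module-path fix and pre-restart check from the steps above, written as a small POSIX shell script that can be dry-run on a copy of the config. This is an added example, not code from the thread, from Ensim or from ModSecurity; the function names (find_apxs, backup_conf, fix_security_module_path, security_module_line, has_addmodule) are chosen here, and the httpd.conf fragment it edits is a constructed sample written to a temporary file, not the live /etc/httpd/conf/httpd.conf.

```shell
#!/bin/sh
# Added example (not from the thread): the backup / LoadModule / restart steps
# above as functions that can be rehearsed on a copy of httpd.conf.
# All function names and the sample config below are this example's own.
set -eu

# Locate apxs; prints the path or returns 1 (on Red Hat it ships in httpd-devel).
find_apxs() {
    for p in /usr/sbin/apxs /usr/local/apache/bin/apxs; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    command -v apxs 2>/dev/null && return 0
    return 1
}

# Keep a dated copy of the config before touching it (the how-to's first step).
backup_conf() {
    cp "$1" "$1.backup.$(date +%Y%m%d%H%M%S)"
}

# Rewrite whatever path apxs -i -a wrote for mod_security.so to the relative
# modules/ form that the other LoadModule lines on the box use.
fix_security_module_path() {
    conf="$1"
    sed 's|^\([[:space:]]*LoadModule[[:space:]][[:space:]]*security_module[[:space:]][[:space:]]*\).*mod_security\.so[[:space:]]*$|\1modules/mod_security.so|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Print the active LoadModule line for security_module (empty if absent),
# so the result can be read back before httpd is restarted.
security_module_line() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]+security_module[[:space:]]' "$1" || true
}

# Apache 1.3 needs a matching AddModule line next to the LoadModule one
# (PaulB's post further down shows both); check it is there.
has_addmodule() {
    grep -Eq '^[[:space:]]*AddModule[[:space:]]+mod_security\.c' "$1"
}

# Demo on a constructed sample instead of the live file.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
LoadModule fastcgi_module modules/mod_fastcgi.so
LoadModule security_module /usr/lib/apache/mod_security.so
AddModule mod_fastcgi.c
AddModule mod_security.c
EOF
backup_conf "$demo_conf"
fix_security_module_path "$demo_conf"
security_module_line "$demo_conf"
has_addmodule "$demo_conf" && echo "AddModule mod_security.c present"
find_apxs || echo "apxs not found: install httpd-devel (or check /usr/local/apache/bin)"
rm -f "$demo_conf" "$demo_conf".backup.*
```

Point it at the real file only after reading the rewritten line back with security_module_line, and run `httpd -t` (or `apachectl configtest`) before the stop/start so that a wrong module path fails the check instead of the restart.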
giorgiod
I see that on the article published at

http://admin0.info/articles/hardening/step-03.html

there is an additional set of rules named /etc/mod_security_snort.conf

Can we use them on Ensim 3.5? Or are some of them unusable in an Ensim environment (i.e. the Python filters)?

Best regards,
Giorgio
ServiceStyle
I've installed it and everything worked fine (apart from me having to remove some links to ../ filters).

I then tried out the snort converted rules and everything died.

I think that there must be incompatibilities within the rules, so the best approach is to add a group at a time and test.
Jesse Smith
Will this work on Ensim 3.1.11-2? My MySQL is being hacked big time. They're doing exactly what

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

is supposed to stop: editing the database, and deleting it.
REBIS
You really should consider upgrading Ensim.
PaulB
I installed mod_security today to deal with the worm that is attacking phpBB boards. The directions here were great, with one minor difference for me: my Apache configuration file is httpd_app.conf, not httpd.conf. Both files exist, but only httpd_app.conf is processed. This has something to do with the upgrade from Ensim 3.0x. Just wanted to pass this on for others who may be having this problem. I added the following lines (the ones marked in red in the original post):


LoadModule jk_module /usr/lib/apache/mod_jk.so
LoadModule fastcgi_module modules/mod_fastcgi.so
LoadModule security_module /usr/lib/apache/mod_security.so




AddModule mod_jk.c
AddModule mod_fastcgi.c
AddModule mod_security.c


Then the rules above. After restarting apache, it worked great.
Morgalis
apxs -cia mod_security.c
-bash: apxs: command not found

::scratches head::

From all of my reading this should have been installed already on my system. Perl is on there.

Can someone provide me with detailed instructions on how to make that happen on apache2?

Thanks so much
kamihacker
QUOTE
Originally posted by Morgalis
apxs -cia mod_security.c
-bash: apxs: command not found

::scratches head::

From all of my reading this should have been installed already on my system.  Perl is on there.

Can someone provide me with detailed instructions on how to make that happen on apache2?

Thanks so much


it should be at

/usr/sbin/apxs

otherwise something's wrong with your system

locate is your friend

regards
Morgalis
QUOTE
Originally posted by kamihacker
it should be at

/usr/sbin/apxs

otherwise something's wrong with your system

locate is your friend

regards


locate has been my friend a long time :)

It is NOT on my system. I suppose this should be escalated to a TT then?
gpan
Also check /usr/local/apache/bin if you're running self-compiled Apache, or cPanel.
michaelh
QUOTE
Originally posted by Morgalis
locate has been my friend a long time :)

It is NOT on my system.  I suppose this should be escalated to a TT then?


maybe you need to install (up2date) the httpd-devel package?
kamihacker
QUOTE
Originally posted by michaelh
maybe you need to install (up2date) the httpd-devel package?


http://rpmfind.rediris.es/linux/rpm2html/s...ubmit=Search+...

This proves Michael right.

regards
Morgalis
I appreciate your help gentlemen

Thanks for pointing me in the right direction.

::tips hat::
polystigma
I too am missing the apxs command.
I don't see any RPMs for Red Hat Enterprise 3 and Apache 2.0.46-44.ent, Ensim 4.0x.
Any hints?
gpan
httpd-devel package contains that.
polystigma
Yeah, I knew that....
Just don't see one specific to RHE3.
I see Fedora, RH8, and RH9... :(
kamihacker
as root
CODE
up2date -i httpd-devel

regards
polystigma
thanks kamihacker
doug357
I have installed mod_security; how can I test that it is working?

I have checked the /var/log/httpd/audit_log and there is nothing.

I have also tried the tests that come along with mod_security:


[root@sites1 tests]# ./run-test.pl mysute.com:80 *
Test "01 Simple keyword filter": Failed (status = 200)
Test "02 Self referencing directories": Failed (status = 200)
Test "03 Evasion via path traversal": Failed (status = 200)
Test "04 Evasion via a double slash in the path": Failed (status = 200)
Test "05 Mixed case addresses": Failed (status = 200)
Test "06 Evasion via URL encoding": Failed (status = 200)
Test "07 Special characters in the path": Failed (status = 200)
Test "08 Invalid URI encoding in parameters": Failed (status = 200)
Test "09 Directory traversal in parameters": Failed (status = 200)
Test "10 Keyword in POST": Failed (status = 200)
Test "11 XSS attack": Failed (status = 200)
Test "12 HTML forbidden": Failed (status = 200)
Test "13 SQL injection": Failed (status = 200)
Test "14 Redirect action (requires 302)": Failed (status = 200)
Test "15 Not an attack (requires 200)": OK
Test "16 Request without Host header": Failed (status = 200)
Test "17 Request without User-Agent header": Failed (status = 200)
Test "18 Keyword in POST only": Failed (status = 200)
Test "19 Keyword in POST only, negative (requires 200)": OK
Test "20 Keyword in QUERY_STRING only": Failed (status = 200)
Test "21 Keyword in QUERY_STRING only, negative (requires 200)": OK
Test "22 Keyword in ARGS, method GET": Failed (status = 200)
Test "23 Keyword in ARGS, method POST": Failed (status = 200)
Test "24 Keyword in single variable": Failed (status = 200)
Test "25 Keyword in single variable, negative (requires 200)": OK
Test "26 Keyword variable exclusion (requires 200)": OK
Test "27 Keyword variable exclusion, negative": Failed (status = 200)
Test "28 Simple keyword inverted pattern": Failed (status = 200)
Test "29 Filter variable names": Failed (status = 200)
Test "30 Filter variable values": Failed (status = 200)
Test "31 Test for the URL encoding plus bug": Failed (status = 200)
Test "32 SQL injection 2: SELECT test": Failed (status = 200)
Test "33 XSS attack 2": Failed (status = 200)
Test "34 Invalid byte range in parameters": Failed (status = 200)
Test "35 Invalid byte range in the URL": Failed (status = 404)
Test "36 Backslash conversion test (windows only)": Failed (status = 200)
Test "37 URL decoding bug 2": Failed (status = 200)
Test "38 Unicode test 1": Failed (status = 200)
Test "39 Unicode test 2": Failed (status = 200)
Test "40 Unicode test 3": Failed (status = 200)
Test "41 post variable parsing bug test #1 (requires 200)": OK
Test "42 post variable parsing bug test #2": Failed (status = 200)
Test "43 post range check bug": Failed (status = 200)
Test "44 normalisation bug": Failed (status = 200)
Test "45 null byte attack": Failed (status = 200)
Test "43 multipart/form-data test": Failed (status = 200)
Test "47 test action "allow" (requires 200)": OK
Test "48 chained rules test #1": Failed (status = 200)
Test "49 chained rules test #2 (requires 200)": OK
Test "50 chained rules test #3 (requires 200)": OK
Test "51 skipnext test 1, without a parameter (requires 200)": OK
Test "52 skipnext test2 , with a parameter (requires 200)": OK
Test "53 named cookie test": Failed (status = 200)
Test "54 named cookie test, positive (requires 200)": OK
Test "55 cookie names test": Failed (status = 200)
Test "56 cookie values test": Failed (status = 200)
Test "57 regex hex escape test": Failed (status = 200)
Test "58 cookie values test 1": Failed (status = 200)
Test "58 cookie values test 1": Failed (status = 200)
Test "60 Invalid cookie test 1, empty cookie name": Failed (status = 200)
Test "61 Invalid cookie test 2, empty keyword name": Failed (status = 200)
Test "62 Invalid cookie test 3, missing quotation mark": Failed (status = 200)
Test "63 Invalid cookie test 4, invalid boundary": Failed (status = 200)
Test "64 Invalid cookie test 5, missing value 1": Failed (status = 200)
Test "65 Invalid cookie test 6, missing value 2": Failed (status = 200)
Test "66 Invalid cookie test 7, missing data": Failed (status = 200)
Test "67 Cookie value escape 1 (double quotation mark)": Failed (status = 200)
Test "68 Cookie value escape 2 (using slash)": Failed (status = 200)
Test "69 bug false url encoding valudation test (requires 200)": OK
Test "70 bug bad ARGS filtering (requires 200)": OK
Failed (status not available)
Failed (status = 0)
Test "/usr/bin/perl": Failed (status not available)
Failed (status = 0)
Failed (status = 400)
Test "/usr/bin/perl -w": Failed (status not available)
Failed (status = 0)
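An added helper, not from the thread or from the ModSecurity test suite, that reads run-test.pl output in the format of the listing above and says whether the filters are being applied at all. Tests whose name carries "(requires 200)" expect the request to pass, so only the remaining tests say anything: each of those reporting "Failed (status = 200)" means the request went through untouched, and if none of them is denied the rule set is not being evaluated for that host, which is consistent with the later reply about the rules sitting in a config file Apache does not read. The function name diagnose_run_test and the short sample listing are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): summarise run-test.pl output.
# Lines that say "(requires 200)" expect the request to pass; every other
# test expects mod_security to act, so ": OK" there means the filter fired
# and "Failed (status = ...)" means the request was let through.
set -eu

# diagnose_run_test: read run-test.pl output on stdin and print
#   VERDICT denied expected
# where VERDICT is INACTIVE (no blocking test was denied), PARTIAL or ACTIVE.
diagnose_run_test() {
    awk '
        /^Test "[0-9]+/ {
            if ($0 ~ /\(requires 200\)/) next   # 200 is the expected result here
            expect++
            if ($0 ~ /: OK$/) denied++          # the filter acted as intended
        }
        END {
            denied += 0; expect += 0
            verdict = (denied == 0) ? "INACTIVE" : (denied < expect) ? "PARTIAL" : "ACTIVE"
            print verdict, denied, expect
        }'
}

# Constructed sample in the same format as the listing above (a short subset).
SAMPLE='Test "01 Simple keyword filter": Failed (status = 200)
Test "13 SQL injection": Failed (status = 200)
Test "15 Not an attack (requires 200)": OK
Test "16 Request without Host header": Failed (status = 200)
Test "35 Invalid byte range in the URL": Failed (status = 404)
Failed (status = 0)'

printf '%s\n' "$SAMPLE" | diagnose_run_test   # prints: INACTIVE 0 4
```

With the function loaded, pipe the real run through it (`./run-test.pl host:80 * | diagnose_run_test`). INACTIVE means the thing to check is which config file Apache actually processes and whether the LoadModule/AddModule lines and the rules landed there, before touching any individual filter.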
alsal
Seems as if mod_security has changed the way the system handles uploaded files from forms, mainly images.

I also had to comment out
# Prevent path traversal (..) attacks
SecFilter "../"
to get my images to load, as this is not practical for an HTML file that resides in
/folder1/folder2/folder3/

to reference an image in /folder1/images

the html img tag - "../images/imag.jpg" would get filtered out.


Please Help with the upload images problem....
skeeter1jd

# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature "Apache"

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:403"
## ## ## ## ## ## ## ## ## ##
## ## ## ## ## ## ## ## ## ##
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "viewtopic.php?" chain
# Parentheses are escaped so the rule matches a literal chr(NN) sequence;
# unescaped they would be regex groups and the rule would only match "chrNN".
SecFilter "chr\(([0-9]{1,3})\)" "deny,log"
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
SecFilterSelective THE_REQUEST "cvs "
SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "


This is mine. Although basic, I have had no conflict reports come in from clients or squawks from Ensim. Apache 2, Ensim 4.0.2, RHEL.
alsal
QUOTE
Originally posted by alsal
seems as if mod_security has changed the way the system handles uploaded files from forms. mainly images.

I also had to comment out
# Prevent path traversal (..) attacks
SecFilter "../"
to get my images to load, as this is not practical for an HTML file that resides in
/folder1/folder2/folder3/

to reference an image in /folder1/images

the html img tag - "../images/imag.jpg" would get filtered out.


Please Help with the upload images problem....


Fixed the "../" filter by changing the line to:
SecFilter "\.\./"

and fixed the image upload problem by commenting out:
# SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

Thanks!

Now that everyone's site is running properly I can take a moment to read the .pdf manual that came with Mod_Security.
:D
alsal
The SecFilter "<(.|n)+>" rule stops SquirrelMail from replying to and forwarding emails. I'm not sure why it allows sending of a newly composed email, though.

This may be a challenge for someone who can revise this filter to work with SquirrelMail. I've searched the internet for a while and found nothing.
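To see what the patterns in this thread actually match, here is an added example (not the poster's code and not ModSecurity's) that runs them through grep -E against constructed request fragments. SecFilter keywords in mod_security 1.x on Apache 1.3 are POSIX extended regular expressions searched for anywhere in the request, which is what grep -E does; case-insensitive matching (-i) is assumed here. The function names matches, count_hits and check_filter and every sample URI and body are this example's own. It covers the rule set posted at the top of the thread, alsal's "../" and "<(.|n)+>" reports, and the chr() rule in skeeter1jd's config.

```shell
#!/bin/sh
# Added example (not from the thread): evaluate the thread's SecFilter
# patterns with grep -E to see which legitimate requests they also deny.
# Function names and all sample inputs are constructed for this demo.
set -eu

# matches PATTERN STRING: succeed if PATTERN occurs anywhere in STRING,
# the way a SecFilter keyword is searched for in the request.
matches() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# count_hits PATTERN INPUT...: print how many of the inputs the pattern would deny.
count_hits() {
    pattern="$1"; shift
    n=0
    for input in "$@"; do
        matches "$pattern" "$input" && n=$((n + 1))
    done
    echo "$n"
}

# check_filter PATTERN INPUT...: one BLOCK/pass line per input, for reading.
check_filter() {
    pattern="$1"; shift
    for input in "$@"; do
        if matches "$pattern" "$input"; then
            printf 'BLOCK  %-26s %s\n' "$pattern" "$input"
        else
            printf 'pass   %-26s %s\n' "$pattern" "$input"
        fi
    done
}

# Constructed inputs: two things the rules are meant to stop, the rest legitimate.
ROOT='/index.html'
IMAGE='/folder1/images/imag.jpg'            # the request alsal's <img> tag produces
TRAVERSAL='/cgi-bin/../../etc/passwd'       # what the "../" rule is meant to stop
MAIL_REPLY='body=<b>forwarded message</b>'  # HTML a webmail reply posts back
SQLI='q=select password from users'
HELP='q=please select one option from the menu'
WORM='highlight=chr(65)'                    # what skeeter1jd's chain is aimed at

printf '%s\n' '# "../" as posted: the dots are metacharacters, so any two characters before a slash match'
check_filter '../' "$ROOT" "$IMAGE" "$TRAVERSAL"
printf '%s\n' '# "\.\./": only a literal ".." before a slash'
check_filter '\.\./' "$ROOT" "$IMAGE" "$TRAVERSAL"
printf '%s\n' '# "<(.|n)+>": with the backslash lost this is just "<.+>", i.e. any tag at all'
check_filter '<(.|n)+>' "$MAIL_REPLY" 'body=plain text'
printf '%s\n' '# "select.+from": the crude SQL filter also hits ordinary English'
check_filter 'select.+from' "$SQLI" "$HELP"
printf '%s\n' '# "chr(([0-9]{1,3}))": unescaped parentheses are groups, so chr(65) is missed'
check_filter 'chr(([0-9]{1,3}))' "$WORM"
printf '%s\n' '# "chr\(([0-9]{1,3})\)": escaped, it matches the literal sequence'
check_filter 'chr\(([0-9]{1,3})\)' "$WORM"
```

Which patterns to keep is a policy call, but the output makes the trade-off visible: "../" as posted denies any URI with two characters before a slash (the image request, but not "/index.html"), and "<(.|n)+>" denies any submitted HTML, which would explain a webmail reply or forward dying while a plain new message goes through. Escaping the metacharacters ("\.\./", "chr\(...\)") keeps the intent without the collateral.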
doug357
How can i tell if this is working? I have checked the /var/log/httpd/audit_log file and it is not there.
PaulB
QUOTE
Originally posted by doug357
How can i tell if this is working?  I have checked the  /var/log/httpd/audit_log file and it is not there.

If you have both a httpd.conf and a httpd_app.conf it may be set up in the wrong one.

<>< Paul
rs-6422
Hello,

First of all, thank you for this nice howto.
Now I am trying to install the latest version of mod_security (2.0.2).
I have some problems compiling it...
Here is what I have:

[root@srv1 apache2]# make
/bin/sh /usr/lib/apr/build/libtool --silent --mode=compile gcc -pthread -Wuninitialized -std=c99 -Wall -Wmissing-prototypes -Wshadow -Wunused-variable -Wunused-value -Wchar-subscripts -Wsign-compare -DWITH_LIBXML2 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DSSL_EXPERIMENTAL_ENGINE -I/usr/include/pcre -I /usr/include/libxml2 -I/usr/include/httpd -I/usr/include/apr-0 -I/usr/include/openssl -DAP_FNAME="mod_security2.c" -prefer-pic -c mod_security2.c && touch mod_security2.slo
cc1: warning: -Wuninitialized is not supported without -O
In file included from modsecurity.h:40,
from mod_security2.c:18:
msc_xml.h:19:31: libxml/xmlschemas.h: No such file or directory
msc_xml.h:20:26: libxml/xpath.h: No such file or directory
In file included from modsecurity.h:40,
from mod_security2.c:18:
msc_xml.h:25: error: syntax error before "xmlSAXHandler"
msc_xml.h:25: warning: no semicolon at end of struct or union
msc_xml.h:26: warning: type defaults to `int' in declaration of `parsing_ctx'
msc_xml.h:26: warning: data definition has no type or storage class
msc_xml.h:27: error: syntax error before "doc"
msc_xml.h:27: warning: type defaults to `int' in declaration of `doc'
msc_xml.h:27: warning: data definition has no type or storage class
msc_xml.h:30: error: syntax error before '}' token
make: *** [mod_security2.slo] Error 1

Can someone help me here?
Thanks
Best regards
Jean
Invision Power Board © 2001-2009 Invision Power Services, Inc.