modsecurity (custombuild with apache 2.2)

Christophe1

Hello everyone,

I would like to add some extra security to a DA-server, installed using custombuild on Debian 4.0.

With custombuild I've chosen php 5 cgi, so I think I'm already using suphp?
(sorry for the maybe stupid question, I'm new to custombuild)

-I already installed successfully: APF + BFD, chkrootkit and rkhunter
-php.ini and my.cnf are tweaked
-OS is up to date
-openbasedir OFF
-php safe mode on
-/tmp is secured

I now would like to install modsecurity (on apache 2.2), but because I don't want to mess up the server and I can't find a good howto, is there anyone here who could help me a little bit?

Thanks in advance!

Christophe
 
Great script! Thanx for the tip, smtalk :)

I had to put:
LoadFile /usr/lib/libxml2.so
LoadModule security2_module /usr/lib/apache/mod_security2.so

after:
LoadModule php5_module /usr/lib/apache/libphp5.so

2 problems:
- I don't see anything like
LoadModule php5_module /usr/lib/apache/libphp5.so
in my httpd.conf.
Is that because I use suphp?
- libxml2.so had to be libxml2.so.2

I have put in the load-code like this:
#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf

# load MODsecurity
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module /usr/lib/apache/mod_security2.so

User apache
Group apache

Is that OK?
Can I test if modsecurity works?
 
When I used update.script to install Mod_Security, I just ran update.script to install mod-security and also mod-security rule, that was all I did and it works. To test it, check this link -> http://www.debian-administration.org/articles/65

Basically, create a script named "vulnerable.php" and run it. I also saw some log about mod_security to make sure it works.
 
hmm, I did the test with vulnerable.php, but the only thing I saw was a blank page.

I've taken a look at /etc/modsecurity2/modsecurity-rules-selected-by-webhost.net.conf

I changed:
-uncommented and changed line 105:
SecDefaultAction "phase:2,log,deny,status:403"

-uncommented and changed line 194/195:
SecAuditLog /var/log/httpd/modsec_audit.log
SecAuditLogStorageDir /var/log/httpd/modsec_audit

Now MODsecurity is logging: when I hold F5 for a while, MODevasive appears in the modsec_audit.log, but still no error message in the browser...

Is this the way it should be by default? I thought I would get an error message by uncommenting line 105.
 
Error with libxml2

I have commented out the line:

#LoadFile /usr/lib64/libxml2.so.2

-------------------------------------------------------------------------
ServerRoot "/etc/httpd"
Listen 80
#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
#LoadModule php5_module /usr/lib/apache/libphp5.so
#LoadFile /usr/lib64/libxml2.so.2
LoadModule security2_module /usr/lib/apache/mod_security2.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf

-------------------------------------------------------------------------

because there was an error

Starting httpd: httpd: Syntax error on line 20 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf/extra/httpd-phpmodules.conf: Cannot load /usr/lib/apache/libphp5.so into server: /usr/lib/apache/libphp5.so: undefined symbol: xmlTextReaderSetup


I have 2 more servers with this kind of configuration (hard and soft)
but have no errors on them

The error happened when I try to compile php with enable soap

Any ideas?
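
A check for the load order discussed in this thread, as an added example that is not part of any post: it reads httpd.conf text and reports whether an active LoadFile for libxml2 precedes LoadModule security2_module, as in the lines quoted in the second post. The function name and its messages are hypothetical, and the two sample inputs are constructed from the excerpts posted above.

```python
import re

# Matches active or commented-out LoadFile / LoadModule directives.
DIRECTIVE = re.compile(r"^\s*(#?)\s*(LoadFile|LoadModule)\s+(\S.*?)\s*$", re.I)

def check_modsec_load_order(conf_text):
    """Report libxml2/mod_security2 load problems; Include files are not followed."""
    libxml_line = modsec_line = None
    libxml_commented = False
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        commented = m.group(1) == "#"
        directive, args = m.group(2).lower(), m.group(3).split()
        if directive == "loadfile" and "libxml2" in args[0]:
            if commented:
                libxml_commented = True
            elif libxml_line is None:
                libxml_line = lineno
        elif directive == "loadmodule" and args[0] == "security2_module":
            if not commented and modsec_line is None:
                modsec_line = lineno
    if modsec_line is None:
        return ["security2_module is not loaded"]
    if libxml_line is None:
        note = " (it is commented out)" if libxml_commented else ""
        return ["no active LoadFile for libxml2" + note]
    if libxml_line > modsec_line:
        return ["LoadFile libxml2 comes after LoadModule security2_module"]
    return []

# Constructed inputs: the two httpd.conf excerpts quoted in the thread.
SECOND_POST = """\
#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf
# load MODsecurity
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module /usr/lib/apache/mod_security2.so
"""
LAST_POST = """\
#LoadFile /usr/lib64/libxml2.so.2
LoadModule security2_module /usr/lib/apache/mod_security2.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf
"""

if __name__ == "__main__":
    for name, conf in (("second post", SECOND_POST), ("last post", LAST_POST)):
        print(name, "->", check_modsec_load_order(conf) or "ok")
```

The check only reports what the file text says; whether the module is active in the running server still has to be confirmed from Apache itself and from the ModSecurity log.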
 