How to mod_security Ubuntu 9.04

April 28th, 2009 by bodhi.zazen

Update : This how-to is reported to work in Ubuntu 8.04 as well.

What is mod_security you ask ?

Mod Security can significantly increase the security of your Apache installation.

What Is ModSecurity?

ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

It is also an open source project that aims to make the web application firewall technology available to everyone.

Do not think you need this ? Follow along with the examples and decide for yourself (This tutorial assumes you already have Apache and php5 installed).

First, let us look at the default Apache behavior. I will use “ubuntuVPS” as the server of interest.

“Insecure” Example 1 – curl

Use curl to obtain information on the server (bodhi@home is a remote machine connecting to “ubuntuVPS”. You can test all this with any browser if you wish, simply use your server’s home page).


bodhi@home# curl -i ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>

Looks like this in your browser (the famous It works! page)

It works!

See how with a single command we already know the server is Ubuntu running Apache 2.2.11 and PHP 5.2.6 ?

“Insecure” Example 2 – bad .php

For this I will ask you to create a file “/var/www/insecure.php”

Put the following code in the file :

<?php
// Deliberately insecure demo: the file to include is taken straight from the
// query string, so ?secret_file=/etc/passwd makes PHP read and output that file.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

Now what ? Open a browser and enter http://ubuntuVPS/insecure.php?secret_file=/etc/passwd

I shall use curl in this example:


bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:24:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Vary: Accept-Encoding
Content-Length: 860
Content-Type: text/html
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:104:107::/var/spool/postfix:/bin/false

YIKES !!!
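The two captures above can be checked without reading them by eye. The following shell script is an added example, not part of the original tutorial: it takes a raw `curl -i` response and reports whether the headers advertise PHP (in Server or X-Powered-By) and whether the body contains lines shaped like /etc/passwd entries. The three sample responses are constructed from the tutorial's captures (shortened, with the blank line between headers and body restored); the third is the masked response you get once mod_security is in place.

```shell
#!/bin/sh
# Added example, not from the tutorial: inspect a captured `curl -i` response for
# the two problems shown above, PHP/version details in the headers and a body
# that looks like /etc/passwd.

# Value of the Server header (empty if absent).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'sub(/^Server: */, "") { print; exit }'
}

# HTTP status code taken from the status line.
status_code() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }'
}

# True (exit 0) when the headers advertise PHP, in Server or in X-Powered-By.
reveals_php() {
    printf '%s\n' "$1" | tr -d '\r' | grep -Eiq '^(x-powered-by: *php|server:.*php/)'
}

# Everything after the first blank line, i.e. the response body.
response_body() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'body { print; next } /^$/ { body = 1 }'
}

# Number of body lines shaped like passwd entries (name:pw:uid:gid:...).
passwd_lines() {
    response_body "$1" | grep -Ec '^[A-Za-z_][A-Za-z0-9_-]*:[^:]*:[0-9]+:[0-9]+:' || true
}

# One verdict per response; returns 1 when something is exposed that should not be.
audit_response() {
    label=$1
    resp=$2
    bad=0
    printf '%s: status %s, Server "%s"\n' "$label" "$(status_code "$resp")" "$(server_header "$resp")"
    if reveals_php "$resp"; then
        echo '  - PHP version exposed in response headers'; bad=1
    fi
    n=$(passwd_lines "$resp")
    if [ "$n" -gt 0 ]; then
        echo "  - body contains $n passwd-style lines"; bad=1
    fi
    return $bad
}

# Constructed samples, based on the tutorial's captures.
BEFORE='HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>'

LEAK='HTTP/1.1 200 OK
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Content-Type: text/html

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh'

AFTER='HTTP/1.1 501 Method Not Implemented
Server: Apache/2.2.0 (Fedora)
Content-Type: text/html; charset=iso-8859-1

<html><head><title>501 Method Not Implemented</title></head></html>'

audit_response "default apache" "$BEFORE" || true
audit_response "insecure.php"   "$LEAK"   || true
audit_response "with mod_security" "$AFTER" || true
```

On a live server, replace the constructed strings with `resp=$(curl -si http://ubuntuVPS/)` and call `audit_response live "$resp"`; a non-zero exit is the cue to look at the headers or the application.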


Install and configure mod_security

There was a time when installing mod_security was a bit difficult, now it is as easy as :

sudo apt-get -y install libapache-mod-security

The “hard part” is that we need to configure mod_security and obtain a few rules.

Configure mod_security

Using any editor, make a file “/etc/apache2/conf.d/modsecurity2.conf” and put the following contents in the file.

<IfModule mod_security2.c>
    Include conf.d/modsecurity/*.conf
</IfModule>

By default, mod_security logs to /etc/apache2/logs. The following commands put the logs in /var/log/apache2/mod_security instead and create a symbolic link back to /etc/apache2/logs so the default path still resolves:

sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs

Download and install rules

Download the Core Rules from modsecurity.org (the wget command below fetches the archive).

As of this writing, the rule set was “modsecurity-core-rules_2.5-1.6.1.tar.gz”, you may need to adjust accordingly as new rules are released.

sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz

Enable mod_security:

sudo a2enmod mod-security

Now restart Apache

sudo /etc/init.d/apache2 restart
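Before trusting the restart, it helps to confirm that each piece from the steps above landed where the rules expect it. The script below is an added example, not part of the tutorial or the mod_security project: it checks the include file, the unpacked rule files, the enabled module symlink, the log directory and its symlink, and warns when apache2.conf includes the whole conf.d/ directory (Apache reads every file under an Include'd directory, the rule .data files included). The ROOT argument is a path prefix so the checks can run against a scratch tree; `make_scratch_tree` builds such a tree for the demo and is constructed, not a real server layout.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify the mod_security layout installed
# by the steps above. On a real server run `check_modsec_layout ""`.

check_modsec_layout() {
    root=${1:-}
    etc="$root/etc/apache2"
    conf="$etc/conf.d/modsecurity2.conf"
    problems=0

    # 1. the glue file that pulls the rule files in
    if [ ! -f "$conf" ]; then
        echo "missing $conf"; problems=$((problems + 1))
    elif ! grep -qF 'Include conf.d/modsecurity/*.conf' "$conf"; then
        echo "$conf does not Include conf.d/modsecurity/*.conf"; problems=$((problems + 1))
    fi

    # 2. at least one rule file was unpacked
    if ! ls "$etc/conf.d/modsecurity"/*.conf >/dev/null 2>&1; then
        echo "no rule files under $etc/conf.d/modsecurity"; problems=$((problems + 1))
    fi

    # 3. the module is enabled (a2enmod creates this symlink)
    if [ ! -e "$etc/mods-enabled/mod-security.load" ]; then
        echo "module not enabled: $etc/mods-enabled/mod-security.load is absent"; problems=$((problems + 1))
    fi

    # 4. log directory and the symlink back to /etc/apache2/logs
    if [ ! -d "$root/var/log/apache2/mod_security" ]; then
        echo "missing log directory $root/var/log/apache2/mod_security"; problems=$((problems + 1))
    fi
    if [ ! -d "$etc/logs" ]; then
        echo "missing $etc/logs (symlink to the log directory)"; problems=$((problems + 1))
    fi

    # 5. Apache reads every file under a directory named in Include, .data files
    #    included, so a bare conf.d/ include can break the config parse.
    if [ -f "$etc/apache2.conf" ] && grep -Eq '^[[:space:]]*Include[[:space:]]+/etc/apache2/conf\.d/?[[:space:]]*$' "$etc/apache2.conf"; then
        echo "warning: apache2.conf includes all of conf.d/; consider conf.d/*.conf plus explicit includes for the other files"
    fi

    echo "$problems problem(s) found"
    [ "$problems" -eq 0 ]
}

# Constructed scratch tree shaped like the result of the tutorial (for demo/tests).
make_scratch_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apache2/conf.d/modsecurity" "$t/etc/apache2/mods-enabled" \
             "$t/var/log/apache2/mod_security"
    printf '<IfModule mod_security2.c>\nInclude conf.d/modsecurity/*.conf\n</IfModule>\n' \
        > "$t/etc/apache2/conf.d/modsecurity2.conf"
    : > "$t/etc/apache2/conf.d/modsecurity/example_rules.conf"
    : > "$t/etc/apache2/mods-enabled/mod-security.load"
    ln -s "$t/var/log/apache2/mod_security" "$t/etc/apache2/logs"
    printf 'Include /etc/apache2/conf.d/*.conf\n' > "$t/etc/apache2/apache2.conf"
    echo "$t"
}

scratch=$(make_scratch_tree)
check_modsec_layout "$scratch" || true
rm -rf "$scratch"
```

The checks only read files, so no sudo is needed; follow them with `apache2ctl configtest`, which is what actually catches a broken rule file.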

That’s it :)


Testing mod_security

“Secure” Example 1 – curl


bodhi@home# curl -i http://ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:44:42 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>

Look, no more server or PHP information (Fedora, Apache 2.2.0, LOL !!!). The Fedora banner is a decoy string that the core rules set with SecServerSignature.

“Secure” Example 2 – bad .php


bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 501 Method Not Implemented
Date: Tue, 28 Apr 2009 22:47:38 GMT
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Vary: Accept-Encoding
Content-Length: 291
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>GET to /insecure.php not supported.<br />
</p>
<hr>
<address>Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80</address>
</body></html>

Looks like this in your browser:

501 Method Not Implemented

Method Not Implemented

GET to /insecure.php not supported.


Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80

Ah, a 501 error looks much better than the contents of /etc/passwd :)


Where to go from here ?

1. Monitor your logs :

tail /var/log/apache2/mod_security/modsec_audit.log

2. Learn / edit your mod_security rules : ModSecurity Reference Manual

3. Delete insecure.php, LOL

sudo rm -rf /var/www/insecure.php
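`tail` shows the last few lines of the audit log, but the log is structured and can be summarised. The script below is an added example, not part of the tutorial: it assumes the native serial audit log format (SecAuditLogType Serial, the default), where each transaction is a set of sections delimited by `--<boundary>-<letter>--` lines: A (timestamp, transaction id, client and server addresses), B (request headers), H (audit trailer, with one `Message:` line per rule that fired) and Z (end). It prints the client address, request line and rule ids per transaction, then a hit count per rule id. The sample log is constructed; its rule ids and messages are invented and match no real rule.

```shell
#!/bin/sh
# Added example, not from the tutorial: summarise modsec_audit.log (serial format).

# Constructed sample log: two blocked requests against insecure.php.
sample_audit_log() {
    cat <<'EOF'
--a1b2c3d4-A--
[28/Apr/2009:22:47:38 +0000] SfeEWn8AAAEAAAOBBlAAAAAA 192.0.2.10 54321 192.0.2.1 80
--a1b2c3d4-B--
GET /insecure.php?secret_file=/etc/passwd HTTP/1.1
Host: ubuntuvps
User-Agent: curl/7.18.2

--a1b2c3d4-F--
HTTP/1.1 501 Method Not Implemented
Content-Type: text/html; charset=iso-8859-1

--a1b2c3d4-H--
Message: Access denied with code 501 (phase 2). Pattern match "/etc/passwd" at ARGS:secret_file. [id "900001"] [msg "Sample: system file access attempt"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--

--e5f6a7b8-A--
[28/Apr/2009:22:48:02 +0000] SfeEXX8AAAEAAAOBBlEAAAAB 192.0.2.11 54322 192.0.2.1 80
--e5f6a7b8-B--
GET /insecure.php?secret_file=/etc/passwd HTTP/1.1
Host: ubuntuvps

--e5f6a7b8-H--
Message: Access denied with code 501 (phase 2). Pattern match "/etc/passwd" at ARGS:secret_file. [id "900001"] [msg "Sample: system file access attempt"] [severity "CRITICAL"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "900002"] [msg "Sample: request missing User-Agent header"] [severity "WARNING"]
Action: Intercepted (phase 2)
--e5f6a7b8-Z--
EOF
}

# Per transaction: "<client ip> <method> <uri> -> [rule ids]"; then hits per rule.
audit_summary() {
    awk '
        /^--[0-9a-f]+-A--$/ { sect = "A"; next }
        /^--[0-9a-f]+-B--$/ { sect = "B"; next }
        /^--[0-9a-f]+-H--$/ { sect = "H"; next }
        /^--[0-9a-f]+-Z--$/ {
            sect = "Z"
            if (req != "") printf "%s %s -> [%s]\n", ip, req, ids
            ip = req = ids = ""
            next
        }
        /^--[0-9a-f]+-[A-Z]--$/ { sect = "other"; next }
        # A section: "[timestamp] <unique id> <client ip> <client port> <server ip> <server port>"
        sect == "A" && ip == "" { ip = $4; next }
        # B section: first line is the request line
        sect == "B" && req == "" { req = $1 " " $2; next }
        sect == "H" && /^Message:/ {
            if (match($0, /\[id "[0-9]+"\]/)) {
                id = substr($0, RSTART + 5, RLENGTH - 7)
                hits[id]++
                ids = (ids == "" ? id : ids "," id)
                if (match($0, /\[msg "[^"]*"\]/)) msg[id] = substr($0, RSTART + 6, RLENGTH - 8)
            }
            next
        }
        END { for (id in hits) printf "%d hit(s) for rule %s: %s\n", hits[id], id, msg[id] }
    ' "$1"
}

tmp=$(mktemp)
sample_audit_log > "$tmp"
audit_summary "$tmp"
rm -f "$tmp"
```

Against the real log, run `audit_summary /var/log/apache2/mod_security/modsec_audit.log`; the per-rule counts are the quickest way to spot a rule that fires on legitimate traffic and needs tuning.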

I hope you enjoyed and learned from this tutorial :)


Posted in Linux

29 Comments »

  1. [...] [1.1.7_509]please wait…Rating: 0.0/5 (0 votes cast) This article was found on Planet Ubuntu. Click here to visit the full article on the original website. What is mod_security you ask [...]

    Pingback by linkfeedr » Blog Archive » Bodhi.Zazen: How to mod_security Ubuntu 9.04 - RSS Indexer (beta) — April 28, 2009 @ 6:20 pm

  2. “ServerTokens minimal” will take care of the first problem in vanilla Apache, returning only “Server: Apache/2.2.3” on our machines.

    Comment by Paul Collins — April 28, 2009 @ 8:54 pm

  3. Paul : Thank you for taking the time to leave a comment :)

    Your point is well taken, however I hope you are not overlooking what mod_security has to offer as it is so much more then simply masking your Apache version and operating system.

    Comment by bodhi.zazen — April 28, 2009 @ 10:32 pm

  4. So now you are a php dev? :)

    Nice article if only more people were this careful.

    btw Paul’s statement is an absolute must. Don’t give the attacker any more info than they need.

    Comment by druibn — April 29, 2009 @ 12:38 am

  5. It’s worthwhile to notice that there are no packages for Ubuntu 8.04.

    See: http://packages.ubuntu.com/search?keywords=mod-security&searchon=names&suite=all&section=all

    Comment by JustAnotherReader — April 29, 2009 @ 3:46 pm

  6. [...] first used a simple example from http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/ that has you create simple php file on your [...]

    Pingback by Apache mod_security on CentOS 5 x86_64 | BASE Logic, Inc. — April 30, 2009 @ 12:11 pm

  7. [...] This is a *brief* follow up blog from my recent blog on mod_security. [...]

    Pingback by UbunTube » Bodhi.Zazen: Debugging mod_security rules - 122th Edition — May 1, 2009 @ 5:43 am

  8. Thanks, m8!
    I’m no expert in server administration or Linux, however your tutorial worked for me. I was trying to install this for weeks now and you make it simple for me. You got my respect :)
    BTW, I have Ubuntu 8.04, you might want to change the post to let others know it works with this version, too.
    Thanks again!

    Comment by Gadgets — May 16, 2009 @ 3:31 am

  9. Thank you for the information Gadgets, glad it is working for you.

    I added an update at the top re: ubuntu 8.04 .

    Comment by bodhi.zazen — May 16, 2009 @ 9:41 pm

  10. [...] [1.1.7_509]please wait…Rating: 0.0/5 (0 votes cast) This article was found on Planet Ubuntu. Click here to visit the full article on the original website. What is mod_security you ask [...]

    Comment by PB — May 26, 2009 @ 11:37 pm

  11. I followed all the instructions, but the php function is still activated. What am I doing wrong?

    Thanks,

    Comment by dragonfire88 — June 1, 2009 @ 8:52 pm

  12. Good job ! :)

    However, you cannot forget about the simplest way of blocking such requests by limiting access only to permitted directories.

    For example by using:

    php_admin_value open_basedir “/var/www/html/boo.bar”

    regards
    PZ

    Comment by Piotr — June 2, 2009 @ 12:10 am

  13. Thanks for the great info. For what it’s worth I had to manually take out about 8 different rules in order to allow mounting a webdav folder over SSL from an Ubuntu client. Log file /var/log/apache2/mod_security/modsec_debug was a real lifesaver.

    Comment by HDave — June 3, 2009 @ 1:12 pm

  14. [...] This is a *brief* follow up blog from my recent blog on mod_security. [...]

    Pingback by Shadows of epiphany » Blog Archive » Debugging mod_security rules — June 7, 2009 @ 2:52 pm

  15. [...] Fuente: Shadows of epiphany [...]

    Pingback by Instalar ModSecurity en Ubuntu 9.04 Server paso a paso « Slice of Linux — June 26, 2009 @ 1:03 am

  16. [...] Fuente: Shadows of epiphany [...]

    Pingback by Probar ModSecurity « Slice of Linux — June 30, 2009 @ 1:21 am

  17. If you get errors like
    apache2: Syntax error on line 278 of /etc/apache2/apache2.conf: Syntax error on line 132 of /etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data: /etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data:170: was not closed.\n/etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data:132:

    Then find “Include /etc/apache2/conf.d/” in /etc/apache2/apache2.conf and change it
    to “Include /etc/apache2/conf.d/*.conf”

    Comment by Jason Sievert — October 30, 2009 @ 9:34 am

  18. - adding on to Jason’s comment

    If you change your line in the apache2.conf to “Include /etc/apache2/conf.d/*.conf”

    You will need to add more include statements to add back your 'security', 'localized-error-pages', 'charset' configs because the previous include was including code from all the files within the conf.d folder. So if you change your apache2.conf to read:

    Include /etc/apache2/conf.d/*.conf — You will need to add the three includes below
    Include /etc/apache2/conf.d/security
    Include /etc/apache2/conf.d/localized-error-pages
    Include /etc/apache2/conf.d/charset

    Or you can add the .conf extension to each of the files you want (security.conf, etc.)

    Comment by Chris Morgeson — December 9, 2009 @ 2:57 pm

  19. Thank you for that great comment Chris Morgeson

    Comment by bodhi.zazen — December 9, 2009 @ 3:58 pm

  20. [...] two things. 1. mod_security is a great tool. We only used one feature of it. I suggest you follow bodhi.zazen’s tutorial to further configure it. 2. Security by ONLY obscurity is dangerous. You should [...]

    Pingback by Slava Markeyev » Blog Archive » Apache – Security by Obscurity — February 6, 2010 @ 4:13 am

  21. Hi,

    Does it work on 9.10?
    Doesn’t work here with 9.10

    Comment by Andre — February 14, 2010 @ 7:54 am

  22. oops, it does work now with the php, i get a 403 forbidden

    Comment by Andre — February 14, 2010 @ 8:08 am

  23. Andre: glad you got it working =)

    mod_security typically needs a bit of additional configuration.

    Comment by bodhi.zazen — February 14, 2010 @ 10:28 am

  24. One more thing, the servertokens are still there.
    Which config or rule takes care of this?

    Those rules are little bit complex for a “mod_security” noob.
    But it’s a must have for a public webserver.

    thanks

    Comment by Andre — February 14, 2010 @ 3:27 pm

  25. Yes, it takes some time to sort out mod_security.

    http://www.modsecurity.org/documentation/modsecurity-apache/2.1.0/modsecurity2-apache-reference.html#N107B3

    Comment by bodhi.zazen — February 14, 2010 @ 10:19 pm

  26. (Disclaimer my system is Ubuntu 9.10 but should apply to other flavors as well)
    If you followed the above instructions and it appears to not be working you should verify that the module name is correct and is enabled.

    First check the module is enabled by looking in the /etc/apache2/mods-enabled directory. There should be a symbolic link named mod-security.load.

    Look at the contents of that file ‘more mod-security.load’
    The 2nd line of that file was:
    LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

    So in one of your apache config files that is loaded you would need to specify it as:

    SecServerSignature "Microsoft-IIS/5.0"

    (spaces added after >’s in case they are interpreted by this editor)

    You can verify that the module is working then with the above config by checking if ‘curl -i YOURDOMAIN.COM’ returns Microsoft-IIS/5.0 for the server instead of Apache.

    Comment by David — March 9, 2010 @ 10:50 am

  27. (crap editor removed lines)
    Add brackets below as appropriate.

    <IfModule security2_module>
    SecServerSignature "Microsoft-IIS/5.0"
    </IfModule>

    Comment by David — March 9, 2010 @ 10:53 am

  28. “Thanks, m8!
    I’m no expert in server administration or Linux, however your tutorial worked for me. I was trying to install this for weeks now and you make it simple for me. You got my respect :)
    BTW, I have Ubuntu 8.04, you might want to change the post to let others know it works with this version, too.
    Thanks again!

    Comment by Gadgets — May 16, 2009 @ 3:31 am”

    I hope you are Australian… anyway I am running 8.04.1 and I cannot install mod_sec with the instructions given and I cannot install apxs to compile mod_sec either…

    Help would be appreciated.

    Mike

    Comment by Mike — March 11, 2010 @ 9:13 am

  29. Mike: Glad it worked out for you =)

    Comment by bodhi.zazen — March 11, 2010 @ 3:41 pm
