How to mod_security Ubuntu 9.04
Update : This how-to is reported to work in Ubuntu 8.04 as well.
What is mod_security, you ask?
Mod Security can significantly increase the security of your Apache installation.
What Is ModSecurity?
ModSecurity is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
It is also an open source project that aims to make the web application firewall technology available to everyone.
Do not think you need this? Follow along with the examples and decide for yourself (this tutorial assumes you already have Apache and PHP5 installed).
First, let us look at the default Apache behavior. I will use “ubuntuVPS” as the server of interest.
“Insecure” Example 1 – curl
Use curl to obtain information on the server (bodhi@home is a remote machine connecting to “ubuntuVPS”. You can test all this with any browser if you wish; simply use your server’s home page).
bodhi@home# curl -i ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:06:21 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>
Looks like this in your browser (the famous It works! page)
It works!
See how, with a single command, we already know the server is Ubuntu running Apache 2.2.11 and PHP 5.2.6?
“Insecure” Example 2 – bad .php
For this I will ask you to create a file “/var/www/insecure.php” and put the following code in it:
<?php
// Deliberately insecure: whatever the client puts in ?secret_file= is handed
// straight to include(), so any readable file on the server can be requested.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>
Now what? Open a browser and enter http://ubuntuVPS/insecure.php?secret_file=/etc/passwd
I shall use curl in this example:
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:24:11 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.1 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-3ubuntu4.1
Vary: Accept-Encoding
Content-Length: 860
Content-Type: text/html
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
postfix:x:104:107::/var/spool/postfix:/bin/false
YIKES !!!
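For comparison, this is how the same script looks when the include is done safely. It is an added example, not code from the original post: the client selects a key from a fixed allow-list and the file names never come from the request. The include directory /var/www/includes and the two page files in it are assumed for the example.

```php
<?php
// Added example (not from the original post): a safe version of insecure.php.
// The request chooses a key; the file paths are fixed in the script.
// Assumes a constructed include directory /var/www/includes (hypothetical).

$allowed = array(
    'about'   => '/var/www/includes/about.php',
    'contact' => '/var/www/includes/contact.php',
);

$key = isset($_GET['page']) ? $_GET['page'] : 'about';

if (!array_key_exists($key, $allowed)) {
    // Unknown key: refuse rather than guess, and never build a path from
    // the raw value or echo it back unescaped.
    header('HTTP/1.1 404 Not Found');
    echo 'Unknown page.';
    exit;
}

// Belt and braces: realpath() collapses ../ and symlinks, and we confirm the
// resolved file still lives inside the include directory before including it.
$base = realpath('/var/www/includes');
$path = realpath($allowed[$key]);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}

include $path;
?>
```

With this version, a request such as ?page=/etc/passwd simply gets a 404, whether or not mod_security is in front of Apache; the WAF then becomes a second layer rather than the only one.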
Install and configure mod_security
There was a time when installing mod_security was a bit difficult; now it is as easy as:
sudo apt-get -y install libapache-mod-security
The “hard part” is that we need to configure mod_security and obtain a few rules.
Configure mod_security
Using any editor, make a file “/etc/apache2/conf.d/modsecurity2.conf” and put the following contents in the file.
<IfModule mod_security2.c>
    # Load every rule file dropped into conf.d/modsecurity/
    Include conf.d/modsecurity/*.conf
</IfModule>
By default, mod_security logs to /etc/apache2/logs. The following commands put the log in /var/log/apache2/mod_security and create a symbolic link back to /etc/apache2/logs:
sudo mkdir /var/log/apache2/mod_security
sudo ln -s /var/log/apache2/mod_security/ /etc/apache2/logs
Download and install rules
Download rules from here
As of this writing, the rule set was “modsecurity-core-rules_2.5-1.6.1.tar.gz”; you may need to adjust accordingly as new rules are released.
sudo mkdir /etc/apache2/conf.d/modsecurity
cd /etc/apache2/conf.d/modsecurity
sudo wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo tar xzvf modsecurity-core-rules_2.5-1.6.1.tar.gz
sudo rm CHANGELOG LICENSE README modsecurity-core-rules_2.5-1.6.1.tar.gz
Enable mod_security:
sudo a2enmod mod-security
Now restart Apache
sudo /etc/init.d/apache2 restart
That’s it
Testing mod_security
“Secure” Example 1 – curl
bodhi@home# curl -i http://ubuntuVPS
HTTP/1.1 200 OK
Date: Tue, 28 Apr 2009 22:44:42 GMT
Server: Apache/2.2.0 (Fedora)
Last-Modified: Tue, 28 Apr 2009 21:39:54 GMT
ETag: "50d4a-2d-468a44dadbe80"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>
Look, no more server or PHP information (Fedora, Apache 2.2.0, LOL!!!)
“Secure” Example 2 – bad .php
bodhi@home# curl -i "http://ubuntuVPS/insecure.php?secret_file=/etc/passwd"
HTTP/1.1 501 Method Not Implemented
Date: Tue, 28 Apr 2009 22:47:38 GMT
Server: Apache/2.2.0 (Fedora)
Allow: TRACE
Vary: Accept-Encoding
Content-Length: 291
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Method Not Implemented</title>
</head><body>
<h1>Method Not Implemented</h1>
<p>GET to /insecure.php not supported.<br />
</p>
<hr>
<address>Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80</address>
</body></html>
Looks like this in your browser:
501 Method Not Implemented
Method Not Implemented
GET to /insecure.php not supported.
Apache/2.2.0 (Fedora) Server at ubuntuvps Port 80
Ah, a 501 error looks much better than the contents of /etc/passwd.
Where to go from here?
1. Monitor your logs:
tail /var/log/apache2/mod_security/modsec_audit.log
2. Learn / edit your mod_security rules: ModSecurity Reference Manual
3. Delete insecure.php (the “bad .php” example), LOL
sudo rm -rf /var/www/insecure.php
I hope you enjoyed and learned from this tutorial.
Posted in Linux
Pingback by linkfeedr » Blog Archive » Bodhi.Zazen: How to mod_security Ubuntu 9.04 - RSS Indexer (beta) — April 28, 2009 @ 6:20 pm
“ServerTokens minimal” will take care of the first problem in vanilla Apache, returning only “Server: Apache/2.2.3″ on our machines.
Comment by Paul Collins — April 28, 2009 @ 8:54 pm
Paul: Thank you for taking the time to leave a comment.
Your point is well taken; however, I hope you are not overlooking what mod_security has to offer, as it is so much more than simply masking your Apache version and operating system.
Comment by bodhi.zazen — April 28, 2009 @ 10:32 pm
So now you are a php dev?
Nice article if only more people were this careful.
btw Paul’s statement is an absolute must. Don’t give the attacker any more info than they need.
Comment by druibn — April 29, 2009 @ 12:38 am
It’s worthwhile to notice that there are no packages for Ubuntu 8.04.
See: http://packages.ubuntu.com/search?keywords=mod-security&searchon=names&suite=all&section=all
Comment by JustAnotherReader — April 29, 2009 @ 3:46 pm
[...] first used a simple example from http://blog.bodhizazen.net/linux/how-to-mod_security-ubuntu-904/ that has you create simple php file on your [...]
Pingback by Apache mod_security on CentOS 5 x86_64 | BASE Logic, Inc. — April 30, 2009 @ 12:11 pm
[...] This is a *brief* follow up blog from my recent blog on mod_security. [...]
Pingback by UbunTube » Bodhi.Zazen: Debugging mod_security rules - 122th Edition — May 1, 2009 @ 5:43 am
Thanks, m8!
I’m no expert in server administration or Linux, however your tutorial worked for me. I was trying to install this for weeks now and you make it simple for me. You got my respect
BTW, I have Ubuntu 8.04, you might want to change the post to let others know it works with this version, too.
Thanks again!
Comment by Gadgets — May 16, 2009 @ 3:31 am
Thank you for the information Gadgets, glad it is working for you.
I added an update at the top re: ubuntu 8.04 .
Comment by bodhi.zazen — May 16, 2009 @ 9:41 pm
I followed all the instructions, but the php function is still activated. What am I doing wrong?
Thanks,
Comment by dragonfire88 — June 1, 2009 @ 8:52 pm
Good job !
However, you cannot forget about the simplest way of blocking such requests by limiting access only to permitted directories.
For example by using:
php_admin_value open_basedir "/var/www/html/boo.bar"
regards
PZ
Comment by Piotr — June 2, 2009 @ 12:10 am
Thanks for the great info. For what it’s worth I had to manually take out about 8 different rules in order to allow mounting a webdav folder over SSL from an Ubuntu client. Log file /var/log/apache2/mod_security/modsec_debug was a real lifesaver.
Comment by HDave — June 3, 2009 @ 1:12 pm
[...] This is a *brief* follow up blog from my recent blog on mod_security. [...]
Pingback by Shadows of epiphany » Blog Archive » Debugging mod_security rules — June 7, 2009 @ 2:52 pm
[...] Fuente: Shadows of epiphany [...]
Pingback by Instalar ModSecurity en Ubuntu 9.04 Server paso a paso « Slice of Linux — June 26, 2009 @ 1:03 am
[...] Fuente: Shadows of epiphany [...]
Pingback by Probar ModSecurity « Slice of Linux — June 30, 2009 @ 1:21 am
If you get some errors about like
apache2: Syntax error on line 278 of /etc/apache2/apache2.conf: Syntax error on line 132 of /etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data: /etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data:170: was not closed.\n/etc/apache2/conf.d/modsecurity/base_rules/modsecurity_40_generic_attacks.data:132:
Then find “Include /etc/apache2/conf.d/” in /etc/apache2/apache2.conf and change it
to “Include /etc/apache2/conf.d/*.conf”
Comment by Jason Sievert — October 30, 2009 @ 9:34 am
- adding on to Jason’s comment
If you change your line in the apache2.conf to “Include /etc/apache2/conf.d/*.conf”
You will need to add more include statements to add back your 'security', 'localized-error-pages' and 'charset' configs, because the previous include was including code from all the files within the conf.d folder. So if you change your apache2.conf to read:
Include /etc/apache2/conf.d/*.conf — You will need to add the three includes below
Include /etc/apache2/conf.d/security
Include /etc/apache2/conf.d/localized-error-pages
Include /etc/apache2/conf.d/charset
Or you can add the .conf extension to each of the files you want (security.conf, etc.)
Comment by Chris Morgeson — December 9, 2009 @ 2:57 pm
Thank you for that great comment Chris Morgeson
Comment by bodhi.zazen — December 9, 2009 @ 3:58 pm
[...] two things. 1. mod_security is a great tool. We only used one feature of it. I suggest you follow bodhi.zazen’s tutorial to further configure it. 2. Security by ONLY obscurity is dangerous. You should [...]
Pingback by Slava Markeyev » Blog Archive » Apache – Security by Obscurity — February 6, 2010 @ 4:13 am