Problem with mod_security 1.9.5?

BigBirdy

Active Member
Jun 10, 2007
28
0
151
I am basically trying to get mod_security configured properly. Since I also run ConfigServer CSF and LFD, I wanted to ensure that however I set things up, the CSF control panel area would show the mod_security settings/log entries. I also wanted to ensure I had the latest mod_security version.

I first installed it as a cpanel plugin which installed 1.9.1 I think and a small cgi applet in the WHM addons section. So far so good and everything was working and I could see the warnings in the logs. But I then upgraded mod_security to the latest 1.9.4 which promptly got overwritten with 1.9.1 the next cpanel/whm upgrade. So I checked the cpanel forums and learned I could avoid this by removing the addon, and installing manually.

So far so good, installed the latest 1.9.5 with

# /usr/local/apache/bin/apxs -cia mod_security.c


and all seemed fine. Proper loadmodule line in httpd.conf and I updated /usr/local/apache/conf/mod_security.conf with my directives, and some new ones suggested in the basic modsec.conf in the 1.9.5 docs and then restarted apache.

However, although apache started fine I didn't see the usual "[Wed Aug 8 21:08:42 2007] [notice] mod_security/1.9.5 configured" line, and no /usr/local/apache/logs/audit.conf or modsec_debug.log file gets created.

I also have a directive (SecServerSignature "No Info Here") which should show when apache starts, but instead I get the default signature as below:

[Wed Aug 8 21:35:11 2007] [notice] SIGHUP received. Attempting to restart
[Wed Aug 8 21:35:11 2007] [notice] Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/5.2.1 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a PHP-CGI/0.1b configured -- resuming normal operations
[Wed Aug 8 21:35:11 2007] [notice] suEXEC mechanism enabled (wrapper: /usr/local/apache/bin/suexec)
[Wed Aug 8 21:35:11 2007] [notice] Accept mutex: sysvsem (Default: sysvsem)

So it would appear that something is not loading correctly.

Maybe I didn't build the module correctly? But it seemed to build fine:

[email protected]:/usr/src/modsecurity-apache_1.9.5/apache1# /usr/local/apache/bin/apxs -cia mod_security.c
gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -I/usr/include/gdbm -DMOD_SSL=208128 -DUSE_HSREGEX -DEAPI -fpic -DSHARED_MODULE -I/usr/local/apache/include -c mod_security.c
gcc -shared -o mod_security.so mod_security.o
[activating module `security' in /usr/local/apache/conf/httpd.conf]
cp mod_security.so /usr/local/apache/libexec/mod_security.so
chmod 755 /usr/local/apache/libexec/mod_security.so
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak
cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
rm /usr/local/apache/conf/httpd.conf.new

*Contents of modsec.conf:*

<IfModule mod_security.c>
# Enable ModSecurity
SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"

# Ignore the localhost monitoring calls
#SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
SecServerSignature "No Info Here"

# Designate a directory for temporary files
# storage. It is a good idea to change the
# value below to a private directory, just as
# an additional measure against race conditions
SecUploadDir /tmp
SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
# Uncomment below to record responses with unusual statuses
# SecAuditLogRelevantStatus ^5
SecAuditLog logs/audit.log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug.log

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"


</IfModule>
 

BigBirdy

Thanks, found the problem. The include directive was missing to add my modsec.conf settings.
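A quick way to verify a setup like the one in this thread, as an added shell example that is not part of the original posts: it checks a copy of httpd.conf for the LoadModule and AddModule lines that `apxs -a` writes on Apache 1.3 and for the Include of the separate mod_security.conf (the line the reply above found missing), then looks for the "mod_security/x.y.z configured" notice in an error log. The file paths are the ones quoted in the thread; the sample configs and the log line are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an Apache 1.3 httpd.conf for
# the three lines this setup needs and reads the mod_security startup notice
# from error_log. Sample configs and the log line below are constructed.

# Print "ok" or "missing: <directives>"; returns 1 when anything is missing.
check_modsec_conf() {
    conf="$1"
    missing=""
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security_module[[:space:]]+.*mod_security\.so' "$conf" \
        || missing="$missing LoadModule"
    grep -Eq '^[[:space:]]*AddModule[[:space:]]+mod_security\.c' "$conf" \
        || missing="$missing AddModule"
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*mod_security\.conf' "$conf" \
        || missing="$missing Include"
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# Print the version mod_security announced in the given error log, or "none".
modsec_announced() {
    v=$(grep -Eo 'mod_security/[0-9.]+ configured' "$1" | head -n 1 | sed 's/ configured//')
    echo "${v:-none}"
}

# Constructed sample: httpd.conf right after `apxs -cia` alone. apxs -a adds
# LoadModule (and AddModule on Apache 1.3) but never an Include line.
tmp=$(mktemp -d)
cat > "$tmp/httpd.conf" <<'EOF'
LoadModule security_module    libexec/mod_security.so
AddModule mod_security.c
EOF
# Same file with the Include line the second post added.
cat > "$tmp/httpd_fixed.conf" <<'EOF'
LoadModule security_module    libexec/mod_security.so
AddModule mod_security.c
Include /usr/local/apache/conf/mod_security.conf
EOF
# Constructed error_log line in the form the first post says was expected.
printf '[Wed Aug 8 21:08:42 2007] [notice] mod_security/1.9.5 configured\n' > "$tmp/error_log"

check_modsec_conf "$tmp/httpd.conf" || true   # missing: Include
check_modsec_conf "$tmp/httpd_fixed.conf"     # ok
modsec_announced "$tmp/error_log"             # mod_security/1.9.5
```

Run it against the real /usr/local/apache/conf/httpd.conf and /usr/local/apache/logs/error_log instead of the constructed files to confirm both the Include and the startup notice are present after a restart.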