[Page 1, 2 Next]

Topic: mod_security help for newbie on windowsxp

[1]

Topic: mod_security help for newbie on windowsxp

[mewbie]

I have read/search until I'm about to give up.
Please if can help, a complete newbie to apache, install the mod_security-2.5.9-win32. I read that I should have this firewall installed for security. I'm trying :p...

I am using: XP SP3, 'xampp v1.7.1 standalone/portable' which is Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9

I have followed the Readme.txt until here (with exception that I copied files to a new directory here: D:\xampp\apache\modules\mod_security2 <as I have dir apache, but not apache2) Is ok?

"# Configuration: see the included documentation"
I read here: modsecurity2-apache-reference.html#configuration-directives" where I'm completely lost as to:
a. How to configure firewall?
b. Where are the other files and dir in the zip suppose to go? "Include directives": "These rules, along with the Core rules files, should be contained is files outside of the httpd.conf file and called up with Apache "Include" directives...." ???
c. How???: "ModSecurity directives can be used inside the various Apache Scope Directives"
d. In Readme.txt: # A very quick start: < where to put these settings
e. How to know if firewall is on/enabled, being used? I read to call it by going to that url, but it didn't give me error. Which I'm sure because I haven't finished the install.

One of the things I have tried that also failed: Included in the zip is mod_security-2.5.9-win32\modsecurity-2.5.9\modsecurity.conf-minimal < so i renamed that to: modsecurity.conf, placed in the new dir \mod_security2 then added the 2 lines at the end of the modsecurity.conf:
Call your site with:

http://www.xxxxcom/?abc=../../ (replacing www.xxxxcom with my url).
Stop and start apache, test this url and it opens my website homepage, no errors.
I also tested adding all these settings to httpd.conf, but then read "should be contained is files outside of the httpd.conf"

Please if possible could you post with examples how to accomplish in baby steps.
Thank you very much and sorry again to not understand the language in the docs.


*PS. Just a note on this post it says: http://www.apachelounge.com/viewtopic.php?t=2520
To check your mod_security, add the rule:

SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"

Call your site with:

http://www.xxxx.com/?abc=../../

You should get a access denied and in the log:

--------
On the Readme.txt in the zip it doesn't contain the actual rule.

Edit: btw I did 'not':
a.) install this one modsecurity-apache_2.5.9.tar.gz as I believe the zip to be for windows.
b.) I didn't overwrite my existing libxml2 that I have found here: D:\xampp\php\libxml2.dll and here: D:\xampp\apache\bin\libxml2.dll
dated 12/21/2007 because it didn't say to in the Readme.txt (win32)
though I do notice that the libxml2.dll included in the zip that I copied to \mod_security2 is newer date 10/5/2008 and larger by 42kb

[glsmith]

For starters;

I am assuming xamp's ServerRoot is D:\xamp\apache so;
In httpd.conf you need to load the module and tell Apache to
"Include" the conf file

in /xamp/apache/conf/httpd.conf:

[mewbie]

Oh a reply! Thank you glsmith !

Ok I had already, as per Readme.txt, added this only to my httpd.conf:
LoadModule security2_module modules/mod_security2/mod_security2.so
and find & uncomment this line by removing '#'(mine wasn't commented):
LoadModule unique_id_module modules/mod_unique_id.so

So now as you have said I've added the line:
Include modules/mod_security2/modsecurity.conf <which I presume will be the one I copied over from zip (modsecurity.conf-minimal) and renamed to modsecurity.conf, so at least I was on the right track

I have stopped/restarted server. Close/reopen browser.
Enter: (replaced 'www.xxxxcom' with my url)
http://www.xxxxcom/?abc=../../
And that URL still prompts me for password then opens up my website.. all variations of that url open website as well like: http://www.xxxxcom/?abc=../ and http://www.xxxxcom/?abc=

Readme.txt said: "To check your mod_security, add the rule":
Call your site with:
http://www.xxxxcom/?abc=../../

I didn't add this rule to anything. I did paste it on modsecurity.conf at the bottom (changing to my url), but then apache wouldn't start.

1. Now what do I do with all those other files in the directories 'rules' and 'tools' included in the mod_security-2.5.9-win32.zip?

2. How do I know if it's running and working? I do see on D:\xampp\apache\logs\error.log: [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.

Just strange as use to my own firewall popping up to ask if this and that is ok.

Thank you again so much for your time!
Mew

[mewbie]

Btw I was trying to also follow this tut here;
http://gilbertng.blogspot.com/2008/03/apache-modsecurity-and-xampp.html
Its quite confusing when one doesn't know what they are doing. Sorry.. So I ask now as I'm going to end up asking when the above problem is solved.

1.) All ok until tut comes to step 8; as it sounds like he is putting those directives in the httpd.conf file?
But I read: Core rules files, should be contained is files outside of the httpd.conf file and called up with Apache

2.) His step 9.: Start and stop the Apache and look at the phpinfo and see it loaded or not.
"phpinfo" < what is phpinfo? I look under phpMyAdmin and I don't see any mention of mod_security. If he means http://localhost/xampp/phpinfo.php < then I don't see it listed there either.

3.) this his last steps:
1. Disable PHP function - do i need to do these?
As I dont have the file where he says but I do have it here: D:\xampp\php\php.ini
Which right now states under disable_functions only: disable_functions =
2. he says: 2. Besides, open safe mode
in my php.ini I have:
; Safe Mode
;
safe_mode = Off
3. he says: open_basedir = C:\ foo\bar
mine is commented I believe, it has: ;open_basedir =

Thank you again, sorry for all the questions at once!

[glsmith]

His step 8 is not using "core" rules but his own set. Look at the minimal conf file included ... drop it into /xamp/apache/conf and in httpd.conf file add

Include conf/filename.conf

done

if you want to use core rules .. read the mod security docs .. not someones tut

basically, put all 8 or so of the files into a folder /xamp/apache/conf/core
then

Include conf/core/*.conf

I know nothing about "his" php setup .. I'm php dumb

[James Blond]

Hi newbie,
you don't need to disable any php functions if only you run your scripts on that server. Also you don't need to set open_basedir.
In the case other ppl run theier scripts on the server you should set open_basedir to the apache document root.
Leave safe mode off! It does not make your server saver and it sucks a lot when it is enabled.

if you have still a question you're welcome to ask more

[glsmith]

Thanks for that tip ... safe_mode==suck-system-dry_mode

[James Blond]

in PHP 6 safe mode will be removed also register globals. To make PHP 5 secure if you have other users on your system.
Set open_basedir to the vhost the user has access to. Also set the upload_tmp_dir to that folder, if not the user can't upload files caused by basedir

with PHP_Admin_value you can set most values for each vhost.

expose_php = Off
than you won't see the X-Powered-By: PHP/5.2.9 header.


Guess this enough of PHP stuff since this is a mod_sec topic.

[mewbie]

Thank you glsmith and James Blong for your time and replies! . Sorry to say that I'm more confused and bummed out about it now than before. Please if you could take the time to read through this and let me know what I have missed, that would be great! I know its a very good program from what I have read and probably very easy to install for seasoned users.

(Would be great if there were step by step 'full' instructions, for windows, that newbies could understand. I have seen at xampp forum other ppl having same problem to get this to work with no solution posted. For example in html doc, step 7-8 for windows, I'm 'completely' lost. Thus my long search on other sites/ 'tuts' to get this setup.)

I did read the docs included, (Readme.txt and modsecurity2-apache-reference.html). I'll post here where my problems are so you can see into a mewbies mind lol and why such confusion in detail (my comments in bold):

Step 7: Skip down to windows:
a. Edit Makefile.win to configure the Apache base and library paths. <no such file 'Makefile.win' and if there was then I suppose the path would be D:\xampp\apache\bin < as this is where I find my existing libxml2.dll. So never mind skip, don't have this makefile.win
b. Compile with: nmake -f Makefile.win < I presume this is done via command prompt, skip don't have the file
c. < skip as well, don't have that file
d. Copy the libxml2.dll <skip: have file in bin already) and lua5.1.dll to the Apache bin directory.<skip: Readme.txt says: Lua is build inline, no need to have lua5.1.dll)
Alternatively you can follow the step below for using LoadFile to load these libraries. < ok, I'll do that:

Step 8: Edit the main Apache httpd config file (usually httpd.conf)
On UNIX (and Windows if you did not copy the DLLs as stated above) you must load libxml2 and lua5.1 before ModSecurity with something like this:

LoadFile /usr/lib/libxml2.so<no such file
LoadFile /usr/lib/liblua5.1.so<no such file
Load the ModSecurity module with: LoadModule security2_module modules/mod_security2.so <done, pasted in httpd.conf

Step 9: Configure ModSecurity <how? do what to what file?

---------- ok not working, back to the Readme.txt:
Create .../apache2/modules/mod_security2 and copy mod_security2.so and libxml2.dll to this folder <done

Install the Visual C++ 2008 Redistributable Package <done

Add to your httpd.conf:
LoadModule security2_module modules/mod_security2/mod_security2.so <done
Enable the module unique_id by uncommenting:
LoadModule unique_id_module modules/mod_unique_id.so <done

A very quick start: <not done, didn't understand where to put these

To check your mod_security, add the rule:
Call your site with:
http://www.xxxxcom/?abc=../../ <didn't know where to add these 2 lines, so I renamed 'modsecurity.conf-minimal' to 'modsecurity.conf', placed that in D:\xampp\apache\modules\mod_security2 pasted the two lines above into file (replacing www.xxxxcom with my url), restarted, tried URL, could open, no denial.

Then glsmith instructed me to add to httpd.conf:
Include modules/mod_security2/modsecurity.conf <done, restart, apache won't load. I remove these two lines, apache can load. I go searching, find http://www.apachelounge.com/viewtopic.php?t=2520
To check your mod_security, add the rule:
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'" < so this is the rule to add, not the 2 lines above as stated in Readme.txt (mod_security-2.5.9-win32.zip), so I paste this to bottom of 'modsecurity.conf'. Restart apache, http://www.xxxxcom/?abc=../../ < still opens my website.

---next reply:
glsmith instructs to: Look at the minimal conf file included ... drop it into /xamp/apache/conf and in httpd.conf file add Include conf/filename.conf < ok I did this earlier as per your instructions, but it was: Include modules/mod_security2/modsecurity.conf < should be fine here, or do I need to move it?

Then: put all 8 or so of the files into a folder /xamp/apache/conf/core <done
then Include conf/core/*.conf <pasted on httpd.conf, restart apache, close browser, clear temp files, restart apache again, http://www.xxxxcom/?abc=../../ < still opens my website.
I take a look at error.log and see this:
[error] [client 192.168.1.2] ModSecurity: Warning. Pattern match "\\.\\./" at ARGS:abc. [file "D:/xampp/apache/modules/mod_security2/modsecurity.conf"] [line "60"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "myurl.com"] [uri "/"] [unique_id "ShylOcCoAQIAABC0ZZAAAZZZ"] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.[notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.

(note these errors in error.log are only when I restart apache, not while using apache)

"Drive Access" I think could this be because I have alias (symbolic link) to another drive in my computer??? So I test this script (RogioBiz.PHP.File.Manager, its a file editor/upload/download script) I make a new folder (via this webpage.php), Ok, makes new folder. Then I select delete folder; it sends me to a 404 page, I press back button and get message 'Invalid folder bane!'. I still can't delete folder.
I test again by uploading a file: file uploads, then sends me to a 404 page, i press back and get same error, but file i upload is there.
The whole start of me installing apache was this script- so a friend could upload/download/delete at will securely. So I need this script to work properly as it did before.

-----
Mini summary of All that I have done:
1.) LoadModule security2_module modules/mod_security2/mod_security2.so <done, pasted in httpd.conf
2.) Enable the module unique_id by uncommenting:
LoadModule unique_id_module modules/mod_unique_id.so <done in httpd.conf
2a.) Include modules/mod_security2/modsecurity.conf <done, pasted in httpd.conf
3.) Create .../apache2/modules/mod_security2 and copy mod_security2.so and libxml2.dll to this folder <done
4.) Install the Visual C++ 2008 Redistributable Package <done
5.) renamed 'modsecurity.conf-minimal' to 'modsecurity.conf', placed that in D:\xampp\apache\modules\mod_security2
6.) pasted at bottom of modsecurity.conf:
SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
7.) Rename 'rules' directory (from zip) to 'core', copy it including contents to: /xampp/apache/conf/core
8.) paste in httpd.conf: Include conf/core/*.conf
(I did not make any changes to php per the other tut)

Results:
-errors on log
-don't know if firewall is working- I can still go to http://www.xxxxcom/?abc=../../ ,
-my file_editor/upload/download php script isn't working properly now

[glsmith]

I notice you are throwing around a lot of paths on the file system using the beloved \ (backslash) character. Please tell me you are not using these in your config. And if you are, double them up (escape them) like
D:\\xamp\\apache\\etc\\etc

or simpler just using the prefered forward slash
D:/xamp/apache/etc/etc


------------------------------------------------------------------------
note to self (alpost3.txt)

[mewbie]

No, I am using '/' in all the files.
'\' is to show paths to files in explorer

PS. I do hope you can see from my post how one could be so confused and that I'm not going out of my mind haha :p

[glsmith]

ok .. let's ignore all readme's and tuts .... period. I think some of your problem is you are trying to do this off too many different things and one may contradict another.

Undo everything you've done in your config files, clean up the Apache files like remove the mod_security2 folder you made. Make sure Apache is running properly again. Now I know what page your on for sure.

I am going to do this in two parts. After the first part we will see where we are. No, mod_security will not do anything yet, but it will let us know if there is a problem with the binaries for some odd reason.

Part one

Start with a brand new copy of mod_secuity2.so, libxml2.dll and the minimal config file (we will no use this file yet in part one).

Move/copy the module itself (mod_security2.so) in the Apache modules folder (which looks like it is /xamp/apache/modules)

Move/copy libxml2.dll to /xamp/apache/bin

In Notepad, open httpd.conf

Uncomment the line for the Unique ID module

Add line at bottom of Load Modules section

[mewbie]

HUGE THANK YOU glsmith for your time and patience again! .
I know once this is sorted out, its going to help a number of other ppl that I have seen posting about this, so thank you from them as well LOL.
I agree, start fresh and with baby steps haha :p
I have done almost all as you have instructed (with a few exceptions), all seems OK.

The exceptions are, in case it matters:

1. I have also reinstalled Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) after re-installing:
Microsoft Visual C++ 2008 Redistributable Package (x86)
rebooted

2. I had deleted D:\xampp\apache\modules\mod_security2\ < this directory and all of it's files.
Copied over a fresh copy of 'mod_security2.so' to: D:\xampp\apache\modules\
Apache (httpd.conf) would 'Not' restart with this line:
LoadModule security2_module modules/mod_security2.so
But when I move 'mod_security2.so' from modules directory into newly created sub directory mod_security2, this line works just fine:
LoadModule security2_module modules/mod_security2/mod_security2.so
No idea why, so I have left it as that.
---------end of exceptions to your instructions

Error log looks good:
[Fri May 29 11:16:43 2009] [notice] Server built: Dec 10 2008 00:10:06
[Fri May 29 11:16:43 2009] [notice] Parent: Created child process 2816
[Fri May 29 11:16:44 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Fri May 29 11:16:45 2009] [notice] Digest: generating secret for digest authentication ...
[Fri May 29 11:16:45 2009] [notice] Digest: done
[Fri May 29 11:16:46 2009] [notice] Child 2816: Child process is running
[Fri May 29 11:16:47 2009] [notice] Child 2816: Acquired the start mutex.
[Fri May 29 11:16:47 2009] [notice] Child 2816: Starting 250 worker threads.
[Fri May 29 11:16:47 2009] [notice] Child 2816: Starting thread to listen on port 80.
[Fri May 29 11:16:47 2009] [notice] Child 2816: Starting thread to listen on port 443.


Thank you, and I am ready for the next steps when you are, IF the above is all OK.

[LuMorehead]

I've been reading your posts both here and on the Apache Friends site.

Some questions first:

How did you install XAMPP? With an installer or manually?
My suggestion is that you install manually or do a buildif you want to add third-party modules .

Is XAMPP up and running? In other words are you able to access localhost and the demos? (Sorry, I don't remember what you wrote in previous posts on friends forum.)

Have you read the docs on security in Apache? Unless you use the developer's version of XAMPP - Apache, security type option(s) are restricted to cookie type.

In your last reply/post you wrote 2.5.9 for a version. Is this an error?

Last but not least, It's likely that I missed some of the gist of your posts - sorray again. But , exactly what are you trying to get as the final result?

Lu

[glsmith]

Lu ... That is not an error ... that is the mod_security2 modules version number.

[glsmith]

I do not mind the exceptions .. as long as I see this
[Fri May 29 11:16:44 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.


OK ... next step .. let's get it working with the minimal config.
Rename the config file, drop in /xamp/apache/conf/modsecurity.conf
Below the line in the file
SecResponseBodyLimit 524288

add the line

[mewbie]

glsmith: Thank you again!
OK, done and as I suspected I still can go that url (as I'm right where I was in one of my previous post):
http://localhost/?abc=../../ (local host replaced with my url)

In error log it says:
[Sat May 30 09:49:01 2009] [notice] Server built: Dec 10 2008 00:10:06
[Sat May 30 09:49:01 2009] [notice] Parent: Created child process 2724
[Sat May 30 09:49:04 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 30 09:49:05 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 30 09:49:05 2009] [notice] Digest: done
[Sat May 30 09:49:07 2009] [notice] Child 2724: Child process is running
[Sat May 30 09:49:07 2009] [notice] Child 2724: Acquired the start mutex.
[Sat May 30 09:49:07 2009] [notice] Child 2724: Starting 250 worker threads.
[Sat May 30 09:49:08 2009] [notice] Child 2724: Starting thread to listen on port 443.
[Sat May 30 09:49:08 2009] [notice] Child 2724: Starting thread to listen on port 80.

[Sat May 30 09:50:07 2009] [error] [client 192.168.1.2] ModSecurity: Warning. Pattern match "\\.\\./" at ARGS:abc. [file

"D:/xampp/apache/conf/modsecurity.conf"] [line "33"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname

"my.host.name.com"] [uri "/"] [unique_id "SiCQz8CoAQIAAA********"]
(unique id I *** out some of the numbers in case this is private)

Thank you!

=============================
LuMorehead: Thank you for trying to help this mess of mine

[glsmith]

ok .. I was wrong .. not a 403 .. but it flagged in the error log so mod_sec is working. see what that gets you for the next couple days before you dive into core rules ... and no .. nothing secret in the unique id that I know of .. you can press reload on your browser a hundred time and you will get 100 different ones.

[mewbie]

Thank you again. OK will do glsmith, and I'll keep an eye on the error log for any unusual things related to mod_security.

I had previously thought firewall wasn't working, as according to docs and other post that URL should not open with that rule..
but I see it is told to give a msg: msg:'Drive Access'"
So I do feel a little confused about that but will continue this process

re unique id: noted

(my note: line 33 is the rule that you had me add to modsecurity.conf)

[mewbie]

glsmith, how are you?

Seems to all be running smooth. Though a few new odd entries in error log that weren't there before (I don't know if related or not). It only happened for 2 days, now I don't see them again, yet:

2 of these:
[warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.

and then 8 of these:
[warn] (OS 64)The specified network name is no longer available. : winnt_accept: Asynchronous AcceptEx failed.

I'm ready for your Part 2 of the installation when you are. Thank you!

PS. We also never covered what do I do with all those other files in the directory 'tools'.