Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: How to verify mod security is running? |
|
| Author |
|
Redebo
Joined: 13 Feb 2006
Posts: 4
|
 Posted: Mon 13 Feb '06 7:30 Post subject: How to verify mod security is running? |
 |
|
Hello all.
I'm new at running apache servers and as such am fairly paranoid about security. I just got my first server up and running last night and in my quest for more information stumbled upon this place.
I quickly learned that the module mod_security is very important to have, so I immediately d/l'ed and installed it using Steffen's binaries and sample config guide.
My question is, how can I verify that the module has loaded correctly and that it is working?
I see this in my error log:
[Sun Feb 12 22:23:44 2006] [notice] mod_security/1.9.2 configured
[Sun Feb 12 22:23:44 2006] [notice] Apache/2.0.55 (Win32) configured -- resuming normal operations
[Sun Feb 12 22:23:44 2006] [notice] Server built: Oct 9 2005 19:16:56
and I can only assume that its working from that first line.
If I keep an eye on the sec.log will I see the foiled malicious attempts show up there?
Thanks in advance! |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7402
Location: EU, Germany, Next to Hamburg
|
| Posted: Mon 13 Feb '06 12:14 Post subject: |
|
|
If there is no error message from the apache, mod_security works correcly. If Apache can not load a module it will show it to you.
If you have installed PHP on the server
make a page info.php
| Code: |
<?php
phpinfo();
?>
|
Call it via browser and there you can also see the loaded Modules from Apache |
|
| Back to top |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3117
Location: Hilversum, NL, EU
|
| Posted: Mon 13 Feb '06 13:58 Post subject: |
|
|
As James says, your mod_security is loaded correct.
Malicious attempts are showing up in the error.log and more detailed in the sec.log.
When you use my conf, try the following to test:
http://www.yourdomain.com/?highlight=%27
This should trigger the "phpBB attack" rule.
Steffen |
|
| Back to top |
|
jworisek
Joined: 21 Feb 2007
Posts: 2
|
| Posted: Wed 21 Feb '07 0:28 Post subject: |
|
|
I am also having trouble verifying that mod_security is running...
I am using apache 2.0.52
mod_security-2.0.4-2.0.x-w32.zip installed
I see this in my error log:
[Tue Feb 20 15:47:22 2007] [notice] ModSecurity for Apache 2.0.4 configured
This is in my http.conf:
| Code: |
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2/mod_security2.so
<IfModule mod_security.c>
# Turn ModSecurity On
SecFilterEngine On
#SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
# SecServerSignature "Not Important"
#SecUploadDir logs
#SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine On
# RelevantOnly
SecAuditLog logs/sec.log
## -- Common attacks --------------------
SecFilterDefaultAction "deny,log,msg:'Common attacks',status:403"
#Web Proxy GET Request
SecFilter "^GET (http|https|ftp)\:/"
#Web Proxy HEAD Request
SecFilter "^HEAD (http|https|ftp)\:/"
#Proxy POST Request
SecFilter "^POST (http|https|ftp)\:/"
#Proxy CONNECT Request
SecFilterSelective THE_REQUEST "^CONNECT "
# Only accept request encodings we know how to handle.
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Restrict which request methods can be used
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
# Restrict protocol versions.
SecFilterSelective SERVER_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$"
# Require Content-Length to be provided with every POST request.
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't know how to handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
## -- PHP attacks --------------------
SecFilterSignatureAction "log,deny,msg:'PHP attack'"
# Possible code execution attack (targets valid PHP streams constructs)
SecFilterSelective ARGS_NAMES "^php:/"
#phpBB attack
SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
## -- Awstats-------------------------
SecFilterSignatureAction "log,deny,msg:'Awstats Attack'"
SecFilterSelective ARGS_NAMES "configdir"
## -- SQL Injection Attacks --------------------
SecFilterSignatureAction "log,deny,msg:'SQL Injection attack'"
# Generic
SecFilterSelective ARGS "delete[[:space:]]+from"
SecFilterSelective ARGS "drop[[:space:]]+database"
SecFilterSelective ARGS "drop[[:space:]]+table"
SecFilterSelective ARGS "drop[[:space:]]+column"
SecFilterSelective ARGS "drop[[:space:]]+procedure"
SecFilterSelective ARGS "create[[::space:]]+table"
SecFilterSelective ARGS "update.+set.+="
SecFilterSelective ARGS "insert[[:space:]]+into.+values"
SecFilterSelective ARGS "select.+from"
SecFilterSelective ARGS "bulk[[:space:]]+insert"
SecFilterSelective ARGS "union.+select"
SecFilterSelective ARGS "or.+1[[:space:]]*=[[:space:]]1"
SecFilterSelective ARGS "alter[[:space:]]+table"
SecFilterSelective ARGS "or 1=1--'"
SecFilterSelective ARGS "'.+--"
# MySQL
SecFilterSelective ARGS "into[[:space:]]+outfile"
SecFilterSelective ARGS "load[[:space:]]+data
SecFilterSelective ARGS "/\*.+\*/"
## -- Command execution --------------------
SecFilterSignatureAction "log,deny,msg:'Command execution attack'"
SecFilterSelective ARGS_VALUES "^(uname|id|ls|rm|kill)"
SecFilterSelective ARGS_VALUES "^(ls|id|pwd|wget)"
SecFilterSelective ARGS_VALUES ";[[:space:]]*(ls|id|pwd|wget)"
</IfModule>
|
I installed the Visual C++ Package. Should the installer disappear when finished without giving an "installation complete" dialogue?
It doesn't show up with phpinfo(); and trying the phpBB attack did nothing but make the page load blank.
Any suggestions would be appreciated. |
|
| Back to top |
|
jworisek
Joined: 21 Feb 2007
Posts: 2
|
| Posted: Wed 21 Feb '07 1:33 Post subject: |
|
|
I also tried the sampe from the Readme First file:
| Code: |
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace
SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log
## -- General rules --------------------
SecRule ARGS "c:/" t:normalisePathWin
SecRule ARGS "\.\./" t:normalisePathWin
SecRule ARGS "d:/" t:normalisePathWin
## -- phpBB attack --------------------
SecRule ARGS:highlight "(\x27|%27|\x2527|%2527)"
|
Same results. |
|
| Back to top |
|
|
|
|
|
|
