Installing ModSecurity2 On Debian Etch

Submitted by falko (Contact Author) (Forums) on Thu, 2007-07-05 17:08. :: Debian | Apache | Security

Installing ModSecurity2 On Debian Etch

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/22/2007

This article shows how to install and configure ModSecurity (version 2) for use with Apache2 on a Debian Etch system. ModSecurity is an Apache module that provides intrusion detection and prevention for web applications. It aims at shielding web applications from known and unknown attacks, such as SQL injection attacks, cross-site scripting, path traversal attacks, etc.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

I'm assuming that Apache2 is already installed and fully functional on your Debian Etch system.

 

2 Installation

In Debian Sarge, ModSecurity was available as a .deb package in the official Debian repositories, but in Debian Etch it was removed due to some license issues. Fortunately, the original maintainer provides packages for Debian Etch in his own repository. To install these, we need to add his repository to /etc/apt/sources.list:

vi /etc/apt/sources.list

[...]
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/ etch/
[...]

Afterwards, we update our packages database like this:

apt-get update

Now we can install ModSecurity2 with this simple command:

apt-get install libapache2-mod-security2

That's it. The ModSecurity2 module gets enabled by default, and Apache2 is restarted automatically.

 

3 Configuration

Now it's time to configure ModSecurity2. The easiest way to do this is download the ModSecurity2 source package from http://www.modsecurity.org/download/index.html (e.g. http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz) and unpack it. It contains a file modsecurity.conf-minimal with a basic configuration for ModSecurity2 which I will use here (but I have adjusted the lines SecDebugLog and SecAuditLog so that ModSecurity2 logs to the /var/log/apache2 directory, Debian's default Apache2 log directory).

We open Apache's main configuration file /etc/apache2/apache2.conf and put the following configuration into it, right before the end where the virtual hosts are included:

vi /etc/apache2/apache2.conf

[...]
<IfModule mod_security2.c>
    # Basic configuration options
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Handling of file uploads
    # TODO Choose a folder private to Apache.
    # SecUploadDir /opt/apache-frontend/tmp/
    SecUploadKeepFiles Off

    # Debug log
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 0

    # Serial audit log
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^5
    SecAuditLogParts ABIFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Maximum request body size we will
    # accept for buffering
    SecRequestBodyLimit 131072

    # Store up to 128 KB in memory
    SecRequestBodyInMemoryLimit 131072

    # Buffer response bodies of up to
    # 512 KB in length
    SecResponseBodyLimit 524288

</IfModule>

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

Afterwards we restart Apache (it should restart without errors):

/etc/init.d/apache2 restart

If you haven't got any errors, ModSecurity2 is now working with a basic configuration. You can now modify/extend this basic configuration so that it fits your needs. A good starting point is the ModSecurity2 documentation. Also, there are more advanced rulesets in the ModSecurity2 sources that we've downloaded before (in the rules directory), and you can even download core rulesets from http://www.modsecurity.org/download/index.html (e.g. http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz).

Christian Folini has provided a tutorial about Remo, a GUI for creating ModSecurity rulesets. This is another great way to create your own ModSecurity2 rulesets.

 

4 Links


Copyright © 2007 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
additional note
Submitted by madferret (registered user) on Fri, 2007-08-10 04:40.
I had to do this, since I was getting an  NO_PUBKEY error when running apt-get (after adding inittab.org to /etc/apt/sources.list):
 

# gpg --keyserver pgpkeys.mit.edu --recv-keys C514AF8E4BA401C3


# gpg --export -a C514AF8E4BA401C3 | apt-key add -


# apt-get update

 

reply | view as pdf view as pdf
GPG Server
Submitted by meto (registered user) on Sun, 2008-05-25 12:12.

For me MIT server wouldn't work, so i found alternative:

# gpg –keyserver wwwkeys.eu.pgp.net –recv-keys C514AF8E4BA401C3
# gpg –export C514AF8E4BA401C3 | apt-key add -

# apt-get update

 

reply | view as pdf view as pdf
additional note 2
Submitted by Stoneborn (registered user) on Sun, 2008-01-13 14:44.

I had to modify my sources.list as follows to get libapache2-mod-security2 installed via apt-get otherwise it gave me a 404 for  mod-security2-common and mod-security2-common packages:

deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/etch ./ 

reply | view as pdf view as pdf
Useing inittab.org for mod_securit
Submitted by wirechief (registered user) on Mon, 2007-08-20 20:14.

Err http://etc.inittab.org etch/ mod-security2-common 2.1.1-0
  404 Not Found
Err http://etc.inittab.org etch/ libapache2-mod-security2 2.1.1-0
  404 Not Found
Failed to fetch http://etc.inittab.org/~agi/debian/libapache-mod-security2/./mod-security2-common_2.1.1-0_all.deb  404 Not Found
Failed to fetch http://etc.inittab.org/~agi/debian/libapache-mod-security2/./libapache2-mod-security2_2.1.1-0_i386.deb  404 Not Found

I was unable to obtain the above. I got around the key problem but apparently it is not on the host now.

I did find a updated version but am getting dependency issues with 

http://etc.inittab.org/~agi/debian/libapache-mod-security2/

dpkg -i mod-security2-common_2.1.2-1_all.deb
Selecting previously deselected package mod-security2-common.
(Reading database ... 113386 files and directories currently installed.)

Almost, but not quite there....thanking you for your research into this, it sure looked like it might work.
reply | view as pdf view as pdf
Re: Useing inittab.org for mod_securit
Submitted by admin (registered user) on Tue, 2007-08-21 09:38.

Please run

apt-get update

and try again.

reply | view as pdf view as pdf
Note that you don't need
Submitted by Daniel15 (registered user) on Sat, 2007-07-21 04:26.

Note that you don't need to download the ModSecurity2 source package to get the minimal config. After you install the module, the same file will be at /usr/share/doc/mod-security2-common/examples/modsecurity.conf-minimal

reply | view as pdf view as pdf
Source for ModSecurity2
Submitted by schiffmeister (registered user) on Sat, 2007-09-01 13:40.

Enter one of the following in your sourcelist: 

Packages for Sid:
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2 ./

Packages for Etch are in etch/
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/etch ./

Packages for Sarge (apache2.0) are in sarge/
deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/sarge ./

Source:
http://etc.inittab.org/~agi/debian/libapache-mod-security2/README 

 

reply | view as pdf view as pdf