A. ModSecurity is an open source web application firewall that runs as an Apache module, and version 2.0 offers many new features and improvements.
It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. Some of the features include:
=> Parallel text matching
=> Geo IP resolution
=> Credit card number detection
=> Support for content injection
=> Automated rule updates
=> Scripting, as well as many others.
Installing mod_security on FreeBSD
Type the following command to update the ports tree:
# portsnap fetch update
Under FreeBSD 7, mod_security can be installed by typing the following commands:
# cd /usr/ports/www/mod_security
# make install clean
Configure mod_security
The ModSecurity 2 Core Rules are installed in /usr/local/etc/apache22/Includes/mod_security2/.
By default ModSecurity runs in "DetectionOnly" mode so that it does not disturb the operation of working websites or Apache. First change to the /usr/local/etc/apache22/Includes/mod_security2/ directory:
# cd /usr/local/etc/apache22/Includes/mod_security2/
Now open the ModSecurity core rule set file, modsecurity_crs_10_config.conf, enter:
# vi modsecurity_crs_10_config.conf
The file is well documented, so customize it according to your requirements. Open the httpd.conf file located in /usr/local/etc/apache22 and make sure the following lines exist:
LoadFile /usr/local/lib/libxml2.so
LoadModule security2_module libexec/apache22/mod_security2.so
Finally, restart Apache:
# /usr/local/etc/rc.d/apache22 restart
Monitoring mod_security log files
By default, log entries are written to the following files:
- /var/log/httpd-modsec2_audit.log
- /var/log/httpd-modsec2_debug.log
- /var/log/httpd-error.log or the virtual domain's error.log file
To follow the audit log in real time, search it for a particular string (for example cmd.exe), or follow a virtual host's error log, enter:
# tail -f /var/log/httpd-modsec2_audit.log
# grep cmd.exe /var/log/httpd-modsec2_audit.log
# tail -f /home/httpd/example.com/logs/error.log
Once everything is working as expected, open the modsecurity_crs_10_config.conf file and set SecRuleEngine to On:
SecRuleEngine On
Restart Apache:
# /usr/local/etc/rc.d/apache22 restart
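As an added example (not part of the original post or the mod_security project), the following POSIX sh/awk script summarises the serial audit log above into one line per transaction, so you can review which rules fire while the engine is still in DetectionOnly mode and confirm that the same hits become "Access denied" entries once SecRuleEngine is On. The sample log it writes is constructed for this example: the addresses are documentation ranges and the 9000xx rule ids are made up.

```shell
# Summarise a ModSecurity 2 serial audit log (/var/log/httpd-modsec2_audit.log on
# this setup) as "<client ip> <method> <uri> <warn|denied|none> ids=<rule ids>".
modsec_summary() {
    awk '
        # Part boundaries look like "--1a2b3c4d-A--"; the letter names the part.
        /^--[0-9a-f]+-[A-Z]--$/ {
            sec = substr($0, length($0) - 2, 1)
            if (sec == "A") { ip = "-"; req = "-"; act = "none"; ids = "" }
            if (sec == "Z") printf "%s %s %s ids=%s\n", ip, req, act, (ids == "" ? "none" : ids)
            next
        }
        # A: "[date time] unique-id client-ip client-port server-ip server-port"
        sec == "A" && NF >= 4 { ip = $4 }
        # B: first line is the request line "METHOD URI HTTP/x.y"
        sec == "B" && req == "-" && NF >= 2 { req = $1 " " $2 }
        # H: one "Message:" line per rule hit carrying [id "NNNNNN"]; DetectionOnly
        #    logs "Warning.", "Access denied" only appears once SecRuleEngine is On.
        sec == "H" && /^Message: / {
            if ($0 ~ /^Message: Access denied/) act = "denied"
            else if (act == "none") act = "warn"
            line = $0
            while (match(line, /\[id "[0-9]+"\]/)) {
                ids = ids (ids == "" ? "" : ",") substr(line, RSTART + 5, RLENGTH - 7)
                line = substr(line, RSTART + RLENGTH)
            }
        }
    ' "$1"
}

# Constructed sample log: documentation addresses, rule ids 9000xx made up here.
write_sample_log() {
    cat > "$1" <<'EOF'
--1a2b3c4d-A--
[13/Jan/2009:14:22:17 +0100] SYtb0n8AAAEAAAbtH4sAAAAA 192.0.2.10 50132 203.0.113.5 80
--1a2b3c4d-B--
GET /cgi-bin/test.cgi?cmd=cmd.exe HTTP/1.1
--1a2b3c4d-H--
Message: Warning. Pattern match "cmd\.exe" at ARGS:cmd. [id "900001"] [msg "Constructed rule"]
--1a2b3c4d-Z--
--5e6f7a8b-A--
[13/Jan/2009:14:25:02 +0100] SYtcXn8AAAEAAAbtH4wAAAAB 198.51.100.7 41022 203.0.113.5 80
--5e6f7a8b-B--
GET /index.php?page=../../etc/passwd HTTP/1.1
--5e6f7a8b-H--
Message: Warning. Pattern match "\.\./" at ARGS:page. [id "900002"] [msg "Constructed rule"]
Message: Access denied with code 403 (phase 2). Pattern match "passwd" at ARGS:page. [id "900003"] [msg "Constructed rule"]
--5e6f7a8b-Z--
EOF
}
tmp=$(mktemp) && write_sample_log "$tmp" && modsec_summary "$tmp"; rm -f "$tmp"
```

Run it against the real file with modsec_summary /var/log/httpd-modsec2_audit.log; a transaction that still reports "warn" after the switch to On is one the engine only logged, not blocked.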