In this part of setting up a complete webserver we will harden Apache with the popular mod_security. mod_security is a small module that works like a web application firewall: it protects the application against the most common attacks and vulnerabilities, so it is good to have it on the webserver.
I assume that you already have Apache installed; if not, check out the previous part: How to install Apache on CentOS?
LAMP on steroids
This is part of our series LAMP on steroids. Check the links below to learn how to set up an awesome webserver!
- Choosing VPS
- Install EPEL
- Install and configure Apache HTTPD server
- Harden Apache with ModSecurity and OWASP Core Rule Set
- Install and configure PHP
- Install and configure MySQL server
- Configure firewall based on iptables
- Create developer user and setup SSH key-pair
- Configure SSH
- Install and configure Varnish to speed up websites
- More to come...
How to install mod_security on Apache httpd server
The first thing is the installation of the required tools; we need them to compile mod_security.
yum install automake libtool libxml2-devel
Next we need to download and decompress mod_security. Download links can be found on the official mod_security page.
cd ~/sources
wget https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz
tar -zxvf modsecurity-2.9.0.tar.gz
Now it's time to compile mod_security. When running ./configure we need to pass the paths to the apxs and apr binaries. All of them should be in the bin directory of the Apache installation path.
cd modsecurity-2.9.0
./autogen.sh
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/usr/local/apache2/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config
make
make install
cp /usr/local/modsecurity/lib/mod_security2.so /usr/local/apache2/modules
If there were no errors, mod_security is ready to use. It can be found in /usr/local/modsecurity. We need to copy the generated .so file to the Apache modules directory, which is what the last cp command above does.
ModSecurity and OWASP rules
mod_security is nothing without rules that tell it which attacks should be blocked. Fortunately there is a great package with lots of rules provided by OWASP, the Core Rule Set. We will use this rules package to harden Apache HTTPD. So let's download, unzip and copy the rules to the Apache configuration directory.
cd ~/sources
wget -O owasp.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
mkdir /usr/local/apache2/conf/crs
tar -zxvf owasp.tar.gz -C /usr/local/apache2/conf/crs --strip 1
cd /usr/local/apache2/conf/crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
Now we are ready to use ModSecurity!
In the previous article we added the httpd-security.conf file with some basic rules that improve Apache security. We will modify this file to load mod_security with the OWASP rules and add some basic configuration. You need to know that mod_security is a pretty large module with tons of configuration options; you can find them all in the ModSecurity reference manual.
Once you open the file, add these lines somewhere in it:
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
    Include conf/crs/modsecurity_crs_10_setup.conf
    Include conf/crs/base_rules/*.conf
    # Include conf/crs/experimental_rules/*.conf
    # Include conf/crs/optional_rules/*.conf

    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
    SecDataDir /tmp

    # Debug log
    SecDebugLog /usr/local/apache2/logs/modsec_debug.log
    SecDebugLogLevel 3

    # Audit log: only transactions with a relevant (2xx-5xx) status, the directive takes a regex
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^[2-5]
    SecAuditLogParts ABCIFHZ
    SecAuditLogType Serial
    SecAuditLog /usr/local/apache2/logs/modsec_audit.log
</IfModule>
So from the top:
- First we need to load the mod_security2 module.
- Next are the rules from OWASP that we include in ModSecurity. We need to include the setup and the base rules. The OWASP Core Rule Set comes with a lot more features that are marked as optional or experimental. We can enable those rules too, but we have to remember that they might not play well with our website; it is rather a matter of trial and error than one rule working well on every website. In general, including base_rules is OK.
- SecRuleEngine enables detection and blocking of malicious attacks.
- SecRequestBodyAccess enables inspection of data transported in request bodies.
- SecResponseBodyAccess buffers response bodies whose MIME type is listed in SecResponseBodyMimeType.
- SecDataDir is the working directory ModSecurity uses for temporary purposes.
- Next is the debug log. By default all error logs go to the Apache error log, but we can set a different path for the debug log. Best practice would be to set it per domain inside the particular VirtualHost file. In the previous article we set up a directory structure with a logs directory; it would be wise to use it for the debug log as well.
- The audit log is complementary to the debug log. It has detailed information about every error. It's disabled by default, so we need to enable it and turn on logging of relevant issues (warnings and errors). The next options configure the audit log itself. In general there is a lot more to discuss on this topic.
If you want to learn more about how to set up and read mod_security logs, here is a really great article about mod_security logging by the Infosec Institute.
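The audit log produced by the configuration above (Serial type, parts ABCIFHZ) is what you actually read after a rule fires. As an added example that is not part of this article or of ModSecurity itself, here is a small Python parser over a constructed sample of that log: it splits the file into transactions on the --boundary-X-- markers, pulls the client address and timestamp from part A, the request line from part B, the response status from part F and the id, msg and severity of every alert from part H, then summarizes rule hits and blocked clients. The two sample transactions, their addresses, transaction ids and the rule line number are constructed; the layout follows the serial audit log format.

```python
import re
from collections import Counter

# Constructed sample of a serial-format ModSecurity audit log (SecAuditLogType Serial,
# SecAuditLogParts ABCIFHZ): one request blocked by a CRS rule and one plain 404.
# Addresses, transaction ids and the rule line number are illustrative, not from a real server.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[20/Jan/2015:12:00:01 +0100] VL0AAAEAAABBBBBBBBBB 203.0.113.7 51234 192.0.2.10 80
--1a2b3c4d-B--
GET /search.php?q=test HTTP/1.1
Host: www.example.com
User-Agent: constructed-client/1.0
--1a2b3c4d-F--
HTTP/1.1 403 Forbidden
Content-Length: 199
Content-Type: text/html; charset=iso-8859-1
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "(constructed)" at ARGS:q. [file "/usr/local/apache2/conf/crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "100"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Stopwatch: 1421751601000000 1200 (- - -)
Engine-Mode: "ENABLED"
--1a2b3c4d-Z--

--5e6f7a8b-A--
[20/Jan/2015:12:00:02 +0100] VL0AAAEAAACCCCCCCCCC 198.51.100.23 40000 192.0.2.10 80
--5e6f7a8b-B--
GET /missing.html HTTP/1.1
Host: www.example.com
--5e6f7a8b-F--
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1
--5e6f7a8b-H--
Stopwatch: 1421751602000000 300 (- - -)
Engine-Mode: "ENABLED"
--5e6f7a8b-Z--
"""

# Part boundary, e.g. "--1a2b3c4d-A--": the hex id groups lines of one transaction, the letter is the part.
BOUNDARY_RE = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
# First line of part A: [timestamp] transaction-id client-ip client-port server-ip server-port
PART_A_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<client_ip>\S+) (?P<client_port>\d+) "
    r"(?P<server_ip>\S+) (?P<server_port>\d+)"
)
# Bracketed tags that ModSecurity appends to every "Message:" line in part H.
TAG_RE = re.compile(r'\[(id|msg|severity|file|line) "([^"]*)"\]')


def split_transactions(text):
    """Group the log into {transaction_id: {part_letter: [lines]}}, preserving file order."""
    transactions = {}
    current_id = current_part = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            current_id, current_part = m.group(1), m.group(2)
            transactions.setdefault(current_id, {}).setdefault(current_part, [])
            continue
        # Part Z is the terminator; anything after it (blank separator) belongs to nobody.
        if current_id is not None and current_part != "Z":
            transactions[current_id][current_part].append(line)
    return transactions


def parse_transaction(parts):
    """Extract the fields worth triaging from parts A, B, F and H of one transaction."""
    record = {"timestamp": None, "client_ip": None, "request": None, "status": None, "alerts": []}
    a_lines = parts.get("A") or []
    a = PART_A_RE.match(a_lines[0]) if a_lines else None
    if a:
        record["timestamp"] = a.group("ts")
        record["client_ip"] = a.group("client_ip")
    b_lines = parts.get("B") or []
    if b_lines:
        record["request"] = b_lines[0]          # the request line, headers follow it
    f_lines = parts.get("F") or []
    if f_lines:
        status_line = f_lines[0].split(" ", 2)  # "HTTP/1.1 403 Forbidden"
        if len(status_line) >= 2 and status_line[1].isdigit():
            record["status"] = int(status_line[1])
    for line in parts.get("H") or []:
        if line.startswith("Message:"):
            tags = dict(TAG_RE.findall(line))
            record["alerts"].append({
                "id": tags.get("id"),
                "msg": tags.get("msg"),
                "severity": tags.get("severity"),
                "file": tags.get("file"),
                "intercepted": "Access denied" in line,  # blocked, not just logged
            })
    return record


def parse_audit_log(text):
    return [parse_transaction(parts) for parts in split_transactions(text).values()]


def summarize(records):
    """Rule hits per (id, msg) and blocked requests per client: the two quick views
    for deciding whether a base_rules rule is a false positive on your site."""
    by_rule = Counter()
    blocked_by_client = Counter()
    for r in records:
        for alert in r["alerts"]:
            by_rule[(alert["id"], alert["msg"])] += 1
            if alert["intercepted"]:
                blocked_by_client[r["client_ip"]] += 1
    return by_rule, blocked_by_client


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in records:
        print(r["timestamp"], r["client_ip"], r["status"], r["request"], len(r["alerts"]), "alert(s)")
    by_rule, blocked = summarize(records)
    for (rule_id, msg), n in by_rule.most_common():
        print(f"rule {rule_id}: {n}x {msg}")
    for ip, n in blocked.most_common():
        print(f"{ip}: {n} blocked request(s)")
```

Point it at /usr/local/apache2/logs/modsec_audit.log (the path configured above) by reading the file into parse_audit_log. Concurrent-type audit logs store each transaction in its own file, so this parser applies to the Serial type chosen in this article.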
Now we just need to save the file and restart Apache, and our httpd server has better security.
service httpd restart
If you are following our series, you should now have part of the LAMP stack (Linux, Apache, MySQL, PHP): Apache, secured with mod_security.
A small note to those who would like to install mod_evasive as well to increase security. To be honest, it's really not worth installing on Apache. Why? Because when you run multiple instances via an MPM, mod_evasive doesn't share its information between the MPM instances. It means that one Apache instance can block the attacker but the others won't. So if you have many MPM workers, mod_evasive is just useless.
As always, if you are using Ansible for server provisioning you can use the ready playbook that covers everything in this series. You can find it on GitHub.
In the next episode we will add the P to our LAMP server.