Enabling mod_security under Apache 2.x for Windows.

Some might already know mod_security for Apache and some might never have heard of it. mod_security is in effect an application firewall running on Apache, able to protect the applications served by that Apache server.

In this example I will guide you through the process of enabling mod_security on a Windows Apache 2.x server.

First of all, download the precompiled package containing the mod_security2.so module for Apache. I might go through the process of how to compile it… But hell, Steffen already did this for you guys and is offering the package on his site. Do make a donation if you think his work is worthwhile (it really is ^^) and keep this link to the package available.

Once you have downloaded the package, unpack it into a directory called "mod_security2" inside the location where your Apache modules are stored. By default this is something like

C:\program files\apache foundation\apache 2.x\modules\

When you have finished unpacking the mod_security package into its directory, it's time to make some other preparations on the server. It is essential that the following is present on the machine before you can use mod_security.

1. libxml2.dll should be present in the same directory as the mod_security2.so apache module file.
2. Microsoft Visual C++ 2008 Redistributable Package should be installed on the machine running the apache instance. If this is not the case the package can be installed from this location.

Next it's time to hack the httpd.conf file located in the conf directory within the Apache root.

C:\program files\apache foundation\apache 2.x\conf\httpd.conf

Add the following to enable the module.

#Uncomment the following line by removing the # char.
LoadModule unique_id_module modules/mod_unique_id.so
#Add the following rule to load the security module.
LoadModule security2_module modules/mod_security2/mod_security2.so

Next it would be wise to read the documentation on how to configure mod_security. Maybe I will add some examples in the near future. One quick and dirty way to start might be:

<IfModule security2_module>
SecRuleEngine On
SecAuditLogType Serial
SecAuditLog /logs/mod_security.log
# Add some security rules (in our case, logging on requests).
# Directory for persistent collection data; it must exist and be writable by Apache.
SecDataDir c:/seclogs/state
# ModSecurity 2.7 and later require a unique id on every rule; the ids below are arbitrary local values.
# Base our logging on visiting IP addresses.
SecAction "id:9001,initcol:ip=%{REMOTE_ADDR},nolog,pass"
# Increase the score in the IP collection on filtered hits (the remote requests).
SecRule REQUEST_FILENAME "/cgi-bin/phf" "id:9002,pass,setvar:ip.score=+10"
SecRule REQUEST_FILENAME "cmd.exe" "id:9003,pass,setvar:ip.score=+10"
SecRule REQUEST_FILENAME "apex_admin" "id:9004,pass,setvar:ip.score=+5"
SecRule REQUEST_FILENAME "httpd.conf" "id:9005,pass,setvar:ip.score=+5"
SecRule REQUEST_FILENAME "server.xml" "id:9006,pass,setvar:ip.score=+5"
SecRule REQUEST_METHOD "TRACE" "id:9007,pass,setvar:ip.score=+5"
# Evaluate these scores. No disruptive action is given, so a match is only logged.
SecRule IP:SCORE "@ge 50" "id:9008"
</IfModule>

Well, this should work already. Yes, I know there is no use protecting server.xml if there isn't a proxy setting to some application server like Tomcat. But then again, this is just one of those examples 😉
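
As an added example (not part of the original post): the final rule above carries no disruptive action, so with ModSecurity's default action list a score of 50 or more is only logged. A variant that refuses the request and lets the score expire could look like this; the rule ids 1000-1003 and the ten-minute expiry are assumptions chosen for illustration.

```apache
<IfModule security2_module>
    SecRuleEngine On
    # Persistent collections are stored here; the directory must exist
    # and be writable by the account Apache runs under.
    SecDataDir c:/seclogs/state

    # Open the per-client collection in phase 1 (request headers),
    # before any content handler runs.
    SecAction "id:1000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

    # Score a probe. expirevar drops the score 600 seconds after the
    # last matching hit, so one burst of scanning does not mark an
    # address forever.
    SecRule REQUEST_FILENAME "@contains cmd.exe" \
        "id:1001,phase:1,nolog,pass,setvar:ip.score=+10,expirevar:ip.score=600"
    SecRule REQUEST_METHOD "@streq TRACE" \
        "id:1002,phase:1,nolog,pass,setvar:ip.score=+5,expirevar:ip.score=600"

    # Enforce: once the address reaches the threshold, deny and log.
    # Placed after the scoring rules so the request that crosses the
    # threshold is itself refused.
    SecRule IP:SCORE "@ge 50" \
        "id:1003,phase:1,deny,status:403,log,auditlog,msg:'IP score threshold reached: %{ip.score}'"
</IfModule>
```

Because the score is keyed on REMOTE_ADDR, clients behind a shared proxy or NAT share one score, so run the logging-only version first and review the audit log before switching to deny.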

Rgrds, and good luck…

About Chris Gralike

I am currently manager of the business continuity department at the business IT service provider AMIS Services BV. I have been active in the ICT sector since 2003. Between 2003 and now I have held various roles. In the roles of systems and network administration, system engineer, service manager and now practice manager, I have come into contact with a wide range of technologies, methodologies, ideas, solutions and innovations. A wealth of experience with which I try to support the customers of Conclusion and AMIS every day. My credo: 'Always looking for a win-win between business and technology.'

Posted on December 17, 2008, in Apache. 4 Comments.

  1. Dude, it is not for Apache 2.x, please read carefully. I've lost 30 minutes because of you. It is written there: "They will NOT load into Apache 2.0 and 2.2 releases."
    It is for Apache 2.4.

  2. Hi, thanks for this effective post. I've a query: if I am using Apache 2.4 only for reverse proxy… do I still need to turn on mod_security??

  1. Pingback: ModSecurity web application firewall (WAF) Research - IT大道
