Some might already know mod_security for Apache, and some might never have heard of it. In effect, mod_security is an application firewall running on Apache, able to protect the applications running on that Apache server.
In this example I will guide you through the process of enabling mod_security on a Windows Apache 2.x server.
First of all, download the precompiled package containing the mod_security2.so module for Apache. I might go through the process of how to compile it… but hell, Steffen already did this for you guys and is offering the package on his site. Do make a donation if you think his work is worthwhile (it really is ^^) and keep this link to the package available.
Once you have downloaded the package, unpack it into a directory called “mod_security2” inside the location where your Apache modules are stored. By default this is something like
C:\program files\apache foundation\apache 2.x\modules\
When you are finished unpacking the mod_security package into the destined directory, it is time to make some other preparations on the server. The following must be present on the machine before you are able to use mod_security:
1. libxml2.dll must be present in the same directory as the mod_security2.so Apache module file.
2. The Microsoft Visual C++ 2008 Redistributable Package must be installed on the machine running the Apache instance. If it is not, the package can be installed from this location.
Next it is time to edit the httpd.conf file located in the /conf/ directory within the Apache root.
C:\program files\apache foundation\apache 2.x\conf\httpd.conf
Add the following to enable the module (mod_security2 depends on mod_unique_id, so that module must be loaded first).
# Uncomment the following line by removing the leading # character.
LoadModule unique_id_module modules/mod_unique_id.so
# Add the following line to load the security module.
LoadModule security2_module modules/mod_security2/mod_security2.so
Next it would be wise to read the documentation on how to configure mod_security. Maybe I will add some examples in the near future. One quick and dirty way to start might be:
# Turn the rule engine on and give the persistent collections a writable directory
# (relative to ServerRoot); without SecDataDir the ip collection below cannot be stored.
SecRuleEngine On
SecDataDir logs
# Base our scoring on the visiting IP address: tie a persistent collection to it,
# so ip.score accumulates across requests from the same client.
SecAction "phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"
# Score suspicious requests instead of blocking them outright. A quoted pattern with no
# @operator is a regex. ModSecurity 2.7 and later require an id: on every rule; the
# ids below are constructed sample values, pick your own range.
SecRule REQUEST_FILENAME "/cgi-bin/phf" "id:900001,pass,setvar:ip.score=+10"
SecRule REQUEST_FILENAME "cmd.exe" "id:900002,pass,setvar:ip.score=+10"
SecRule REQUEST_FILENAME "apex_admin" "id:900003,pass,setvar:ip.score=+5"
SecRule REQUEST_FILENAME "httpd.conf" "id:900004,pass,setvar:ip.score=+5"
SecRule REQUEST_FILENAME "server.xml" "id:900005,pass,setvar:ip.score=+5"
SecRule REQUEST_METHOD "TRACE" "id:900006,pass,setvar:ip.score=+5"
# Evaluate the accumulated score. This logs the hit (our case); replace pass with
# deny,status:403 to block the client once it reaches 50.
SecRule IP:SCORE "@ge 50" "id:900007,phase:2,pass,log,msg:'ip.score reached 50'"
Well, this should work already. Yeah, I know there is no use protecting some server.xml if there isn't a proxy setting to some application server like Tomcat. But then again, this is just one of those examples 😉
Regards, and good luck…
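To make clear what the score-based rules above actually do, here is an added toy model (my own code, not part of the post or of mod_security) that replays constructed requests through the same rules and a per-IP collection. It assumes the threshold rule is set to deny rather than only log, and it does not model collection expiry; the point it shows is that the score is cumulative per client address, so a single probe passes and only repeated probing from the same address trips the threshold, after which even harmless requests from that address are denied.

```python
import re
from collections import defaultdict

# The post's SecRules as (variable, regex, points); no @operator means @rx.
RULES = [
    ("REQUEST_FILENAME", r"/cgi-bin/phf", 10),
    ("REQUEST_FILENAME", r"cmd\.exe", 10),
    ("REQUEST_FILENAME", r"apex_admin", 5),
    ("REQUEST_FILENAME", r"httpd\.conf", 5),
    ("REQUEST_FILENAME", r"server\.xml", 5),
    ("REQUEST_METHOD", r"^TRACE$", 5),
]
THRESHOLD = 50  # SecRule IP:SCORE "@ge 50"

class ScoreEngine:
    """Toy ip collection (initcol:ip=%{REMOTE_ADDR}); expiry is not modelled."""

    def __init__(self):
        self.ip = defaultdict(int)  # running ip.score per client address

    def evaluate(self, remote_addr, method, filename):
        """Score one request and apply the threshold rule -> (verdict, score)."""
        request = {"REQUEST_FILENAME": filename, "REQUEST_METHOD": method}
        for variable, pattern, points in RULES:
            if re.search(pattern, request[variable]):
                self.ip[remote_addr] += points  # setvar:ip.score=+N
        score = self.ip[remote_addr]
        return ("deny" if score >= THRESHOLD else "pass", score)

def replay(log_lines):
    """Run '<ip> <method> <path>' lines through a fresh engine, one tuple each."""
    engine = ScoreEngine()
    results = []
    for line in log_lines:
        ip, method, path = line.split()
        verdict, score = engine.evaluate(ip, method, path)
        results.append((ip, path, verdict, score))
    return results

# Constructed sample traffic: one client probes repeatedly, another once.
SAMPLE_LOG = [
    "10.0.0.5 GET /cgi-bin/phf",        # score 10
    "10.0.0.5 GET /scripts/cmd.exe",    # 20
    "10.0.0.5 TRACE /",                 # 25
    "10.0.0.5 GET /apex_admin",         # 30
    "10.0.0.5 GET /scripts/cmd.exe",    # 40
    "10.0.0.5 GET /cgi-bin/phf",        # 50 -> deny
    "10.0.0.5 GET /index.html",         # still denied, score stays at 50
    "192.0.2.9 GET /conf/server.xml",   # separate collection, only 5
]
```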