Home » Apache, Debian, Featured, Headline, How-to, Linux, Security, Shell

Atomic ModSecurity Rules with Debian Lenny 5.0

30 December 2010 No Comment

Atomic ModSecurity

Everyone, with a decent Linux security knowledge, should know about ModSecurity – Open Source Web Application Firewall. Personally, I know this mod from 2004 and it help me a lot in detecting and/or preventing malicious attacks before reaching my customers applications.

ModSecurity evolved over the years and now is a very complex piece of software. From version 2.5 ModSecurity add support for RULE scripting via LUA which is a very big step in ModSecurity rule scripting.

Anyway, in this article, I will show you how to install Atomic ModSecurity Rules (http://www.atomicorp.com/) in Debian 5.0.

To install ModSecurity you should add the backports repository in your apt source list. If you don’t have the repository added and you don’t know the URL, just add the following line in your /etc/apt/sources.list:


deb http://www.backports.org/debian lenny-backports main contrib non-free

To install ModSecurity run:

apt-get update
apt-get install libapache-mod-security

To work correctly, Atomic ModSecurity Rules, needs some folders created and some files.

 mkdir /etc/apache2/modsecurity.d
 mkdir /etc/asl/
 touch /etc/asl/whitelist
 mkdir /var/asl
 mkdir /var/asl/tmp
 mkdir /var/asl/data
 mkdir /var/asl/data/msa
 mkdir /var/asl/data/audit
 mkdir /var/asl/data/suspicious
 chown www-data.www-data /var/asl/data/msa
 chown www-data.www-data /var/asl/data/audit
 chown www-data.www-data /var/asl/data/suspicious
 chmod o-rx -R /var/asl/data/*
 chmod ug+rwx -R /var/asl/data/*

You should get the latest rules from AtomicCorp website: http://updates.atomicorp.com/channels/rules/delayed/modsec-2.5-free-latest.tar.bz2

AtomicCorp have 2 types of rules: a free one which is 1 month delayed and a real time one what is not free and you should subscribe for it. I usually use the free version, but for a good security I recommend you to get the real time one.

Now you should unpack the archive modsec-2.5-free-latest.tar.bz2 and put all the files in /etc/apache2/modsecurity.d .

Before to enabled modsecurity apache module, modify /etc/apache2/mods-available/mod-security.load and add the following lines

LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

Include modsecurity.d/modsecurity_crs_10_config.conf
Include modsecurity.d/*asl*.conf

Now everything should be in place, just test your apache configuration:


apachectl configtest

If is everything ok, just restart the apache server.

Testing is simple, try to add cross site scripting/sql sentences in your URL website and just look at /var/log/apache2/audit_log
Example: http://www.example.com/foo.php?X=1&Y=2′;select * from mysql.db;
OR
http://www.example.com/login?foo=http://www.google.com

This will generate a trace of what happen in /var/asl/data/audit.

For more informations please consult Atomic ModSecurity wiki page at: http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules

Good Luck!


Leave your response!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.

You can use these tags:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This is a Gravatar-enabled weblog. To get your own globally-recognized-avatar, please register at Gravatar.