<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; mod_security</title> <atom:link href="http://www.ghacks.net/tag/mod_security/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 20:51:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Install mod_security for better Apache security</title><link>http://www.ghacks.net/2009/07/15/install-mod_security-for-better-apache-security/</link> <comments>http://www.ghacks.net/2009/07/15/install-mod_security-for-better-apache-security/#comments</comments> <pubDate>Wed, 15 Jul 2009 01:09:31 +0000</pubDate> <dc:creator>Jack Wallen</dc:creator> <category><![CDATA[Linux]]></category> <category><![CDATA[Networks]]></category> <category><![CDATA[Open Source]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Server]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Tutorials Advanced]]></category> <category><![CDATA[apache]]></category> <category><![CDATA[apache security]]></category> <category><![CDATA[httpd.conf]]></category> <category><![CDATA[mod_security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=14396</guid> <description><![CDATA[Recently I wrote an article to help you secure your Linux Apache Installation (see &#8220;Five ways to help secure Apache on Linux&#8221;). In that article I mentioned using Apache&#8217;s mod_security, but didn&#8217;t have the room for a tutorial on its installation. Well, here&#8217;s the how to on installing this outstanding helper for Apache security. What [...]]]></description> <content:encoded><![CDATA[<p>Recently I wrote an article to help you secure your Linux Apache Installation (see &#8220;<a
title="Five ways to secure Apache on Linux" href="http://www.ghacks.net/2009/07/13/five-ways-to-help-secure-apache-on-linux/" target="_blank">Five ways to help secure Apache on Linux</a>&#8221;). In that article I mentioned using Apache&#8217;s mod_security, but didn&#8217;t have the room for a tutorial on its installation. Well, here&#8217;s the how-to on installing this outstanding helper for Apache security.</p><p><strong>What is mod_security?</strong></p><p>The mod_security addition to Apache is a modular way to add or remove various security features to your Apache server. You can add or remove these modules by simply adding or removing (or commenting out) lines in your <strong>httpd.conf</strong> file and restarting the httpd daemon. And installing mod_security is easy.</p><p><span
id="more-14396"></span><strong>Getting and installing</strong></p><p>I am going to take you through the installation of mod_security on a CentOS distribution. There will be a combination of using yum and installing from source. I will assume Apache is already installed.</p><p>There are a few ways to install this package. You can install from source, but that will require you to install numerous dependencies just for the compilation alone. Since we&#8217;re looking at CentOS (and this will apply to Red Hat and Fedora as well) you can use Yum for easy installation. But if you fire Yum up you will find that mod_security is not in the standard repositories. Fortunately there is an easy way to add a repo for this installation. The command to add the repository is:<br
/> <code>su -c 'rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm'</code></p><p>You will have to answer &#8216;Y&#8217; to a couple of questions to finish the installation. Once you have added the repository issue the command:</p><p><em>yum install mod_security</em></p><p>to install the system. You will have to accept any dependencies needed for your system to complete the installation. Once mod_security is installed you are ready to get it up and running on your Apache server.</p><p><strong>Basic configuration</strong></p><p>Issue the command:</p><p><em>grep -n security2_module httpd.conf<br
/> </em></p><p>from within the <strong>/etc/httpd/conf/ </strong>directory. If you do not see any output that means you have to add the directive to your <strong>httpd.conf</strong> file. This is simple. At the end of your module loading section add the following line:</p><p><em>LoadModule security2_module modules/mod_security2.so<br
/> </em></p><p>Now save the file and restart Apache with the command:</p><p><em>/etc/rc.d/init.d/httpd restart</em></p><p>You should not receive any errors at this point.</p><p>The most difficult aspect of using mod_security is the IfModule section in the <strong>httpd.conf</strong> file. This section is so complex because there are so many possible options. The best chance you have of getting familiar with this is by taking a glance at the <a
title="Configuration Directives" href="http://modsecurity.org/documentation/modsecurity-apache/2.5.9/html-multipage/configuration-directives.html" target="_blank">Configuration Directives</a> page on the mod_security web site. To give you an example of a configuration directive section take a look at the following sample in Figure 1.</p><div
id="attachment_14398" class="wp-caption alignleft" style="width: 310px"><a
href="http://www.ghacks.net/wp-content/uploads/2009/07/mod_sec1.png"><img
class="size-medium wp-image-14398" src="http://www.ghacks.net/wp-content/uploads/2009/07/mod_sec1-500x310.png" alt="Figure 1" width="300" height="186" /></a><p
class="wp-caption-text">Figure 1</p></div><p>As you can see this section seems fairly complex. But this is mostly a basic sample of what mod_security can do. In this sample we do the following:</p><ul><li>SecFilterEngine On: Start the engine.</li><li>SecFilterDefaultAction: Set the default action for the module. Notice in the sample code I have the default action set to &#8220;allow&#8221;. For higher security you will want to set this to &#8220;deny&#8221;.</li><li>SecFilterScanPOST: Tell mod_security to scan POST payloads as well as GET requests.</li><li>SecFilterCheckURLEncoding: Check for valid hex values in requests.</li><li>SecFilterCheckUnicodeEncoding: Set this to Off if your web site does not use Unicode encoding.</li><li>SecFilterForceByteRange: Set allowable ASCII values in GET requests and in FORM data posts.</li><li>SecUploadDir: Set the upload directory.</li><li>SecUploadKeepFiles: This must be set to On for the above to be used. For security&#8217;s sake you want to set it to Off so upload files are not saved.</li><li>SecAuditEngine: Enables the logging facility. This value is set to either RelevantOnly or DynamicOrRelevant.</li><li>SecAuditLog: The location of the log file.</li><li>SecFilterDebugLog: Set the debug log file.</li><li>SecFilterDebugLevel: Set the debug level.</li></ul><p>Those are the minimum directives I would employ for your mod_security configuration.</p><p>Once you finish this section, restart Apache again and enjoy a much more secure Apache server.</p><p><strong>Final thoughts</strong></p><p>Of course this just scratches the surface of mod_security. 
To really get the most out of this powerful feature, you will want to comb through the directives section on the mod_security site.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/07/15/install-mod_security-for-better-apache-security/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Five ways to help secure Apache on Linux</title><link>http://www.ghacks.net/2009/07/13/five-ways-to-help-secure-apache-on-linux/</link> <comments>http://www.ghacks.net/2009/07/13/five-ways-to-help-secure-apache-on-linux/#comments</comments> <pubDate>Mon, 13 Jul 2009 20:09:06 +0000</pubDate> <dc:creator>Jack Wallen</dc:creator> <category><![CDATA[Advice]]></category> <category><![CDATA[Linux]]></category> <category><![CDATA[Open Source]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Server]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[apache]]></category> <category><![CDATA[document root]]></category> <category><![CDATA[mod_security]]></category> <category><![CDATA[securing apache]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=14373</guid> <description><![CDATA[Apache is one of the most popular web servers available. And most Apache installations are running on Linux servers. Anyone running Linux will tell you that the operating system (be it on a server or desktop) enjoys a level of security many operating systems do not enjoy. But does that mean you can just install [...]]]></description> <content:encoded><![CDATA[<p>Apache is one of the most popular web servers available. And most Apache installations are running on Linux servers. Anyone running Linux will tell you that the operating system (be it on a server or desktop) enjoys a level of security many operating systems do not enjoy. But does that mean you can just install Apache and assume it is 100% safe? No. There are always ways to improve your security on just about every level.</p><p>In this article I will show you five simple ways to make your Linux Apache installation more secure. And of course you should always know that even with five new means of making your install more secure, that doesn&#8217;t mean it is perfectly safe from attack. Even after securing your installation, you should always keep watch over your server by checking log files and using standard security tools.</p><p>With that said, let&#8217;s get our Apache security on!</p><p><span
id="more-14373"></span>1. Update, update, update! One of the biggest mistakes Linux administrators make is to &#8220;set it and forget it&#8221;. This should not be your standard policy. There are always updates that close new holes and patch security flaws. This holds true for Apache as much as it does any other system or application. Keep watch, using your normal means of update, for any security update for Apache or any constituent component you have installed. By doing this you will ensure your web server is safe from any new known issues.</p><p>2. Disable modules you do not use. Check the Apache configuration file. Most often this file is called <strong>httpd.conf</strong> and its location will depend upon what distribution you are running (for example, CentOS has this file in <strong>/etc/httpd/conf/</strong> whereas Ubuntu locates it in <strong>/etc/apache2</strong>). If you examine that file you will see quite a few modules listed. These modules will look like:</p><p><code>LoadModule auth_basic_module modules/mod_auth_basic.so<br
/> LoadModule auth_digest_module modules/mod_auth_digest.so<br
/> LoadModule authn_file_module modules/mod_authn_file.so<br
/> LoadModule authn_alias_module modules/mod_authn_alias.so<br
/> LoadModule authn_anon_module modules/mod_authn_anon.so</code></p><p>You might have to look up what some of these modules do to know if you need them or not. But there is no reason to load a module if you are not going to use it. To keep a module from loading, place a comment in front of the line. You will have to restart Apache for this change to take effect.</p><p>3. Limit the request sizes allowed. Denial of Service attacks remain one of the most popular attacks on web sites because they are the easiest to pull off. One way to protect your site from DoS attacks is to use the following directives wisely: LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody within a Directory tag (the document root is probably the best place for this). By default Apache sets these directives to unlimited which means any size of request can be made. You will want to investigate these directives and configure them to suit your web site&#8217;s needs. Unless it is absolutely necessary, do not set them to unlimited.</p><p>4. Use mod_security. This is the most important module you can use. This one module handles such tasks as: simple filtering, regular expression filtering, server identity masking, and URL encoding validation. It is likely you will have to install mod_security, because the default Apache install does not include this module. Once installed you will want to make sure you at least add the &#8220;unique_id&#8221; and &#8220;security2&#8221; directives in your Apache module section and then restart Apache. I will deal with this module in its own tutorial coming up very soon.</p><div
id="attachment_14375" class="wp-caption alignleft" style="width: 205px"><img
class="size-full wp-image-14375" src="http://www.ghacks.net/wp-content/uploads/2009/07/apache.png" alt="Figure 1" width="195" height="125" /><p
class="wp-caption-text">Figure 1</p></div><p>5. Restrict browsing to your document root. The last thing you want is to allow a browser to peek outside of the Apache document root (such as <strong>/var/www/html </strong>or <strong>/var/www/</strong>). To do this you will want to configure your document root directory entry as shown in Figure 1. This will</p><p>Of course if you want to add options to any directory inside of the document root you will have to give that directory its own Directory entry.</p><p><strong>Final thoughts</strong></p><p>There are plenty more ways to secure your Apache installation, but these will get you started. Can you think of other ways to secure an Apache installation? If so, share them with your fellow ghacks readers.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/07/13/five-ways-to-help-secure-apache-on-linux/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> </channel> </rss>
