With more than 67% of web servers running Apache and web-based attacks becoming more and more prevalent, web security has become a critical area for web site managers. Most existing tools work on the TCP/IP level, failing to use the specifics of the HTTP protocol in their operation. Mod_security is a module running on Apache, which will help you overcome the security threats prevalent in the online world.
A complete guide to using ModSecurity, this book will show you how to secure your web application and server, and does so by using real-world examples of attacks currently in use. It will help you learn about SQL injection, cross-site scripting attacks, cross-site request forgeries, null byte attacks, and many more so that you know how attackers operate.
Using clear, step-by-step instructions this book starts by teaching you how to install and set up ModSecurity, before diving into the rule language with examples. It assumes no prior knowledge of ModSecurity, so as long as you are familiar with basic Linux administration, you can start to learn right away.
Real-life case studies are used to illustrate the dangers on the Web today: you will, for example, learn how the recent worm that hit Twitter works, and how you could have used ModSecurity to stop it in its tracks. The mechanisms behind these and other attacks are described in detail, and you will learn everything you need to know to make sure your server and web application remain unscathed on the increasingly dangerous web. Have you ever wondered how attackers figure out the exact web server version running on a system? They use a technique called HTTP fingerprinting, and you will learn about this in depth and how to defend against it by flying your web server under a "false flag".
The last part of the book shows you how to really lock down a web application by implementing a positive security model that only allows through requests that conform to a specific, pre-approved model, and denying anything that is even the slightest bit out of line.
Page count: 363
Year of publication: 2009
Copyright © 2009 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: November 2009
Production Reference: 1171109
Published by Packt Publishing Ltd.
32 Lincoln Road
Olton
Birmingham, B27 6PA, UK.
ISBN 978-1-847194-74-9
www.packtpub.com
Cover Image: Karl Moore (<[email protected]>)
Author: Magnus Mischel
Reviewers: Kai 'Oswald' Seidler, Daniel Cuthbert
Acquisition Editor: James Lumsden
Development Editor: Dhiraj Chandiramani
Technical Editor: Conrad Sardinha
Copy Editor: Sanchari Mukherjee
Indexer: Rekha Nair
Editorial Team Leader: Gagandeep Singh
Project Team Leader: Lata Basantani
Project Coordinator: Rajashree Hamine
Proofreader: Lynda Sliwoski
Graphics: Nilesh Mohite
Production Coordinator: Aparna Bhagat
Cover Work: Aparna Bhagat
Magnus Mischel is the founder and director of Mischel Internet Security (http://www.misec.net), whose product TrojanHunter helps protect computers against malware. His long-time passion for computer security is what led to him starting the company after realizing the threat that trojans and other malware pose to users. He currently lives in London, and when he isn't writing books or managing the company, he enjoys playing a game of chess at the Metropolitan Chess Club. He holds an MSc in Computer Science and Engineering from Linköping University, Sweden.
Kai 'Oswald' Seidler was born in Hamburg in 1970. He graduated from Technical University of Berlin with a Diplom Informatiker degree (Master of Science equivalent) in Computer Science. In the 90's he created and managed Germany's biggest IRCnet server, irc.fu-berlin.de, and co-managed one of the world's largest anonymous FTP servers, ftp.cs.tu-berlin.de. He professionally set up his first public web server in 1993. From 1993 until 1998 he was a member of Projektgruppe Kulturraum Internet, a research project on net culture and network organization. In 2002, he co-founded Apache Friends and created the multi-platform Apache web server bundle XAMPP. Around 2005 XAMPP became the most popular Apache stack worldwide. In 2006, his third book, Das XAMPP-Handbuch, was published by Addison Wesley.
Currently he's working as technology evangelist for web tier products at Sun Microsystems.
Daniel Cuthbert heads up Corsaire's Security Training and has over nine years of industry experience. During this time he has focused on Security Assessment for some of the world's largest consultancies and financial, telecommunication, and media institutions.
He holds a master's degree in IT Security from the University of Westminster and is both a founding member of the Open Web Application Security Project (OWASP) and a previous UK Chapter Head. He has worked on helping companies adopt the Secure Development Lifecycle (SDLC) approach and has lectured extensively on the subject.
He has worked on a wide variety of books for the OWASP project.
Running a web service leaves you exposed in a lot of different ways. A security vulnerability in the web server software or any of the additional modules needed to run the site can result in a compromised server, lost data, and downtime. As a compromised server costs a lot to restore in terms of time and resources, it pays to have the best security possible in place, and ModSecurity is an essential tool to protect your web service. This book aims to show you how to protect your server using ModSecurity as an important layer to prevent intrusions and detect intrusion attempts.
ModSecurity is a web application firewall. Much like a traditional firewall, it filters incoming and outgoing data and is able to stop traffic that is considered malicious according to a set of predefined rules. It also has many advanced features such as HTTP transaction logging and content injection, which we will be covering later.
Rules are created and edited using a simple text format, which affords you great flexibility in writing your own rules. Once you master the syntax of ModSecurity rules you will be able to quickly write your own rules to block a new exploit or stop a vulnerability being taken advantage of. Make no mistake though, this text-based rule language is also very powerful and allows you to create very advanced filters as we will see in the later chapters.
Think of ModSecurity as a customs agent that sits at the border. Every request is examined to make sure no unauthorised payloads make it inside to your web server. When an attack is discovered, the details can be written to a log file, or an email can be sent out to the administrator of the site to alert them to the attempted intrusion.
Imagine that you have your web server set up and chugging along nicely. It is serving requests without problems and not even straining under the load. Suddenly, it stops working—the web server port is closed and you can't even log on to it via SSH.
What you don't know is that there is a 0-day exploit for PHP, which you happen to be running on the server since most of the dynamic content is written in PHP. A malicious hacker has managed to use this new exploit to execute shell code on your server that added a new user account and allowed him to log on via SSH. Once inside, he proceeded to use a well-known privilege elevation exploit for the old version of the Linux kernel you are running to gain root privileges. As root he then had total control of the server and decided to gather whatever data he could off the server before panicking and deciding to cover his tracks by wiping the server's hard drive.
Does this sound far-fetched? It's not. Most compromised servers are attacked by using the web service to gain initial entry to it. You can't exploit a closed port, and port 80 is the one port that needs to be open to everyone for a web server to be able to function. Once inside, the attacker can then use other exploits to gain additional privileges, as in this example.
The difficulty in protecting a server is that new exploits appear all the time, and even if you patch them within a few days (which is something very few sites do!), there is still a certain time window where you are vulnerable to being attacked.
ModSecurity allows you to protect your server by writing generic rules that cover a broad range of possible attacking scenarios. Thus, ModSecurity is an additional layer that can protect you in a way that no patching, no matter how swift or meticulously done, can.
Chapter 1: Installation and Configuration shows how to compile ModSecurity from source, install and integrate it with Apache, and make sure it works.
Chapter 2: Writing Rules teaches you everything you need to know about writing ModSecurity rules.
Chapter 3: Performance takes a look at the performance of ModSecurity and what impact, if any, it has on the speed of your server and web application.
Chapter 4: Logging and Auditing teaches you how to configure logging and how to use the ModSecurity console to view logs online.
Chapter 5: Virtual Patching covers the technique of creating a "virtual" patch to fix any vulnerability which does not have a vendor-supplied patch, or where the source code to the web application is not available or easily patched.
Chapter 6: Blocking Common Attacks explains how common attacks on the web today work, and how to block them using ModSecurity.
Chapter 7: Chroot Jails is about creating a chroot jail for Apache, and how this can easily be accomplished using ModSecurity (usually it is a quite tedious task).
Chapter 8: REMO teaches you how to install and use the Rule Editor for ModSecurity (REMO), which is a graphical tool to create ModSecurity rules.
Chapter 9: Securing a Web Application takes a real-life web application and secures it using a positive security model, which means that only requests that correspond to a pre-defined pattern are allowed through; anything else is denied.
Appendix A: Directives and Variables contains a list of the directives available for use in your ModSecurity configuration file and also the variables available for use in rule writing.
Appendix B: Regular Expressions teaches you the basics of regular expressions so that you can make use of them when writing ModSecurity rules in a better way.
This book is mainly targeted at Linux systems and as such most of the commands will be Linux commands. Many systems today run standard configurations such as LAMP (Linux, Apache, MySQL, PHP), and the book will focus on those setups that are commonly used in real-world environments.
ModSecurity runs on many other platforms, such as FreeBSD, OpenBSD, HP-UX and Mac OS X. If you are familiar with the differences between Linux and your platform you should be able to use the advice in this book to get everything working on your particular platform.
As of the release date of this book the latest version of ModSecurity is 2.5. You can always find the latest release at www.modsecurity.org, which is the project's official web site.
This book is aimed at the web server administrator who wishes to install and use ModSecurity on one or several web servers; either his own or those used by a company. The book does not assume the reader is an expert in Internet security and thus most vulnerabilities and exploits will be explained so that the reader is better able to understand the threat and the reason to guard against it.
There are many articles available online that cover ModSecurity; however most of them only examine one or two aspects of the module such as installation or how to write rules. This book aims to be a complete guide to the process of installing and deploying the module. You can also use this book as a reference guide when you need to create rules for a new or existing web server.
Once finished with the book, you will have a better idea of the exploits that are currently used by malicious hackers, and you will also know how to protect your servers against these and other exploits.
Some of the rules are aimed at specific application setups or languages such as PHP or SQL. However the book aims to explain the reason for creating the rules in as general terms as possible so that even readers who are not familiar with these languages will understand why certain rules will protect the server against attack.
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "Some collections have fixed fields, such as the GEO collection, which contains fields such as COUNTRY_NAME and CITY."
A block of code is set as follows:
When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "If necessary, you can change the protocol used to standard HTTP in the console settings under Administration | Web Server Configuration once you have logged in."
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an email to <[email protected]>, and mention the book title via the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or email <[email protected]>.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book on, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
Downloading the example code for the book
Visit http://www.packtpub.com/files/code/4749_Code.zip to directly download the example code.
The downloadable files contain instructions on how to use them.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration, and help us to improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the let us know link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata added to any list of existing errata. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or web site name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
This chapter deals with the installation and basic configuration of ModSecurity. In this chapter you will learn about the following, among other things:
If you're new to ModSecurity I would recommend that you set it up on a test server while you get acquainted with the ins and outs of using it. You wouldn't want to deploy it on a production server only to find out a few days later that you've been blocking everyone in Europe from accessing your server because of a misconfiguration. (For more on blocking users from specific countries, see Chapter 2, Writing Rules.)
The installation instructions in this chapter show you how to compile ModSecurity from source. Some Linux distributions also make packages for ModSecurity available, but since compiling from source guarantees you will get the latest version of ModSecurity that is what we'll be doing in this chapter.
ModSecurity version 2.0 was first released in October 2006 and is a big improvement over the previous major version line. It is a substantial rewrite that changes the rule language and adds a lot of improvements such as:
At the time this book was published, the latest major ModSecurity version was 2.5, and this version line adds even more enhancements such as the ability to reference a geographical database, which allows you to create rules that take action based on the geographical location of the user. Another interesting new feature is credit card number detection, which can be used to detect and prevent credit card numbers from being exposed through your web server. Of course, all the other security features that make ModSecurity such a great web application firewall have been refined and are available in the latest version, and we will learn all about them in the coming chapters.
Since version 2 of ModSecurity is such a different beast to previous versions, this book focuses only on this latest major version branch. This means that you must run Apache 2.0 or later, as ModSecurity 2 requires this Apache branch to function.
As Apache 1.x is a legacy branch that is now only infrequently updated (and when updated, mostly to patch known security vulnerabilities), now might be a good time to upgrade to the 2.x branch of Apache if you're still running an older version.
ModSecurity was originally developed by web application security specialist Ivan Ristic in 2002. He has also written the excellent book Apache Security (O'Reilly Media, 2005) which I highly recommend if you want a general book on hardening Apache. ModSecurity was acquired by Breach Security, a California-based web application security company, in 2006. The company chose to continue releasing ModSecurity as a free open source product (under the GPLv2 license), hiring Ivan and additional staff to work on the product, which is good news for all users of ModSecurity.
The ModSecurity source code is available at http://www.modsecurity.org/download/. The source is provided as a .tar.gz archive—to download it all you have to do is copy the link to the latest release and you will then be able to use wget to download the source archive to your server.
In the following text the name of the file used for the source archive is assumed to be modsecurity-apache.tar.gz. Make sure you substitute the actual file name or web location (which usually includes the version number of the latest release) for this name when downloading or working with files.
Checking the integrity of the downloaded archive file is always a good habit. This ensures that the file has not been tampered with in any way. There are two ways to do this—a less secure and a more secure way. The less secure way is to use the md5sum tool to calculate the MD5 sum of the downloaded file and then compare this MD5 sum to the one published on the ModSecurity website.
MD5 is an algorithm of a type called "cryptographic one-way hash". It takes an input of an arbitrary size (the source archive, in this case), and produces an output of a fixed length. A hash function is designed so that if even one bit changes in the input data, a completely different hash sum is calculated. The hash function should also be collision resistant. This means that it should be very hard to create two files that have the same hash value.
Using the MD5 sum to verify the integrity of the archive is less than optimal for two reasons:
The better way to verify the integrity of the downloaded source archive is to use public key cryptography. In public key cryptography, encryption and decryption are performed using different keys. When it is used for signing, as here, encryption is performed using a private key, which only the signer of a file or document has access to. Decryption is done using a public key, which anyone can access and which can be published online.
When a file is signed using public key cryptography, a checksum for the file is first calculated, just like with the MD5 algorithm described above. The calculated hash is then encrypted using the signer's private key. You can then verify the integrity of the signed file by decrypting the hash (using the signer's public key) and comparing it to the calculated hash value. All of this is done automatically using a program such as PGP or GNU Privacy Guard (GPG).
The developers of ModSecurity have signed the source code archive using their private key, which allows us to verify its integrity in the manner just described. The first thing we need to do in order to verify the archive is download the file that contains the signature:
We can then use the open source program GPG to verify the signature. GPG comes pre-installed on most Linux systems; however should the program not be installed on your system you can get it at http://www.gnupg.org.
When we try to verify the signature of the source archive using GPG we will encounter a problem, as we don't have the public key of the person who signed the file:
Fixing this is however easy. All we need to do is download the public key file used to sign the file, as specified by the key ID in the output above. The key is available on the server pgp.mit.edu, which is a repository of public key files.
If you have a firewall controlling outbound traffic, you need to enable connections to remote port 11371 for GPG to be able to download the key.
The following command is used to download the key from the server:
Now that we have downloaded the public key, all the required elements to check the signature are in place. Running the verification command again produces this output:
The verification of the source archive using the public key we just downloaded has succeeded, as evidenced by the line starting with Good signature from. However, what about the ominous-looking message Warning: This key is not certified with a trusted signature?
Public key cryptography tools such as GPG work using a concept called web of trust. In the same way that you might trust that your best friend's parents are the people he introduces to you as his parents, a public key can be trusted if other people you trust have verified that the key belongs to the actual person it is issued to. This verification of another key is called signing the key, and this can be done by many people (to continue our analogy, this would be like other people verifying that your best friend's parents are the people he introduced you to).
If you don't already have public keys installed on your system that build a chain of trust and verify that the key you just used really does belong to Brian Rectanus, there is a (very small) chance that someone could have forged his public key. Fortunately, for those who are very paranoid, or are working on a project that has high security demands, it is possible to verify that a public key belongs to a person. This is done by taking the key's fingerprint, and asking someone who knows Brian (or even Brian himself) to verify that his key has the fingerprint shown on your copy. You can show the fingerprints of all the keys you have imported into GPG by executing gpg --fingerprint.
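The verification steps above, scripted as an added example (not code from the book): gpg is run with machine-readable status output, a missing signer key is fetched from pgp.mit.edu as the chapter does by hand, and the verdict is reported together with the fingerprint you should confirm out of band. The archive and .sig paths, the sample status lines and the key ID in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book: verify a downloaded ModSecurity source
# archive against its detached .sig file, fetching the signer's public key
# from the keyserver when it is not yet in the local keyring.
# Assumes gpg is installed and that ARCHIVE and SIG are passed as arguments.
KEYSERVER="pgp.mit.edu"   # HKP keyserver named in the chapter (TCP port 11371)

# parse_gpg_status reads the lines written by "gpg --status-fd 1" on stdin
# and prints a one-line verdict:
#   MISSING_KEY <keyid>   the signer's public key is not in the keyring
#   GOOD <fingerprint>    the signature matches (the key may still be untrusted)
#   BAD                   the signature does not match the archive
#   UNKNOWN               nothing recognisable (e.g. the .sig file is missing)
parse_gpg_status() {
    missing=""; fpr=""; good=0; bad=0
    while IFS=' ' read -r tag kw a1 _rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            NO_PUBKEY) missing="$a1" ;;      # key ID gpg could not find
            VALIDSIG)  good=1; fpr="$a1" ;;  # full fingerprint of the signing key
            GOODSIG)   good=1 ;;
            BADSIG)    bad=1 ;;
        esac
    done
    if [ "$bad" -eq 1 ]; then echo "BAD"
    elif [ -n "$missing" ]; then echo "MISSING_KEY $missing"
    elif [ "$good" -eq 1 ]; then echo "GOOD $fpr"
    else echo "UNKNOWN"; fi
}

# run_verify SIG ARCHIVE prints gpg's status lines (empty output if gpg fails).
run_verify() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null || true
}

# verify_archive ARCHIVE SIG returns 0 only for a good signature.
verify_archive() {
    archive="$1"; sig="$2"
    verdict=$(run_verify "$sig" "$archive" | parse_gpg_status)
    case "$verdict" in
        "MISSING_KEY "*)
            keyid=${verdict#MISSING_KEY }
            echo "public key $keyid not in keyring, fetching from $KEYSERVER" >&2
            gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" >/dev/null 2>&1 || return 2
            verdict=$(run_verify "$sig" "$archive" | parse_gpg_status)
            ;;
    esac
    case "$verdict" in
        "GOOD "*)
            echo "Good signature on $archive"
            # A freshly downloaded key is not in your web of trust yet: compare
            # this fingerprint with one obtained out of band before relying on it.
            echo "signing key fingerprint: ${verdict#GOOD }"
            return 0 ;;
        BAD) echo "BAD signature on $archive: do not use this file" >&2; return 1 ;;
        *)   echo "could not verify $archive ($verdict)" >&2; return 2 ;;
    esac
}

# Constructed sample status output (not real gpg output for any real key),
# in the shape gpg emits, so the parser can be exercised without running gpg.
SAMPLE_NO_KEY="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1257000000 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF"
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-11-01 1257000000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.com>"

# Usage: sh verify-modsec.sh modsecurity-apache.tar.gz modsecurity-apache.tar.gz.sig
if [ "$#" -eq 2 ]; then
    verify_archive "$1" "$2"
fi
```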
If you have downloaded the gzip file with the source code and saved it as modsecurity-apache.tar.gz you can use the following command to unpack it:
This will unpack the source code into a subfolder with the name modsecurity-apache. It will also create a directory structure in this folder where the different subfolders will hold the source code, documentation, and sample rules, among other things. A typical layout of the directories is as follows:
modsecurity/apache2: Contains the source code to ModSecurity as well as the files needed to build the binary module.
modsecurity/doc: Contains the ModSecurity reference guide in HTML and PDF format.
modsecurity/rules: Contains .conf files with pre-configured rules useful for stopping a variety of attacks. These rule files are known as the core ruleset, and this ruleset is continuously refined by Breach Security.
modsecurity/tools: Contains supporting tools, such as a Perl script to update rules (which is created during the compilation process).
ModSecurity requires the following additional components before you can compile it:
apxs is the APache eXtenSion tool and is used to compile extension modules for Apache. Since ModSecurity is an Apache module this tool is required to be able to compile ModSecurity. You can see if you have apxs installed on your system by running the following:
If apxs is available the above command will return its location, like so:
If you don't have apxs installed then it is available as part of a package called httpd-devel (or apache2-dev on Debian, Ubuntu, and related distributions). Use your favorite package manager to install this and you should then have apxs available on your system.
libxml2 is an XML parsing library. If you don't have this installed then you can get it by installing the package libxml2-devel (or libxml2-dev if you're using a Debian-based distribution).
Finally, mod_unique_id is an Apache module that generates a unique identifier for each HTTP request. (See http://httpd.apache.org/docs/2.0/mod/mod_unique_id.html if you are interested in the technical details on how this works.) Apache usually comes with this module pre-compiled, but you'll need to insert the following line in the module list of httpd.conf (you can find this list by looking for a bunch of lines all starting with the LoadModule directive) and restart the server for the module to be activated:
Note that this procedure for enabling the module is for Red Hat/Fedora-based distributions. On Debian/Ubuntu, for example, you would use the command a2enmod unique_id to enable the module.
To verify that mod_unique_id is indeed loaded into Apache you can run the following command and check for the presence of the line unique_id_module (shared) in the output listing:
On Debian-based distributions, use apache2 -t -D DUMP_MODULES instead of the above.
As with other Linux software that comes as source, you need to compile ModSecurity to be able to use it. Compilation will result in a file called mod_security2.so, which is a binary shared module used by the Apache server in a plugin-like fashion. This module file contains all the functionality of ModSecurity.
The fact that ModSecurity is an Apache module and not a stand-alone application (it could have been written as a reverse proxy server, filtering requests and then passing them to Apache) confers many advantages. One of these is the ability to inspect SSL connections and see data compressed using mod_deflate without having to write any additional code to decrypt or decompress the data first.
To get started compiling the source, change to the root user as you will require root privileges to install ModSecurity. Then change to the apache2 subfolder of the directory where you unpacked ModSecurity (for example, /home/download/modsecurity-apache/apache2/). This directory contains the source files and all the files needed to build the binary module.
To be able to compile the binary, you need a Makefile, which is a file that contains details of your particular server setup such as which compiler is available and what options it supports. To generate the Makefile, run the following command:
If the configure script stops with an error indicating that the PCRE library cannot be found, this is usually because you have compiled Apache from source and it has used the PCRE library that is bundled with the Apache distribution. Running configure --with-pcre=/path/to/apache-src/srclib/pcre should solve the problem (if it doesn't, edit Makefile and change the PCRE_CFLAGS and PCRE_LIBS variables to point to the pcre directory).
After this command has completed, check for the presence of a file called Makefile in the current directory. After making sure it exists you can go ahead and compile the binary:
You should see a fairly long list of messages written to the terminal as the compilation takes place, and if everything goes well there should be no error messages (though you may get a few compiler warnings, which you can ignore).
The compilation process outlined in the previous section results in a file called mod_security2.so being created. This is an Apache dynamic shared object which is a plugin to Apache that adds functionality to the web server without requiring it to be recompiled. This file contains all the ModSecurity functionality, and integrating it like any other Apache module is, except for some basic configuration, all it takes to enable ModSecurity on your server.
The mod_security2.so file is output to the modsecurity-apache/apache2/.libs directory by the compiler. To let Apache know about ModSecurity, start by copying the mod_security2.so file to your Apache modules directory. Typically the modules directory will be something like /etc/httpd/modules, but the location will vary depending on your setup.
The next step is to edit the Apache configuration file and add a line to let the web server know about the new module. Start your favorite editor and open up httpd.conf (again, the location will vary depending on your setup, but assuming the same Apache base directory as in the previous section, the file will be in /etc/httpd/conf/httpd.conf). It's a good idea to create a backup copy of httpd.conf before you start editing the file, so that you can revert to the backup if anything goes wrong.
In httpd.conf there will be a fairly long list of configuration directives that start with the word LoadModule. Find this section of LoadModule directives and add the following line to the top of the list:
The security2_module string is known as the module identifier, and is declared in the source code of each module. It is used by Apache to later identify the module in such directives as IfModule, which turn on or off processing of configuration directives based on whether or not the module is loaded.
After adding this line, exit the editor and run apachectl configtest. This will test the new configuration file and report back any errors so you can fix them before attempting to restart the server. If all went well, run apachectl restart to restart the web server. This will load ModSecurity which means the fun part of writing rules can soon begin!
It is best to put all the configuration and security rules for ModSecurity in a separate file in the conf.d sub-directory of the Apache root directory. This prevents you from cluttering your main Apache configuration file with ModSecurity directives.
Simply start your favorite editor, create a file called modsec.conf in the conf.d directory, and enter the following to get started:
Make sure the IfModule directive uses the module identifier you provided in the LoadModule line in httpd.conf (security2_module in this case), otherwise Apache will ignore everything between the start and end of IfModule.
SecRuleEngine On turns on the rule engine so that it will start processing rules. For debugging purposes you can also set this to Off (which will turn off rule processing) or DetectionOnly, which will process rules but not take any action, even if a rule matches (which is helpful if you want to test that rules are working, but not block any requests should there be a problem with the rules).
The SecDefaultAction line above specifies what happens when a rule match occurs. In this case we want ModSecurity to deny the request with a status code 403 ("Forbidden"), and to write a log entry (which will show up in the Apache error log and the ModSecurity audit log). The default action is to allow requests even if a rule matches, so it is important to add this line to make sure any matching rule results in the request being denied.
You may be wondering what the phase:2 statement in the above directive does. ModSecurity divides the processing of a request into five phases—request headers, request body, response headers, response body and logging:
Phase number | Phase name | Phase occurs
--- | --- | ---
1 | REQUEST_HEADERS | Right after Apache has read the headers of the HTTP request.
2 | REQUEST_BODY | After the request body has been read. Most ModSecurity rules are written to be processed in this phase.
3 | RESPONSE_HEADERS | Right before the response headers are sent back to the client.
4 | RESPONSE_BODY | Before the response body is sent back to the client. Any processing of the response body, for example to inspect it for data leaks, should take place in this phase.
5 | LOGGING | Right before logging takes place. At this point requests can no longer be blocked; all you can do is affect how logging is done.
As can be seen from the table, the most useful phase when we want to inspect incoming HTTP requests is the request body phase, in which all of the request headers, as well as the body, are available. By specifying phase:2 for the default action, subsequent rules will all be processed in phase 2 unless another phase is specified in a rule.
To override the default phase for a rule, you use the phase action, as can be seen in this example, which stops processing and denies the request if the request's User-Agent header contains the string WebVulnScan, which is a script to find weaknesses in web servers:
This will cause the rule to be processed in phase 1—after the request headers have been received.
To complete the configuration we will introduce some additional directives. Here is the complete basic configuration file:
The SecRequestBodyAccess On directive turns on processing of HTTP request bodies. This allows us to inspect uploads done via POST requests. When this directive is enabled, ModSecurity will buffer the request body in memory and process it before giving Apache access to it for the remaining processing.
Using the SecDebugLog directive, we specify the path to the debug log file. In this case it will be stored in the logs sub-directory of the Apache root. We set the SecDebugLogLevel to 0, meaning no debug data will be recorded. It's useful to have this in the configuration file so that the debug log level can be changed should we need to debug the ruleset.
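As an added example (not the book's own listing), here is how the LoadModule line and the complete basic modsec.conf described above fit together, including the phase 1 WebVulnScan rule. The module path, the debug log file name and the rule id are assumptions; the id is not needed by ModSecurity 2.5 but is mandatory in later releases.

```apache
# --- /etc/httpd/conf/httpd.conf: added at the top of the LoadModule list ---
# Path is relative to the Apache ServerRoot (assumed location)
LoadModule security2_module modules/mod_security2.so

# --- /etc/httpd/conf.d/modsec.conf ---
# The identifier must match the one in the LoadModule line, otherwise
# Apache silently skips everything inside the IfModule block
<IfModule security2_module>
    # On = process rules and act on them
    # DetectionOnly = process rules, log matches, never block
    # Off = do not process rules at all
    SecRuleEngine On

    # What happens when a rule matches and does not say otherwise:
    # run in phase 2 (request body), deny with 403 and write a log entry
    SecDefaultAction "phase:2,deny,log,status:403"

    # Buffer request bodies so POST uploads can be inspected by rules
    SecRequestBodyAccess On

    # Debug log in the logs sub-directory of the Apache root (assumed file name);
    # level 0 records nothing, raise it when a ruleset needs troubleshooting
    SecDebugLog logs/modsec_debug.log
    SecDebugLogLevel 0

    # Override the default phase: inspect the User-Agent header in phase 1,
    # before the request body is even read. "deny" and "log" are inherited
    # from SecDefaultAction, so only the phase (and an id) need stating.
    SecRule REQUEST_HEADERS:User-Agent "WebVulnScan" "phase:1,id:1000"
</IfModule>
```

Run apachectl configtest after saving; a typo in a directive name (such as SeqRequestBodyAccess) is reported there rather than at runtime.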
After completing the installation we need a way to test that the ModSecurity module has been loaded and is working as it should. The procedure described here can be used to test that ModSecurity is functioning correctly whenever you feel the need to verify this (such as after making changes to your Apache configuration file).
To test that ModSecurity is working correctly we will create a simple HTML file and then deny access to it using a ModSecurity rule. Change to your web server's DocumentRoot directory and run the following command to create a file called secret.html containing our secret string:
Next, verify that you are able to access the file and see its content at the location http://yourserver/secret.html.
The main configuration directive used to create ModSecurity rules is called SecRule. You will learn all about using the SecRule directive in Chapter 2, but for now all you need to know is that this directive allows you to block content based on regular expressions.
We will now create a security rule to block access to this file. Enter the following in your modsec.conf file, below the configuration settings.
