FreeBSD and Apache ModSecurity

ModSecurity Logo

Apache ModSecurity:

ModSecurity performs real-time web application monitoring, logging and access control.  It can also reduce Apache’s attack surface by narrowing down HTTP features the server is willing to accept.

 

Installing ModSecurity:

root@bsd220:/ # pkg install ap24-mod_security

 

Configure ap24-mod_security:

To enable mod_security in Apache edit the following file: /usr/local/etc/apache24/modules.d/280_mod_security.conf
vim: set filetype=apache:
##
## module file for mod_security
##
## PROVIDE: mod_security2
## REQUIRE: mod_unique_id

##
## To enable ModSecurity in Apache, enable the modules
##  mod_unique_id (in httpd.conf) and
##  mod_security2 in this config file
##
## Additionally, load configuration and rules with an Include line from
##  /usr/local/etc/modsecurity/*.conf
##
## Most users will use the signatures from the OWASP Core Rule Set (CRS).
## For configuration instructions, see /usr/local/share/doc/mod_security2/README.
##

## apache modules for mod_security
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security2_module libexec/apache24/mod_security2.so
Include /usr/local/etc/modsecurity/*.conf
Restart Apache:
root@bsd220:/ # apachectl restart

Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 10082.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
root@bsd220:/ #
Verify ModSecurity is loaded by checking the Apache error log file:
root@bsd220:/ # tail -f /var/log/http-error.log

ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.
ModSecurity: APR compiled version="1.5.2"; loaded version="1.5.2"
ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
ModSecurity: YAJL compiled version="2.1.0"
ModSecurity: LIBXML compiled version="2.9.4"

 

Configuring the Core Rule Set:

ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let’s make a directory for all our ModSecurity related stuff, and clone the CRS repository under it.

First, install devel/git, clone the CRS Repository, and then copy the crs.conf file:
pkg install git
cd /usr/local/etc/modsecurity 
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs 

cp owasp-modsecurity crs/modsecurity_crs_10_setup.conf.example \ crs.conf
Activate CRS Base Rules by adding the following to /usr/local/etc/apache24/modules.d/280_mod_security.conf:
vim: set filetype=apache:
##
## module file for mod_security
##
## PROVIDE: mod_security2
## REQUIRE: mod_unique_id

##
## To enable ModSecurity in Apache, enable the modules
##  mod_unique_id (in httpd.conf) and
##  mod_security2 in this config file
##
## Additionally, load configuration and rules with an Include line from
##  /usr/local/etc/modsecurity/*.conf
##
## Most users will use the signatures from the OWASP Core Rule Set (CRS).
## For configuration instructions, see /usr/local/share/doc/mod_security2/README.
##

## apache modules for mod_security
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule security2_module libexec/apache24/mod_security2.so
Include /usr/local/etc/modsecurity/*.conf
Include /usr/local/etc/modsecurity/owasp-modsecurity-crs/base_rules/*.conf

 

Configuring Blocking Mode:

To enable ModSecurity blocking mode edit the following file /usr/local/etc/modsecurity/modsecurity.conf and change the following:
SecRuleEngine On
Next, restart Apache:
root@bsd220:/ # apachectl restart

At this point, it is wise to check the functionality of your web sites to ensure ModSecurity is not preventing any legitimate actions.  If there are any false positives, custom exceptions/rules written can mitigate the offending behavior.

Additionally, monitor https-error.log and modsec_audit.log in /var/log to view any potential false positives.

 

Log Rotation:

As with any service running on a server, it’s imperative to monitor the log files.  Also, proper log file rotation is essential to managing the amount of data collected.  FreeBSD’s log manager – newsyslog is designed to rotate various log files for the operating systems.  Newsyslog allows one to include a file to pull in additional entries.  Please review the man page for newsyslog(8).

First, create the directory /usr/local/etc/newsyslog.conf.d/:
root@bsd220:/ # mkdir /usr/local/etc/newsyslog.conf.d
Create /usr/local/etc/newsyslog.conf.d/httpdlog.conf
root@bsd220:/  # touch /usr/local/etc/newsyslog.conf.d/httpdlog.conf
Add the following to /usr/local/etc/newsyslog.conf.d/httpdlog.conf:
/var/log/httpd-access.log               600  7     *    @T12   B    /var/run/httpd.pid 30

/var/log/httpd-error.log                600  7     *    @T12   B    /var/run/httpd.pid 30

/var/log/httpd-ssl_request.log          600  7     *    @T12   B    /var/run/httpd.pid 30

/var/log/modsec_audit.log               600  7     *    @T12   B    /var/run/httpd.pid 30
Next, restart newsyslog:
root@bsd220:/ # service newsyslog restart

 

Maintenance:

You probably want to keep the CRS updated from time to time. You can do this with Git:

root@bsd220: / # cd /usr/local/etc/modsecurity/owasp-modsecurity-crs
root@bsd220: / # git pull
root@bsd220: / # apachectl restart

 

Summary:

ModSecurity is a powerful application layer firewall for the venerable Apache web server.  It provides real-time application security monitoring and access control as well as full HTTP traffic logging.  With the OWASP ModSecurity Core Rule Set (CRS), it is ready to use right out-of-the-box.  CRS also provides default rule sets for both Drupal and WordPress which comes in quite handy for site using these popular frameworks.  Placing ModSecurity in monitoring mode is an excellent resource for System Administrators to monitor traffic and make corrective actions.

 

References:

ModSecurity’s Web Site

OWASP ModSecurity Core Rule Set

Leave a Reply

Your email address will not be published. Required fields are marked *