Apache2 security – mod_rewrite, mod_security

Enable mod_rewrite in Apache2

http://www.grosseosterhues.com/2011/07/enabling-mod-security-protection-in-apache2-on-ubuntu/
http://www.linuxlog.org/?p=135

a2enmod rewrite

/etc/apache2/sites-available/000-default

Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all

/etc/init.d/apache2 restart

.htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Enable mod_evasive and mod_security in Apache2

aptitude install libapache-mod-security libapache2-mod-evasive

a2enmod mod-security mod-evasive

ln -s /usr/sbin/sendmail /bin/mail
mkdir /var/log/mod_evasive
chown www-data:www-data /var/log/mod_evasive/

/etc/apache2/conf.d/modevasive

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/mod_evasive
DOSEmailNotify jan.faix@gmail.com
DOSWhitelist 127.0.0.1
</IfModule>

Check that /etc/apache2/apache2.conf contains:

# Include generic snippets of statements
Include /etc/apache2/conf.d/[^.#]*

mkdir /etc/apache2/mod_security_rules
chown -R root:root /etc/apache2/mod_security_rules
sed '/^$/d; /^#/d;' /usr/share/doc/mod-security-common/examples/rules/*conf >> /etc/apache2/mod_security_rules/modsecurity_crs_10_config_global.conf
cp /usr/share/doc/mod-security-common/examples/rules/base_rules/* /etc/apache2/mod_security_rules/
touch /var/log/apache2/modsec_audit.log /var/log/apache2/modsec_debug.log
chown www-data:www-data /var/log/apache2/modsec_audit.log /var/log/apache2/modsec_debug.log

/etc/apache2/mod_security_rules/modsecurity_crs_10_config_global.conf

SecAuditLog /var/log/apache2/modsec_audit.log
SecDebugLog /var/log/apache2/modsec_debug.log

/etc/apache2/conf.d/mod_security

<IfModule security2_module>
Include /etc/apache2/mod_security_rules/*.conf
</IfModule>

cd /etc/apache2/mod_security_rules/
mv modsecurity_crs_41_phpids_filters.conf modsecurity_crs_41_phpids_filters.conf.disabled

/etc/init.d/apache2 restart

Test mod_security

/var/www/test.php

<?php
// Deliberately vulnerable test page: it includes whatever file the query string
// names, so a request for /etc/passwd should trip the mod_security rules.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

http://yourserver.tld/test.php?secret_file=/etc/passwd

The correct response is a “403 Forbidden” error message.

rm -f /var/www/test.php

Test mod_evasive

Run it from a box other than your server, and change the domain in the script to your web server.
The correct response is HTTP/1.1 404 Not Found.

~/test.pl

#!/usr/bin/perl
# test.pl: small script to test mod_dosevasive's effectiveness
use strict;
use warnings;
use IO::Socket;

# Send 101 requests in quick succession; once the DOSPageCount/DOSSiteCount
# thresholds are exceeded, mod_evasive stops serving the page to this client.
for (0..100) {
    my $SOCKET = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "faix.homelinux.net:80")
        or die $!;
    print $SOCKET "GET /?$_ HTTP/1.0\r\n\r\n";   # HTTP requires CRLF line endings
    my $response = <$SOCKET>;                     # first line is the status line
    print $response;
    close($SOCKET);
}

rm -r ~/test.pl
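To see what the thresholds in /etc/apache2/conf.d/modevasive above actually do to a burst like the one test.pl sends, here is an added example (my own code, not part of the original post or of mod_evasive itself): a small Python model of the module's per-client counters, using the page's DOSPageCount, DOSSiteCount, interval and DOSBlockingPeriod values. It assumes a counter restarts when its last hit is older than the interval and that a blocked client keeps its block refreshed while it keeps sending; the client addresses and timings are constructed.

```python
from collections import defaultdict

# Threshold values copied from /etc/apache2/conf.d/modevasive above.
CONFIG = {
    "DOSPageCount": 2, "DOSSiteCount": 50,
    "DOSPageInterval": 1, "DOSSiteInterval": 1,
    "DOSBlockingPeriod": 10, "DOSWhitelist": {"127.0.0.1"},
}

class EvasiveModel:
    """Approximation of mod_evasive's bookkeeping (assumption: a counter restarts
    when its last hit is older than the interval; a blocked client stays blocked)."""
    def __init__(self, cfg=CONFIG):
        self.cfg = cfg
        self.page = defaultdict(lambda: [0, 0.0])  # (ip, uri) -> [count, last_hit]
        self.site = defaultdict(lambda: [0, 0.0])  # ip -> [count, last_hit]
        self.blocked = {}                          # ip -> time of last blocked hit

    def _over(self, table, key, now, limit, interval):
        entry = table[key]
        if now - entry[1] >= interval:  # window expired: count from scratch
            entry[0] = 0
        entry[0] += 1
        entry[1] = now
        return entry[0] > limit

    def request(self, ip, uri, now):
        """Return 403 if mod_evasive would refuse this request, else 200."""
        c = self.cfg
        if ip in c["DOSWhitelist"]:
            return 200
        if ip in self.blocked:
            if now - self.blocked[ip] < c["DOSBlockingPeriod"]:
                self.blocked[ip] = now   # hitting while blocked extends the block
                return 403
            del self.blocked[ip]
        over_page = self._over(self.page, (ip, uri), now, c["DOSPageCount"], c["DOSPageInterval"])
        over_site = self._over(self.site, ip, now, c["DOSSiteCount"], c["DOSSiteInterval"])
        if over_page or over_site:
            self.blocked[ip] = now
            return 403
        return 200

def replay(events, cfg=CONFIG):
    """Run constructed (seconds, ip, uri) events through one model; return statuses."""
    m = EvasiveModel(cfg)
    return [m.request(ip, uri, t) for t, ip, uri in events]

if __name__ == "__main__":
    # Constructed sample: three hits on "/" inside one second, then a retry after the block.
    print(replay([(0.0, "203.0.113.5", "/"), (0.2, "203.0.113.5", "/"),
                  (0.4, "203.0.113.5", "/"), (11.0, "203.0.113.5", "/")]))  # [200, 200, 403, 200]
```

With DOSPageCount 2 the third hit on the same page within DOSPageInterval is refused, and the client is served again only after DOSBlockingPeriod has passed without further hits.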