How To Install mod_security/mod_security2 On SuSE Linux Enterprise Server 10 (SLES10)

Introduction

The Apache module mod_security is a very powerful security module. Combined with predefined rules, you can close many security wholes on your server, opened by bad written php or perl apps.

Unfortunately mod_security is not part of the SLES10 distribution. To install mod_security to have to install some 3rd party modules. This guide helps you to install mod_security on SLES10. It also helps you to remove the module, by building RPM packages you can easily uninstall.

Install Apache2 

First of all you have to install apache2. This is very simple with the following command.

yast2 -i apache2

Install requried build packages

Some modules are required to build the mod_security module. Install the following  packages:

yast2 -i libxml2-devel pcre-devel apache2-devel curl-devel gcc gcc-c++

Apache2-devel is required for apxs2. curl-devel is optional.

Get and Install checkinstall (for packaging)

To keep track of installed software and enable the user to uninstall and update software, checkinstall can build RPM, DEBIAN (DEB) and Slackware packages. Instead of executing "make install" just run "checkinstall" and checkinstall catches all files, that would be installed by "make install".

Get checkinstall from http://www.asic-linux.com.mx/~izto/checkinstall/download.php.

wget http://www.asic-linux.com.mx/~izto/checkinstall/files/source/checkinstall-1.6.1.tgz
make
make install
checkinstall
cp /usr/src/packages/RPMS/i386/checkinstall-1.6.1-1.i386.rpm .
rpm -ivh checkinstall-1.6.1-1.i386.rpm

Get and Install liblua

The LUA programming language is used by mod_security for configuration. You must compile LUA as shared module.

Get LUA from http://www.lua.org/ftp/lua-5.1.3.tar.gz.

wget http://www.lua.org/ftp/lua-5.1.3.tar.gz
tar -zxvf lua-5.1.3.tar.gz
cd lua-5.1.3
make linux
checkinstall

[...]
1 - Summary: [ The LUA programming language ]
2 - Name: [ lua ]
3 - Version: [ 5.1.3 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ Development/Languages/Lua ]
7 - Architecture: [ i386 ]
8 - Source location: [ http://www.lua.org/ftp/lua-5.1.3.tar.gz ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ lua ]
[...]

cp /usr/src/packages/RPMS/i386/lua-5.1.3-1.i386.rpm ..
rpm -ivh ../lua-5.1.3-1.i386.rpm

Now you have to build a shared library from the liblua archive.

cd /usr/local/lib
gcc -shared -o liblua.5.1.3.so /usr/local/lib/liblua.a
ln -s liblua.5.1.3.so liblua.so

Get and Install mod_security

Get mod_security from http://www.modsecurity.org/download/direct.html.

Documentation about the installation can be found here: http://www.modsecurity.org/documentation/index.html.

cd modsecurity-apache_2.5.2
cd apache2
./configure
make
checkinstall

...
1 - Summary: [ mod_security application level firewall ]
2 - Name: [ apache2-mod_security ]
3 - Version: [ 2.5.2 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ Productivity/Networking/Web/Servers ]
7 - Architecture: [ i386 ]
8 - Source location: [ http://www.modsecurity.org/download/ ]
9 - Alternate source location: [ ]
10 - Requires: [ apache2 libxml2 ]
11 - Provides: [ mod_security ]

cp /usr/src/packages/RPMS/i386/apache2-mod_security-2.5.2-1.i386.rpm ../../
rpm -ivh ../../apache2-mod_security-2.5.2-1.i386.rpm

Configure Apache2 for mod_security

# /etc/apache2/conf.d/mod_security.conf
LoadFile /usr/lib/libxml2.so
LoadFile /usr/local/lib/liblua.so
LoadModule security2_module /usr/lib/apache2/mod_security2.so
Include modsecurity/*.conf
LoadModule unique_id_module /usr/lib/apache2/mod_unique_id.so

Extract and Configure Core Rules

Get the core rules from http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.0.tar.gz.

cd /etc/apache2
mkdir modsecurity
cd modsecurity
tar -zxvf ../modsecurity-core-rules_2.5-1.6.0.tar.gz

Modify modsecurity_crs_10_config.conf to meet the location of your config files:

vi modsecurity_crs_10_config.conf
    SecAuditLog=...
    SecDebugLog=...

Restart Apache and Test your Webpage

First restart apache to get the current configuration:

rcapache restart

To test the installation, write a simple (insecure) PHP script like this:

<? # /srv/www/htdoc/index.php
    file $text=$_GET['file'];
    echo "Content of File $text";
    echo `cat $text`;
?> 

Then access it to try opening insecure files:

http://ip.of.your.server.de/index.php?file=/etc/passwd

You should get ERROR 501 in your browser and the SecAuditLog file should show:

[...]
GET /index.php?file=/etc/passwd HTTP/1.1 ...
[...]
Message: Access denied with code 501 (phase 2). Pattern match "(?:\b(?:\.(?:ht(?:access|passwd|group
)|www_?acl)|global\.asa|httpd\.conf|boot\.ini)\b|\/etc\/)" at ARGS:file. [file "/etc/apache2/modsecu
rity/modsecurity_crs_40_generic_attacks.conf"] [line "114"] [id "950005"] [msg "Remote File Access A
ttempt"] [data "/etc/"] [severity "CRITICAL"] [tag "WEB_ATTACK/FILE_INJECTION"]

Caveats

• When accessing your server via IP, a rule in modsecurity_crs_21_protocol_anomalies.conf denies this. Edit the file and look for "Check that the host header is not an IP address".

Links and References

• mod_security home page:  http://www.modsecurity.org/
• LUA home page: http://www.lua.org/
• Checkinstall home page: http://www.asic-linux.com.mx/~izto/checkinstall/
• Author's home page: http://www.elconas.de