Old 05-11-2011, 05:52 AM   #1
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Rep: Reputation: 127Reputation: 127
mod_security loaded but does nothing


As subject says, I installed mod_security on webserver, carefully following installation instructions on mod_sec website.
It is loaded but seems not to do anything.
The rules are located under conf/extra/sec_rules/
httpd.conf has the relevant lines in this order:
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Include conf/extra/sec_rules/*.conf

Checking:
Code:
#lsof |grep mod_security
httpd     21298       root  mem       REG        8,6    1074471     217257 /nih/httpd-2.2.17/modules/mod_security2.so
httpd     21305     daemon  mem       REG        8,6    1074471     217257 /nih/httpd-2.2.17/modules/mod_security2.so
httpd     21306     daemon  mem       REG        8,6    1074471     217257 /nih/httpd-2.2.17/modules/mod_security2.so
httpd     21307     daemon  mem       REG        8,6    1074471    
# /etc/init.d/apachectl -t -D DUMP_MODULES | grep security
Syntax OK
 security2_module (shared)
phpinfo gives:
Code:
Loaded Modules 	core mod_authn_file mod_authn_default mod_authz_host mod_authz_groupfile mod_authz_user mod_authz_default mod_auth_basic mod_include mod_filter mod_log_config mod_env mod_setenvif mod_version mod_ssl prefork http_core mod_mime mod_status mod_asis mod_cgi mod_negotiation mod_dir mod_actions mod_userdir mod_alias mod_rewrite mod_so mod_php5 mod_security2 mod_unique_id
Checking log:
Code:
[Wed May 11 11:19:56 2011] [notice] ModSecurity for Apache/2.5.13 (http://www.modsecurity.org/) configured.
So the modules are loaded, the rules are in place.
Now testing as suggested here: http://www.howtoforge.com/installing...rity-on-sles10
Contents of both /etc/motd and /etc/passwd are displayed in browser.
There is nothing in logs/audit_log, there is no file logs/modsec_debug_log
(Config settings:
SecFilterDebugLevel 5
SecFilterDebugLog logs/modsec_debug_log
SecAuditEngine On #RelevantOnly
SecAuditLog logs/audit_log
Apache does write to logs/access.log & logs/error.log but no error message concerning mod_security.)

Server spec: OpenSuse 11.3 apache 2.2.17 mod_security 2.5.13
Apache, pcre & mod_security are all compiled manually.
Attaching httpd.conf & modsec.conf
Attached Files
File Type: txt httpd_test.conf.txt (1.7 KB, 26 views)
File Type: txt modsec.conf.txt (8.1 KB, 35 views)
 
Old 05-11-2011, 01:07 PM   #2
DisK0nn3cT
LQ Newbie
 
Registered: May 2011
Posts: 2

Rep: Reputation: 1
Hey Pingu,

I actually just finished my ModSecurity install today and ran into a similar problem. This is what you have to do to get it running:

1. If you haven't already, copy the /rules directory from the source into a folder called 'modsecurity_crs' (or anything you want) in your /etc/httpd/conf/ dir
2. Update your httpd.conf file with:

<IfModule security2_module>
Include conf/modsecurity_crs/*.conf
Include conf/modsecurity_crs/base_rules/*.conf
</IfModule>

3. Edit your modsecurity_crs_10_config.conf file and uncomment the following line and change it to the option of your choice (On|DetectionOnly|RelevantOnly):
#SecRuleEngine DetectionOnly to SecRuleEngine On

4. Restart apache

And you should be good to go. Also, these instructions are in the /rules/README help file.

Hopefully that helps,
Danny
 
Old 05-11-2011, 01:18 PM   #3
DisK0nn3cT
LQ Newbie
 
Registered: May 2011
Posts: 2

Rep: Reputation: 1
Hmm, after going over your comments more closely, it looks like you have done most of these. One thing that does look odd is your Include in the httpd.conf file. Are you using the modsecurity CRS default rules? If so, you need to include your base_rules as well:

<IfModule security2_module>
Include conf/extra/sec_rules/*.conf
Include conf/extra/sec_rules/base_rules/*.conf
</IfModule>

Let me know if that helps at all.
 
1 members found this post helpful.
Old 05-12-2011, 04:23 AM   #4
pingu
Senior Member
 
Registered: Jul 2004
Location: Skuttunge SWEDEN
Distribution: Debian preferably
Posts: 1,350

Original Poster
Rep: Reputation: 127Reputation: 127
Thanks a lot DisK0nn3cT!
You were actually not completely right but you put me on the right track - that's what counts.

As you noted, I had already done everything you should according to README & other documentation.
BUT! somehow my modsec.conf was not correct - don't know where I got that one from??
So I copied in modsecurity_crs_10_config.conf from source and all is fine.

What got me to find that out was your last comment, which made me look more closely at the contents of the sec_rules-directory. Then I compared my modsec.conf with the one you mentioned and it was obvious I had a wrong config.

Last edited by pingu; 05-12-2011 at 04:25 AM. Reason: Spelling
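
Added example, not part of any post in this thread: the `SecFilterDebugLevel` and `SecFilterDebugLog` settings quoted in post #1 are ModSecurity 1.x directive names (2.x uses `SecDebugLogLevel` and `SecDebugLog`), and the 2.x rule engine stays off until `SecRuleEngine` is set. The sketch below lints config files for both conditions plus the 1.x `<IfModule mod_security.c>` guard; the function names `modsec_lint` and `make_samples`, the file names and the sample contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: find config reasons why ModSecurity 2.x is loaded but
# never inspects a request. All sample file content below is constructed.

# Print one finding per line for the Apache config files given as arguments.
modsec_lint() {
    awk '
        # SecFilter* are ModSecurity 1.x names; mod_security2 does not act on them.
        /^[ \t]*SecFilter[A-Za-z]*[ \t]/ {
            printf "%s:%d: %s  <-- ModSecurity 1.x directive\n", FILENAME, FNR, $0 }
        # This guard names the 1.x module, so Apache skips its body under 2.x.
        /^[ \t]*<IfModule[ \t]+mod_security\.c>/ {
            printf "%s:%d: %s  <-- 1.x guard, body skipped under 2.x\n", FILENAME, FNR, $0 }
        # The last uncommented SecRuleEngine line decides the engine state.
        /^[ \t]*SecRuleEngine[ \t]+/ { state = $2 }
        END { print "SecRuleEngine=" (state == "" ? "unset (defaults to Off)" : state) }
    ' "$@"
}

# Write two constructed configs into directory $1: a stale one and a 2.x one.
make_samples() {
    cat > "$1/old.conf" <<'EOF'
<IfModule mod_security.c>
SecFilterDebugLevel 5
SecFilterDebugLog logs/modsec_debug_log
SecAuditEngine On
SecAuditLog logs/audit_log
</IfModule>
EOF
    cat > "$1/new.conf" <<'EOF'
<IfModule security2_module>
#SecRuleEngine DetectionOnly
SecRuleEngine On
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 5
</IfModule>
EOF
}

dir=$(mktemp -d)
make_samples "$dir"
echo "== old.conf"; modsec_lint "$dir/old.conf"
echo "== new.conf"; modsec_lint "$dir/new.conf"
rm -rf "$dir"
```

On a real server, pass every file that httpd.conf pulls in through `Include`, in the order Apache reads them, so that the reported `SecRuleEngine` value is the effective one.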
 