Monday, February 11, 2013

Mod_Security –

Mod_Security – ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure.

To install mod_security, go to WHM => EasyApache (or alternatively via CLI, run /scripts/easyapache). After you select your Apache and PHP versions, you’ll be brought to the Short Options page. Select mod_security from the list, then proceed with the build.

When the build is done, mod_security will be installed. The files are kept in the following location:

When hack attempts are identified by mod_security, they are logged in /usr/local/apache/logs/audit_log with the IP of the offender and what rule was violated. Visitors that trigger mod_security rules are greeted with a “406: Not Acceptable” error when doing so. However, mod_security does occasionally block legitimate website access attempts, specifically for software that happens to make calls consistent with a specific rule that mod_security is configured to block. Therefore, you may wish to either disable that rule, or disable mod_security for a specific domain or part of your website. Doing this is rather easy from command line.
First, open up your httpd.conf (/usr/local/apache/conf/httpd.conf) and locate your domain’s block. Under it you’ll see a line like this that is commented out:

# Include "/usr/local/apache/conf/userdata/std/2/$user/$domain/*.conf"

Uncomment this line, then create the folder indicated (note that $user is your username, and $domain is your domain name):

mkdir -p /usr/local/apache/conf/userdata/std/2/$user/$domain/
cd /usr/local/apache/conf/userdata/std/2/$user/$domain/

Create a file called modsec.conf, and insert this line:

SecRuleEngine Off

To apply, restart Apache

mod_security rules

No comments:

Post a Comment