Mod-Security Installing Along with - Open Source Rules

Installing the Mod Security.

## For RHEL/CentOS 6.2/6.1/6/5.8 ##

Installing needed Modules

yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel\

Installing the Mod-Security

## For RHEL/CentOS 6.2/6.1/6/5.8 ##
cd /usr/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.6.6.tar.gz
tar xzf modsecurity-apache_2.6.6.tar.gz
cd modsecurity-apache_2.6.6
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

Adding the Mod-security Module to the Apache

# vi /etc/httpd/conf/httpd.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

[root@54 modsecurity-apache_2.6.6]# httpd -t -D DUMP_MODULES |grep sec
security2_module (shared)
Syntax OK
[root@54 modsecurity-apache_2.6.6]#

<IfModule security2_module>
Include conf.d/modsecurity.conf
</IfModule>

 

Adding new Mod-Security Rules ..

OWASP core rule set

wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/modsecurity-crs_2.2.5.tar.gz/a
aeaa1124e8efc39eeb064fb47cfc0aa/modsecurity-crs_2.2.5.tar.gz
tar zxvf modsecurity-crs_2.2.5.tar.gz
mv modsecurity-crs_2.2.5 modsecurity-crs

mv modsecurity-crs /etc/httpd/conf.d/

Adding the rules to httpd

<IfModule security2_module>
Include conf.d/modsecurity.conf
Include conf.d/modsecurity-crs/activated_rules/*.conf
Include conf.d/modsecurity-crs/base_rules/*.conf
Include conf.d/modsecurity-crs/optional_rules/*.conf
Include conf.d/modsecurity-crs/slr_rules/*.conf
</IfModule>

More rules are available at

sudo wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master

Now the Mod Security is in the detect mode . once we are set we need to move it to on mode

[root@54 conf]# cat /etc/httpd/conf.d/modsecurity.conf |grep SecRuleEngine -i

SecRuleEngine DetectionOnly

# when SecRuleEngine is set to DetectionOnly mode in order to minimize

[root@54 conf]#

Change to

SecRuleEngine on

 

Setting the Mysql into a ReadOnly mode..

whole database to read only mode by this commands:

In the MySQL Prompt

FLUSH TABLES WITH READ LOCK;
SET GLOBAL read_only = 1;

and back to normal mode with:
SET GLOBAL read_only = 0;
UNLOCK TABLES;

Atomic mod security rules

ConfigServer ModSecurity Control provides an easy way of monitoring which rules are being triggered on the server in real time but more importantly, you can whitelist certain rules either globally accross the entire server or on a per account/domain basis if some of the rules conflict with a particular script or functionality (e.g. FrontPage). To install CMC, run the following:

rm -fv cmc.tgz

wget http://www.configserver.com/free/cmc.tgz
tar -xzf cmc.tgz
cd cmc
sh install.sh
cd ..
rm -Rfv cmc/ cmc.tgz
If you log in to WHM you will now see “ConfigServer ModSec Control” under “Plugins”. It’s important that you click on it because when it’s run the first time, it will create the file “modsec2.whitelist.conf” if it doesn’t already exist. If that file doesn’t exist then you’ll find Apache won’t start when we come to the end of this guide. Also while you’re here, click on “Disable modsecparse.pl”. This will disable the cPanel cron job that processes and empties the mod_security log, allowing you to use the log watching tool built in to CMC.

As to help our VPS and Dedicated Server customers who might also be effected by this we have designed the following guide to make installing Atmoic Mod Security into cPanel with little to no fuss.

Stage 1: Run the following commands at command line:

mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/*
chmod ug+rwx -R /var/asl/data/*
mkdir /var/asl/updates
mkdir /var/asl/rules/
mkdir /var/asl/rules/clamav
mkdir /etc/asl/
touch /etc/asl/whitelist
cd /usr/local/src/
wget http://updates.atomicorp.com/channels/rules/delayed/modsec-2.7-free-latest.tar.gz
tar zxvf modsec-2.7-free-latest.tar.gz
mkdir /usr/local/apache/conf/modsec_rules/
cp modsec/* /usr/local/apache/conf/modsec_rules/
These command will create the required directory’s and download the latest free version of the Atomic Mod Security rules. It will also directly install them into the location of Apache designed for cPanel and configure the permission.

Stage 2: Configure cPanel to use the Mod Security Rules

In this stage, you can do everything from WHM as long as you have Mod Security already installed as part of your EasyApache build. If you do not, you will need to rebuild apache with Mod Security.

In go to: WHM -> Plugins -> Mod Security and then click: Edit Config

In this section, delete all the current content and then paste in the following configuration:

SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf
Save this and restart Apache.

This should now have successfully installed the Atomic mod security rules into cPanel which are a much more secure rule base and include extra protection which is important for the latest hacks.

Testing

http://YOUR_HOST/foo.php?foo=http://www.example.com

should give 403

odbctest.php test page

--- begin odbctest.php---
<?
// connect to DSN MSSQL with a user and password
$connect = odbc_connect("MSSQLServer", "username", "password") or die
  ("couldn't connect");
odbc_exec($connect, "use Northwind");
$result = odbc_exec($connect, "SELECT CompanyName, ContactName " .
        "FROM Suppliers");
while(odbc_fetch_row($result)){
  print(odbc_result($result, "CompanyName") .
        ' ' . odbc_result($result, "ContactName") . "<br>\n");
}
odbc_free_result($result);
odbc_close($connect);
?>
--- end odbctest.php --

GRsec patched kernel install

Fetch the sources:

Download kernel from kernel.org

#wget http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.32/linux-2.6.32.51.tar.gz

Downlaod latest Grsecurity patch from below URL :

#wget http://grsecurity.net/stable/grsecurity-2.2.2-2.6.32.51-201201021326.patch

Extract:
tar xjf linux-2.6.32.51.tar.gz

Patch the kernel:

#cd linux-2.6.32.51

#patch -p1 < ../grsecurity-2.2.2-2.6.32.51-201201021326.patch

Now start making the kernel :

# make clean && make mrproper

Edit your kernel as per your need :

# make menuconfig

Compile your kernel and install it:

# make bzImage

# make modules

# make modules_install

Make sure it’s working ok with the help of following command :

# depmod 2.6.32.51-grsec

Installing and booting the new kernel :

# cp arch/i386/boot/bzImage /boot/vmlinuz-2.6.32.51-grsec

There is also a file called “System.map” that must be copied to the same boot directory.

# cp System.map /boot

Do not forget to make changes in /etc/grub.conf

also go to grub prompt after this and fire below command :

# grub > savedefault –-default=0 –-once

Now reboot server :

#Shutdown -r now.

FFmpeg

Download all the files needed

cd /usr/local/src
wget http://www3.mplayerhq.hu/MPlayer/releases/codecs/essential-20071007.tar.bz2
wget http://rubyforge.org/frs/download.php/17497/flvtool2-1.0.6.tgz
wget http://easynews.dl.sourceforge.net/sourceforge/lame/lame-3.97.tar.gz
wget http://superb-west.dl.sourceforge.net/sourceforge/ffmpeg-php/ffmpeg-php-0.5.0.tbz2
wget http://downloads.xiph.org/releases/ogg/libogg-1.1.3.tar.gz
wget http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.gz
wget http://ftp.penguin.cz/pub/users/utx/amr/amrnb-7.0.0.2.tar.bz2
wget http://ftp.penguin.cz/pub/users/utx/amr/amrwb-7.0.0.3.tar.bz2
wget http://downloads.xiph.org/releases/theora/libtheora-1.0beta3.tar.gz

Extract all the files

tar zxvf lame-3.97.tar.gz
tar zxvf libogg-1.1.3.tar.gz
tar zxvf libvorbis-1.2.0.tar.gz
tar zxvf flvtool2-1.0.6.tgz
tar jxvf essential-20071007.tar.bz2
tar jxvf ffmpeg-php-0.5.0.tbz2
bzip2 -cd amrnb-7.0.0.2.tar.bz2 | tar xvf -
bzip2 -cd amrwb-7.0.0.3.tar.bz2 | tar xvf -
tar zxvf libtheora-1.0beta3.tar.gz

We need a codec directory

mkdir /usr/local/lib/codecs/

Install Ruby on Rails, subversion & ncurses

apt-get install subversion ruby libcurses-ruby

Run some SVN queries

svn checkout svn://svn.mplayerhq.hu/ffmpeg/trunk ffmpeg
svn checkout svn://svn.mplayerhq.hu/mplayer/trunk mplayer
cd /usr/local/src/mplayer
svn update

Copy Codecs for mplayer

mkdir /usr/local/lib/codecs
mv /usr/local/src/essential-20071007/* /usr/local/lib/codecs/
chmod -R 755 /usr/local/lib/codecs/

We also need to secure the tmp directory

mkdir /usr/local/src/tmp
chmod 777 /usr/local/src/tmp
export TMPDIR=/usr/local/src/tmp

Install lame

cd /usr/local/src/lame-3.97
./configure
make && make install

Install libogg

cd /usr/local/src/libogg-1.1.3
./configure && make && make install

Install libvorbis

cd /usr/local/src/libvorbis-1.2.0
./configure && make && make install

Install flvtool2

cd /usr/local/src/flvtool2-1.0.6/
ruby setup.rb config
ruby setup.rb setup
ruby setup.rb install

Install mplayer & mencoder

cd /usr/local/src/mplayer
./configure –enable-jpeg
make && make install

Install AMR (for 3gp conversion)

cd /usr/local/src/amrnb-7.0.0.2
./configure
make && make install

cd /usr/local/src/amrwb-7.0.0.3
./configure
make && make install

Install libtheora (for ogg video encoding)

cd /usr/local/src/libtheora-1.0beta3
./configure
make && make install

Install ffmpeg

cd /usr/local/src/ffmpeg/
./configure –enable-libmp3lame –enable-libogg –enable-libvorbis –disable-mmx –enable-shared –enable-amr-nb –enable-libtheora

MSSQL Connection Testpage

<?php
$Server = "localhost";
$User = "your_name";
$Pass = "your_password";
$DB = "examples";

//connection to the database
$dbconn = mssql_connect($Server, $User, $Pass)
or die("Couldn't connect to SQL Server on $Server");

//select a database to work with
$selected = mssql_select_db($DB, $dbconn)
or die("Couldn't open database $myDB");

//declare the SQL statement that will query the database
$query = "SELECT name from test ";

//execute the SQL query and return records
$result = mssql_query($query);

$numRows = mssql_num_rows($result);
echo "<h1>" . $numRows . " Row" . ($numRows == 1 ? "" : "s") . " Returned </h1>";

//display the results
while($row = mssql_fetch_array($result))
{
echo "<br>" . $row["name"];
}
//close the connection
mssql_close($dbconn);
?>