Apache Mod Security Configuration Class Activity 1 - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Pre-Lab Info:

ModSecurity is an open-source Web Application Firewall (WAF) that integrates with Apache. It ships as a module that has to be compiled and installed. To protect generic web applications, the Core Rules use the following techniques.

HTTP Protection

  • Detects violations of the HTTP protocol and a locally defined usage policy

Real-time Blacklist Lookups

  • Utilizes 3rd party IP reputation

Web-Based Malware Detection

HTTP Denial of Service Protections

  • Defends against HTTP flooding and slow HTTP DoS attacks

Common Web Attacks Protections

  • Detects common web application attacks

Automation Detection

  • Detects bots, crawlers, scanners and other recognizable malicious activity

Integration with AV Scanning for File Uploads

  • Detects malicious files uploaded through the web application

Tracking Sensitive Data

  • Tracks credit card usage and blocks leakages

Trojan Protection

  • Detects access to Trojan horses

Identification of Application Defects

  • Alerts on application misconfigurations

Error Detection and Hiding

  • Disguises error messages sent by the server

Pre-Lab Work:

  • Launch the Rocky VM and make sure Apache is installed without errors
  • Make sure there is an index.html file in /var/www/html

Disable the Apache "Testing 123" sample page

It is good practice to disable sample web pages on web servers. The Apache sample page is loaded by the welcome.conf file.

To disable:

  • Rename /etc/httpd/conf.d/welcome.conf to a name that does not end in .conf so that Apache does not load it.
    • You can name it to anything else. If creativity is not peaking right now, you can rename it to /etc/httpd/conf.d/backUpOfWelcome


Download and Installation

Install ModSecurity package

  • yum install mod_security -y

This installs the mod_security package on the server. Next we need to configure it.

Check and confirm the integration of the module into Apache

  • Check for the configuration file generated with the default set of rules
  • The configuration file will be located inside the Apache custom modules folder /etc/httpd/conf.d/mod_security.conf


```shell
pwd
ll mod_security.conf
httpd -M | grep security
```


  • Restart Apache and check the Apache error log to verify that the mod_security module was loaded on restart
  • tail /etc/httpd/logs/error_log


You may need "tail -n 15" or a larger count if the line you are looking for is not within the last 10 lines of the log.

From the logs, you can identify the ModSecurity version loaded and other details.

Reviewing Configuration and Log Files

The ModSecurity configuration file contains the include paths for the rules (where we can add our own rules for customization) and also identifies the audit log path for further analysis.

  • Go to `/etc/httpd/conf.d/mod_security.conf`
  • Look for the following lines and verify that the activated_rules folder was created

```apache
# ModSecurity Core Rules Set configuration
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
```



As shown above, the rules are loaded from the activated_rules folder.

  • We can also verify that the audit log file was created at /var/log/httpd/modsec_audit.log


Core Ruleset Configuration

We can get the rule sets from the official repo. On install, these rule sets are automatically symlinked into the activated_rules folder and are effective by default.

  • yum -y install mod_security_crs
  • Review the directory /etc/httpd/modsecurity.d/activated_rules to make sure that the rules were loaded.

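The checks in this lab (SecRuleEngine setting, the IncludeOptional rule paths, the ModSecurity version notice in error_log, and the module/rules/audit-log presence) as one added helper script; this is not from the wiki, and the sample mod_security.conf and error_log line it builds are constructed to match what the page shows.

```shell
#!/usr/bin/env bash
# Added helper script for the lab above; not part of the wiki page.
# Paths are the ones the page uses (mod_security.conf, activated_rules,
# modsec_audit.log); the sample config and log line below are constructed.
set -u

# Effective SecRuleEngine value (On blocks, DetectionOnly only logs, Off disables).
# Commented-out directives are skipped; the last live directive wins.
modsec_rule_engine() {
  awk '$1 == "SecRuleEngine" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Rule paths pulled in by IncludeOptional, one per line.
modsec_include_paths() {
  awk '$1 == "IncludeOptional" { print $2 }' "$1"
}

# Version from the "ModSecurity for Apache/x.y.z ... configured." notice in error_log.
modsec_version_from_log() {
  sed -n 's|.*ModSecurity for Apache/\([0-9.]*\).*configured.*|\1|p' "$1" | tail -n 1
}

# Live checks on the host: module loaded, rules dir present, audit log present.
# Returns non-zero if any check fails (needs httpd; not exercised offline).
check_modsec_host() {
  rc=0
  if httpd -M 2>/dev/null | grep -q security2_module; then echo "module: loaded"
  else echo "module: NOT loaded"; rc=1; fi
  if [ -d /etc/httpd/modsecurity.d/activated_rules ]; then echo "activated_rules: present"
  else echo "activated_rules: missing"; rc=1; fi
  if [ -f /var/log/httpd/modsec_audit.log ]; then echo "audit log: present"
  else echo "audit log: missing"; rc=1; fi
  return "$rc"
}

# Constructed sample inputs mirroring what the page shows.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<IfModule mod_security2.c>
    # SecRuleEngine DetectionOnly
    SecRuleEngine On
    SecAuditLog /var/log/httpd/modsec_audit.log
    # ModSecurity Core Rules Set configuration
    IncludeOptional modsecurity.d/*.conf
    IncludeOptional modsecurity.d/activated_rules/*.conf
</IfModule>
EOF
SAMPLE_LOG=$(mktemp)
echo '[Mon Oct 02 10:00:00 2023] [:notice] [pid 1234] ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/) configured.' > "$SAMPLE_LOG"
echo "engine=$(modsec_rule_engine "$SAMPLE_CONF") version=$(modsec_version_from_log "$SAMPLE_LOG")"
```

Run `check_modsec_host` on the Rocky VM itself after the install steps; the other three functions work on any copied config or log file.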