2005-07-04, 05:56 PM
Well I thought I would write another tutorial :) this time on Apache, on making it more secure
and defending against DoS attacks. This tutorial is for Apache version 2.
The two packages I am going to use are the following:
mod_security, which is available from http://www.modsecurity.org/
mod_dosevasive, which is available from http://www.nuclearelephant.com/projects/dosevasive/
I would like to give credit to fedoranew.org (Jorge A Gallegos) as I stumbled into mod_security
there.
Once you have downloaded the two packages, unpack them as shown below.
Code:
tar zvxf modsecurity-1.8.7.tar.gz
tar zvxf mod_dosevasive_1.10.tar.gz
This will create two directories containing the source code. Before we install these modules
you should get apxs, which builds a module and installs it into Apache for you; this tool can be installed
via yum as shown below.
Code:
yum install httpd-devel
Once that is installed, go into the unpacked mod_security directory and type the following as
root:
Code:
apxs -cia mod_security.c
This should produce the following output:
Code:
/bin/sh /usr/lib/apr/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -march=i386 -mcpu=i686 -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/include/apr-0 -I/usr/include/httpd -c -o mod_security.lo mod_security.c && touch mod_security.slo
/bin/sh /usr/lib/apr/build/libtool --silent --mode=link gcc -o mod_security.la -rpath /usr/lib/httpd/modules -module -avoid-version mod_security.lo
/usr/lib/httpd/build/instdso.sh SH_LIBTOOL='/bin/sh /usr/lib/apr/build/libtool' mod_security.la /usr/lib/httpd/modules
/bin/sh /usr/lib/apr/build/libtool --mode=install cp mod_security.la /usr/lib/httpd/modules/
cp .libs/mod_security.so /usr/lib/httpd/modules/mod_security.so
cp .libs/mod_security.lai /usr/lib/httpd/modules/mod_security.la
cp .libs/mod_security.a /usr/lib/httpd/modules/mod_security.a
ranlib /usr/lib/httpd/modules/mod_security.a
chmod 644 /usr/lib/httpd/modules/mod_security.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/httpd/modules
----------------------------------------------------------------------
Libraries have been installed in:
/usr/lib/httpd/modules
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/httpd/modules/mod_security.so
[activating module `security' in /etc/httpd/conf/httpd.conf]
Once that has been done, go to the /etc/httpd/conf.d/ directory and create a file
called "mod_security.conf". Once this file is created, paste the following into the config
file:
Code:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Make sure that Unicode encoding is valid
SecFilterCheckUnicodeEncoding On
# Server response token (see SecServerResponseToken in the mod_security docs)
SecServerResponseToken On
# Only allow bytes from this range
SecFilterForceByteRange 32 126
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log
# Debug log location and verbosity (0 = off)
SecFilterDebugLog /var/log/httpd/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:406"
# Simple filters
SecFilter /bin/bash
SecFilter /var
SecFilter /etc
SecFilter /home
SecFilter hidden
# Prevent OS specific keywords
SecFilter /etc/passwd
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"
# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
</IfModule>
That is the config file I use; you can also visit the mod_security web site to view all the rules
that can be applied in this config file.
Once the config file has been set up, restart Apache as shown below.
Code:
service httpd restart
Once that's restarted, open your web browser and type 127.0.0.1/etc; your
web browser should display:
Code:
Not Acceptable
An appropriate representation of the requested resource /etc could not be found on this server.
Apache/2.0.54 (Fedora) Server at 127.0.0.1 Port 80
Now go to /var/log/httpd and you should see a file called audit_log; its content will look something
like this:
Code:
========================================
Request: 127.0.0.1 - - [04/Jul/2005:18:45:53 +0100] "GET /etc HTTP/1.1" 406 329
Handler: (null)
----------------------------------------
GET /etc HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
mod_security-message: Access denied with code 406. Pattern match "/etc" at THE_REQUEST
mod_security-action: 406
HTTP/1.1 406 Not Acceptable
Content-Length: 329
Connection: close
Content-Type: text/html; charset=iso-8859-1
As you may have noticed, it has filtered out /etc and logged the attacker's details (the client address, the full request and the rule that matched).
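To see how the rules in the config above decide on a request (and where the crude filters over-match), here is a small model of that decision written for this post. It is not mod_security's own matching engine: it only URL-decodes the request line, checks the byte range and the two required headers, and then applies the SecFilter patterns in configuration order. The sample requests are constructed; `[[:space:]]` is rewritten as `\s` because Python's re module has no POSIX bracket classes, and case-insensitive matching is an assumption.

```python
import re
from urllib.parse import unquote

# Simplified model of the SecFilter rules from the mod_security.conf above.
# Written for this post as an illustration; it is NOT mod_security's engine.
# The real module normalises the request before matching and also inspects
# the query string and POST payload; this model URL-decodes the request line
# and matches the patterns against that decoded text plus any body.

SEC_FILTERS = [
    "/bin/bash", "/var", "/etc", "/home", "hidden",        # simple filters
    "/etc/passwd",                                         # OS specific keyword
    r"\.\./",                                              # path traversal
    r"<( |\n)*script",                                     # weaker XSS filter
    r"<(.|\n)+>",                                          # any HTML tag
    r"delete\s+from", r"insert\s+into", r"select.+from",   # crude SQL filters
]
BYTE_RANGE = (32, 126)   # SecFilterForceByteRange 32 126
DENY_STATUS = 406        # SecFilterDefaultAction "deny,log,status:406"
REQUIRED_HEADERS = ("User-Agent", "Host")  # SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"


def inspect_request(request_line, headers, body=""):
    """Return (status, reason); status 200 means the request passes."""
    # SecFilterCheckURLEncoding: a '%' must be followed by two hex digits
    if re.search(r"%(?![0-9A-Fa-f]{2})", request_line):
        return DENY_STATUS, "Invalid URL encoding detected"
    decoded = unquote(request_line)
    # SecFilterForceByteRange: every byte of the request must lie in 32..126
    for ch in decoded + body:
        if not BYTE_RANGE[0] <= ord(ch) <= BYTE_RANGE[1]:
            return DENY_STATUS, f"Invalid character detected (code {ord(ch)})"
    # Requests without a User-Agent or Host header are refused
    for name in REQUIRED_HEADERS:
        if headers.get(name, "") == "":
            return DENY_STATUS, f'Pattern match "^$" at HEADER("{name}")'
    # Plain SecFilter rules, in configuration order (case-insensitive: assumption)
    for pattern in SEC_FILTERS:
        for where, text in (("THE_REQUEST", decoded), ("POST_PAYLOAD", body)):
            if text and re.search(pattern, text, re.IGNORECASE):
                return DENY_STATUS, f'Pattern match "{pattern}" at {where}'
    return 200, "ok"


# Constructed sample requests (not taken from the post's logs).
HEADERS = {"Host": "127.0.0.1", "User-Agent": "Mozilla/5.0"}
SAMPLE_REQUESTS = [
    ("GET /index.html HTTP/1.1", HEADERS, ""),                         # passes
    ("GET /etc HTTP/1.1", HEADERS, ""),                                # the check from the post
    ("GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1", HEADERS, ""),           # encoded traversal, caught after decoding
    ("GET /homepage.html HTTP/1.1", HEADERS, ""),                      # false positive: "/home" matches
    ("GET /search?q=select+one+from+the+list HTTP/1.1", HEADERS, ""),  # false positive: "select.+from"
    ("GET /index.html HTTP/1.1", {"Host": "127.0.0.1", "User-Agent": ""}, ""),  # empty User-Agent
    ("GET /bad%zz HTTP/1.1", HEADERS, ""),                             # malformed URL encoding
]


def run_samples():
    """Apply the model to every sample; returns a list of (status, reason)."""
    return [inspect_request(line, hdrs, body) for line, hdrs, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (line, _, _), (status, reason) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{status}  {line:50}  {reason}")
```

The two false-positive lines are the practical point: substring filters such as `/home` or `select.+from` will also refuse ordinary pages and search terms, so review the audit_log for 406 entries on legitimate traffic after enabling the rules and narrow any filter that fires on it.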
Now that we have mod_security set up, it's time to set up mod_dosevasive. The first step is
to change into the unpacked mod_dosevasive directory and issue the following command.
Code:
apxs -i -a -c mod_dosevasive20.c
This will produce output similar to that of mod_security. Once it has installed, you can delete
both unpacked directories and their compressed archives.
Open the httpd.conf file and add the following entry:
Code:
<IfModule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 60
</IfModule>
The following descriptions of the values are taken from the mod_dosevasive documentation.
DOSHashTableSize
----------------
The hash table size defines the number of top-level nodes for each child's
hash table. Increasing this number will provide faster performance by
decreasing the number of iterations required to get to the record, but
consume more memory for table space. You should increase this if you have
a busy web server. The value you specify will automatically be tiered up to
the next prime number in the primes list (see mod_dosevasive.c for a list
of primes used).
DOSPageCount
------------
This is the threshold for the number of requests for the same page (or URI)
per page interval. Once the threshold for that interval has been exceeded,
the IP address of the client will be added to the blocking list.
DOSSiteCount
------------
This is the threshold for the total number of requests for any object by
the same client on the same listener per site interval. Once the threshold
for that interval has been exceeded, the IP address of the client will be added
to the blocking list.
DOSPageInterval
---------------
The interval for the page count threshold; defaults to 1 second intervals.
DOSSiteInterval
---------------
The interval for the site count threshold; defaults to 1 second intervals.
DOSBlockingPeriod
-----------------
The blocking period is the amount of time (in seconds) that a client will be
blocked for if they are added to the blocking list. During this time, all
subsequent requests from the client will result in a 403 (Forbidden) and
the timer being reset (e.g. another 10 seconds). Since the timer is reset
for every subsequent request, it is not necessary to have a long blocking
period; in the event of a DoS attack, this timer will keep getting reset.
DOSEmailNotify
--------------
If this value is set, an email will be sent to the address specified
whenever an IP address becomes blacklisted. A locking mechanism using /tmp
prevents continuous emails from being sent.
NOTE: Be sure MAILER is set correctly in mod_dosevasive.c
(or mod_dosevasive20.c). The default is "/bin/mail -t %s" where %s is
used to denote the destination email address set in the configuration.
If you are running on linux or some other operating system with a
different type of mailer, you'll need to change this.
DOSSystemCommand
----------------
If this value is set, the system command specified will be executed
whenever an IP address becomes blacklisted. This is designed to enable
system calls to ip filter or other tools. A locking mechanism using /tmp
prevents continuous system calls. Use %s to denote the IP address of the
blacklisted IP.
DOSLogDir
---------
Choose an alternative temp directory
By default "/tmp" will be used for locking mechanism, which opens some
security issues if your system is open to shell users.
http://security.lss.hr/index.php?page=deta...=LSS-2005-01-01
In the event you have nonprivileged shell users, you'll want to create a
directory writable only to the user Apache is running as (usually root),
then set this in your httpd.conf.
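To make the interaction of DOSPageCount, DOSSiteCount, the two intervals and DOSBlockingPeriod concrete, here is a model of the counting rules described above, written for this post. It is not the module's own code: the real module keeps a fixed-size hash table per Apache child and its exact edge behaviour (for example whether the request that reaches the threshold is itself refused) may differ. The traffic is constructed; the settings are the ones from the httpd.conf entry above.

```python
# Model of the mod_dosevasive counting rules, written for this post to show how
# DOSPageCount, DOSSiteCount, the intervals and DOSBlockingPeriod interact.
# Not the module's code; edge behaviour of the real module may differ.

class DosEvasiveModel:
    def __init__(self, page_count=2, site_count=50, page_interval=1,
                 site_interval=1, blocking_period=60):
        self.page_count = page_count            # DOSPageCount
        self.site_count = site_count            # DOSSiteCount
        self.page_interval = page_interval      # DOSPageInterval (seconds)
        self.site_interval = site_interval      # DOSSiteInterval (seconds)
        self.blocking_period = blocking_period  # DOSBlockingPeriod (seconds)
        self.page_hits = {}         # (ip, uri) -> [count, time of last hit]
        self.site_hits = {}         # ip -> [count, time of last hit]
        self.blocked = {}           # ip -> time the block timer was last reset
        self.blacklist_events = []  # (time, ip): where DOSEmailNotify/DOSSystemCommand fire

    def _hit(self, table, key, now, interval):
        """Count one hit; the counter restarts when the last hit is older than interval."""
        entry = table.get(key)
        if entry is None or now - entry[1] >= interval:
            entry = [0, now]
        entry[0] += 1
        entry[1] = now
        table[key] = entry
        return entry[0]

    def _blacklist(self, ip, now):
        self.blacklist_events.append((now, ip))
        self.blocked[ip] = now

    def request(self, now, ip, uri):
        """Return the status the module would give this request: 200 or 403."""
        if ip in self.blocked:
            if now - self.blocked[ip] < self.blocking_period:
                self.blocked[ip] = now      # every refused request restarts the timer
                return 403
            del self.blocked[ip]            # blocking period elapsed quietly
        if self._hit(self.page_hits, (ip, uri), now, self.page_interval) > self.page_count:
            self._blacklist(ip, now)        # same page hit too often
            return 403
        if self._hit(self.site_hits, ip, now, self.site_interval) > self.site_count:
            self._blacklist(ip, now)        # any page on this listener hit too often
            return 403
        return 200


def replay(traffic, **settings):
    """Feed (time, ip, uri) tuples through a fresh model; returns the statuses."""
    model = DosEvasiveModel(**settings)
    return [model.request(t, ip, uri) for t, ip, uri in traffic]


# Constructed traffic (times in seconds) under the post's settings:
# DOSPageCount 2, DOSPageInterval 1, DOSBlockingPeriod 60.
TRAFFIC = [
    (0.0,   "10.0.0.1", "/index.html"),  # 200
    (0.1,   "10.0.0.2", "/index.html"),  # 200
    (0.2,   "10.0.0.1", "/index.html"),  # 200: second hit, threshold not exceeded
    (0.3,   "10.0.0.2", "/index.html"),  # 200
    (0.4,   "10.0.0.1", "/index.html"),  # 403: third hit on one page inside 1 s
    (0.6,   "10.0.0.1", "/about.html"),  # 403: already blocked, timer reset to 0.6
    (1.5,   "10.0.0.2", "/index.html"),  # 200: over 1 s since its last hit, counter restarted
    (59.0,  "10.0.0.1", "/about.html"),  # 403: 58.4 s since the reset, timer reset again
    (120.0, "10.0.0.1", "/about.html"),  # 200: 61 s of silence, block expired
]

# Site-wide limit: with DOSSiteCount 3 a client touching four different pages
# inside one DOSSiteInterval is blocked on the fourth request.
SITE_TRAFFIC = [(0.1 * i, "10.0.0.3", f"/page{i}.html") for i in range(5)]

if __name__ == "__main__":
    for (t, ip, uri), status in zip(TRAFFIC, replay(TRAFFIC)):
        print(f"t={t:6.1f}  {ip}  {uri:12}  {status}")
    print(replay(SITE_TRAFFIC, site_count=3))
```

The request at t=59.0 is the point the documentation makes about the blocking period: a client that keeps retrying never lets the timer run out, so a short DOSBlockingPeriod is enough, while a client that goes quiet is released after one period.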
Once all that is set up, restart your Apache server and enjoy the knowledge that you have
locked it down :) Note that mod_dosevasive provides a test.pl file to check that mod_dosevasive
is functioning correctly.
Code:
service httpd restart