nrspot.com


Mod_Security for HTTP / Apache


Mod_Security is a web application firewall that can help us secure our sites against RFI, LFI, XSS, SQL injection, etc.

Now I will explain how to install Mod_security from source.
You can't install Mod_Security if you don't have the libxml2 and httpd-devel libraries.
Also, you need to enable mod_unique_id in the Apache modules, but don't worry, I will explain how to do it.

Steps:

Log in over SSH and type:

yum install libxml2 libxml2-devel httpd-devel
libxml2, libxml2-devel and httpd-devel should now be installed.

Then you need to edit the httpd.conf file, which you can find here:
/etc/httpd/conf/httpd.conf

Do:

cd /root/downloads
wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
tar zxf modsecurity-apache_2.5.6.tar.gz
cd modsecurity-apache_2.5.6
cd apache2

You need to add this line to your httpd.conf file:
LoadModule unique_id_module modules/mod_unique_id.so

Now download the latest version of mod_security for Apache 2 from http://www.modsecurity.org (the commands above fetch release 2.5.6; check the site for a newer one).

Log in over SSH and, from the apache2 directory you changed into above, type:

./configure
make
make install

# vi /etc/httpd/conf/httpd.conf

LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include /etc/httpd/conf/modsecurity.conf

On a 64-bit system the library lives under /usr/lib64 instead, so adjust the LoadFile path to /usr/lib64/libxml2.so (check with ls /usr/lib64/libxml2.so).

Go to the end of httpd.conf and place an Include for our config/rules file:
Include /etc/httpd/conf/modsecurity.conf

Content of /etc/httpd/conf/modsecurity.conf:

Note that this file is written in the ModSecurity 1.x rule language (SecFilter, SecFilterSelective) and is wrapped in <IfModule mod_security.c>. ModSecurity 2.x, the version compiled above, registers as mod_security2.c and only understands SecRule directives, so with mod_security2 loaded Apache silently skips this whole block and none of these rules are applied (without the IfModule guard, httpd would refuse to start with "Invalid command 'SecFilterEngine'"). To actually get protection from 2.5.6 the rules have to be rewritten in SecRule syntax; verify the result with httpd -t before restarting.

<IfModule mod_security.c>
    # Only inspect dynamic requests
    # (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
    SecFilterEngine DynamicOnly

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255

    # Server masking is optional
    # SecServerSignature "Microsoft-IIS/5.0"

    SecUploadDir /tmp
    SecUploadKeepFiles Off

    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug_log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^GET$" chain
    SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    # (and you don't need it anyway)
    SecFilterSelective HTTP_Transfer-Encoding "!^$"

# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS id command attempt
SecFilter "\;id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass

# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"

# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass

# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"

# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"

# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"

# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"

# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"

# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"

# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass

# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass

# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"

# WEB-MISC http directory traversal
SecFilter "\.\.\\"

# WEB-MISC http directory traversal
SecFilter "\.\./"

# WEB-MISC ls%20-l
SecFilter "ls\x20-l"

# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"

# WEB-MISC .htaccess access
SecFilter "\.htaccess"

# WEB-MISC cd..
SecFilter "cd\.\."

# WEB-MISC /.... access
SecFilter "/\.\.\.\."

# WEB-MISC cat%20 access
SecFilter "cat\x20"

# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"

# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass

# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass

# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"

# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"

# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass

# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["

# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="

# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="

# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"

# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"

# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass

# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass

# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass

# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass

# WEB-PHP phpBB viewtopic.php
SecFilterSelective THE_REQUEST "viewtopic.php" chain
SecFilterSelective THE_REQUEST|ARG_VALUES "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log

# EXTRAS

SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

</IfModule>

Now restart httpd: type "service httpd restart" over SSH (run httpd -t first to check the configuration for syntax errors).

source : http://packetstormsecurity.org/papers/general/server_security.txt

This entry was posted on Monday, November 24th, 2008 at 1:14 am and is filed under Security, Open Source.
