June 1, 2005

Installing mod_security on OSX 10.4 Tiger
A month ago I added mod_security to this server, and it's been the best thing I've done in some time. In 30 days I've had only 2 spam comments make it through to Movable Type (both luckily got stopped by the second line of defense).

Adding mod_security to the stock Apache on MacOS 10.4 (Tiger) was a breeze. Here are the simple install instructions for anyone who's interested. You'll need (of course) to be running the built-in Apache on your Mac. I don't have the 10.4 Tiger Server but I assume everything is in the same place as the client.

Disclaimer: add this module to your Apache at your own risk. Back up your httpd.conf (located at /etc/httpd/httpd.conf) before you begin. As always, you shouldn't be adding modules to a live or production server. If you're a Mac user and you don't know what httpd.conf is then you probably shouldn't be messing with the command line and Apache.

To begin, fire up the Terminal.app and fetch the latest release version of mod_security (1.8.7 as of 6/1/05):

% curl -O http://www.modsecurity.org/download/modsecurity-1.8.7.tar.gz
% gnutar zxf modsecurity-1.8.7.tar.gz
cd into the extracted directory and build the module for your Apache:
% cd modsecurity-1.8.7
% sudo apxs -cia apache1/mod_security.c
At this point your Apache should be restarted and running with ModSecurity. To add the default rules, you'll need to edit the Apache config:
% sudo pico /etc/httpd/httpd.conf
Add the following directives to the end of httpd.conf:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# Unicode encoding check
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 0 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog /var/log/audit_log
# Debug level set to a minimum
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 0
# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

# Prevent drop table SQL injection
SecFilter "drop[[:space:]]table"

# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
SecFilterEngine DynamicOnly

# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective SCRIPT_FILENAME "export\.php$" chain
SecFilterSelective ARG_what "\.\."
SecFilterSelective "HTTP_Via" "pinappleproxy"
</IfModule>

Save httpd.conf, exit pico and restart Apache:
% sudo apachectl graceful
If all goes well Apache should happily return something along the lines of:
/usr/sbin/apachectl graceful: httpd gracefully restarted
Ta-Da. Your Apache should now be protected from injection attacks and, in my short experience, most spammers. The module config added to httpd.conf is the basic configuration ModSecurity needs to do its job. I've included the PinappleProxy rule, since I find 80% of my spam load comes from it. Not needed, but highly recommended: having your MovableType blacklist parsed by mod_security.
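One check worth running before you restart Apache, added here as an example and not code from mod_security or the original post: it reads a 1.x-style httpd.conf block, reports the last-wins value of each single-valued directive (the block above sets SecFilterEngine and SecFilterDefaultAction twice, so only DynamicOnly and status 403 actually take effect), flags a trailing "chain" with no rule after it, and catches the curly quotes mentioned in the comments. The sample block is a constructed cut-down of the snippet above, and the last-wins behaviour for repeated directives in one scope is assumed from Apache's in-order processing.

```python
import shlex

# Directives that take a single value: repeating one in the same scope
# silently overrides the earlier setting (assumption: last occurrence wins).
SINGLE_VALUED = {"SecFilterEngine", "SecFilterDefaultAction", "SecAuditEngine",
                 "SecAuditLog", "SecFilterDebugLevel", "SecFilterScanPOST"}
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"
# Minimum argument count before the optional action list starts:
# SecFilter <pattern> [actions]; SecFilterSelective <loc> <pattern> [actions]
RULE_ARGS = {"SecFilter": 1, "SecFilterSelective": 2}

def lint_modsec(conf):
    """Return (effective, findings): last-wins values of single-valued
    directives and a list of (line_no, message) worth a second look."""
    effective, first_seen, findings = {}, {}, []
    pending_chain = None  # line of a rule that ended with "chain"
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":  # comments and <IfModule> tags
            continue
        if any(c in line for c in CURLY_QUOTES):
            findings.append((n, "curly quote; Apache treats it as part of the value"))
        try:
            name, *args = shlex.split(line)
        except ValueError as exc:
            findings.append((n, f"unbalanced quotes ({exc})"))
            continue
        if name in SINGLE_VALUED:
            value = " ".join(args)
            if name in first_seen:
                findings.append((n, f"{name} already set on line {first_seen[name]}; "
                                    f"this value ({value}) wins"))
            first_seen.setdefault(name, n)
            effective[name] = value
        if name in RULE_ARGS:
            pending_chain = None  # any rule completes an open chain
            actions = args[RULE_ARGS[name]] if len(args) > RULE_ARGS[name] else ""
            if "chain" in actions.split(","):
                pending_chain = n
    if pending_chain:
        findings.append((pending_chain, "chain with no following rule"))
    return effective, findings

# Constructed sample: the relevant lines of the post's block, with the last
# rule pasted the way a browser sometimes copies it (curly quotes).
SAMPLE = """\
<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
SecFilter "drop[[:space:]]table"
SecFilterEngine DynamicOnly
SecFilterDefaultAction "deny,log,status:403"
SecFilterSelective SCRIPT_FILENAME "export\\.php$" chain
SecFilterSelective ARG_what "\\.\\."
SecFilterSelective "HTTP_Via" \u201cpinappleproxy\u201d
</IfModule>
"""

if __name__ == "__main__":
    effective, findings = lint_modsec(SAMPLE)
    print("effective:", effective)
    for line_no, msg in findings:
        print(f"line {line_no}: {msg}")
```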

3 Comments

Great tutorial, thank you very much! It helped with a Red Hat install I was trying to do. Just for people trying: note that the lines for httpd.conf may copy over as curly quotes, which may cause you trouble.

Doh. Curly quotes fixed. Thanks.

Very easy to install and to configure. The only trouble was/is configuring the chroot... I keep working on it.
