▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ██
█▌ - MOD_SECURITY - FIREWALL FOR APACHE - █▌
█▌ █▌
█ ▐▌
█ This tutorial covers installing mod_security-2.5.9-win32.zip on Windows XP ▐▌
█ SP3 / Apache 2.2.11; I'm using `xampp v1.7.1 standalone/portable' ▐▌
█ (Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9). ▐▌
█ Mod_Security's site is HERE. Check for latest versions HERE. Big thanks ▐▌
█ for the Windows installation go to glsmith at apachelounge.com, as the docs ▐▌
█ can be very confusing. ▐▌
█ ▐▌
█ LINUX: ▐▌
█ For Linux, download mod_security HERE. I haven't installed this yet, so I'm ▐▌
█ not ready to guide you. But when I do, I'll follow the enclosed docs, have a ▐▌
█ look HERE & HERE, and then continue with the settings (step 5) I have ▐▌
█ listed below under Windows. ▐▌
█ ▐▌
█ WINDOWS: ▐▌
█ 1. Install if you haven't already: ▐▌
█ Microsoft Visual C++ 2008 Redistributable Package (x86) ▐▌
█ & if you like: Microsoft Visual C++ 2008 SP1 Redistributable Package (x86) ▐▌
█ ▐▌
█ 2. Download mod_security, unzip it, and copy the module 'mod_security2.so' to: ▐▌
█ \xampp\apache\modules\mod_security2\ (create this new directory) ▐▌
█ ▐▌
█ 3. libxml2.dll: ▐▌
█ Back up your existing \xampp\apache\bin\libxml2.dll somewhere safe, ▐▌
█ just in case. ▐▌
█ Then copy the libxml2.dll that is included in the zip to: ▐▌
█ \xampp\apache\bin ▐▌
█ ▐▌
█ 4. Rename `modsecurity.conf-minimal' (included in zip) to: ▐▌
█ modsecurity.conf ▐▌
█ then copy that to: \xampp\apache\conf\ ▐▌
█ ▐▌
█ 5. Edit in notepad: modsecurity.conf ▐▌
█ Below the line: SecResponseBodyLimit 524288 ▐▌
█ add the line: ▐▌
█ SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'" ▐▌
█ ▐▌
█ save and exit. ▐▌
█ ▐▌
█ 6. Edit in notepad: httpd.conf ▐▌
█ a. Enable the unique_id module by uncommenting (remove the '#' that ▐▌
█ precedes it) this line: ▐▌
█ LoadModule unique_id_module modules/mod_unique_id.so ▐▌
█ b. Add this line at the bottom of Load Modules section: ▐▌
█ LoadModule security2_module modules/mod_security2/mod_security2.so ▐▌
█ c. Add this line at the bottom of Include conf/.. section : ▐▌
█ Include conf/modsecurity.conf ▐▌
█ ▐▌
█ save and exit. ▐▌
█ ▐▌
█ 7. Restart Apache. ▐▌
█ ▐▌
█ 8. Look in the error log (\xampp\apache\logs\error.log); you should see a ▐▌
█ line like: ▐▌
█ [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) ▐▌
█ configured. ▐▌
█ ▐▌
█ 9. Now try opening your site with this URL (replace localhost with your ▐▌
█ domain): http://localhost/?abc=../../ ▐▌
█ You should get a 403 Access Forbidden. *I don't get this error; it opens ▐▌
█ fine for me. But in the error log it states: ▐▌
█ [error] [client 192.168.1.2] ModSecurity: Warning. Pattern match "\\.\\./" at ARGS:abc. [file "D:/xampp/apache/conf/modsecurity.conf"] [line "33"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] [hostname "my.host.name.com"] [uri "/"] [unique_id "SiCQz8CoAQIAAAdjfldfj"] ▐▌
█ ▐▌
█ Which I'm told means mod_security is loaded and working. Though I'm ▐▌
█ confused as to why the rule was added, yet the website can still open with ▐▌
█ that strange URL. Though I do see in the rule it states to 'msg', not ▐▌
█ deny..? Never mind, moving on. ▐▌
█ ▐▌
█ 10. To add the other rules included in the zip: rename the 'rules' directory ▐▌
█ (from the zip) to 'core' and copy it, including contents, to: ▐▌
█ /xampp/apache/conf/core ▐▌
█ ▐▌
█ 11. Edit in notepad: httpd.conf (\xampp\apache\conf\httpd.conf) ▐▌
█ a. Add this line at the bottom of Include conf/.. section : ▐▌
█ Include conf/core/*.conf ▐▌
█ ▐▌
█ save and exit. ▐▌
█ ▐▌
█ 12. Restart Apache. Done! For more info beyond this, read the included docs ▐▌
█ and the .conf files, and go to their forums. ▐▌
█ ▐▌
█ TROUBLESHOOTING ERRORS: ▐▌
█ ```````````````````````` ▐▌
█ 1. If you allow users to upload files and now they can't after installing ▐▌
█ the firewall, this is how I fixed it: ▐▌
█ Create a directory named: tmp in the root of your drive where xampp is ▐▌
█ installed. For me this is: D:\tmp\ ▐▌
█ Restart Apache. ▐▌
█ Uploads were once again allowed (and no, the uploads won't go in there). ▐▌
█ ▐▌
█ 2. If you want to allow users to upload files larger than 131,072 bytes, ▐▌
█ edit modsecurity.conf. ▐▌
█ It has this: ▐▌
█ SecRequestBodyLimit 131072 ▐▌
█ Change it to (6MB), or whatever size you want to allow: ▐▌
█ SecRequestBodyLimit 6000000 ▐▌
█ ▐▌
█ Error for this is: "Message: Request body (Content-Length) is larger than ▐▌
█ the configured limit (131072)." ▐▌
█ ▐▌
█ 3. If you have large web pages (anything over 524,288 bytes) and your users ▐▌
█ can't load them now, you'll see in error.log something like: ▐▌
█ ModSecurity: Output filter: Content-Length (850886) over the limit (524288). [hostname "yoursite.com"] [uri "/mewbie/test.html"] [unique_id "Sj8738CoAQIAACCgDNEAAAD5"] ▐▌
█ To be able to load larger web pages you need to edit this file: ▐▌
█ D:\xampp\apache\conf\core\modsecurity_crs_10_config.conf ▐▌
█ Line (76): SecResponseBodyLimit 524288 ▐▌
█ Has: 524288 ▐▌
█ I changed it to: 1124288 ▐▌
█ which will now allow my site to load web pages as large as 1,124,288 bytes. ▐▌
█ ▐▌
█ 4. IN ERROR.LOG (only when restarting Apache, not when using it): ▐▌
█ [error] SecServerSignature: original signature too short. Please set ▐▌
█ ServerTokens to Full. ▐▌
█ I have this error because, as an earlier security measure, I had set ▐▌
█ ServerTokens to Prod. So to stop this error: ▐▌
█ A. Get into core file #10 (modsecurity_crs_10_config.conf) and comment out ▐▌
█ the SecServerSignature line ▐▌
█ B. In httpd.conf ... uncomment the Include conf/extra/httpd-default.conf ▐▌
█ ▐▌
█ 5. PHP scripts. If you have a PHP script that needs to get and send out ▐▌
█ data from a user's port, such as the Ident Check script, you most likely ▐▌
█ won't be able to load it, and you'll have errors in ▐▌
█ \xampp\apache\logs\error.log like this: ▐▌
█ [Wed Dec 02 18:01:41 2009] [error] [client 192.168.1.2] ModSecurity: Access denied with code 500 (phase 4). Pattern match "<b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon line\\b" at RESPONSE_BODY. [file "D:/xampp/apache/conf/core/modsecurity_crs_50_outbound.conf"] [line "42"] [id "970009"] [msg "PHP Information Leakage"] [severity "WARNING"] [tag "LEAKAGE/ERRORS"] [hostname "yourhost.com"] [uri "/xampp/ident_check.php"] [unique_id "SxY658CoAQIAAA5YT6UAAADx"] ▐▌
█ ▐▌
█ To fix this, open modsecurity_crs_50_outbound.conf, located in ▐▌
█ \xampp\apache\conf\core\optional_rules\, and comment out the rules under ▐▌
█ # PHP Information Leakage. ▐▌
█ It has this: ▐▌
█ # PHP Information Leakage
█ SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
█         "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'4'"
█ ▐▌
█ Change it to: ▐▌
█ # PHP Information Leakage
█ #SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
█ #        "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'4'"
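█ Added example (not part of this tutorial): a small Python script that reads the two kinds of error.log entries shown in step 9 and in troubleshooting item 5, tells a logged-only "Warning." match apart from an "Access denied" block, and checks whether a SecRule line carries a blocking action. The sample log lines are constructed from the entries quoted above; the step-5 rule with deny,status:403 added is my variant, not the tutorial's. ▐▌

```python
import re

# Constructed sample lines, modelled on the two error.log entries quoted in this
# tutorial: the rule-99999 match from step 9 and the rule-970009 denial from #5.
SAMPLE_LOG = [
    r'[error] [client 192.168.1.2] ModSecurity: Warning. Pattern match "\\.\\./" at ARGS:abc. '
    r'[file "D:/xampp/apache/conf/modsecurity.conf"] [line "33"] [id "99999"] [msg "Drive Access"] '
    r'[severity "WARNING"] [hostname "my.host.name.com"] [uri "/"] [unique_id "SiCQz8CoAQIAAAdjfldfj"]',
    r'[error] [client 192.168.1.2] ModSecurity: Access denied with code 500 (phase 4). '
    r'Pattern match "<b>Warning<\\/b>.{0,100}?:.{0,1000}?\\bon line\\b" at RESPONSE_BODY. '
    r'[file "D:/xampp/apache/conf/core/modsecurity_crs_50_outbound.conf"] [line "42"] [id "970009"] '
    r'[msg "PHP Information Leakage"] [severity "WARNING"] [tag "LEAKAGE/ERRORS"] '
    r'[hostname "yourhost.com"] [uri "/xampp/ident_check.php"] [unique_id "SxY658CoAQIAAA5YT6UAAADx"]',
]

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # the [key "value"] pairs at the end of an alert
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied with code (\d+))')

def parse_alert(line):
    """Return the alert's fields plus whether ModSecurity actually stopped the request."""
    # "Warning." = rule matched but its action was pass; "Access denied with code N" = blocked.
    m = ACTION_RE.search(line)
    if not m:
        return None  # not a ModSecurity alert line
    alert = dict(FIELD_RE.findall(line))
    alert["blocked"] = m.group(1) != "Warning"
    alert["status"] = int(m.group(2)) if m.group(2) else None
    return alert

# Disruptive actions in ModSecurity 2.x. A rule that names none of them inherits
# SecDefaultAction, which is a non-blocking pass unless the config says otherwise.
BLOCKING_ACTIONS = {"deny", "drop", "redirect", "block", "proxy"}

def rule_blocks(secrule):
    """True if a one-line SecRule carries an action that stops the request."""
    actions = secrule.rsplit('"', 2)[-2]  # the last quoted string is the action list
    actions = re.sub(r"'[^']*'", "''", actions)  # blank quoted values so msg:'a,b' cannot split
    names = {a.split(":", 1)[0].strip() for a in actions.split(",")}
    return bool(names & BLOCKING_ACTIONS)

# The step-5 rule as written (logs only) and my variant of it with a deny action added.
PAGE_RULE = r'''SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"'''
FIXED_RULE = r'''SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,deny,status:403,msg:'Drive Access'"'''

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        a = parse_alert(line)
        print(a["id"], a["msg"], "BLOCKED" if a["blocked"] else "logged only", a["uri"])
    print("step-5 rule blocks:", rule_blocks(PAGE_RULE), "| with deny,status:403:", rule_blocks(FIXED_RULE))
```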
█ ▐▌
█ //---------------------------------------------------------------------- ▐▌
█ ▐▌
█ If you find mistakes, have suggestions, and/or questions, please post at ▐▌
█ mewbies forum HERE - thank you. ▐▌
█ ▐▌
█ Last update on 07 Oct '09 ▐▌
█ ▐▌
█▌ █▌
█▌ - mewbies.com - █▌
█▌ █▌
██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██