▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ██
█▌ - MOD_SECURITY - FIREWALL FOR APACHE - █▌
█▌ █▌
█ ▐▌
█ This tutorial is for installing mod_security-2.5.9-win32.zip on Windows XP ▐▌
█ SP3 / Apache v2.2.11, for which I'm using `xampp v1.7.1 standalone/portable' ▐▌
█ (Apache/2.2.11 (Win32) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.9). ▐▌
█ Mod_Security's site is HERE. Check for latest versions HERE. Big thanks ▐▌
█ for the Windows installation steps go to glsmith at apachelounge.com, as ▐▌
█ the docs can be very confusing. ▐▌
█ ▐▌
█ LINUX: ▐▌
█ For Linux download mod_security HERE. I haven't installed this yet so ▐▌
█ not ready to guide you. But when I do I'll follow the enclosed docs and ▐▌
█ have a look HERE & HERE, and then continue with the settings (5.) I have ▐▌
█ listed below under Windows. ▐▌
█ ▐▌
█ WINDOWS: ▐▌
█ 1. Install if you haven't already: ▐▌
█ Microsoft Visual C++ Redistributable Package ▐▌
█ ▐▌
█ 2. Download mod_security, unzip, copy the module 'mod_security2.so' to: ▐▌
█ \xampp\apache\modules\mod_security2\ (create this new directory) ▐▌
█ ▐▌
█ 3. libxml2.dll: ▐▌
█ Back up your existing \xampp\apache\bin\libxml2.dll to somewhere safe ▐▌
█ just in case. ▐▌
█ Then copy the libxml2.dll that is included in the zip to: ▐▌
█ \xampp\apache\bin ▐▌
█ ▐▌
█ 4. Rename `modsecurity.conf-minimal' (included in zip) to: ▐▌
█ modsecurity.conf ▐▌
█ then copy that to: \xampp\apache\conf\ ▐▌
█ ▐▌
█ 5. Edit in a text editor like notepad: modsecurity.conf ▐▌
█ a. Thanks to tmc for pointing out: SecRuleEngine DetectionOnly ▐▌
█ Change to: SecRuleEngine On ▐▌
█ And below it add: SecDefaultAction "deny,phase:2,status:403" ▐▌
█ Or you will have the problem I list below under '9.' ▐▌
█ b. Below the line: SecResponseBodyLimit 524288 ▐▌
█ add the line: ▐▌
█ SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access'"
█ ▐▌
█ save and exit. ▐▌
█ ▐▌
█ 6. Edit in a text editor like notepad: httpd.conf ▐▌
█ a. Enable the module unique_id by uncommenting (remove the '#' that ▐▌
█ precedes it) this line: ▐▌
█ LoadModule unique_id_module modules/mod_unique_id.so ▐▌
█ b. Add this line at the bottom of Load Modules section: ▐▌
█ LoadModule security2_module modules/mod_security2/mod_security2.so ▐▌
█ c. Add this line at the bottom of Include conf/.. section : ▐▌
█ Include conf/modsecurity.conf ▐▌
█ ▐▌
█ save and exit. ▐▌
█ ▐▌
█ 7. Restart Apache. ▐▌
█ ▐▌
█ 8. Search the error log (\xampp\apache\logs\error.log), you should see a ▐▌
█ line like: ▐▌
█ [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) ▐▌
█ configured. ▐▌
█ ▐▌
█ 9. Now try opening your site with this URL (replace localhost with your ▐▌
█ domain): http://localhost/?abc=../../ ▐▌
█ You should get a 403 Access Forbidden. If you don't have this error, ▐▌
█ and it opens fine then view '5.' above. Error logs will state: ▐▌
█ [error] [client 192.168.1.2] ModSecurity: Warning. Pattern match ▐▌
█ "\\.\\./" at ARGS:abc. [file "D:/xampp/apache/conf/modsecurity.conf"] ▐▌
█ [line "33"] [id "99999"] [msg "Drive Access"] [severity "WARNING"] ▐▌
█ [hostname "my.host.name.com"] [uri "/"] [unique_id "SiCQz8Cfgdfg"] ▐▌
█ ▐▌
█ 10. To add the other rules included in the zip: Rename 'rules' directory ▐▌
█ (from zip) to 'core', copy it including contents to: ▐▌
█ /xampp/apache/conf/core ▐▌
█ ▐▌
█ 11. Edit: httpd.conf (\xampp\apache\conf\httpd.conf) ▐▌
█ a. Add this line at the bottom of Include conf/.. section : ▐▌
█ Include conf/core/*.conf ▐▌
█ ▐▌
█ save and exit. ▐▌
█ ▐▌
█ 12. Restart Apache. Done! For more info beyond this read included docs, ▐▌
█ the .conf files and go to their forums. ▐▌
█ ▐▌
█ TROUBLESHOOTING ERRORS: ▐▌
█ ``````````````````````` ▐▌
█ 1. If you allow users to upload files and now they can't after installing ▐▌
█ the firewall, this is how I fixed it: ▐▌
█ Create a directory named: tmp in the root of your drive where xampp is ▐▌
█ installed. For me this is: D:\tmp\ ▐▌
█ Restart Apache. ▐▌
█ Uploads were once again allowed (and no, the uploads won't go in there). ▐▌
█ ▐▌
█ 2. If you want to allow users to upload files larger than 131,072 bytes ▐▌
█ Edit modsecurity.conf ▐▌
█ Has this: ▐▌
█ SecRequestBodyLimit 131072 ▐▌
█ Change to (6MB), or whatever size you want to allow: ▐▌
█ SecRequestBodyLimit 6000000 ▐▌
█ ▐▌
█ Error for this is: "Message: Request body (Content-Length) is larger than ▐▌
█ the configured limit (131072)." ▐▌
█ ▐▌
█ 3. If you have large web pages (anything over 524,288 bytes) and your users ▐▌
█ can't load them now, you'll see in error.log something like: ModSecurity: ▐▌
█ Output filter: Content-Length (850886) over the limit (524288). [hostname ▐▌
█ "yoursite.com"] [uri "/mewbie/test.html"] [unique_id ▐▌
█ "Sj8738CoAQIAACCgDNEAAAD5"] ▐▌
█ To be able to load larger web pages you need to edit this file: ▐▌
█ D:\xampp\apache\conf\core\modsecurity_crs_10_config.conf ▐▌
█ Line (76): SecResponseBodyLimit 524288 ▐▌
█ Has: 524288 ▐▌
█ I changed to: 1124288 ▐▌
█ which will now allow my site to load webpages as large as 1,124,288 bytes ▐▌
█ ▐▌
█ 4. ON ERROR.LOG: (only when restarting apache, not using it) ▐▌
█ [error] SecServerSignature: original signature too short. Please set ▐▌
█ ServerTokens to Full. ▐▌
█ I have this error because, as an earlier security measure, I had set ▐▌
█ ServerTokens to Prod. So to stop this error: ▐▌
█ A. Get into the core file #10 and comment out the SecServerSignature line ▐▌
█ B. In httpd.conf ... uncomment the Include conf/extra/httpd-default.conf ▐▌
█ ▐▌
█ 5. PHP script. If you have a PHP script that needs to get and send out ▐▌
█ data from a user's port, such as the Ident Check script, you most ▐▌
█ likely won't be able to load it and will have errors here ▐▌
█ \xampp\apache\logs\error.log like this: ▐▌
█ [Wed Dec 02 18:01:41 2009] [error] [client 192.168.1.2] ModSecurity: ▐▌
█ Access denied with code 500 (phase 4). Pattern match "<b>Warning<\\/b>. ▐▌
█ {0,100}?:.{0,1000}?\\bon line\\b" at RESPONSE_BODY. [file "D:/xampp/apache ▐▌
█ /conf/core/modsecurity_crs_50_outbound.conf"] [line "42"] [id "970009"] ▐▌
█ [msg "PHP Information Leakage"] [severity "WARNING"] [tag "LEAKAGE/ ▐▌
█ ERRORS"] [hostname "yourhost.com"] [uri "/xampp/ident_check.php"] ▐▌
█ [unique_id "SxY658CoAQIAAA5YT6UAAADx"] ▐▌
█ ▐▌
█ To fix this, open up modsecurity_crs_50_outbound.conf that is located here ▐▌
█ \xampp\apache\conf\core\optional_rules\ and comment out the rules under ▐▌
█ # PHP Information Leakage. ▐▌
█ It has this: ▐▌
█ # PHP Information Leakage ▐▌
█ SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
█ "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'4'"
█ ▐▌
█ Change it to: ▐▌
█ # PHP Information Leakage
█ #SecRule RESPONSE_BODY "<b>Warning<\/b>.{0,100}?:.{0,1000}?\bon line\b" \
█ # "phase:4,t:none,ctl:auditLogParts=+E,deny,log,auditlog,status:500,msg:'PHP Information Leakage',id:'970009',tag:'LEAKAGE/ERRORS',severity:'4'"
█ ▐▌
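
A triage script for the error.log entries quoted in steps 8 and 9 and in troubleshooting items 3 and 5, added here as an example and not part of the original tutorial. It reports whether the module loaded and whether each ModSecurity entry is a rule that blocked, a rule that only logged, or a body size limit. The function names are hypothetical; the sample lines are the ones quoted on this page.

```python
import re

# ModSecurity 2.x appends metadata to error.log entries as [name "value"].
FIELD_RE = re.compile(r'\[(file|line|id|msg|severity|uri) "((?:[^"\\]|\\.)*)"\]')
DENIED_RE = re.compile(r"ModSecurity: Access denied with code (\d+)")
LIMIT_RE = re.compile(r"(?:over the|larger than the configured) limit \((\d+)\)")
LOADED_RE = re.compile(r"\[notice\] ModSecurity for Apache/\S+ .*configured")


def parse_entry(line):
    """Classify one error.log line; None if it is not a ModSecurity event."""
    if "ModSecurity: " not in line:
        return None
    entry = dict(FIELD_RE.findall(line))
    denied, limit = DENIED_RE.search(line), LIMIT_RE.search(line)
    if limit:      # a body size limit was hit; no rule id is involved
        entry.update(kind="limit", limit=int(limit.group(1)))
    elif denied:   # a rule matched and the request or response was refused
        entry.update(kind="blocked", status=int(denied.group(1)))
    elif "ModSecurity: Warning." in line:   # a rule matched but nothing was refused
        entry["kind"] = "detected_only"
    else:
        return None
    return entry


def triage(log_text):
    """Say whether the module loaded and classify every ModSecurity entry."""
    lines = log_text.splitlines()
    return {
        "module_loaded": any(LOADED_RE.search(l) for l in lines),
        "entries": [e for e in map(parse_entry, lines) if e],
    }

# Sample input: entries quoted in this tutorial, re-joined onto one line and trimmed.
SAMPLE_LOG = "\n".join([
    r'[notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.',
    r'[error] [client 192.168.1.2] ModSecurity: Warning. Pattern match "\\.\\./" at ARGS:abc. '
    r'[file "D:/xampp/apache/conf/modsecurity.conf"] [line "33"] [id "99999"] '
    r'[msg "Drive Access"] [severity "WARNING"] [uri "/"]',
    r'ModSecurity: Output filter: Content-Length (850886) over the limit (524288). [uri "/mewbie/test.html"]',
    r'[error] [client 192.168.1.2] ModSecurity: Access denied with code 500 (phase 4). '
    r'[file "D:/xampp/apache/conf/core/modsecurity_crs_50_outbound.conf"] [line "42"] '
    r'[id "970009"] [msg "PHP Information Leakage"] [uri "/xampp/ident_check.php"]',
])

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)["entries"]:
        print(e["kind"], e.get("id", "-"), e.get("msg", "-"), e.get("uri"))
```

A "detected_only" entry for the test URL in step 9 means the rule matched but the request was not refused, which is the case step 5a addresses.
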
█ //---------------------------------------------------------------------- ▐▌
█ ▐▌
█ If you find mistakes, have suggestions, and/or questions please post at ▐▌
█ mewbies forum HERE - thank you. ▐▌
█ ▐▌
█ Last update on 18 Jun '13 ▐▌
█ ▐▌
█▌ █▌
█▌ - mewbies.com - █▌
█▌ █▌
██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██