Apache Server security ( mod-security)

[Aerosol]

ModSecurity

ModSecurity is an Open Source Web Application project (Apache module) that aims to secure web applications running on webservers and block penetration or hacking attempts investigating in the body of http requests. It provides intrusion detection and prevention for web applications and aims at shielding web applications from attacks like SQL injections, cross-site scripting and path traversal attacks ...

About Apache modules

The Apache WebServer is a modular application where the user can choose the functionality to include in the server by selecting desired modules. Modules can be either statically compiled into the httpd binary when the server is built or compiled as Dynamic Shared Objects (DSOs) separately from the main httpd binary file. DSO modules may be compiled at the time the server is built, or they may be compiled and added at a later time using the Apache Extension Tool (apxs). After a module is compiled into a DSO, it will have an extension like mod.so.

Installing mod-security

Mod-security can be installed with apt-get manager on Debian, or on Fedora system Yum can be used. First, we'll update apt-get source database:

LinuxBox# apt-get update

 Ign http://ftp.de.debian.org lenny Release.gpg
 Ign http://ftp.de.debian.org/debian/ lenny/main Translation-en
 Hit http://security.debian.org squeeze/updates Release.gpg
 Ign http://security.debian.org/ squeeze/updates/contrib Translation-en
 Ign http://security.debian.org/ squeeze/updates/contrib Translation-en_US
 Ign http://ftp.de.debian.org/debian/ lenny/main Translation-en_US
 Hit http://ftp.de.debian.org squeeze Release.gpg
 Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en
 Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en_US
 Ign http://ftp.de.debian.org lenny Release
 Ign http://security.debian.org/ squeeze/updates/main Translation-en
 Ign http://security.debian.org/ squeeze/updates/main Translation-en_US
 Hit http://security.debian.org squeeze/updates Release
 Hit http://ftp.de.debian.org squeeze Release
 ...
 ..
 .

After updating source list, we can install mod-security:

LinuxBox# apt-get install libapache-mod-security

 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 The following extra packages will be installed:
   liblua5.1-0 mod-security-common
 The following NEW packages will be installed:
   libapache-mod-security liblua5.1-0 mod-security-common
 0 upgraded, 3 newly installed, 0 to remove and 73 not upgraded.
 Need to get 1,158 kB of archives.
 After this operation, 3,490 kB of additional disk space will be used.
 Do you want to continue [Y/n]?
 ...
 ..
 .
 Setting up libapache-mod-security (2.5.12-1) ...
 Reloading web server config: apache2.

In /etc/apache2/mods-available/ we can find available apache modules and mod-security:

LinuxBox# ls /etc/apache2/mods-available/ | grep mod 
 mod-security.load
 LinuxBox#

(In /etc/apache2/mods-enbled are located symlinks on modules which are enabled)

Enabling or disabling Apache modules

Once apache module is installed we can enable it with a2dismod, or disable it with a2dismod command, after which we have to restart the Apache server with "/etc/init.d/apache2 restart" command:

LinuxBox# a2dismod mod-security && /etc/init.d/apache2 restart
 Module mod-security disabled.
 Run '/etc/init.d/apache2 restart' to activate new configuration!
 Restarting web server: apache2 ... waiting .

 LinuxBox# a2enmod mod-security && /etc/init.d/apache2 restart
 Enabling module mod-security.
 Run '/etc/init.d/apache2 restart' to activate new configuration!
 Restarting web server: apache2 ... waiting .

Check loaded modules

To check and see loaded modules, modules which are enabled, apachectl -M can be used:

LinuxBox# apachectl -M

Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 security2_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 python_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
 unique_id_module (shared)
Syntax OK

 LinuxBox#

Source

[wildchild]

Since we're talking about Apache security, tell me how can you use this module to protect against Slow Loris.

[Aerosol]

to be honest I'm not good when it comes to servers so I can't tell, I posted

for those who are interested.

[wildchild]

Oh well, I was trying to engage you in a technical debate regarding this subject and see if others would participate given the fact that Apache has a great percentage of being used as a webserver nowadays. This topic would have been indexed and proved useful amongst sysadmins and security professionals.

[PingLord]

As far as i remember slowloris is doing half http session . I have not used Mod_security for some time but i think nginx could help with this with limit req conn directive ( i think aelius knows better how the directive is called ).

[Guest]

Since we're talking about Apache security, tell me how can you use this module to protect against Slow Loris.

Well, modsec will not protect you from all kind of slowloris, I'd recommend using libapache2-mod-antiloris (deb) or mod_qos or even some IPTables / Netfilter rules.

PS: If you really need to filter the malware traffic via apache's modsec, you may use COMODO's Free ModSecurity Rules, it does the job for a large pattern of attacks/intrusions: https://waf.comodo.com/

[wildchild]

That's correct, modsec can only partially used for this kind of attack.

Using nginx as a reverse proxy is a way of dealing with it because its design is not flawed by the Maximum Clients model. nginx uses worker threads so basically there's no limit to the number of connections that it can handle.

Tweaking sysctl.conf properly can also contribute to the matter.

[Guest]

That's correct, modsec can only partially used for this kind of attack.

Using nginx as a reverse proxy is a way of dealing with it because its design is not flawed by the Maximum Clients model. nginx uses worker threads so basically there's no limit to the number of connections that it can handle.

Tweaking sysctl.conf properly can also contribute to the matter.

Well ... yes and no.

It's way more efficient to secure apache than turning it into a backend webserver using nginx as a reverse proxy because if you do that, then you basically have two webservers running and serving the same amount of connections and traffic ... so, in most cases the resource consumption will be a little bit higher than using apache as a standalone webserver (and the only one).

But if you hate apache, I'd recommend using ONLY nginx as a standalone webserver, replacing apache.

[wildchild]

You'd be amazed how well they can work if you configure them properly, especially with all kinds of plugins like magento. nginx is also better for caching static files rather than using some apache mods. It's up to anyone, I personally never leave apache without a haproxy/varnish/nginx in front of it. You can always make a proxy_pass.

Sincerely, an nginx user.

PS: my clients usually use dedicated hardware in production and there's no bottleneck. Maybe on smaller machines I'd use only apache, however a regular FreeBSD uses very few resources so an nginx in almost unnoticed.

Edited December 9, 2014 by wildchild