Ubuntu - ModSecurity - Setting Up Rules
To make your life easier, a large set of ready-made rules is installed alongside mod_security by the modsecurity-crs package. These are the OWASP ModSecurity Core Rule Set (CRS) and they live in the directory listed by:
ls -l /usr/share/modsecurity-crs/
returns:
total 40
drwxr-xr-x 2 root root  4096 Oct 20 09:45 activated_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 base_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 experimental_rules
drwxr-xr-x 2 root root  4096 Oct 20 09:45 lua
-rw-r--r-- 1 root root 13544 Jul  2  2012 modsecurity_crs_10_setup.conf
drwxr-xr-x 2 root root  4096 Oct 20 09:45 optional_rules
drwxr-xr-x 3 root root  4096 Oct 20 09:45 util
The package documentation (README, Debian notes and examples) is under:
ls -l /usr/share/doc/modsecurity-crs/
returns:
total 40
-rw-r--r-- 1 root root   469 Jul  2  2012 changelog.Debian.gz
-rw-r--r-- 1 root root 12387 Jun 18  2012 changelog.gz
-rw-r--r-- 1 root root  1297 Jul  2  2012 copyright
drwxr-xr-x 3 root root  4096 Oct 20 09:45 examples
-rw-r--r-- 1 root root  1138 Mar 16  2012 README.Debian
-rw-r--r-- 1 root root  6495 Mar 16  2012 README.gz
To load these rules, Apache has to be told to read these directories. Edit the modsecurity.conf file (entries in mods-enabled are normally symlinks into mods-available, so the edit lands in the real file):
vi /etc/apache2/mods-enabled/modsecurity.conf
Add the following directives inside <IfModule security2_module> ... </IfModule>, in this order. The first Include picks up modsecurity_crs_10_setup.conf, which defines the defaults (SecDefaultAction, anomaly-score thresholds, per-site variables) that every rule file relies on, so it must be read before the activated rules:
- /etc/apache2/mods-enabled/modsecurity.conf
Include "/usr/share/modsecurity-crs/*.conf"
Include "/usr/share/modsecurity-crs/activated_rules/*.conf"
The activated_rules directory plays the same role as Apache's mods-enabled directory: only the rule files linked into it get loaded. The rule files themselves live in:
/usr/share/modsecurity-crs/base_rules
/usr/share/modsecurity-crs/optional_rules
/usr/share/modsecurity-crs/experimental_rules
A rule file is activated by creating a symlink to it inside activated_rules. Keep the original file name: Apache processes a wildcard Include in alphabetical order, and the numeric prefix (10_, 20_, 41_, ...) is what keeps the CRS files loading in their intended order. Let us activate the SQL injection rules.
cd /usr/share/modsecurity-crs/activated_rules/
ln -s /usr/share/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf .
Apache has to be reloaded for the rules to take effect. Run the configuration check first, so that a typo in a rule file is caught before the reload rather than by the running server.
apache2ctl configtest
service apache2 reload
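As an added example (my own code, not part of the original page or of the CRS project), here are the activation steps above wrapped in POSIX shell functions. It assumes only the directory layout shown earlier; the function names are mine, and CRS_ROOT can be pointed at a scratch copy of the tree to try the helpers without touching /usr/share/modsecurity-crs.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for managing the
# activated_rules directory of the Debian/Ubuntu modsecurity-crs package.
# CRS_ROOT defaults to the package path; override it to test on a scratch copy.
CRS_ROOT="${CRS_ROOT:-/usr/share/modsecurity-crs}"

# crs_activate RULE_FILE
#   RULE_FILE is relative to CRS_ROOT, e.g.
#   base_rules/modsecurity_crs_41_sql_injection_attacks.conf
#   The symlink keeps the original file name on purpose: a wildcard Include
#   is processed in alphabetical order, and the numeric prefix (10_, 20_,
#   41_, ...) is what keeps the rule files loading in the intended order.
crs_activate() {
    crs_src="$CRS_ROOT/$1"
    crs_dst="$CRS_ROOT/activated_rules/$(basename "$1")"
    if [ ! -f "$crs_src" ]; then
        echo "crs_activate: no such rule file: $crs_src" >&2
        return 1
    fi
    if [ -L "$crs_dst" ]; then
        return 0          # already active: nothing to do (idempotent)
    fi
    ln -s "$crs_src" "$crs_dst"
}

# crs_deactivate RULE_NAME
#   Removes the symlink from activated_rules; never touches the real file.
crs_deactivate() {
    crs_dst="$CRS_ROOT/activated_rules/$(basename "$1")"
    if [ -L "$crs_dst" ]; then
        rm "$crs_dst"
    else
        echo "crs_deactivate: $crs_dst is not an active rule symlink" >&2
        return 1
    fi
}

# crs_list_active
#   Prints the active rule files in the order Apache will load them
#   (alphabetical) and flags symlinks whose target has gone missing.
crs_list_active() {
    for crs_f in "$CRS_ROOT"/activated_rules/*.conf; do
        # an unmatched glob stays literal; skip it
        [ -e "$crs_f" ] || [ -L "$crs_f" ] || continue
        if [ -e "$crs_f" ]; then
            basename "$crs_f"
        else
            echo "$(basename "$crs_f") (BROKEN LINK)"
        fi
    done
}

# crs_reload
#   Reload Apache only if the configuration (rule files included) parses.
crs_reload() {
    apache2ctl configtest && service apache2 reload
}
```

Typical use on the server: `. ./crs.sh; crs_activate base_rules/modsecurity_crs_41_sql_injection_attacks.conf; crs_list_active; crs_reload`. The "(BROKEN LINK)" marker is worth checking after a package upgrade, because a dangling symlink in activated_rules is exactly the kind of thing that makes the next reload fail.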
Now open the login page we created earlier and try the SQL injection query in the username field.
If you had changed the SecRuleEngine directive to On, you'll see a 403 Forbidden error. In the default CRS 2.x setup (traditional mode, where SecDefaultAction denies on a match) a single matching rule is enough to block the request; if modsecurity_crs_10_setup.conf has been switched to anomaly-scoring mode, the blocking itself is done by modsecurity_crs_49_inbound_blocking.conf, which then has to be activated as well.
If it was left at DetectionOnly, the injection will succeed, but the attempt is recorded in the audit log (the file set by SecAuditLog in modsecurity.conf, by default /var/log/apache2/modsec_audit.log on Ubuntu) together with the id and msg of the rule that matched.
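As an added example (my own code, not from the page or the CRS project), a few shell helpers that pull the rule hits and the offending request bodies out of a ModSecurity audit log in its default serial format, plus a constructed sample log so the block runs offline. The sample's boundary token, timestamps, addresses, unique-id strings and the rule id/msg/line values are made up for illustration and are not taken from a real CRS deployment; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original page. A serial-format audit log holds
# one transaction per boundary token, split into parts: A (summary), B (request
# headers), C (request body), F (response headers), H (audit trailer), Z (end).
# The "Message:" lines in part H carry the id and msg of every rule that matched.
AUDIT_LOG="${AUDIT_LOG:-/var/log/apache2/modsec_audit.log}"

# modsec_hits [LOGFILE]   prints "<rule id>  <msg>" for every Message line
modsec_hits() {
    sed -n 's/^Message: .*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1  \2/p' "${1:-$AUDIT_LOG}"
}

# modsec_blocked [LOGFILE]   number of transactions ModSecurity intercepted.
#   "Action: Intercepted" only appears when SecRuleEngine is On; in
#   DetectionOnly mode the Message lines are there but no Action line is.
modsec_blocked() {
    grep -c '^Action: Intercepted' "${1:-$AUDIT_LOG}" || true
}

# modsec_bodies [LOGFILE]   prints the request bodies (part C), i.e. the
#   payloads that triggered the rules, one transaction after another
modsec_bodies() {
    awk '/^--[A-Za-z0-9]+-C--$/ { inbody = 1; next }
         /^--[A-Za-z0-9]+-[A-Z]--$/ { inbody = 0 }
         inbody' "${1:-$AUDIT_LOG}"
}

# modsec_write_sample FILE   writes a constructed two-transaction log: the
#   same injection attempt once under DetectionOnly and once under On.
modsec_write_sample() {
    cat > "$1" <<'EOF'
--e4a1b2c3-A--
[20/Oct/2013:09:50:11 +0000] UmOrZn8AAQEAAAxrBfgAAAAA 192.0.2.10 51234 192.0.2.1 80
--e4a1b2c3-B--
POST /login.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

--e4a1b2c3-C--
username=admin%27+OR+%271%27%3D%271&password=x
--e4a1b2c3-F--
HTTP/1.1 200 OK
--e4a1b2c3-H--
Message: Warning. Pattern match "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+)" at ARGS:username. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Engine-Mode: "DETECTION_ONLY"
--e4a1b2c3-Z--

--e4a1b2c3-A--
[20/Oct/2013:10:02:37 +0000] UmOr9H8AAQEAAAxsB1EAAAAB 192.0.2.10 51240 192.0.2.1 80
--e4a1b2c3-B--
POST /login.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

--e4a1b2c3-C--
username=admin%27+OR+%271%27%3D%271&password=x
--e4a1b2c3-F--
HTTP/1.1 403 Forbidden
--e4a1b2c3-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?i:\bor\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+)" at ARGS:username. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"
--e4a1b2c3-Z--
EOF
}

# Demo on the constructed sample (set MODSEC_DEMO=0 to skip when sourcing).
if [ "${MODSEC_DEMO:-1}" = "1" ]; then
    demo=$(mktemp)
    modsec_write_sample "$demo"
    modsec_hits "$demo" | sort | uniq -c
    echo "intercepted transactions: $(modsec_blocked "$demo")"
    modsec_bodies "$demo" | sort -u
    rm -f "$demo"
fi
```

On a real server run `modsec_hits | sort | uniq -c` against the live log to see which rules fire most often, and compare the count against `modsec_blocked`: under DetectionOnly the first number grows while the second stays at zero, which is the quickest way to confirm that the rules are matching before flipping SecRuleEngine to On.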