Apache2: Unterschied zwischen den Versionen

Aus crazylinux.de
Zur Navigation springen Zur Suche springen
K (→‎Module: cc)
K (syntaxhighlight)
 
(13 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 3: Zeile 3:
=== conf.d/myconfig  ===
=== conf.d/myconfig  ===


<source lang="apache">
<syntaxhighlight lang="apache">
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
Zeile 11: Zeile 11:


UseCanonicalName Off
UseCanonicalName Off
</source>  
</syntaxhighlight>  


<br>
<br>
Zeile 17: Zeile 17:
=== conf.d/z_security  ===
=== conf.d/z_security  ===


<source lang="apache"><Directory />
<syntaxhighlight lang="apache"><Directory />
         AllowOverride None
         AllowOverride None
       <IfVersion >= 2.4>
       <IfVersion >= 2.4>
Zeile 39: Zeile 39:


SSLCipherSuite          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!LOW:!MEDIUM"
SSLCipherSuite          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!LOW:!MEDIUM"
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!DES:!NULL:!RC2:!RC4:!3DES:!MD5:!ADH:!AECDH:!EXP:!SHA1
# enable only secure protocols: TLSv1.2, but not SSLv2
SSLProtocol -ALL -TLSv1 -TLSv1.1 +TLSv1.2
</syntaxhighlight>
=== conf-avaiable/joomla-admin-block.conf  ===
Blocks access to /administrator, eg. from joomla
and to sample files
But if you have a special cookie you are allowd to access
Just type /admin-mega-hidden
<syntaxhighlight lang="apache">
#this is global
RewriteEngine On
#the rules from the current scope are applied before rules specified in any child's scope
#works only if child has 'RewriteEngine On'
RewriteOptions InheritDownBefore
RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{REQUEST_URI} ^/wp-login.php [or]
RewriteCond %{REQUEST_URI} ^/README.txt [OR]
RewriteCond %{REQUEST_URI} ^/LICENSE.txt [OR]
RewriteCond %{REQUEST_URI} ^/htaccess.txt [OR]
RewriteCond %{REQUEST_URI} ^/robots.txt.dist [OR]
RewriteCond %{REQUEST_URI} ^/web.config.txt
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=19283ddfgdfgdfgdfgdgdgdg65
#send error 404, so it will not be logged in audit.log
RewriteRule .* - [L,F,R=404]
#this php file creates a cookie to access /administrator
Alias /admin-mega-hidden /srv/www/_webrootauth/joomla-admin-12345
<Directory "/srv/www/_webrootauth/joomla-admin-12345/">
        Require all granted
</Directory>
</syntaxhighlight>


<syntaxhighlight lang="php">
#/srv/www/_webrootauth/joomla-admin-12345/index.php
<?php
$admin_cookie_code="19283ddfgdfgdfgdfgdgdgdg65";
setcookie("JoomlaAdminSession",$admin_cookie_code,0,"/");
header("Location: /administrator/index.php");
?>
</syntaxhighlight>


# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
 
SSLProtocol all -SSLv2 -SSLv3
<syntaxhighlight lang="bash">
</source>
#enable module
a2enconf joomla-admin-block
</syntaxhighlight>


== Module ==
== Module ==
Zeile 101: Zeile 154:
     AuthBasicProvider external
     AuthBasicProvider external
     AuthExternal imapauth
     AuthExternal imapauth
 
require valid-user
</syntaxhighlight>
</syntaxhighlight>
==== mod_auth_pam ====
Für den Verzeichnisschutz verwenden wir mod_auth_pam, d.h. wir können die gleichen Logindaten wie am System nutzen. '''Damit man eine Gruppe nutzen kann, wird libapache2-mod-auth-sys-group benötigt!'''
eine bsp. .htaccess:
AuthPAM_Enabled on
AuthType Basic
AuthName "secure area"
require group staff
Falls es nicht geht, vom error.log:
[error] [client 217.229.133.31] PAM: user 'xyz' - not authenticated: Authentication failure
'''Der User www-data muß Mitglied der Gruppe shadow sein!'''
==== mod-auth-imap  ====
Source: http://ben.brillat.net/projects/mod_auth_imap/<br> kleines Howto: https://hw.cs.southern.edu/prot/mod_auth_imap.htm
Patch for dovecot:&nbsp; http://srteam.skyrock.com/2121064465-mod-auth-imap2-et-dovecot-le-patch.html or you get <source lang="apache">mod_auth_imap: Premature server disconnect for user xxx
mod_auth_imap: Server said: * CAPABILITY ...</source>
<br>
<source lang="diff">--- mod_auth_imap.c.orig        2006-05-08 01:22:43.000000000 +0200
+++ mod_auth_imap.c    2012-09-24 19:56:27.000000000 +0200
@@ -44,8 +44,6 @@
 
#define _OK 1
-int Sock;
-
/*******************************************************************************
  * tcp_gets
@@ -141,6 +139,7 @@
    char result[512],buf[512];
    int ret=0;
    int port;
+    int Sock; // Don't know why it used to be global, but having it local solved *all* my problems
    port=atoi(cport);
@@ -164,15 +163,17 @@
    tcp_puts(Sock,buf);
    //get the capability line...
-    tcp_gets(Sock,result,500);
+    //tcp_gets(Sock,result,500);
    //get the "A001 OK CAPABILITY completed" line..
-    tcp_gets(Sock,result,500);
+    //tcp_gets(Sock,result,500);
    //skip lines that start with "*"
-    if (strncmp(result,"* ",2 == 0)) {
+    //if (strncmp(result,"* ",2 == 0)) {
+    do {
        tcp_gets(Sock,result,500);
-    }
+    //}
+    } while (strncmp(result,"* ",2) == 0);
    //Verify that it supports the CAPABILITY command
    if (strncmp(result,"A001 OK", 7) != 0) {
@@ -186,7 +187,11 @@
    memset(buf,0,500);
    sprintf(buf,"A002 LOGIN %s \"%s\"\r\n", username, pass);
    tcp_puts(Sock,buf);
-    tcp_gets(Sock,result,500);
+
+    //skip lines that start with "*" (sometimes needed with dovecot)
+    do {
+      tcp_gets(Sock,result,500);
+    } while (strncmp(result,"* ",2) == 0);
    if (strncmp(result,"A002 OK",7) == 0) {
        if (logflag) {
@@ -197,7 +202,6 @@
    } else if (strncmp(result,"A002 NO",7) == 0) {
        if (logflag) {
            ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Login failed for user %s.", user
name);
-            ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Server said: %s", result);
        }
        ret=!_OK;
@@ -205,7 +209,6 @@
        //it must have told us BYE and disconnected
        if (logflag) {
            ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Premature server disconnect for
user %s.", username);
-            ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Server said: %s", result);
        }
        ret=!_OK;
@@ -218,11 +221,11 @@
    sprintf(buf,"A003 LOGOUT\r\n");
    tcp_puts(Sock,buf);
-    //read the BYE line
-    tcp_gets(Sock,result,500);
+    //read the BYE line, skip lines that start with "*"
+    do {
+        tcp_gets(Sock,result,500);
+    } while (strncmp(result,"* ",2) == 0);
-    //read the OK LOGOUT
-    tcp_gets(Sock,result,500);
    if (strncmp(result,"A003 OK",7) == 0) {
        if (logflag) {
@@ -233,7 +236,6 @@
    } else {
        if (logflag) {
            ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Error in logout for %s.", userna
me);
-            ap_log_rerror(APLOG_MARK,APLOG_WARNING|APLOG_NOERRNO,0,r,"mod_auth_imap: Server said: %s", result);
        }
        ret=!_OK;</source>
<br> <br>
.htaccess
<pre>#Turn on IMAP Authentication
Auth_IMAP_Enabled on
#Give a name to the authentication domain, whatever you want:
AuthName "SAU Email username and password"
#Only basic authentication is supported for now:
AuthType Basic
#If you feel like it, restrict the users or allow all valid users:
Require valid-user
#Make IMAP Authentication authoritative for this .htaccess file:
Auth_IMAP_Authoritative on
#Set the IMAP Server to which you want to connect (default=localhost):
Auth_IMAP_Server imap.southern.edu
#Set the port on which the imap server is running (default=143):
Auth_IMAP_Port 143
#Turn on some extra logging (login attempts, etc.) in Apache's Error Log
Auth_IMAP_Log on
</pre>


=== mod_security  ===
=== mod_security  ===
Zeile 266: Zeile 168:


====Install====
====Install====
<source lang="apache">
<syntaxhighlight lang="apache">
#/etc/modsecurity/modsecurity.conf
#/etc/modsecurity/modsecurity.conf
SecRuleEngine On
SecRuleEngine On
Zeile 276: Zeile 178:
SecDataDir /var/cache/modsecurity/
SecDataDir /var/cache/modsecurity/
SecUploadDir /var/cache/modsecurity/upload/
SecUploadDir /var/cache/modsecurity/upload/
</source>


  <br> <br> <source lang="bash">
#don't log credentials to logfile
SecDefaultAction "phase:1,deny,log,sanitiseRequestHeader:Authorization"
SecDefaultAction "phase:2,deny,log,sanitiseRequestHeader:Authorization"
</syntaxhighlight>
  <br> <br> <syntaxhighlight lang="bash">
cd /etc/modsecurity
cd /etc/modsecurity
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Zeile 293: Zeile 198:


ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf
ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf
</source>
</syntaxhighlight>
 


====Enable module in apache====
====Enable module in apache====
<source lang="apache">
<syntaxhighlight lang="apache">
#/etc/apache2/mods-available/mod-security.conf
#/etc/apache2/mods-available/mod-security.conf
...
...
Zeile 304: Zeile 208:
Include "/etc/modsecurity/activated_optional_rules/*.conf"
Include "/etc/modsecurity/activated_optional_rules/*.conf"
...
...
</source>  
</syntaxhighlight>  


====optional disable filter====
====optional disable filter====
Für bestimmte Verzeichnisse kann man den Filter auch ausstellen: <source lang="apache">
Für bestimmte Verzeichnisse kann man den Filter auch ausstellen: <syntaxhighlight lang="apache">


<LocationMatch "/ajaxplorer/">
<LocationMatch "/ajaxplorer/">
Zeile 319: Zeile 223:
     SecFilterInheritance Off
     SecFilterInheritance Off
</Location>
</Location>
</source>  
</syntaxhighlight>  




====Virus-Scanner for uploaded files ====
====Virus-Scanner for uploaded files ====
<source lang="apache">
<syntaxhighlight lang="apache">
#in modsecurity_crs_46_av_scanning.conf
#in modsecurity_crs_46_av_scanning.conf
#
#
Zeile 332: Zeile 236:
SecRule FILES_TMPNAMES "@inspectFile /usr/bin/runAV.pl" \
SecRule FILES_TMPNAMES "@inspectFile /usr/bin/runAV.pl" \
         "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
         "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"
</source>  
</syntaxhighlight>  


==== Global Blacklist ====
==== Global Blacklist ====
<source lang="apache">
<syntaxhighlight lang="apache">
#/etc/apache2/conf.d/modsecurity-blacklist  
#/etc/apache2/conf.d/modsecurity-blacklist  
#disable rule for all domains
#disable rule for all domains
Zeile 344: Zeile 248:
#Request Missing a User Agent Header
#Request Missing a User Agent Header
SecRuleRemoveById 960009
SecRuleRemoveById 960009
</source>
</syntaxhighlight>




Zeile 366: Zeile 270:
[http://httpd.apache.org/docs/2.0/mod/mod_dav.html WEBDAV-Modul] für Apache. Damit ist es möglich Dateien über https zu manipulieren (ändern, löschen, erstellen usw.). installieren: a2enmod dav  
[http://httpd.apache.org/docs/2.0/mod/mod_dav.html WEBDAV-Modul] für Apache. Damit ist es möglich Dateien über https zu manipulieren (ändern, löschen, erstellen usw.). installieren: a2enmod dav  


<source lang="apache">
<syntaxhighlight lang="apache">
#httpd.conf  
#httpd.conf  
  Alias /phparea /home/gstein/php_files
  Alias /phparea /home/gstein/php_files
Zeile 379: Zeile 283:
   php_flag engine off # oder  ForceType text/plain
   php_flag engine off # oder  ForceType text/plain
  </Location>
  </Location>
</source>
</syntaxhighlight>


=== mod_evasive ===
=== mod_evasive ===
Zeile 391: Zeile 295:
*Making any requests while temporarily blacklisted (on a blocking list)
*Making any requests while temporarily blacklisted (on a blocking list)


<source lang="apache">
<syntaxhighlight lang="apache">
<IfModule mod_evasive.c>
<IfModule mod_evasive.c>
   #DOSHashTableSize gibt die Größe der Hashtabelle in Bytes an
   #DOSHashTableSize gibt die Größe der Hashtabelle in Bytes an
Zeile 421: Zeile 325:
   DOSWhitelist 127.0.0.1
   DOSWhitelist 127.0.0.1
</IfModule>
</IfModule>
</source>
</syntaxhighlight>


=== mod_cband  ===
=== mod_cband  ===
Zeile 448: Zeile 352:


</syntaxhighlight>
</syntaxhighlight>


== Links ==
== Links ==
Zeile 454: Zeile 357:
* http://www.modsecurity.org/
* http://www.modsecurity.org/
* http://www.nuclearelephant.com/projects/mod_evasive/
* http://www.nuclearelephant.com/projects/mod_evasive/
* [http://www.askapache.com/2006/htaccess/speed-up-sites-with-htaccess-caching.html/ Speed Up Sites with htaccess Caching]
* [https://www.askapache.com/htaccess/speed-up-sites-with-htaccess-caching/ Speed Up Sites with htaccess Caching]


[[Kategorie:WWW]]
[[Kategorie:WWW]]
[[Kategorie:Apache]]
[[Kategorie:Apache]]

Aktuelle Version vom 13. September 2024, 12:21 Uhr

als Webserver verwenden wir Apache2 mit PHP, mod_security, mod_auth_pam, mod_deflate. Desweiteren lassen wir die Logfiles nach einem Tag rotieren.

conf.d/myconfig

LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" vcombined
LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined

# global access log
CustomLog "|| /usr/sbin/vlogger -s access.log -t access.log.%Y.%m -u ${APACHE_RUN_USER} -g ${APACHE_RUN_GROUP} ${APACHE_LOG_DIR}/vlogger" vcombined

UseCanonicalName Off


conf.d/z_security

<Directory />
        AllowOverride None
      <IfVersion >= 2.4>
    Require all denied
    </IfVersion>
    <IfVersion < 2.4>
        Order Deny,Allow
        Deny from all
    </IfVersion>
</Directory>


ServerTokens Prod
ServerSignature Off
TraceEnable Off

#SSL

#against BEAST
SSLHonorCipherOrder On

SSLCipherSuite          "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!LOW:!MEDIUM"
SSLCipherSuite AES256+EECDH:AES256+EDH:AES128+EECDH:AES128+EDH:!DES:!NULL:!RC2:!RC4:!3DES:!MD5:!ADH:!AECDH:!EXP:!SHA1

# enable only secure protocols: TLSv1.2, but not SSLv2
SSLProtocol -ALL -TLSv1 -TLSv1.1 +TLSv1.2

conf-avaiable/joomla-admin-block.conf

Blocks access to /administrator, eg. from joomla and to sample files

But if you have a special cookie you are allowd to access

Just type /admin-mega-hidden

#this is global
RewriteEngine On

#the rules from the current scope are applied before rules specified in any child's scope
#works only if child has 'RewriteEngine On'
RewriteOptions InheritDownBefore

RewriteCond %{REQUEST_URI} ^/administrator
RewriteCond %{REQUEST_URI} ^/wp-login.php [or]
RewriteCond %{REQUEST_URI} ^/README.txt [OR]
RewriteCond %{REQUEST_URI} ^/LICENSE.txt [OR]
RewriteCond %{REQUEST_URI} ^/htaccess.txt [OR]
RewriteCond %{REQUEST_URI} ^/robots.txt.dist [OR]
RewriteCond %{REQUEST_URI} ^/web.config.txt
RewriteCond %{HTTP_COOKIE} !JoomlaAdminSession=19283ddfgdfgdfgdfgdgdgdg65

#send error 404, so it will not be logged in audit.log
RewriteRule .* - [L,F,R=404]



#this php file creates a cookie to access /administrator
Alias /admin-mega-hidden /srv/www/_webrootauth/joomla-admin-12345
<Directory "/srv/www/_webrootauth/joomla-admin-12345/">
        Require all granted
</Directory>


#/srv/www/_webrootauth/joomla-admin-12345/index.php
<?php
$admin_cookie_code="19283ddfgdfgdfgdfgdgdgdg65";
setcookie("JoomlaAdminSession",$admin_cookie_code,0,"/");
header("Location: /administrator/index.php");
?>


#enable module
a2enconf joomla-admin-block

Module

Verzeichnisschutz

authnz_external (pwauth)

replaces mod_auth_pam

apt-get install libapache2-mod-authnz-external pwauth


#/etc/apache2/conf-available/auth_external.conf
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe


AuthBasicProvider external
AuthExternal pwauth
Require user user

see http://icephoenix.us/linuxunix/apache-and-http-authentication-with-pam/

authnz_external (imap)

replaces mod_auth_imap Download

#/etc/checkpasswd-imap.ini
[localhost]
host = localhost
port = 1143
cache-dir = /srv/www/_tmp
allow-everybody = .*


#/etc/apache2/conf-available/auth_external.conf
AddExternalAuth imapauth /usr/bin/checkpasswd-imap-pipe.py
SetExternalAuthMethod imapauth pipe


#virtual host
AuthType Basic
    AuthName "Authentication Required"
    AuthBasicProvider external
    AuthExternal imapauth
require valid-user

mod_security

ModSecurity is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.

Installation http://www.thefanclub.co.za/how-to/how-install-apache2-modsecurity-and-modevasive-ubuntu-1204-lts-server

Links

Install

#/etc/modsecurity/modsecurity.conf
SecRuleEngine On

SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

SecTmpDir /var/cache/modsecurity/
SecDataDir /var/cache/modsecurity/
SecUploadDir /var/cache/modsecurity/upload/

#don't log credentials to logfile
SecDefaultAction "phase:1,deny,log,sanitiseRequestHeader:Authorization"
SecDefaultAction "phase:2,deny,log,sanitiseRequestHeader:Authorization"



cd /etc/modsecurity
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
mkdir activated_rules activated_optional_rules
ln -s /usr/share/modsecurity-crs/base_rules base_rules
ln -s /usr/share/modsecurity-crs/optional_rules/ optional_rules
cd base_rules
for f in `ls *` ; do ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd ..

cd optional_rules
for f in `ls *` ; do ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_optional_rules/$f ; done
cd ..

ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_config.conf

Enable module in apache

#/etc/apache2/mods-available/mod-security.conf
...
Include "/etc/modsecurity/*.conf"
Include "/etc/modsecurity/activated_rules/*.conf"
Include "/etc/modsecurity/activated_optional_rules/*.conf"
...

optional disable filter

Für bestimmte Verzeichnisse kann man den Filter auch ausstellen:

<LocationMatch "/ajaxplorer/">
SecRuleRemoveById 200003 960024 960915
</LocationMatch>

OR

<Location /upload.php>
    # Do not inherit filters from the parent folder
    SecFilterInheritance Off
</Location>


Virus-Scanner for uploaded files

#in modsecurity_crs_46_av_scanning.conf
#
# Modify the operator to use the correct AV scanning script/tool
# Example tools are in the util directory.
#

SecRule FILES_TMPNAMES "@inspectFile /usr/bin/runAV.pl" \
        "phase:2,t:none,block,msg:'Virus found in uploaded file',id:'950115',tag:'MALICIOUS_SOFTWARE/VIRUS',tag:'PCI/5.1',severity:'2',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-MALICIOUS_SOFTWARE/VIRUS-%{matched_var_name}=%{tx.0}"

Global Blacklist

#/etc/apache2/conf.d/modsecurity-blacklist 
#disable rule for all domains

#missing_request_header
SecRuleRemoveById 960015

#Request Missing a User Agent Header
SecRuleRemoveById 960009


bad robot data

/etc/modsecurity/activated_rules/modsecurity_35_bad_robots.data e.g. to remove surveybot

Links

mod_php

see PHP

mod_dav

WEBDAV-Modul für Apache. Damit ist es möglich Dateien über https zu manipulieren (ändern, löschen, erstellen usw.). installieren: a2enmod dav

#httpd.conf 
 Alias /phparea /home/gstein/php_files
 Alias /php-source /home/gstein/php_files
 DavLockDB /tmp/DavLock.myvhost
 <Location /php-source>
  Dav On
  AuthType Basic
  AuthName DAV
  AuthPAM_Enabled on
  require group staff
  php_flag engine off # oder  ForceType text/plain
 </Location>

mod_evasive

mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.

Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denying any single IP address from any of the following:

  • Requesting the same page more than a few times per second
  • Making more than 50 concurrent requests on the same child per second
  • Making any requests while temporarily blacklisted (on a blocking list)
<IfModule mod_evasive.c>
  #DOSHashTableSize gibt die Größe der Hashtabelle in Bytes an
  DOSHashTableSize 3097

  #DOSPageCount gibt die Anzahl der Seitenaufrufe eines Clients pro DOSPageInterval-Zeitintervall
  DOSPageCount 2

  #DOSSiteCount gibt die Anzahl der Seitenaufrufe auf einen Child-Prozess pro DOSSiteInterval-Zeitintervall
  DOSSiteCount 50

  #DOSPageInterval und DOSSiteInterval werden in Sekunden angegeben
  DOSPageInterval 1
  DOSSiteInterval 1

  #DOSBlockingPeriod gibt die Sperrzeit in Seknunden an
  DOSBlockingPeriod 60

  #DOSEmailNotify gibts die eMail Adresse an, an welche eine Warnmail geschickt wird
  DOSEmailNotify admin@mydomain.net

  #DOSSystemCommand führt bei einem Angriff weitere Programme/Scripte aus wenn gewünscht
  #DOSSystemCommand "su - someuser -c '/sbin/... %s ...'"

  #DOSLogDir gibt das Verzeichnis an in dem das Modul seine Logfiles schreibt
  DOSLogDir /srv/www/vlogger/_mod_evasive

  #DOSWhitelist beinhaltet eine Aufzählung aller IP-Adressen für die mod_evasive NICHT gilt
  DOSWhitelist 127.0.0.1
</IfModule>

mod_cband

Bandbreiten-Beschränkung http://nodomain.cc/archives/2007/01/05/684-Apache2-Zugriffskontrolle-mit-mod_cband.html

mod_ssl

config see above (z_security)

SSL-Test: https://www.ssllabs.com/ssltest/ or https://observatory.mozilla.org/

Logging POST requests with Apache

found on https://www.technovelty.org/web/logging-post-requests-with-apache.html

SecRuleEngine On
SecAuditEngine on
SecAuditLog /var/log/apache2/website-audit.log
SecRequestBodyAccess on
SecAuditLogParts ABIFHZ

SecDefaultAction "nolog,noauditlog,allow,phase:2"

SecRule REQUEST_METHOD "^POST$" "chain,allow,phase:2"
SecRule REQUEST_URI ".*" "auditlog"

Links