- A Linux Apache2 Web server (any version is OK, I used Ubuntu 10.04)
- A Windows attacker (any version is OK, I used Windows XP)
Start Ubuntu and log in. From the Menu bar, click Applications, Accessories, Terminal. Ping ubuntu.com and make sure you are getting replies. If you are not, you need to fix your networking before you can proceed.
In the Terminal window, execute these commands (when you are prompted to, enter your password):
sudo apt-get install libapache-mod-security -y
sudo nano /etc/apache2/conf.d/modsecurity2.conf
In nano, enter these three lines:
<ifmodule mod_security2.c>
Include modsecurity-rules/*.conf
</ifmodule>
Save the file with Ctrl+X, Y, Enter.
In the Terminal window, execute these commands:
cd /tmp
wget http://downloads.sourceforge.net/project/mod-security/modsecurity-apache/2.5.12/modsecurity-apache_2.5.12.tar.gz
tar -xzf modsecurity-apache_2.5.12.tar.gz
cd modsecurity-apache_2.5.12
sudo mkdir /etc/apache2/modsecurity-rules
sudo cp rules/*.conf /etc/apache2/modsecurity-rules/
sudo cp rules/base_rules/* /etc/apache2/modsecurity-rules/
sudo /etc/init.d/apache2 restart
In the Terminal window, execute these commands:
sudo apt-get install curl -y
curl -i http://localhost/
This requests your default Web page, which loads normally, with a status of HTTP/1.1 200 OK, as shown below on this page.

In the Terminal window, execute this command:
curl -i http://localhost/ -A Nessus
You should see a 403 Forbidden response, as shown below on this page.
ModSecurity has blocked the request because the User-Agent header identifies it as a Nessus scan.

Make sure you can see the 403 Forbidden message, as shown in the image above on this page.
Save a screen image with the filename Proj 16a from Your Name.
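In the Terminal window, execute these commands to build and install ModSecurity 2.5.13 from source:
sudo apt-get install apache2-threaded-dev lua5.1 liblua5.1-0-dev libxml++2.6-dev libpcre3 -y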
cd /tmp
sudo wget http://www.modsecurity.org/download/modsecurity-apache_2.5.13.tar.gz
sudo tar -xzf modsecurity-apache_2.5.13.tar.gz
cd modsecurity-apache_2.5.13
cd apache2
sudo make
sudo make install
sudo cp /tmp/modsecurity-apache_2.5.13/rules/base_rules/* /etc/apache2/modsecurity-rules/
sudo /etc/init.d/apache2 restart
curl -i http://localhost/ -A Nessus
You should see a 403 Forbidden response, as you did before.
This shows that ModSecurity is working.
You should see only one letter in the grid, indicating that only one client is being served at the moment, as shown below on this page.
Click the "Run attack" button. You should see the "HTTP Attack information" box, as shown below on this page.
You should see the grid full of letters, indicating that all possible connections are in use, as shown below on this page.
In the Linux machine, in the Terminal window, execute these commands:
cd /etc/apache2/modsecurity-rules
sudo nano modsecurity_crs_10_config.conf
Move the cursor to the end of this file. Add these lines, as shown below on this page:
#
# Stop Layer 7 Slow Request Attacks
#
SecReadStateLimit 5
Save the file with Ctrl+X, Y, Enter.
Now, to restart Apache, in the Terminal window, enter this command:
sudo /etc/init.d/apache2 restart
You should see only six letters in the grid. ModSecurity is stopping the attack!
Make sure you can see the status grid with only six letters, as shown in the image above on this page.
Save a screen image with the filename Proj 16b from Your Name.
Email the images to [email protected] with a Subject line of Proj 16 from Your Name.
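The grid check above can also be done from the Terminal instead of by eye. This is an added example, not part of the original lab: it assumes the status grid is Apache's mod_status scoreboard, served in machine-readable form at /server-status?auto, where the letter R marks a worker still reading a request. The sample outputs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original lab): summarize Apache's mod_status
# scoreboard and flag a pile-up of workers stuck in state R (reading request).
# Assumption: mod_status is enabled and serves /server-status?auto.

# Constructed samples of "?auto" output, embedded so this runs offline.
SAMPLE_ATTACK='BusyWorkers: 10
IdleWorkers: 0
Scoreboard: RRRRRRRRRW'
SAMPLE_LIMITED='BusyWorkers: 6
IdleWorkers: 4
Scoreboard: RRRRRW____....'

# Print only the scoreboard string from mod_status text on stdin.
scoreboard_of() {
    sed -n 's/^Scoreboard: //p'
}

# count_state BOARD LETTER -> number of workers in that state.
count_state() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_read_state STATUS_TEXT MAX_R -> "ALERT ..." or "OK ...".
# Runs in a subshell "( )" so its variables stay local to the function.
check_read_state() (
    board=$(printf '%s\n' "$1" | scoreboard_of)
    reading=$(count_state "$board" R)
    # "." is an open slot and "_" is an idle worker; neither is busy.
    busy=$(printf '%s' "$board" | tr -d '._' | wc -c | tr -d ' ')
    if [ "$reading" -gt "$2" ]; then
        echo "ALERT reading=$reading busy=$busy"
    else
        echo "OK reading=$reading busy=$busy"
    fi
)

check_read_state "$SAMPLE_ATTACK" 5
check_read_state "$SAMPLE_LIMITED" 5
# Live use on the server (needs mod_status):
#   check_read_state "$(curl -s 'http://localhost/server-status?auto')" 5
```

The threshold of 5 matches the SecReadStateLimit value set in this lab; an ALERT result means more workers are in state R than that limit allows.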
http://blog.spiderlabs.com/modsecurity/page/2/
Last modified: 9 pm 4-13-11