Installation and simple configuration for Ossec and Mod_security on Centos

What is Mod Security? It is an open source application that acts as a firewall to prevent and block intrusions into web applications. It monitors HTTP traffic in real time and protects web applications from attack. http://en.wikipedia.org/wiki/ModSecurity


Mod_security install

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install -y mod_security

We make a few small adjustments to the configuration:

nano /etc/httpd/conf.d/mod_security.conf

Increase the limit for SecRequestBodyNoFilesLimit (otherwise you cannot upload a picture larger than 120K in WordPress). The default is 131072.

SecRequestBodyNoFilesLimit 3145728

If you have a fixed IP and do not want to be blocked by mod_security, add a new rule that whitelists your IP address (replace xxx.xxx.xxx.xxx with your address; the dots are escaped so the regex matches only that exact IP):

SecRule REMOTE_ADDR "^xxx\.xxx\.xxx\.xxx$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:200016"

If you install WordPress on the server, you should also apply the following rule:

SecRule REQUEST_URI "xmlrpc.php" "id:'200007',phase:2,severity:'3',deny,log,msg:'Spam on xmlrpc.php'"

What does the rule above do? It stops the WordPress install on your server from being used to spam another site. Anyone can send a pingback request to xmlrpc.php, and the resulting ping is directed at a victim site. Example of a request that sends such a ping: $ curl -D - "www.wordpress-from-your-server.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim-site.com</string></value></param><param><value><string>www.wordpress-from-your-server.com/random-post</string></value></param></params></methodCall>'

service httpd restart

Ossec installation (OSSEC monitors logs and acts to block and reject possible intrusions)

yum install ossec-hids ossec-hids-server

The default configuration is fine.

service httpd restart

Done!

If you want better protection, you can install another set of rules for mod_security (the OWASP ModSecurity Core Rule Set):

cd /etc/httpd/
wget http://pkgs.fedoraproject.org/repo/pkgs/mod_security_crs/owasp-modsecurity-crs-2.2.8.tar.gz/fdee278c02d41a1377dc20a616b2f327/owasp-modsecurity-crs-2.2.8.tar.gz
tar -xzvf owasp-modsecurity-crs-2.2.8.tar.gz
mv owasp-modsecurity-crs-2.2.8 modsecurity-crs
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Edit the mod_security configuration file:

nano /etc/httpd/conf.d/mod_security.conf

Add the new rules by including the CRS setup file:

Include modsecurity-crs/modsecurity_crs_10_setup.conf

Save the file and exit (Ctrl+O to save, then Ctrl+X to exit):

service httpd restart
