==================================
ModSecurity 2 on CentOS4/RHEL4
==================================

[1] From binaries
[2] From source

========================
Installing ModSecurity 2
[1] From binaries
========================

Dependencies:

rpm -Uvh apr-devel-0.9.4-24.1.i386.rpm
rpm -Uvh apr-util-devel-0.9.4-17.i386.rpm
rpm -Uvh pcre-devel-4.5-3.i386.rpm
rpm -Uvh httpd-devel-2.0.52-9.ent.i386.rpm

1) ModSecurity 2.x only works with Apache 2.0.x or later.

2) Make sure mod_unique_id is installed.

# vi /etc/httpd/conf/httpd.conf
…
LoadModule unique_id_module modules/mod_unique_id.so
…

3) Download ModSecurity:

# wget http://www.modsecurity.org/download/modsecurity-apache_2.0.4.tar.gz
# wget http://www.modsecurity.org/download/modsecurity-core-rules_2.0-1.1.1.zip
# md5sum modsecurity-apache_2.0.4.tar.gz

4) (Optional) Install the latest version of libxml2, if it isn't already installed on the server.

5) Unpack the ModSecurity archive

# mkdir /instaladores/modsecurity2
# tar zxvf modsecurity-apache_2.0.4.tar.gz

6) Edit the Makefile to set the Apache HTTPD path (for example: top_dir = /usr/local/apache2).
Note: "httpd-devel" must be installed.
Note: libxml2 is optional; comment it out if it is not used.

# vi /instaladores/modsecurity2/modsecurity-apache_2.0.4/apache2/Makefile

builddir = .
#top_dir = /usr/share/apache2
#top_dir = /home/ivanr/apache22
top_dir = /usr/lib/httpd
top_srcdir = ${top_dir}
top_builddir = ${top_dir}
include ${top_builddir}/build/special.mk

APXS = apxs
APACHECTL = apachectl

INCLUDES = -I /usr/include/libxml2
#DEFS = -DWITH_LIBXML2
#LIBS = -Lmy/lib/dir -lmylib

CFLAGS = -O2 -g -Wuninitialized -Wall -Wmissing-prototypes -Wshadow -Wunused-variable -Wunused-value -Wchar-subscripts -Wsign-compare

all: local-shared-build

clean:
	-rm -f *.o *.lo *.slo *.la *~ .libs

7) Compile

# make

8) Stop Apache

# service httpd stop

9) Install

# make install

10) (Optional) Add one line to your configuration to load libxml2:

# vi /etc/httpd/conf/httpd.conf
…
LoadFile /usr/lib/libxml2.so
…

11) Add one line to your configuration to load ModSecurity:

# vi /etc/httpd/conf/httpd.conf
…
LoadModule security2_module modules/mod_security2.so
…

12) Configure ModSecurity

# mkdir /etc/httpd/conf/modsecurity/conf
# cd /etc/httpd/conf/modsecurity/conf
# unzip modsecurity-core-rules_2.0-1.1.1.zip    <- unzip the rules here

13) Add the ModSecurity .conf files to Apache

# vi /etc/httpd/conf/httpd.conf
…
Include conf/modsecurity/*.conf
…

14) Edit /etc/httpd/conf/modsecurity/conf/modsecurity_crs_10_config.conf

# vi /etc/httpd/conf/modsecurity/conf/modsecurity_crs_10_config.conf
…
SecDefaultAction log,auditlog,deny,status:403,phase:2,\
    t:lowercase,t:replaceNulls,t:compressWhitespace
…

15) Start Apache

# service httpd start

16) Done! Now let's attack it to test it =)

Blocking RFI, HTTP POST relay, etc.
# vi modsecurity_crs_20_protocol_violations.conf

#SecDefaultAction "log,pass,phase:1"
SecDefaultAction "log,deny,phase:1"
…
# Proxy access attempt
SecRule REQUEST_URI ^http:/ "deny,log,id:60014,severity:2,msg:'Proxy access attempt'"

And we can change the HTTP 500 response:

# vi /etc/httpd/conf/httpd.conf

ErrorDocument 500 "Suspicious error. Your IP has been logged."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html

========================
Installing ModSecurity 2
[2] From source
========================

Install Apache2

# tar zxvf httpd-2.2.3.tar.gz
# cd httpd-2.2.3
# ./configure --prefix=/web/apache2 --enable-so --enable-module=unique_id
# make
# make install

Edit httpd.conf to taste:

# vi /web/apache2/conf/httpd.conf

If a module was not built in, it can be installed afterwards like this:

# /web/apache2/bin/apxs -cia /instaladores/apache-2_2_3/httpd-2.2.3/modules/metadata/mod_unique_id.c

2) Make sure mod_unique_id is installed.

# vi /web/apache2/conf/httpd.conf
…
LoadModule unique_id_module modules/mod_unique_id.so
…

3) Download ModSecurity:

# wget http://www.modsecurity.org/download/modsecurity-apache_2.0.4.tar.gz
# wget http://www.modsecurity.org/download/modsecurity-core-rules_2.0-1.1.1.zip
# md5sum modsecurity-apache_2.0.4.tar.gz

4) (Optional) Install the latest version of libxml2.

5) Unpack ModSecurity

# mkdir /instaladores/modsecurity2
# tar zxvf modsecurity-apache_2.0.4.tar.gz

6) Edit the Makefile to set the Apache HTTPD path (for example: top_dir = /usr/local/apache2).
Note: "httpd-devel" must be installed.
Note: libxml2 is optional; comment it out if it is not used.

# vi /instaladores/modsecurity2/modsecurity-apache_2.0.4/apache2/Makefile

builddir = .
#top_dir = /usr/share/apache2
#top_dir = /usr/lib/httpd
top_dir = /instaladores/apache-2_2_3/httpd-2.2.3/
top_srcdir = ${top_dir}
top_builddir = ${top_dir}
include ${top_builddir}/build/special.mk

APXS = apxs
APACHECTL = apachectl

INCLUDES = -I /usr/include/libxml2
#DEFS = -DWITH_LIBXML2
#LIBS = -Lmy/lib/dir -lmylib

CFLAGS = -O2 -g -Wuninitialized -Wall -Wmissing-prototypes -Wshadow -Wunused-variable -Wunused-value -Wchar-subscripts -Wsign-compare

all: local-shared-build

clean:
	-rm -f *.o *.lo *.slo *.la *~ .libs

7) Compile

# make

8) Stop Apache

# /web/apache2/bin/apachectl stop

9) Install

# make install

10) (Optional) Add one line to your configuration to load libxml2:

# vi /web/apache2/conf/httpd.conf
…
LoadFile /usr/lib/libxml2.so
…

11) Add one line to your configuration to load ModSecurity:

# vi /web/apache2/conf/httpd.conf
…
LoadModule security2_module modules/mod_security2.so
…

12) Configure ModSecurity

# mkdir /web/apache2/modsecurity/conf
# cd /web/apache2/modsecurity/conf
# unzip modsecurity-core-rules_2.0-1.1.1.zip    <- unzip the rules here

13) Add the ModSecurity .conf files to Apache

# vi /web/apache2/conf/httpd.conf
…
Include conf/modsecurity/*.conf
…

14) Edit modsecurity_crs_10_config.conf

# vi /web/apache2/modsecurity/conf/modsecurity_crs_10_config.conf
…
SecDefaultAction log,auditlog,deny,status:403,phase:2,\
    t:lowercase,t:replaceNulls,t:compressWhitespace
…

15) Start Apache

# /web/apache2/bin/apachectl start

16) Done!
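Before testing, it is worth confirming that the three httpd.conf edits both procedures rely on (mod_unique_id in step 2, mod_security2 in step 11, the Include in step 13) are really present and not commented out. The check below is an added example, not part of the original guide; it takes the httpd.conf path as an argument, and the two config files it writes to a temp directory are constructed samples for demonstration.

```shell
#!/bin/sh
# Post-install check for the httpd.conf edits described in the guide.
# Added example; pass the real httpd.conf path as the first argument.

# Returns 0 when every required directive is present and uncommented;
# otherwise prints each missing directive and returns 1.
check_modsec_conf() {
    conf="$1"
    missing=0
    # Each pattern is anchored at line start so that a commented-out
    # directive (#LoadModule ...) does not count as present.
    for pat in \
        '^[[:space:]]*LoadModule[[:space:]]+unique_id_module[[:space:]]' \
        '^[[:space:]]*LoadModule[[:space:]]+security2_module[[:space:]]' \
        '^[[:space:]]*Include[[:space:]]+conf/modsecurity/'
    do
        if ! grep -Eq "$pat" "$conf"; then
            echo "missing: $pat"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample configs (not real server files), removed on exit.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
GOOD_CONF="$TMPD/httpd-good.conf"
BAD_CONF="$TMPD/httpd-bad.conf"

# All three directives from the guide present and active.
cat > "$GOOD_CONF" <<'EOF'
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
EOF

# mod_security2 commented out and the Include line forgotten.
cat > "$BAD_CONF" <<'EOF'
LoadModule unique_id_module modules/mod_unique_id.so
#LoadModule security2_module modules/mod_security2.so
EOF

check_modsec_conf "$GOOD_CONF" && echo "$GOOD_CONF: ok"
check_modsec_conf "$BAD_CONF" || echo "$BAD_CONF: incomplete"
```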
Now let's attack it to test it =)

http://www.web.com/../../etc/passwd/../../p?=http://google.com/../../p=>
/form?login= 101 OR 1=1
/form?login= ' or 'a'='a&pass= ' or 'a'='a
/form?login=admin&pass= 101 AND (asc( mid((SELECT first_name FROM user_data WHERE userid=15613) , 2 , 1) ) > 109 );
/form?login=&pass=

===========================================================================
by Hugo Martin, SCNP 2006 (cc) www.hackcraft.com