Topic: Apache 2.2.4 and mod_security 2.5.3 on windows
Kanar
Joined: 08 May 2008 Posts: 2
Posted: Thu 08 May '08 14:29 Post subject: Apache 2.2.4 and mod_security 2.5.3 on windows
Hi all,
I would like to know why my mod_security2 doesn't work with my apache config.
Here is my configuration:
I followed the instructions given in the doc folder of the mod_security-2.5.3-win32.zip file.
I unzipped the file and put mod_security2.so and libxml2.dll in a new folder named mod_security2 in the apache/modules/ directory.
I installed the Visual C++ 2008 Redistributable Package.
Then I added these lines in the httpd.conf file:
LoadFile bin/libxml2.dll (I also put this file in the apache/bin directory)
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2/mod_security2.so
Include conf/extra/httpd-modsecurity.conf
Then I created an httpd-modsecurity.conf file like this:
Code:
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
# Change Server: string
SecServerSignature "POTATOE"
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/mod_security2.log
# Should mod_security inspect POST payloads
SecFilterScanPOST On
# Action to take by default
SecFilterDefaultAction "deny,log,status:500"
# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"
# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>
There is no error when Apache starts, but when I try to see if the rules work, i.e. I look at the server banner in the response, I see:
Code:
HTTP/1.1 200 OK
Date: Thu, 08 May 2008 12:15:25 GMT
Server: Apache
Content-Length: 4387
Connection: close
Content-Type: text/html
So, I think the security rules don't work because I should see Server: POTATOE.
I tried to remove the <IfModule mod_security2.c> directive and it is worse!
I got an error message saying SecFilterEngine is not a valid command, and it is the same thing for the SecFilterCheckURLEncoding and SecFilterCheckUnicodeEncoding commands, etc.
I read that SecFilterEngine was not supported anymore by the mod_security2 module so I commented it out, but the other commands still weren't valid.
Where are my mistakes? I spent hours trying to solve the problem and it still doesn't work.
Thank you very much and I apologize for my English.
tdonovan Moderator
Joined: 17 Dec 2005 Posts: 611 Location: Milford, MA, USA
Posted: Thu 08 May '08 19:03 Post subject:
It looks like you are using mod_security v1 directives. Many v1 directives are changed for mod_security2. The list of valid directives for mod_security2 is here.
re: "I tried to remove the <IfModule mod_security2.c> directive and it is worse!"
Your httpd-modsecurity.conf has:
Code:
<IfModule mod_security.c>
but your comment says:
Code:
<IfModule mod_security2.c>
The correct form for Apache 2.2 is like this:
Code:
<IfModule security2_module>
-tom-
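Added example, not part of the original thread and not either poster's configuration: the main directives from the posted 1.x file rewritten with ModSecurity 2.x directives, inside the <IfModule security2_module> container named in the reply above. The rule ids, msg texts and choice of variables are assumptions made for illustration, and the ServerTokens requirement comes from the ModSecurity 2.x reference manual, not from the thread.

```apache
# Added example: ModSecurity 2.x equivalents of the 1.x directives posted above.
# Rule ids and msg texts are constructed for illustration.

# Per the ModSecurity 2.x reference manual, SecServerSignature only takes
# effect when ServerTokens is Full.
ServerTokens Full

<IfModule security2_module>
    # Was: SecFilterEngine On
    SecRuleEngine On
    SecServerSignature "POTATOE"

    # Was: SecFilterScanPOST On
    SecRequestBodyAccess On

    # The audit directives used here have the same names in 2.x
    SecAuditEngine RelevantOnly
    SecAuditLog logs/mod_security2.log

    # Was: SecFilterDefaultAction. 2.x also needs a processing phase.
    SecDefaultAction "phase:2,deny,log,status:500"

    # Was: SecFilterCheckURLEncoding On / SecFilterForceByteRange 1 255
    SecRule REQUEST_URI_RAW "@validateUrlEncoding" "id:1001,msg:'Invalid URL encoding'"
    SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255" "id:1002,msg:'Byte out of range'"

    # Was: SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
    # In 2.x an absent header yields no target, so count it with & as well.
    SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:1003,msg:'Missing User-Agent'"
    SecRule &REQUEST_HEADERS:Host "@eq 0" "id:1004,msg:'Missing Host'"
    SecRule REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Host "^$" "id:1005,msg:'Empty User-Agent or Host'"

    # Was: the SecFilter patterns (applied here to the URI and arguments)
    SecRule REQUEST_URI|ARGS "\.\./" "id:1006,msg:'Path traversal'"
    SecRule REQUEST_URI|ARGS "<[[:space:]]*script" "id:1007,t:lowercase,msg:'Script tag'"
    SecRule ARGS "(delete[[:space:]]+from|insert[[:space:]]+into|select.+from)" "id:1008,t:lowercase,msg:'Crude SQL pattern'"

    # Was: SecFilterSelective ARG_PHPSESSID / COOKIE_PHPSESSID
    SecRule ARGS:PHPSESSID|REQUEST_COOKIES:PHPSESSID "!^[0-9a-z]*$" "id:1009,msg:'Malformed PHPSESSID'"
</IfModule>
```

With the container name corrected, a directive the module does not recognise stops Apache at startup with an "Invalid command" error, so a clean start followed by the expected Server header in a response confirms the block is being read.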
Kanar
Joined: 08 May 2008 Posts: 2
Posted: Thu 08 May '08 20:24 Post subject: Problem solved
Thank you very much tdonovan.
It is working fine now.
It was a problem with mod_security v1 directives.