在 Slitaz, 先安裝套件: slitaz-toolchain, gcc, apache-dev, apr-dev, lua-dev, curl-dev, apr-util-dev, pcre-dev, libxml2-dev, expat-dev

用 modsecurity  網站所提及既步驟便可: 1. 先解壓 source; 2. cd ./apache2; 3. 執行 ./configure; 4. 執行 make; 5. 執行 make test; [...]]]> 近日對 Slitaz 既興趣越來越高, 但係原來佢都係有唔完美缺點既. 佢既優點當然係容量小, 電腦硬件要求低. 正正因為容量小, 軟件包支援亦相對少, 而且就算有支援亦並非代表可以有功能上既擴展. 例如, 沒有 mod_security 軟件包提供, 要各位努力 compile. 雖然 modsecurity 有完善既說明文件, 但在 Slitaz 身上卻變成有點困難. 下文會先列出必須既軟件, 最後才將安裝步驟簡單列出.

在 Slitaz, 先安裝套件:
slitaz-toolchain, gcc, apache-dev, apr-dev, lua-dev, curl-dev, apr-util-dev, pcre-dev, libxml2-dev, expat-dev

用 modsecurity  網站所提及既步驟便可:
1. 先解壓 source;
2. cd ./apache2;
3. 執行 ./configure;
4. 執行 make;
5. 執行 make test;
6. mlogc 因為還未找到方法安裝, 所以在此省略;
7. 執行 make install 安裝 apache module 至/usr/share/apache/modules/mod_security2.so
8. 修改 apache 設定檔, 在 LoadModule 段最後一行加入 LoadModule security2_module share/apache/modules/mod_security2.so;
9. 重啟 apache

下一步便是加入 mod_security rules set 及進一步針對自己需要修改 rules set. 因為小弟仲未完全掌握, 所以就請各位多多交流.

English Version:
mini-Howto Slitaz apache with mod_security

I know it is quite straight forward, but it’s a good way for my reference.

1. install Slitaz
2. install apache, you may got a ssl cert. problem by default, please read my other article or search in web
3. install the following packages:
   slitaz-toolchain, gcc, apache-dev, apr-dev, lua-dev, curl-dev, apr-util-dev, pcre-dev, libxml2-dev, expat-dev
4. download the mod_security source from the official web site – http://www.modsecurity.org
5. unzip the tarball
6. cd to ./apache2
7. make
8. make test
9. mlogc is optional, so ignored it
10. make install
11. copy mod_security module to /usr/share/apache/modules/mod_security2.so
12. edit apache config, in the last line of LoadModule, add an extra entry:
    LoadModule security2_module share/apache/modules/mod_security2.so;
13. save the changes in config file
14. restart apache

The final stage will be applied the rule sets and fine tune it. As my skill is also limited on this, it’s welcome you all to share with me.

Answer2: This is happening because ModSecurity thinks that you are trying to inject some code to [...]]]> Question2: I am hosting my own Blog, and every time I add a post I keep getting a not implemented error. Why is this happening? And how can I disable it for my posts? (I.e: disabling ModSecurity2 for a specific file).

Answer2: This is happening because ModSecurity thinks that you are trying to inject some code to the PHP files of your Blog based on the pretested rules BreachSecurity provides with the ModSecurity2 package. It is called “False Positives”, because it is a false alert (you are only posting a new post) and it’s positive because it matched one of the rules that ModSecurity2 depends on.

Disabling it shall need some work from your side, because as I told in the beginning, ModSecurity2 does not work like ModSecurity Version1, and disabling it in version 1 was much easier, but here in ModSecurity2 it is really much more powerful. First you need to monitor your Apache error log files. So let us start the following:

# tail -f /var/log/httpd/error_log

I shall assume that we have the Blog parked on the domain www.example.com. Open your favorite browser and goto:

http://www.example.com/wp-admin/post-new.php

And write the same post you got an error from. Now you shall get the same error, right? Great, now lets go and check what our error log has reported us. We shall see something like this:

[Mon Sep 22 11:01:12 2008] [error] [client 211.158.21.152] ModSecurity: Access denied with code 501 (phase 2). Pattern match “^(?:ht|f)tp:/” at ARGS:referredby. [file "/etc/httpd/conf.d/modsecurity2/optional_rules/modsecurity_crs_42_tight_security.conf"] [line "32"] [id "950117"] [msg "Remote File Inclusion Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-admin/post-new.php"] [unique_id "dGP7GXAAA8AAAPQC4AAEAAFZ"]

Hey, wait a minute, What are these????

This is actually a single line of error. Let me explain the important parts of it, and what we shall need to disable this alert from happening in the future. I am interested now in:

1st: 211.158.21.152 this is the IP of the host who because of him the alert was raised.
2nd: modsecurity_crs_42_tight_security.conf is the file that includes the rule.
3rd: ModSecurity classified this as a Remote File Inclusion Attack.
4th: www.example.com is the domain where the problem came from (in case you are hosting more domains on the same server).
5th: The file that made the alert is /wp-admin/post-new.php.
Finally: id, This is the important thing for us here, because we shall be using this number which is actually a rule number from the ModSecurity rule set.

Great we have the id let us disable this error from happening again. Goto Apache’s main config file and edit it:

# vim /etc/httpd/conf/httpd.conf

Add the following lines to disable the error above:

<LocationMatch “/wp-admin/post-new.php”>
SecRuleRemoveById 950117
</LocationMatch>

Now save, close the file and reload Apache.

Try making the same post again. If everything went well then great, if you get another error? then go back to the log files and get the id and add it to the SecRuleRemoveById we wrote above.

Notes:
1- If you are hosting more than one domain on the server (VirtualHosting), then it is better to add the lines above to the configuration file of that domain.

2- You can also solve this error by witting your own rules, but it is not quite easy and you need some knowledge in writing Regex codes, and to be more precise you need to know how to write Perl Compatible Regular Expression (PCRE), which ModSecurity rules are written with.

If you are looking for further documentation, then the main site is always a good place to look in:

http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/html-multipage/installation.html

So that’s it

Quoted from:
http://www.binary-zone.com/Projects/modsecurity2-eng.pdf