ModSecurity is an Apache module that helps protect a web server from attacks such as SQL injection, c99 web shells and the like.
Installing Apache and ModSecurity
Run the command below to install Apache and ModSecurity:
apt-get install apache2 libapache-mod-security -y
The package is called libapache-mod-security on the Debian release this was written for; on newer Debian and Ubuntu releases it is libapache2-mod-security2, so check the name with apt-cache search before installing.
Download the rule set from the ModSecurity site and move the .conf files to /etc/apache2/modsecrules (the original command was missing the separator before mv, which is fixed here):
mkdir /etc/apache2/modsecrules; mkdir /tmp/tempt; cd /tmp/tempt; wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz; tar zxvf modsecurity-core-rules_2.5-1.6.1.tar.gz; mv *.conf /etc/apache2/modsecrules/
The ModSecurity configuration file is /etc/apache2/mods-available/mod-security.load. At the very bottom of mod-security.load add
Include /etc/apache2/modsecrules/*.conf
so that the contents of mod-security.load become
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
Include /etc/apache2/modsecrules/*.conf
The Include line has to come after the LoadModule line: Apache only understands the Sec* directives in the rule files once mod_security2 has been loaded, and otherwise refuses to start with an "Invalid command" error.
Now enable the ModSecurity module and restart the Apache daemon so that ModSecurity is picked up:
a2enmod mod-security; /etc/init.d/apache2 restart
It is worth running apache2ctl configtest between the two commands: a typo in a rule file would otherwise stop Apache from coming back up after the restart.
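The whole procedure above as one script, added here as an example and not part of the original post. It assumes a Debian or Ubuntu system with apt, root privileges, and the package and rule-set names used above; the helper names write_load_file, load_order_ok and install_modsecurity are this example's own. The install only runs when the script is invoked with the argument install, so the helpers can be sourced and checked on their own.

```shell
#!/bin/sh
# Added example (not from the original post): the ModSecurity install procedure
# as one script. Assumes Debian/Ubuntu with apt, run as root, and the package
# and rule-set names the post uses (package names differ between releases).
set -eu

RULES_DIR=/etc/apache2/modsecrules
LOAD_FILE=/etc/apache2/mods-available/mod-security.load
CRS_TARBALL=modsecurity-core-rules_2.5-1.6.1.tar.gz
CRS_URL="http://www.modsecurity.org/download/$CRS_TARBALL"

# Write the module loader. The Include must come after LoadModule, otherwise
# Apache rejects the Sec* directives in the rule files as unknown commands.
write_load_file() {
    out="$1"
    cat > "$out" <<'EOF'
LoadFile /usr/lib/libxml2.so.2
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
Include /etc/apache2/modsecrules/*.conf
EOF
}

# Return 0 if LoadModule appears before the Include in the given loader file.
load_order_ok() {
    f="$1"
    lm=$(grep -n '^LoadModule security2_module' "$f" | cut -d: -f1 | head -n1)
    inc=$(grep -n '^Include ' "$f" | cut -d: -f1 | head -n1)
    [ -n "$lm" ] && [ -n "$inc" ] && [ "$lm" -lt "$inc" ]
}

install_modsecurity() {
    apt-get install -y apache2 libapache-mod-security
    mkdir -p "$RULES_DIR"
    tmp=$(mktemp -d)
    ( cd "$tmp" && wget -q "$CRS_URL" && tar xzf "$CRS_TARBALL" )
    # The archive extracts its .conf files at the top level, as in the post.
    cp "$tmp"/*.conf "$RULES_DIR"/
    rm -rf "$tmp"
    write_load_file "$LOAD_FILE"
    load_order_ok "$LOAD_FILE"
    a2enmod mod-security
    # Check the merged configuration before touching the running daemon.
    apache2ctl configtest
    /etc/init.d/apache2 restart
}

# Only run the install when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "install" ]; then
    install_modsecurity
fi
```

Run it as sh install-modsec.sh install; without the argument it only defines the functions, which is how the loader-file check can be exercised on a machine that is not the target server.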
The ModSecurity log files are
/var/log/apache2/modsec_debug.log
/var/log/apache2/modsec_audit.log
The audit log records the request and the rule that matched for every blocked or logged transaction; the debug log only contains as much as the SecDebugLogLevel directive allows, so it is the audit log you normally search.
One example of an SQL injection attempt blocked by ModSecurity, as recorded in the audit log:
[21/Jun/2013:15:13:35 +0700] [xxxx.com.com/sid#2b1451c3c6f8][rid#2b14565c81d0][/index.php/about_us/select * from where = xksa and][1] Access denied with code 403 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at REQUEST_FILENAME. [file "/etc/apache2/modsecrules/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select * from where"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]
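A small parser for the alert format shown above, added here as an example and not part of the original post. It extracts the bracketed [name "value"] fields that ModSecurity 2.x writes (id, msg, severity, data) and tallies denied requests per rule id across a log. The sample line SAMPLE_ALERT is the entry from the post; SAMPLE_CMDI is a constructed second entry, and the function names modsec_field, modsec_summary and modsec_top_rules are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pull the useful fields out of the
# one-line ModSecurity 2.x alert format and tally alerts per rule id.

# The alert shown in the post, used here as sample input.
SAMPLE_ALERT='[21/Jun/2013:15:13:35 +0700] [xxxx.com.com/sid#2b1451c3c6f8][rid#2b14565c81d0][/index.php/about_us/select * from where = xksa and][1] Access denied with code 403 (phase 2). Pattern match "(?:\b(?:(?:s(?:elect\b(?:.{1,100}?\b(?:(?:length|count|top)\b.{1,100}?\bfrom|from\b.{1,100}?\bwhere)|.*?\b(?:d(?:ump\b.*\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(? ..." at REQUEST_FILENAME. [file "/etc/apache2/modsecrules/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [data "select * from where"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"]'

# Constructed second entry (not a real log line) with a different rule id.
SAMPLE_CMDI='[21/Jun/2013:15:20:01 +0700] [xxxx.com.com/sid#2b1451c3c6f8][rid#2b14565c9a00][/cgi-bin/test.cgi][1] Access denied with code 403 (phase 2). Pattern match "..." at ARGS:cmd. [file "/etc/apache2/modsecrules/modsecurity_crs_40_generic_attacks.conf"] [line "120"] [id "950006"] [msg "System Command Injection"] [data "; cat /etc/passwd"] [severity "CRITICAL"] [tag "WEB_ATTACK/COMMAND_INJECTION"]'

# Print the value of one bracketed field such as [id "950001"]; nothing if absent.
modsec_field() {
    name="$1"; line="$2"
    printf '%s\n' "$line" | sed -n "s/.*\\[$name \"\\([^\"]*\\)\"\\].*/\\1/p"
}

# One-line summary: rule id, severity, message and the data that matched.
modsec_summary() {
    line="$1"
    printf '%s %s %s | %s\n' \
        "$(modsec_field id "$line")" \
        "$(modsec_field severity "$line")" \
        "$(modsec_field msg "$line")" \
        "$(modsec_field data "$line")"
}

# Count "Access denied" events per rule id from stdin, most frequent first.
modsec_top_rules() {
    grep 'Access denied' | sed -n 's/.*\[id "\([0-9]*\)"\].*/\1/p' | sort | uniq -c | sort -rn
}

# Typical use on a live server:
#   grep 'Access denied' /var/log/apache2/modsec_audit.log | modsec_top_rules
# (the file path is the one the post gives; the function names are this example's own).
```

Piping the audit log through modsec_top_rules is a quick way to see which rules fire most, which is usually the first step in deciding whether a noisy rule is catching attacks or legitimate traffic that needs an exception.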