1

A quick run through of what I've done:

  1. apt-get install libapache-mod-security
  2. a2enmod mod-security
  3. create /etc/apache2/mod_security_rules/ with base_rules and optional_rules from the latest core rules set
  4. create /etc/apache2/conf.d/mod_security as below
  5. create /var/www/test.php as below

The conf file looks like

```
<IfModule security2_module>
Include /etc/apache2/mod_security_rules/*.conf
Include /etc/apache2/mod_security_rules/base_rules/*.conf
Include /etc/apache2/mod_security_rules/optional_rules/*.conf
</IfModule>
```

test.php looks like

```
<?php
$secret_file = $_GET['secret_file'];
include ( $secret_file);
?>
```

which several sites say mod_security should block.

My problem is that accessing test.php?secret_file='whatever' shows me the file.

Is this normal, and is mod_security working, or if not, what do I need to change?

Andrew

2 Answers

0

If you look at `/usr/share/doc/libapache-mod-security/examples/modsecurity.conf-minimal`, you will see that there are more things to add to the conf, like `SecRuleEngine On`. Are you sure that the core ruleset includes those basic commands?

You can add it to your conf.d file or maybe use the example file to guide you.

coredump
  • I added the minimal conf and it's still not tripping - do I need to add them to my Apache VirtualHosts definitions? – Andrew May 04 '11 at 23:28
  • Theoretically it's working. Use `phpinfo()` to check if the module is loaded, and try some other tests like embedding a SQL query in the URL. – coredump May 04 '11 at 23:40
  • Well, it turns out that using the minimal conf enabled it after all (uploads stopped working) - so I'll accept your answer as correct and read up on how to write a decent rules file. – Andrew May 08 '11 at 22:50
0

I have the same issue: Debian 6.0.6 x64 squeeze, libapache2-modsecurity 2.6.5-5 installed through apt-get. It looks like it is working, preventing all the other things, however it still allows access to passwd and other files like apache2.conf through the script posted in the first post. Any solution, guys?

Might it be related to other configuration of the web server itself?

Wizzy
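
An added example, not taken from either poster or from the ModSecurity project: the question's conf.d file with the rule engine switched on, plus one local rule covering the `secret_file` parameter of test.php. The audit log path, the rule id and the local rule itself are assumptions made for illustration.

```apache
# /etc/apache2/conf.d/mod_security
<IfModule security2_module>
    # The file in the question contained only Include lines. In ModSecurity 2.x
    # the engine stays off until SecRuleEngine enables it, so loaded rules are
    # never evaluated. Use "DetectionOnly" to log matches without blocking.
    SecRuleEngine On

    # Let rules inspect request bodies (POST parameters), not just the URL.
    SecRequestBodyAccess On

    # Record transactions that triggered a rule. The path is an assumption;
    # pick a location the Apache user can write to.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Hypothetical local rule for the test script: refuse any secret_file
    # value that contains "../" or starts with "/". The id is an arbitrary
    # value chosen for this example.
    SecRule ARGS:secret_file "(?:\.\./|^/)" \
        "phase:2,id:1000001,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path traversal or absolute path in secret_file'"

    # Core rule set, as in the question.
    Include /etc/apache2/mod_security_rules/*.conf
    Include /etc/apache2/mod_security_rules/base_rules/*.conf
    Include /etc/apache2/mod_security_rules/optional_rules/*.conf
</IfModule>
```

After reloading Apache, a request for `test.php?secret_file=/etc/passwd` should return 403 and leave an entry in the audit log. The rule only limits what reaches the script; the `include` of unvalidated input in test.php is still the underlying flaw.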