Posts Tagged 'Centos'

April 29, 2013

Web Development - Installing mod_security with OWASP

You want to secure your web application, but you don't know where to start. A number of open-source resources and modules exist, but that variety is more intimidating than it is liberating. If you're going to take the time to implement application security, you don't want to put your eggs in the wrong basket, so you wind up suffering from analysis paralysis as you compare all of the options. You want a powerful, flexible security solution that isn't overly complex, so to save you the headache of making the decision, I'll make it for you: Start with mod_security and OWASP.

ModSecurity (mod_security) is an open-source Apache module that acts as a web application firewall. It is used to help protect your server (and websites) from several methods of attack, most common being brute force. You can think of mod_security as an invisible layer that separates users and the content on your server, quietly monitoring HTTP traffic and other interactions. It's easy to understand and simple to implement.

The challenge is that without some advanced configuration, mod_security isn't very functional, and that advanced configuration can get complex pretty quickly. You need to determine and set additional rules so that mod_security knows how to respond when approached with a potential threat. That's where Open Web Application Security Project (OWASP) comes in. You can think of the OWASP as an enhanced core ruleset that the mod_security module will follow to prevent attacks on your server.

The process of getting started with mod_security and OWASP might seem like a lot of work, but it's actually quite simple. Let's look at the installation and configuration process in a CentOS environment. First, we want to install the dependencies that mod_security needs:

## Install the GCC compiler and mod_security dependencies ##
$ sudo yum install gcc make
$ sudo yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Now that we have the dependencies in place, let's install mod_security. Unfortunately, there is no yum for mod_security because it is not a maintained package, so you'll have to install it directly from the source:

## Get mod_security from its source ##
$ cd /usr/src
$ git clone https://github.com/SpiderLabs/ModSecurity.git

Now that we have mod_security on our server, we'll install it:

## Install mod_security ##
$ cd ModSecurity
$ ./configure
$ make install

And we'll copy over the default mod_security configuration file into the necessary Apache directory:

## Copy configuration file ##
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

We've got mod_security installed now, so we need to tell Apache about it ... It's no use having mod_security installed if our server doesn't know it's supposed to be using it:

## Apache configuration for mod_security ##
$ vi /etc/httpd/conf/httpd.conf

We'll need to load our Apache config file to include our dependencies (BEFORE the mod_security module) and the mod_security file module itself:

## Load dependencies ##
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
## Load mod_security ##
LoadModule security2_module modules/mod_security2.so

We'll save our configuration changes and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart

As I mentioned at the top of this post, our installation of mod_security is good, but we want to enhance our ruleset with the help of OWASP. If you've made it this far, you won't have a problem following a similar process to install OWASP:

## OWASP ##
$ cd /etc/httpd/
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
$ mv owasp-modsecurity-crs modsecurity-crs

Just like with mod_security, we'll set up our configuration file:

## OWASP configuration file ##
$ cd modsecurity-crs
$ cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

Now we have mod_security and the OWASP core ruleset ready to go! The last step we need to take is to update the Apache config file to set up our basic ruleset:

## Apache configuration ##
$ vi /etc/httpd/conf/httpd.conf

We'll add an IfModule and point it to our new OWASP rule set at the end of the file:

<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>

And to complete the installation, we save the config file and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart

And we've got mod_security installed with the OWASP core ruleset! With this default installation, we're leveraging the rules the OWASP open source community has come up with, and we have the flexibility to tweak and enhance those rules as our needs dictate. If you have any questions about this installation or you have any other technical blog topics you'd like to hear from us about, please let us know!

-Cassandra

January 24, 2011

5 Steps to Start Using IPv6 (not IPv5)

As Kevin mentioned on Friday, we are less than 45 days from "doomsday." The IANA only has about 3% of the resources required to sustain our current way of life. 6.8 billion people with only 4.3 billion addresses in existence. It's the 2012 saga in 2011: The exhaustion of the Internet's available IP version 4 (IPv4) addresses. What are we going to do?!

Luckily, a lot of people have been hard at work to mitigate the impending Internet crisis. IP version 6 (IPv6) is on the horizon and is already supported by most modern internet enabled devices. If you're like me, the fact that we went from IPv4 to IPv6 might make you wonder, "What happened to IPv5?"

The powers that be didn't decide to rid the number system of the number five because of its mixture of curves and right angles, and it wasn't because they only wanted to use round numbers. IP version 5 (IPv5) was a work in progress and part of a family of experimental protocols by the name of ST (Internet Stream Protocol). ST and later ST-II were connection-oriented protocols that were intended to support the efficient delivery of data streams to applications that required guaranteed data throughput.

An ST packet looks very similar to its IPv4 sibling, and both use the first 8 bits to identify a version number. IPv4 uses those 8 bits to identify IPv4 packets, and ST used the same 8 bits to identify IPv5 packets. Since "version 5" was spoken for, the next iteration in IP advancement became version 6.

If you've been around the SoftLayer blog for a while, you already know a fair bit about IPv6, but you're probably wondering, "What’s next?" How do you actually start using IPv6 yourself?

1. Get a Block of IPv6 Addresses

Lucky for you, the SoftLayer platform is IPv6 ready, and we're already issuing and routing IPv6 traffic. Obtaining a block of public IPs from us is as easy as logging into the portal, pulling up the hardware page of a server and ordering a /64 block of IPv6 IPs for $4/mo per subnet ($10 if you want a portable subnet)!

For those of you that have ordered IPs from us in the past, IPv4 addresses are usually $0.50-$1.00 each. To get a /64 of public static IPv6 addresses, it’s a whopping $0.00 for the entire range. So just how many IPs is in a /64? 256? Try again. 512? Keep going. 1 Million? You’re still cold. Let's try 18.4 quintillion. For those that understand scientific notation better, that is 1.84 x 1019. If you just want to see the number written in long form, it's 18,446,744,073,709,551,616 IP addresses. That allocation should probably tide you over for a little while.

2. Make Sure Your Server is IPv6 Ready

Most current server operating systems are ready to take the IPv6 leap. This includes Windows 2003 SP1 and most Linux OSes with 2.6.x Linux kernels. We'll focus on Windows and RedHat/CentOS here.

To ready your Windows 2003 server for IPv6, do this:

  1. In Control Panel, double-click Network Connections.
  2. Right-click any local area connection, and then click Properties.
  3. Click Install.
  4. In the "Select Network Component Type" dialog box, click Protocol, then Add.
  5. In the "Select Network Protocol" dialog box, click Microsoft TCP/IP version 6, then OK.
  6. Click Close to save changes to your network connection.

Once IPv6 is installed, IIS will automatically support IPv6 on your web server. If a website was running when you installed the IPv6 stack, you must restart the IIS service before the site begins to listen for IPv6 requests. Sites that you create after you enable IPv6 automatically listen for IPv6. Windows 2008 server should have IPv6 enabled by default.

When your Windows server is ready for IPv6, you will add IPv6 addresses to the server just as you'd add IPv4 addresses ... The only difference is you will edit the properties to the Internet Protocol Version 6 (TCP/IPv6) network protocol.

To ready your RedHat/CentOS servers, do this:

  1. Using your favorite editor, edit /etc/sysconfig/network and enable NETWORKING_IPV6 by changing the "no" to a "yes."

    Example:

    NETWORKING=yes
    HOSTNAME=ipv6test.yourdomain.com
    GATEWAY=10.13.40.1
    NETWORKING_IPV6=yes
  2. Next edit /etc/sysconfig/network-scripts/ifcfg-eth1 to add IPv6 parameters.

    Add the following to end of the file:

    IPV6INIT=yes
    IPV6ADDR=YOURIPV6ADDRESS
    IPV6_DEFAULTGW=YOURGATEWAY

    Example:

    IPV6INIT=yes
    IPV6ADDR=2607:f0d0:2001:0000:0000:0000:0000:0010/64
    IPV6_DEFAULTGW=2607:f0d0:2001:0000:0000:0000:0000:0001
  3. Once you have successfully added your assigned IP addresses, you must restart networking with this command:
    [root@ipv6test /]# service network restart

Once you have completed these steps on your respective OS, you should be able to communicate over the IPv6 stack. To test, you can ping ipv6.google.com and see if it works.

3. Bind Your New IPv6 Address to Apache/IIS

Now that you have more IPv6 addresses for your server(s) than what's available to the entire world in IPv4 space, you must bind them to IIS or Apache. This is done the similarly to the way you bind IPv4 addresses.

In IIS, all IPs that have been added to the system will now be available for use in the website properties. Within Apache, you will add a few directives to ensure your web servers is listening on the IPv6 stack ... which brings us to a very important point when it comes to discussing IPv6. Due to the fact that it's full of colons (:), you can’t just write out the IP as you would a 32-bit address.

IPv6 addresses must be specified in square brackets or the optional port number could not be determined. To enable Apache to listen to both stacks on separate sockets you will need to add a new "Listen" directive:

Listen [::]:80
Listen 0.0.0.0:80

And for your Virtual Hosts, the will look like this:

<VirtualHost [2101:db8::a00:200f:fda7:00ea]>
ServerAdmin webmaster@yourdomain.com
DocumentRoot /www/docs/ipv6test.yourdomain.com
ServerName ipv6test.yourdomain.com
ErrorLog logs/ipv6test.yourdomain.com-error_log
TransferLog logs/ipv6test.yourdomain.com-access_log
<VirtualHost>

4. Add Addresses to DNS

The final step in getting up and running is to add your new IPv6 addresses to your DNS server. If you're using a IPv6 enabled DNS server, you will simply insert an 'AAAA' resource record (aka quad-A record) for your host.

5. Test Your Server's IPv6 Accessibility

While your DNS is propagating, you can still test your webserver to see if it responds to the IP you assigned by using square brackets in your browser: http://[2101:db8::a00:200f:fda7:00ea]

This test, of course, will only work if your computer is on a IPv6 network. If you are limited to IPv4, you will need sign up with a tunnel broker or switch to an ISP that offers IPv6 connectivity.

After about 24 hours, your server and new host should be ready to serve websites on the IPv6 stack.

Good luck!

-Harold

Subscribe to centos