1

A quick run through of what I've done:

  1. apt-get install libapache-mod-security
  2. a2enmod mod-security
  3. create /etc/apache2/mod_security_rules/ with base_rules and optional_rules from the latest core rules set
  4. create /etc/apache2/conf.d/mod_security as below
  5. create /var/www/test.php as below

The conf file looks like

    <IfModule security2_module>
        Include /etc/apache2/mod_security_rules/*.conf
        Include /etc/apache2/mod_security_rules/base_rules/*.conf
        Include /etc/apache2/mod_security_rules/optional_rules/*.conf
    </IfModule>

test.php looks like

    <?php
    $secret_file = $_GET['secret_file'];
    include($secret_file);
    ?>

which several sites say mod_security should block.

My problem is that accessing test.php?secret_file='whatever' shows me the file.

Is this normal, and is mod_security working, or if not, what do I need to change?

1
  • Hmm, perhaps this belongs on ServerFault after all... flagging... Commented May 4, 2011 at 3:40

2 Answers

0

Looking at /usr/share/doc/libapache-mod-security/examples/modsecurity.conf-minimal, you will see that there are more things to add to the conf, like SecRuleEngine On. Are you sure that the core rule set includes those basic commands?

You can add it to your conf.d file or maybe use the example file to guide you.

3
  • I added the minimal conf and it's still not tripping - do I need to add them to my Apache VirtualHosts definitions? Commented May 4, 2011 at 23:28
  • Theoretically it's working. Use phpinfo() to check if the module is loaded, and try some other tests like embedding a SQL query in the URL. Commented May 4, 2011 at 23:40
  • Well, it turns out that using the minimal conf enabled it after all (uploads stopped working) - so I'll accept your answer as correct and read up on how to write a decent rules file. Commented May 8, 2011 at 22:50
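
An added example (not from the original question or answers) of the conf.d file from the question with the engine switched on, which is the setting the answer above points at. The audit log path, the rule id 100001 and the local rule for the secret_file parameter are assumptions made for illustration.

```apache
<IfModule security2_module>
    # SecRuleEngine defaults to Off: the included rules are parsed but
    # never evaluated until the engine is enabled.
    SecRuleEngine On

    # Inspect request bodies (POST data, uploads) as well as the URL.
    SecRequestBodyAccess On

    # Record blocked transactions so a test request can be confirmed
    # in the audit log (path is an assumption).
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Engine settings first, then the rule files from the question.
    Include /etc/apache2/mod_security_rules/*.conf
    Include /etc/apache2/mod_security_rules/base_rules/*.conf
    Include /etc/apache2/mod_security_rules/optional_rules/*.conf

    # Constructed local rule (id 100001 is a placeholder): reject
    # absolute paths and ../ sequences in the secret_file parameter
    # that test.php passes to include().
    SecRule ARGS:secret_file "@rx (?:^/|\.\./)" \
        "id:100001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Path in secret_file parameter'"
</IfModule>
```

Setting SecRuleEngine to DetectionOnly instead of On logs matches without blocking, which helps when checking what the rule set would reject before enforcing it.
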
0

I have the same issue: Debian 6.0.6 x64 squeeze, libapache2-modsecurity 2.6.5-5 installed through apt-get. It looks like it is working, preventing all the other things, however it is still allowing access to passwd and other files like apache2.conf through the script posted in the first post. Any solution, guys?

Might it be related to other config of the web server itself?
