instalasi web server di linux
Tutorial ini menggunakan sistem operasi linux fedora core 12 dan versi terbaru dari apache: httpd-2.2.15.tar.bz2, php: php-5.3.2.tar.bz2, modsecurity: modsecurity-apache_2.5.12.tar.gz, modsecurity core rules: modsecurity-crs_2.0.6.tar.gz
instalasi apache:
hapus apache bawaan fedora core 12
$ rpm -qa |grep httpd
httpd-tools-2.2.13-4.fc12.i686
httpd-2.2.13-4.fc12.i686
$ rpm -e gnome-user-share httpd httpd-tools
download apache terbaru
$ wget http://apache.the.net.id/httpd/httpd-2.2.15.tar.bz2
$ tar xjfv httpd-2.2.15.tar.bz2
$ cd httpd-2.2.15
Untuk menyamarkan web server yang dipakai (security in obscurity):
$ cd httpd-2.2.15/include
$ vi ap_release.h
#define AP_SERVER_BASEVENDOR “Apache Software Foundation” -> #define AP_SERVER_BASEVENDOR “software inc.”
#define AP_SERVER_BASEPRODUCT “Apache” -> #define AP_SERVER_BASEPRODUCT “webserv”
save and exit vi dengan perintah :wq
$ cd ..
$ ./configure –-prefix=/usr/local/apache2 –enable-so –enable-ssl –with-ldap –enable-ldap –enable-auth-ldap –disable-info –disable-status –disable-autoindex –disable-imap –disable-include –disable-userdir –enable-rewrite –enable-unique-id
$ make
$ make install
$ cat /etc/passwd |grep apache
jika ditemukan apache:
$vi /usr/local/apache2/conf/httpd.conf
ganti User dan Group daemon menjadi:
User apache
Group apache
save and exit vi
instalasi modsecurity:
$ wget http://nchc.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.5.12/modsecurity-apache_2.5.12.tar.gz
$ tar xzfv modsecurity-apache_2.5.12.tar.gz
$ cd modsecurity-apache_2.5.12/apache2
$ ./configure –with-apxs=/usr/local/apache2/bin/apxs
terjadi error sebagai berikut :
…
…
configure: looking for Apache module support via DSO through APXS
configure: found apxs at /usr/local/apache2/bin/apxs
configure: checking httpd version
configure: httpd is recent enough
checking for libpcre config script… no
configure: *** pcre library not found.
configure: error: pcre library is required
$ wget ftp://fr2.rpmfind.net/linux/fedora/releases/12/Everything/i386/os/Packages/pcre-devel-7.8-3.fc12.i686.rpm
$ rpm -ivh pcre-devel-7.8-3.fc12.i686.rpm
$ ./configure –with-apxs=/usr/local/apache2/bin/apxs
terjadi error lagi sebagai berikut :
…
…
configure: using ‘-lpcre’ for pcre Library
checking for libapr config script… no
configure: *** apr library not found.
configure: error: apr library is required
$ ./configure –with-apxs=/usr/local/apache2/bin/apxs –with-apr=/usr/local/apache2/bin/apr-1-config –with-apu=/usr/local/apache2/bin/apu-1-config
$ make
$ make install
$ vi httpd.conf
tambahkan baris-baris berikut :
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
save and exit vi
instalasi modsecurity core rules :
$ cd /usr/local/apache2
$ wget http://nchc.dl.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.0.6.tar.gz
$ tar xzfv modsecurity-crs_2.0.6.tar.gz
$ mv modsecurity-crs_2.0.6 modsecurity-crs
$ vi httpd.conf
tambahkan baris-baris berikut :
Include conf/modsecurity-crs/*.conf
Include conf/modsecurity-crs/base_rules/*.conf
save and exit vi
membuat startup script untuk apache :
$ vi /etc/rc.d/init.d/httpd2
tambahkan baris-baris berikut :
#!/bin/sh
#
# Startup script for the Apache Web Server
# chkconfig: 345 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /usr/local/apache2/conf/access.conf
# config: /usr/local/apache2/conf/httpd.conf
# config: /usr/local/apache2/conf/srm.conf
# Source function library.
. /etc/rc.d/init.d/functions
case “$1″ in
’start’)
/usr/local/apache2/bin/apachectl start
;;
’stop’)
/usr/local/apache2/bin/apachectl stop
;;
‘restart’)
/usr/local/apache2/bin/apachectl restart
;;
*)
echo “Usage: $0 {start|stop|restart}”
exit 1
esac
exit 0
save and exit vi
$ chkconfig –add httpd2
$ service httpd2 start
httpd: Syntax error on line 55 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/lib/liblua5.1.s into server: /usr/lib/liblua5.1.s: cannot open shared object file: No such file or directory
$ wget ftp://fr2.rpmfind.net/linux/fedora/releases/12/Everything/i386/os/Packages/lua-devel-5.1.4-4.fc12.i686.rpm
$ rpm -Uvh lua-devel-5.1.4-4.fc12.i686.rpm
$ service httpd2 start
instalasi PHP :
$ wget http://id.php.net/distributions/php-5.3.2.tar.bz2
$ tar xjfv php-5.3.2.tar.bz2
$ cd php-5.3.2
$ ./configure –with-apxs2=/usr/local/apache2/bin/apxs –enable-magic-quotes –with-openssl –with-zlib –with-bz2 –enable-ftp –with-gd –enable-mbstring –with-freetype-dir –with-jpeg-dir
terjadi error sebagai berikut :
….
checking for fabsf… yes
checking for floorf… yes
configure: error: libjpeg.(a|so) not found.
insert fedora DVD and mount
$ cd /mnt/Packages
$ ls *jpeg*
$ rpm -Uvh libjpeg-6b-46.fc12.i686.rpm libjpeg-devel-6b-46.fc12.i686.rpm
lakukan configure lagi
$ make
$ make test
$ make install
$ cp php.ini-development /usr/local/lib/php.ini
$ vi /usr/local/lib/php.ini
sesuaikan beberapa opsi sebagai berikut :
expose_php = Off
display_erros = Off
short_open_tag = On
date.timezone = Asia/Jakarta
save and exit vi
$ mkdir /var/log/httpd
$ vi /usr/local/apache2/conf/httpd.conf
tambahkan baris-baris berikut :
LoadModule php5_module modules/libphp5.so
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
ErrorLog “/var/log/httpd/error_log”
CustomLog “/var/log/httpd/access_log” combined
DirectoryIndex index.php index.html
save and exit vi
$ service apache2 restart
$ cd /usr/local/apache2/conf/modsecurity-crs/base_rules
$ vi modsecurity_crs_50_outbound.conf
untuk menampilkan nomor baris pada vi berikan perintah :set number lalu cari baris 85 seperti berikut:
SecRule RESPONSE_BODY “!@pmFromFile modsecurity_50_outbound.data” \
“phase:4,rev:’2.0.6′,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,nolog,skipAfter:END_OUTBOUND_CHECK”
lalu edit menjadi :
SecRule RESPONSE_BODY “!@pmFromFile modsecurity_50_outbound.data” \
“phase:4,rev:’2.0.6′,t:none,capture,t:urlDecodeUni,t:htmlEntityDecode,pass,nolog,skipAfter:END_OUTBOUND_CHECK”
save and exit vi
$ cd /usr/local/apache2/conf/modsecurity-crs/
$ vi modsecurity_crs_10_config.conf
SecDefaultAction “phase:2,deny”
SecRuleEngine On
SecAuditEngine RelevantOnly
SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/modsec_audit.log
SecAuditLogParts ABIFHZ
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir
SecDebugLogLevel 3
save and exit vi
$ mkdir /var/log/modsecurity
$ mkdir /var/log/modsecurity/SecTmpDir
$ mkdir /var/log/modsecurity/SecDataDir
$ mkdir /var/log/modsecurity/SecUploadDir
$ chown -R apache.apache /var/log/modsecurity
$ service apache2 restart
test instalasi dengan :
$ vi ls /usr/local/apache2/htdocs/test.php
<?php
echo “testing”;
?>
save and exit vi
dari browser panggil http://192.168.5.18/test.php. jika instalasi berhasil maka akan muncul testing
Firefox Indonesia 501 (Not Implemented) akses ke apache+modsecurity
Seorang bernama Romi Hardiyanto yang mengaku sebagai anggota pelokalan Mozilla Firefox Bahasa Indonesia mengirimkan email yang memberitahukan bahwa web server kami menjawab 501 (Not Implemented) jika diakses dari Firefox Bahasa Indonesia. Menurut beliau ada yang harus dihapus sedikit pada rules modsecurity. Lakukan back up sebelum melakukan perubahan.
Rules yang dimaksud adalah nomer 950006 pada file modsecurity_crs_40_generic_attacks.conf sebagai berikut:
# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:’/(Cookie|Referer|X-OS-Prefs)/’|REQUEST_COOKIES|REQUEST_COOKIES_NAMES “(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:[\'\"\|\;\`\-\s]|$))” \
“capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:’System Command Injection. Matched signature <%{TX.0}>’,,id:’950006′,severity:’2′”
Ada 2 bagian yang harus dihapus, yang saya beri cetak tebal dan dicoret (|id) sehingga menjadi :
# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:’/(Cookie|Referer|X-OS-Prefs)/’|REQUEST_COOKIES|REQUEST_COOKIES_NAMES “(?:\b(?:(?:n(?:et(?:\b\W+?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\/c)|d(?:\b\W*?[\\\/]|\W*?\.\.)|hmod.{0,40}?\+.{0,3}x))|[\;\|\`]\W*?\b(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)\b|g(?:\+\+|cc\b))|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo)(?:[\'\"\|\;\`\-\s]|$))” \
“capture,ctl:auditLogParts=+E,deny,log,auditlog,status:501,msg:’System Command Injection. Matched signature <%{TX.0}>’,,id:’950006′,severity:’2′”
Simpan perubahan tersebut dan restart apache. Terima kasih mas Romi.
Bad Request caused by modsecurity core rules
today a user tried to import (upload) a mysql database using phpmydmin. an error like this showed up:
Bad Request
Your browser sent a request that this server could not understand
i cheked the apache’s error log file and found some lines indicating that it had something to do with modsecurity. those lines got REQBODY_PROCESSOR_ERROR in them so i checked modsecurity configuration files :
$ grep REQBODY_PROCESSOR_ERROR modsecurity*conf
the search found it in
modsecurity_crs_20_protocol_violations.conf file so i did :
$ vi modsecurity_crs_20_protocol_violations.conf
and found a rule like this :
SecRule REQBODY_PROCESSOR_ERROR “!@eq 0″ “t:none,deny,log,auditlog,status:400,msg:’Invalid request body’,,id:’960912′,severity:’2′”
i then red the modsecurity reference and found answer that deny can be changed with pass to continue processing with the next rule. so i changed deny with pass, saved the file and exit. restart apache to make the change take effect and then tested it. no error, the import process was success.
but i will have to change it back to deny again as soon as the guy finish his database import.
i think this case is not only for phpmyadmin but also any applications that requires uploading.
modsecurity causing Internal Server Error
one of our programmer complained that when his application run in our new server, it caused the following error :
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, admin@domain.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log
so based on the information above i searched in the error log file of our new server, here’s the line that i suspected related with it :
[Fri Jan 04 10:02:51 2008] [error] [client 172.18.10.1] ModSecurity: Output filter: Response body too large (over limit of 524288, total length not known). [hostname "domain.com"] [uri "/folder/application.php"] [unique_id "vdNGNn8AAAEAAA1-HmEAAAAN"]
so then i went to directory where modsecurity rules reside and try to find in what file the limit was.
$ grep 524288 *conf
result
modsecurity_crs_10_config.conf:SecResponseBodyLimit 524288
the programmer told me before that his application was to view a sets of result from a select command. i think the problem is the size of the selection was too large and over the limit set in modsecurity_crs_10_config.conf.
when i asked him, he told me that the result is about 8000 records. no wonder……
so i suggested him to fix the selection, not to select all records at a time.
