modsecurity whitelist for pingdom servers

Pingdom provides a free service that monitors the status of a website. When the website goes down, Pingdom sends a notification to a registered email address, and it sends another one when the website is back up.

But if the website is protected by mod_security, Pingdom will not be able to do its job, so we need to create a whitelist for Pingdom's servers. First go to the directory where the mod_security rules reside (usually the same directory as modsecurity-crs). Copy the lines below, then run

$ vi whitelist.conf

switch to insert mode, paste the lines, then save and exit. Don't forget to restart Apache afterwards.

To make sure the IP addresses are still valid, check here. You need an account at Pingdom; it's free.

SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445000,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445001,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445002,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445003,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445004,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445005,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445006,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445007,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445008,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445009,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445010,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445011,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445012,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445013,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445014,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445015,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445016,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445017,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445018,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445019,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445020,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445021,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445022,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445023,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445024,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445025,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445026,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445027,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445028,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445029,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445030,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445031,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445032,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445033,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445034,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445035,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445036,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445037,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445038,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445039,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445040,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445041,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445042,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445043,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445044,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445045,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445046,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445047,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445048,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445049,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445050,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445051,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445052,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445053,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445054,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445055,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445056,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445057,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445058,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445059,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445060,ctl:ruleEngine=off
SecRule REMOTE_ADDR "^" phase:1,nolog,allow,id:445061,ctl:ruleEngine=off

If you copy and paste from the list above, make sure there is a plain double quote before and after each IP address. Otherwise it won't work. I've been there. I had to paste into gedit and then use its find and replace tool.
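As an added example (not part of the original post), the following Python script generates whitelist.conf entries in the form shown above from a list of addresses, escaping and anchoring each pattern so a rule cannot match a longer address by accident, and lints a pasted file for the curly-quote problem and for patterns that would match more clients than intended. The addresses are constructed placeholders; take the real list from your Pingdom account.

```python
import ipaddress
import re

# Constructed placeholder addresses (TEST-NET ranges), not Pingdom's real probe IPs.
SAMPLE_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.99"]
# Curly quotes that a web page or word processor substitutes for ASCII ones.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

def make_rule(ip, rule_id):
    """One whitelist rule in the form used above: the address is regex-escaped
    and anchored with ^ and $, so 192.0.2.1 does not also match 192.0.2.10."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
    return 'SecRule REMOTE_ADDR "^%s$" phase:1,nolog,allow,id:%d,ctl:ruleEngine=off' % (
        re.escape(ip), rule_id)

def build_whitelist(ips, start_id=445000):
    """Rules for every address, with consecutive unique ids starting at start_id."""
    return [make_rule(ip, start_id + i) for i, ip in enumerate(ips)]

def normalize_quotes(text):
    """Replace curly quotes with plain ASCII ones (the pitfall described above)."""
    for bad, good in SMART_QUOTES.items():
        text = text.replace(bad, good)
    return text

RULE_RE = re.compile(r'^SecRule REMOTE_ADDR "([^"]*)" \S*\bid:(\d+)\b')

def lint_whitelist(text):
    """Problems that make a rule fail or match more clients than intended:
    curly quotes, a pattern not anchored with ^...$, an unescaped '.' (which
    matches any character), and duplicate rule ids."""
    problems, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if any(q in line for q in SMART_QUOTES):
            problems.append("line %d: curly quotes" % n)
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append("line %d: not a REMOTE_ADDR whitelist rule" % n)
            continue
        pat, rid = m.group(1), m.group(2)
        if not (pat.startswith("^") and pat.endswith("$")):
            problems.append("line %d: pattern %r is not anchored" % (n, pat))
        if re.search(r"(?<!\\)\.", pat):
            problems.append("line %d: unescaped '.' in %r" % (n, pat))
        if rid in seen:
            problems.append("line %d: duplicate id %s" % (n, rid))
        seen.add(rid)
    return problems
```

Newer ModSecurity releases also provide the @ipMatch operator, which takes addresses and CIDR ranges directly and avoids the regex altogether.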

Also make sure that whitelist.conf is included from httpd.conf, like this (the *.conf glob picks it up as long as the file sits in the modsecurity-crs directory):

<IfModule security2_module>
Include /usr/local/apache2/modsecurity-crs/*.conf
Include /usr/local/apache2/modsecurity-crs/base_rules/*.conf
</IfModule>

installing a web server on linux

This tutorial uses the Linux Fedora Core 12 operating system and the latest versions of Apache: httpd-2.2.15.tar.bz2, PHP: php-5.3.2.tar.bz2, ModSecurity: modsecurity-apache_2.5.12.tar.gz, and the ModSecurity Core Rules: modsecurity-crs_2.0.6.tar.gz. If you are installing on 64-bit Linux, please take a look here first.

Installing Apache:
Remove the Apache that ships with Fedora Core 12:
$ rpm -qa |grep httpd

$ rpm -e gnome-user-share httpd httpd-tools

Download the latest Apache:
$ wget
$ tar xjfv httpd-2.2.15.tar.bz2
$ cd httpd-2.2.15

To disguise which web server is in use (security through obscurity), edit the vendor and product strings before building:

$ cd include
$ vi ap_release.h

#define AP_SERVER_BASEVENDOR "Apache Software Foundation" -> #define AP_SERVER_BASEVENDOR "software inc."
#define AP_SERVER_BASEPRODUCT "Apache" -> #define AP_SERVER_BASEPRODUCT "webserv"

save and exit vi with the command :wq
$ cd ..

$ ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl --with-ldap --enable-ldap --enable-auth-ldap --disable-info --disable-status --disable-autoindex --disable-imap --disable-include --disable-userdir --enable-rewrite --enable-unique-id

$ make
$ make install
$ cat /etc/passwd |grep apache

If an apache user is found:

$ vi /usr/local/apache2/conf/httpd.conf

change the User and Group from daemon to:

User apache
Group apache

save and exit vi

Installing ModSecurity:
$ wget
$ tar xzfv modsecurity-apache_2.5.12.tar.gz
$ cd modsecurity-apache_2.5.12/apache2
$ ./configure --with-apxs=/usr/local/apache2/bin/apxs

The following error occurs:

configure: looking for Apache module support via DSO through APXS
configure: found apxs at /usr/local/apache2/bin/apxs
configure: checking httpd version
configure: httpd is recent enough
checking for libpcre config script... no
configure: *** pcre library not found.
configure: error: pcre library is required

$ wget
$ rpm -ivh pcre-devel-7.8-3.fc12.i686.rpm
$ ./configure --with-apxs=/usr/local/apache2/bin/apxs

Another error occurs:

configure: using '-lpcre' for pcre Library
checking for libapr config script… no
configure: *** apr library not found.
configure: error: apr library is required

$ ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/usr/local/apache2/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config
$ make
$ make install

$ vi httpd.conf
add the following lines:

LoadFile /usr/lib/
LoadFile /usr/lib/
LoadModule security2_module modules/

save and exit vi
Installing the ModSecurity Core Rules:

$ cd /usr/local/apache2
$ wget
$ tar xzfv modsecurity-crs_2.0.6.tar.gz
$ mv modsecurity-crs_2.0.6 modsecurity-crs
$ vi httpd.conf
add the following lines:

Include conf/modsecurity-crs/*.conf
Include conf/modsecurity-crs/base_rules/*.conf

save and exit vi

Creating a startup script for Apache:

$ vi /etc/rc.d/init.d/httpd2

add the following lines:

#!/bin/sh
# Startup script for the Apache Web Server
# chkconfig: 345 85 15
# description: Apache is a World Wide Web server.  It is used to serve
#              HTML files and CGI.
# processname: httpd
# pidfile: /var/run/
# config: /usr/local/apache2/conf/access.conf
# config: /usr/local/apache2/conf/httpd.conf
# config: /usr/local/apache2/conf/srm.conf
# Source function library.
. /etc/rc.d/init.d/functions
case "$1" in
  start)
    /usr/local/apache2/bin/apachectl start
    ;;
  stop)
    /usr/local/apache2/bin/apachectl stop
    ;;
  restart)
    /usr/local/apache2/bin/apachectl restart
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

save and exit vi

$ chkconfig --add httpd2
$ service httpd2 start

httpd: Syntax error on line 55 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/lib/liblua5.1.s into server: /usr/lib/liblua5.1.s: cannot open shared object file: No such file or directory

$ wget
$ rpm -Uvh lua-devel-5.1.4-4.fc12.i686.rpm
$ service httpd2 start

Installing PHP:
$ wget
$ tar xjfv php-5.3.2.tar.bz2
$ cd php-5.3.2
$ ./configure --with-apxs2=/usr/local/apache2/bin/apxs --enable-magic-quotes --with-openssl --with-zlib --with-bz2 --enable-ftp --with-gd --enable-mbstring --with-freetype-dir --with-jpeg-dir

The following error occurs:
checking for fabsf... yes
checking for floorf... yes
configure: error: libjpeg.(a|so) not found.

Insert the Fedora DVD and mount it:
$ cd /mnt/Packages
$ ls *jpeg*
$ rpm -Uvh libjpeg-6b-46.fc12.i686.rpm libjpeg-devel-6b-46.fc12.i686.rpm

Run configure again, then:

$ make
$ make test
$ make install
$ cp php.ini-development /usr/local/lib/php.ini
$ vi /usr/local/lib/php.ini
adjust the following options:

expose_php = Off
display_errors = Off
short_open_tag = On

date.timezone = Asia/Jakarta

save and exit vi

$ mkdir /var/log/httpd
$ vi /usr/local/apache2/conf/httpd.conf

add the following lines:

LoadModule php5_module modules/
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
ErrorLog "/var/log/httpd/error_log"
CustomLog "/var/log/httpd/access_log" combined
DirectoryIndex index.php index.html

save and exit vi

$ service httpd2 restart
$ cd /usr/local/apache2/conf/modsecurity-crs/base_rules
$ vi modsecurity_crs_50_outbound.conf

To show line numbers in vi, enter the command :set number, then find line 85, which looks like this:

SecRule RESPONSE_BODY "!@pmFromFile"

and edit it to:

SecRule RESPONSE_BODY "!@pmFromFile"

save and exit vi

$ cd /usr/local/apache2/conf/modsecurity-crs/
$ vi modsecurity_crs_10_config.conf

SecDefaultAction "phase:2,deny"

SecRuleEngine On

SecAuditEngine RelevantOnly
SecUploadDir /var/log/modsecurity/SecUploadDir
SecAuditLog /var/log/modsecurity/modsec_audit.log
SecAuditLogParts ABIFHZ
SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir
SecDebugLog /var/log/modsecurity/modsec_debug.log
SecDataDir /var/log/modsecurity/SecDataDir
SecTmpDir /var/log/modsecurity/SecTmpDir
SecDebugLogLevel 3

save and exit vi

$ mkdir /var/log/modsecurity
$ mkdir /var/log/modsecurity/SecTmpDir
$ mkdir /var/log/modsecurity/SecDataDir
$ mkdir /var/log/modsecurity/SecUploadDir
$ chown -R apache:apache /var/log/modsecurity
$ service httpd2 restart

Test the installation with:

$ vi /usr/local/apache2/htdocs/test.php

<?php echo "testing"; ?>

save and exit vi
Call it from a browser; if the installation succeeded, the word testing appears.

If Permission Denied appears instead, it is most likely a false positive from a ModSecurity rule. A ModSecurity rule can be disabled / bypassed as follows:

1. Look in the Apache error.log for the domain that got the Permission Denied and find a line similar to the following:

[Fri Aug 30 08:07:28 2013] [error] [client] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache2/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"]

Note the id, 960015.

2. Go to the modsecurity-crs directory, then

$ vi exception.conf

and type:

<LocationMatch ".*">
<IfModule mod_security2.c>
SecRuleRemoveById 960015
</IfModule>
</LocationMatch>

Save and exit vi, then restart Apache. If there is more than one id, write them on the same line separated by spaces.
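The two steps above, as an added example that is not part of the original post: a Python script that pulls the rule ids out of "Access denied" lines in the Apache error.log (warnings are skipped, since they did not block anything) and renders the exception.conf shown above with the ids space-separated. The log lines are constructed from the format quoted above, and the id 999999 on the warning line is made up.

```python
import re

# Constructed sample error_log lines in the format quoted above; the client
# address is left out exactly as on the page, and the third line (a Warning,
# not a denial, under a made-up id) is there to show that it is ignored.
SAMPLE_LOG = """\
[Fri Aug 30 08:07:28 2013] [error] [client] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache2/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"]
[Fri Aug 30 08:07:29 2013] [error] [client] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache2/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"]
[Fri Aug 30 08:09:02 2013] [error] [client] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/apache2/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "999999"]
"""

DENY_RE = re.compile(
    r'ModSecurity: Access denied with code (\d+).*?'
    r'\[file "([^"]+)"\].*?\[id "(\d+)"\]')

def denied_rule_ids(log_text):
    """Map rule id -> (rule file, number of denials) for every
    'Access denied' line; warnings and unrelated lines are skipped."""
    hits = {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            _code, rule_file, rule_id = m.groups()
            hits[rule_id] = (rule_file, hits.get(rule_id, (rule_file, 0))[1] + 1)
    return hits

def exception_conf(rule_ids, location_regex=".*"):
    """Render exception.conf as on this page, ids space-separated on one
    SecRuleRemoveById line. Prefer a narrow location_regex (e.g. '^/upload')
    over '.*' so the rule keeps protecting the rest of the site."""
    ids = " ".join(sorted(set(rule_ids), key=int))
    return ('<LocationMatch "%s">\n<IfModule mod_security2.c>\n'
            'SecRuleRemoveById %s\n</IfModule>\n</LocationMatch>\n'
            % (location_regex, ids))

if __name__ == "__main__":
    hits = denied_rule_ids(SAMPLE_LOG)
    for rid, (path, n) in hits.items():
        print("%s hit %d times in %s" % (rid, n, path))
    print(exception_conf(hits))
```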

If SELinux is enforcing and the Apache document root is in a non-standard location, errors can occur. In that case run:

$ chcon -R system_u:object_r:httpd_sys_content_t:s0 /path/doc/root

Likewise, an sshd listening on a non-standard port has to be registered with:

$ /usr/sbin/semanage port -a -t ssh_port_t -p tcp 222

If semanage is not installed yet, install it with:

$ yum -y install policycoreutils-python