A quick run through of what I've done:
- apt-get install libapache-mod-security
- a2enmod mod-security
- create /etc/apache2/mod_security_rules/ with base_rules and optional_rules from the latest core rule set
- create /etc/apache2/conf.d/mod_security as below
- create /var/www/test.php as below
The conf file looks like:

<IfModule security2_module>
Include /etc/apache2/mod_security_rules/*.conf
Include /etc/apache2/mod_security_rules/base_rules/*.conf
Include /etc/apache2/mod_security_rules/optional_rules/*.conf
</IfModule>

test.php looks like:

<?php
// Deliberately vulnerable test page: the file name comes straight from the
// query string and goes to include() with no validation (local file inclusion).
$secret_file = $_GET['secret_file'];
include($secret_file);
?>
which several sites say mod_security should block.

My problem is that accessing test.php?secret_file='whatever' shows me the file.

Is this normal, and is mod_security working, or if not, what do I need to change?
Looking at /usr/share/doc/libapache-mod-security/examples/modsecurity.conf-minimal you will see that there are more things to add to the conf, like SecRuleEngine On. Are you sure that the core rule set includes those basic commands? You can add it to your conf.d file, or maybe use the example file to guide you.

I have the same issue here: Debian 6.0.6 x64 squeeze, libapache2-modsecurity 2.6.5-5 installed through apt-get. It looks like it is working, preventing all the other things, however it still allows access to passwd and other files like apache2.conf through the script posted in the first post. Any solution, guys?

May it be related to other config of the web server itself?
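The engine settings the first answer is pointing at, written out as an added example for /etc/apache2/conf.d/mod_security. This is not the asker's conf and not a copy of the Debian modsecurity.conf-minimal file; the log paths and the assumption that the CRS setup file (modsecurity_crs_10_setup.conf) sits directly in /etc/apache2/mod_security_rules/ are mine. The conf as posted contains only the three Include lines, so the module loads and evaluates rules but SecRuleEngine is left at its default and nothing is ever denied:

```apache
# Added example (not the original poster's conf, not the Debian example file).
# Paths follow the layout described in the question; adjust to taste.

<IfModule security2_module>
    # The directive the posted conf is missing. Without it rules are
    # evaluated but never enforced. Use "DetectionOnly" while tuning:
    # matches are written to the audit log but the request is not denied.
    SecRuleEngine On

    # Inspect request bodies too; otherwise anything sent in a POST body
    # bypasses the rules entirely.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Response body inspection is optional and costs memory; leave it off
    # until the request-side rules are known to work.
    SecResponseBodyAccess Off

    # Working directories for uploads and persistent collections.
    # Must be writable by the Apache user.
    SecTmpDir /tmp/
    SecDataDir /tmp/

    # Audit log: record only requests that matched a rule or returned an
    # error status (4xx except 404, and 5xx). This is where a blocked
    # test.php?secret_file=/etc/passwd request will show up.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Debug log at level 3 shows which rules were evaluated for a request.
    # Set to 0 in production; higher levels are very verbose.
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 3

    # Core Rule Set. The setup file (SecDefaultAction plus the anomaly
    # scoring variables the base rules reference) must be read before
    # base_rules; the first Include does that when
    # modsecurity_crs_10_setup.conf is in mod_security_rules/ (assumed).
    Include /etc/apache2/mod_security_rules/*.conf
    Include /etc/apache2/mod_security_rules/base_rules/*.conf
    Include /etc/apache2/mod_security_rules/optional_rules/*.conf
</IfModule>
```

After a configtest and reload, a request such as curl -i 'http://localhost/test.php?secret_file=/etc/passwd' should come back 403 and produce an entry in /var/log/apache2/modsec_audit.log. If it still returns 200, check in order: apache2ctl -M lists security2_module; the effective SecRuleEngine value is On rather than DetectionOnly (a later Include can override an earlier one); and the debug log shows the CRS rules actually being evaluated for the request. Note that the WAF only mitigates the problem in test.php; the include itself should resolve the file name from a fixed allowlist rather than from the query string.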