This section continues from the previous steps, which are still recommended for keeping the server safe to use. After installing RHEL/CentOS 7, it covers the steps to install LAMP (Linux, Apache, PHP, MariaDB) and mod_security.
Install Apache
Start by installing Apache with yum. Other packages that work alongside Apache can be installed the same way later.
[somchai@site2 ~]$ sudo yum install httpd
After the installation succeeds, enable Apache so that it starts whenever the machine boots.
[somchai@site2 ~]$ sudo systemctl enable httpd.service
ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'
Commands to start, restart and stop the service:
[somchai@site2 ~]$ sudo systemctl start httpd.service
[somchai@site2 ~]$ sudo systemctl restart httpd.service
[somchai@site2 ~]$ sudo systemctl stop httpd.service
Command to verify whether the httpd service is active:
[somchai@site2 ~]$ systemctl is-active httpd.service
Open the firewall so that other client machines can reach port 80 on the server:
[somchai@site2 ~]$ sudo firewall-cmd --permanent --add-service=http
[somchai@site2 ~]$ sudo firewall-cmd --permanent --list-all
[somchai@site2 ~]$ sudo firewall-cmd --reload
To check the server's own IP address:
[somchai@site2 ~]$ sudo ip addr list eth0 | awk '/inet /{sub(/\/[0-9]+/,"",$2); print $2}'
# or
[somchai@site2 ~]$ sudo ip addr list
Test the web page by browsing to http://[IP ADDRESS] or to the domain name set up for the server, for example http://site2.example.com.
Default values for httpd:
Default config file: /etc/httpd/conf/httpd.conf
Configuration files that load modules: /etc/httpd/conf.modules.d/
Default ports: 80 and 443 (SSL)
Default log files: /var/log/httpd/{access_log,error_log}
Install MariaDB
MariaDB is the default database on RedHat and CentOS 7, replacing MySQL. Because MariaDB is derived from MySQL, switching from MySQL to MariaDB rarely requires changing any PHP code; the existing MySQL functions keep working.
Install the packages:
[somchai@site2 ~]$ sudo yum install mariadb-server mariadb
Start the service:
[somchai@site2 ~]$ sudo systemctl start mariadb.service
Set MariaDB to start at boot:
[somchai@site2 ~]$ sudo systemctl enable mariadb.service
Commands to start, restart and stop the service:
[somchai@site2 ~]$ sudo systemctl start mariadb.service
[somchai@site2 ~]$ sudo systemctl restart mariadb.service
[somchai@site2 ~]$ sudo systemctl stop mariadb.service
Command to verify whether the MariaDB service is running:
[somchai@site2 ~]$ systemctl is-active mariadb.service
Harden the MariaDB server:
[somchai@site2 ~]$ sudo /usr/bin/mysql_secure_installation
...
Enter current password for root (enter for none): (press Enter to skip)
Set root password? [Y/n] Y
New password: (enter the password you want to assign)
Re-enter new password: (enter the same password again)
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
...
All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
This message indicates that the operation completed successfully.
Test logging in as well:
[somchai@site2 ~]$ sudo mysql -u root -p
Enter password: (enter the password defined earlier)
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 5.5.40-MariaDB MariaDB Server

Copyright (c) 2000, 2014, Oracle, Monty Program Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Allow MariaDB through the firewall (only needed when clients on other machines have to connect to the database):
[somchai@site2 ~]$ sudo firewall-cmd --permanent --add-service=mysql
[somchai@site2 ~]$ sudo firewall-cmd --permanent --list-all
[somchai@site2 ~]$ sudo firewall-cmd --reload
Install PHP
Start by installing PHP and the extensions you want to use:
[somchai@site2 ~]$ sudo yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel
Restart Apache so that PHP is picked up:
[somchai@site2 ~]$ sudo systemctl restart httpd.service
Create a PHP file to test, for example one that calls phpinfo():
[somchai@site2 ~]$ sudo vi /var/www/html/testphp.php
<?php phpinfo(); ?>
Test the page by browsing to http://site2.example.com/testphp.php. Remove the file once the test is done, since phpinfo() discloses configuration details.
Installing mod_security
ModSecurity is a web application firewall (WAF) used to detect and block intrusion attempts, adding a layer of protection in front of the web server.
Start the installation:
[somchai@site2 ~]$ sudo yum install mod_security.x86_64
Make sure Apache loads the mod_security module:
[somchai@site2 ~]$ sudo apachectl -M | grep --color security
security2_module (shared)
The relevant configuration locations are:
/etc/httpd/conf.d/mod_security.conf
/etc/httpd/modsecurity.d
Restart Apache to load the module:
[somchai@site2 ~]$ sudo systemctl restart httpd.service
The mod_security config
In the default mod_security.conf, SecRuleEngine is set to DetectionOnly, which means requests are checked against the rule set and logged but nothing is blocked. To enforce blocking, change this value; alternatively, leave it in detection mode until the rules have been tested in the various sections and switch it on afterwards.
To enable blocking:
[somchai@site2 ~]$ sudo vi /etc/httpd/conf.d/mod_security.conf
Change
SecRuleEngine DetectionOnly
to
SecRuleEngine On
The next directive to change is SecResponseBodyAccess. When it is On, response bodies are buffered, which adds overhead and makes the log files considerably larger, so it is turned off initially.
This disables response body access globally; it can then be enabled selectively for specific content types with the SecResponseBodyMimeType directive.
Change
SecResponseBodyAccess On
to
SecResponseBodyAccess Off
The SecRequestBodyLimit directive sets the maximum size of POST data; any request larger than this value receives error 413 "Request Entity Too Large". Reduce it when the web site does not accept large file uploads. Here we set it to approximately 12.5 MB:
SecRequestBodyLimit 13107200
Another directive with a similar purpose is SecRequestBodyNoFilesLimit. Below we set SecRequestBodyInMemoryLimit to about 128 KB:
SecRequestBodyInMemoryLimit 131072
To set the path for the debug log:
SecDebugLog /var/log/httpd/modsec_debug.log
The debug log level can be set from 0 to 9; the default is 0. At levels 1 to 3 the messages are written to the existing Apache error log as well. Raise the level when you need to check how the rules are applied, but on a live machine it is not recommended to go above 3, because higher levels affect system performance.
Debug log levels:
0: no logging
1: errors (intercepted requests) only
2: warnings
3: notices
4: details of how transactions are handled
5: as above, but including information about each piece of information handled
9: log everything, including very detailed debugging information
In this section we keep the default value:
SecDebugLogLevel 0
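As an added example (not part of the original tutorial), the script below checks a mod_security.conf for the four settings discussed above: SecRuleEngine On, SecResponseBodyAccess Off, SecRequestBodyLimit no larger than 13107200, and SecDebugLogLevel no higher than 3. The sample configs it writes are constructed for the demo and are not the stock CentOS 7 file; the function names and the audit thresholds are my own choices.

```shell
#!/bin/bash
# Added example, not from the original tutorial: audit a mod_security.conf
# against the settings recommended in this section. The configs written by
# write_sample_conf are constructed for the demo.

# Print the value of a directive (last occurrence wins; comment lines never
# match because their first field starts with '#'). Prints nothing if absent.
modsec_get() {  # usage: modsec_get <conf-file> <Directive>
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

# Print one line per deviation from the recommended settings.
modsec_audit() {  # usage: modsec_audit <conf-file>
    conf="$1"

    v=$(modsec_get "$conf" SecRuleEngine)
    if [ "$v" != "On" ]; then
        echo "SecRuleEngine is '${v:-unset}': rules are logged but not enforced"
    fi

    v=$(modsec_get "$conf" SecResponseBodyAccess)
    if [ "$v" = "On" ]; then
        echo "SecResponseBodyAccess is On: response bodies are buffered and logs grow"
    fi

    v=$(modsec_get "$conf" SecRequestBodyLimit)
    # A non-numeric value makes -gt fail, which we treat as 'not too large'.
    if [ -z "$v" ] || [ "$v" -gt 13107200 ] 2>/dev/null; then
        echo "SecRequestBodyLimit is '${v:-unset}': above the 12.5 MB (13107200) ceiling"
    fi

    v=$(modsec_get "$conf" SecDebugLogLevel)
    if [ -n "$v" ] && [ "$v" -gt 3 ] 2>/dev/null; then
        echo "SecDebugLogLevel is $v: levels above 3 cost performance on a live server"
    fi
    return 0
}

# Number of findings as a bare integer (easier to compare than wc output).
modsec_finding_count() {  # usage: modsec_finding_count <conf-file>
    modsec_audit "$1" | awk 'END { print NR }'
}

# Constructed sample configs: the shipped defaults, the hardened values from
# this section, and a noisy debugging setup.
write_sample_conf() {  # usage: write_sample_conf <file> default|hardened|noisy
    case "$2" in
        default) cat > "$1" <<'EOF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
EOF
        ;;
        hardened) cat > "$1" <<'EOF'
#SecRuleEngine DetectionOnly
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRequestBodyLimit 13107200
SecRequestBodyInMemoryLimit 131072
SecDebugLog /var/log/httpd/modsec_debug.log
SecDebugLogLevel 0
EOF
        ;;
        noisy) cat > "$1" <<'EOF'
SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 134217728
SecDebugLogLevel 9
EOF
        ;;
    esac
}

# Stand-alone use: audit the real file, e.g.
#   ./modsec_audit.sh /etc/httpd/conf.d/mod_security.conf
if [ -n "${1:-}" ]; then
    modsec_audit "$1"
fi
```

Run it against the real file with the path as the first argument; an empty result means the file matches the recommended values, and each printed line names the directive to revisit.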
Install the additional package that provides the base rules, the mod_security Core Rule Set (CRS):
[somchai@site2 ~]$ sudo yum install mod_security_crs.noarch
Once installed, the rule files are located under the path below:
/usr/lib/modsecurity.d/base_rules/
and are symlinked into the ModSecurity configuration directories:
/etc/httpd/modsecurity.d
/etc/httpd/modsecurity.d/activated_rules
With the rules in place, we can start the test run.
Testing the SQL injection rule
As a preliminary test we enable only a few rules; here only the SQL injection rule set. Edit the config as follows:
[somchai@site2 ~]$ sudo vi /etc/httpd/conf.d/mod_security.conf
... change
IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
... to
#IncludeOptional modsecurity.d/*.conf
#IncludeOptional modsecurity.d/activated_rules/*.conf
IncludeOptional modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
Save the config file and reload the service:
[somchai@site2 ~]$ sudo systemctl reload httpd.service
Log in to MariaDB:
[somchai@site2 ~]$ sudo mysql -u root -p
After entering the password you arrive at the MariaDB [(none)]> prompt; run the commands below:
MariaDB [(none)]> create database member;
MariaDB [(none)]> connect member;
MariaDB [member]> create table accounts(username VARCHAR(100), password VARCHAR(100));
MariaDB [member]> insert into accounts values('sompong','February');
MariaDB [member]> insert into accounts values('somsri','March');
MariaDB [member]> quit;
Create a test PHP file to run the test:
[somchai@site2 ~]$ sudo vi /var/www/html/login.php
<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $con = mysqli_connect('localhost', 'root', '[YOUR PASSWORD]', 'member');
    // Deliberately unsafe test page: the POST values go straight into the
    // SQL string so that the ModSecurity rule has something to catch.
    $result = mysqli_query($con, "SELECT * FROM accounts WHERE username='$username' AND password='$password'");
    if (mysqli_num_rows($result) == 0) {
        echo 'You have entered an invalid username or password.';
    } else {
        echo 'Signed in<br>Hello!! ' . $username;
    }
} else {
?>
<form method="post" action="login.php">
  Username: <input type="text" name="username"><br>
  Password: <input type="password" name="password"><br>
  <input type="submit" value="Sign in">
</form>
<?php
}
?>
Sign in to test, entering both valid and invalid values to verify that the page reaches the database.
http://site2.example.com/login.php
Username: somsri
Password: March
After that, try the following test values as the password:
'                      (a single quote)
true --                (the word true, a space, two dashes, a space)
select * from mysql;   (a SQL statement ending with a semicolon)
Then check the ModSecurity log files:
/var/log/httpd/modsec_audit.log
/var/log/httpd/error_log
For example:
[Thu Feb 12 11:42:04.076964 2015] [:error] [pid 25324] [client 192.168.0.12] ModSecurity: Warning. Pattern match "(/\\\\*!?|\\\\*/|[';]--|--[\\\\s\\\\r\\\\n\\\\v\\\\f]|(?:--[^-]*?-)|([^\\\\-&])#.*?[\\\\s\\\\r\\\\n\\\\v\\\\f]|;?\\\\x00)" at ARGS:password. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: -- found within ARGS:password: true -- "] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "site2.example.com"] [uri "/login.php"] [unique_id "VOVpnGfJ3dFwzEZxC4Wx8wAAAAM"]
Testing a new rule
The first rule blocks requests from IP 192.168.0.12:
[somchai@site2 ~]$ sudo vi /etc/httpd/conf.d/mod_security.conf
... add the config below
SecRule REMOTE_ADDR "^192.168.0.12$" "id:'5001',log,auditlog,deny,msg:'Test Rule'"
Save the config file and reload the service:
[somchai@site2 ~]$ sudo systemctl reload httpd.service
Test from the machine with IP 192.168.0.12: the page should be denied. Check the log file for the details:
[Thu Feb 12 14:44:18.166166 2015] [:error] [pid 26980] [client 192.168.0.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^192.168.0.12$" at REMOTE_ADDR. [file "/etc/httpd/conf.d/mod_security.conf"] [line "56"] [id "5001"] [msg "Test Rule"] [hostname "site2.example.com"] [uri "/login.php"] [unique_id "VOWU5Km6ppso-fMuh0vBRQAAAAM"]
The second rule adds a block for any URL that references httpd.conf or passwd:
[somchai@site2 ~]$ sudo vi /etc/httpd/conf.d/mod_security.conf
... add the config below
SecRule REQUEST_URI "(?:\b(?:passwd|httpd\.conf)\b)" "id:'5002',deny,log,msg:'Remote File Access Attempt'"
Save the config file and reload the service:
[somchai@site2 ~]$ sudo systemctl reload httpd.service
Test by requesting http://site2.example.com/login.php?passwd: the request should be denied. Check the log file for the details:
[Thu Feb 12 15:34:32.568072 2015] [:error] [pid 27134] [client 192.168.0.12] ModSecurity: Access denied with code 403 (phase 2).
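As an added example (not part of the original tutorial), the script below summarises the ModSecurity entries that Apache writes to error_log, covering both the CRS "Warning" lines shown in the SQL injection test and the "Access denied" lines produced by rules 5001 and 5002. The log lines it writes are constructed (abridged from the format shown above; the 192.168.0.33 client, the extra unique_id values and the second 5001 hit are made up), and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original tutorial: summarise ModSecurity entries
# in Apache's error_log. The log written by write_sample_log is constructed.

# Extract the value of one bracketed field such as [id "5001"] from a log line.
modsec_field() {  # usage: modsec_field <line> <key>
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"].*/\1/p"
}

# One tab-separated record per ModSecurity line:
#   client <TAB> warning|denied <TAB> rule id <TAB> msg <TAB> uri
modsec_summarize() {  # usage: modsec_summarize <error_log>
    while IFS= read -r line; do
        case "$line" in *'ModSecurity:'*) ;; *) continue ;; esac
        # Apache 2.4 may append :port to the client address; keep only the IP.
        client=$(printf '%s\n' "$line" | sed -n 's/.*\[client \([^]:]*\).*/\1/p')
        case "$line" in
            *'Access denied'*) action=denied ;;
            *)                 action=warning ;;
        esac
        printf '%s\t%s\t%s\t%s\t%s\n' "$client" "$action" \
            "$(modsec_field "$line" id)" "$(modsec_field "$line" msg)" \
            "$(modsec_field "$line" uri)"
    done < "$1"
}

# Denied requests per client IP, most frequent first: a quick way to spot a
# host that keeps tripping the blocking rules.
modsec_denied_by_client() {  # usage: modsec_denied_by_client <error_log>
    modsec_summarize "$1" \
        | awk -F'\t' '$2 == "denied" { n[$1]++ } END { for (c in n) print n[c], c }' \
        | sort -rn
}

# Constructed sample log: one CRS warning, one unrelated Apache notice, and
# three denials (two for rule 5001 from .12, one for rule 5002 from .33).
write_sample_log() {  # usage: write_sample_log <file>
    cat > "$1" <<'EOF'
[Thu Feb 12 11:42:04.076964 2015] [:error] [pid 25324] [client 192.168.0.12] ModSecurity: Warning. Pattern match "[';]--" at ARGS:password. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "49"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "site2.example.com"] [uri "/login.php"] [unique_id "VOVpnGfJ3dFwzEZxC4Wx8wAAAAM"]
[Thu Feb 12 14:40:00.000000 2015] [core:notice] [pid 26900] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Thu Feb 12 14:44:18.166166 2015] [:error] [pid 26980] [client 192.168.0.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^192.168.0.12$" at REMOTE_ADDR. [file "/etc/httpd/conf.d/mod_security.conf"] [line "56"] [id "5001"] [msg "Test Rule"] [hostname "site2.example.com"] [uri "/login.php"] [unique_id "VOWU5Km6ppso-fMuh0vBRQAAAAM"]
[Thu Feb 12 15:34:32.568072 2015] [:error] [pid 27134] [client 192.168.0.33:51544] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\b(?:passwd|httpd\.conf)\b)" at REQUEST_URI. [file "/etc/httpd/conf.d/mod_security.conf"] [line "57"] [id "5002"] [msg "Remote File Access Attempt"] [hostname "site2.example.com"] [uri "/login.php"] [unique_id "CONSTRUCTED-0001"]
[Thu Feb 12 15:35:02.000000 2015] [:error] [pid 27134] [client 192.168.0.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^192.168.0.12$" at REMOTE_ADDR. [file "/etc/httpd/conf.d/mod_security.conf"] [line "56"] [id "5001"] [msg "Test Rule"] [hostname "site2.example.com"] [uri "/testphp.php"] [unique_id "CONSTRUCTED-0002"]
EOF
}

# Stand-alone use: ./modsec_log.sh /var/log/httpd/error_log
if [ -n "${1:-}" ]; then
    modsec_summarize "$1"
    echo "--- denied requests per client ---"
    modsec_denied_by_client "$1"
fi
```

With SecRuleEngine still on DetectionOnly every record shows as "warning", so the second column is also a quick way to confirm that blocking is actually in force after the switch to On.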