How to protect Java based web application using mod_security
- Install mod_security
yum install mod_security
httpd -M | grep security
security2_module (shared)
--> mod_security is loaded.
- mod_security Settings
/etc/httpd/conf.d/mod_security.conf
SecRuleEngine On --> enable (choose this)
SecRuleEngine Off --> disable
SecRuleEngine DetectionOnly --> detection only (log matches, do not block)
- Create rules
/etc/httpd/modsecurity.d/activated_rules/cve-s2-045.conf
SecRule REQUEST_HEADERS "OgnlContext|OgnlUtil" \
"id:001,phase:2,t:none,log,deny,msg:attack"
- (Install mod_proxy)
[root@struts-sv modules]# ls /etc/httpd/modules/mod_proxy*
/etc/httpd/modules/mod_proxy.so
/etc/httpd/modules/mod_proxy_ajp.so
--> mod_proxy.so and mod_proxy_ajp.so are installed by default.
- mod_proxy Settings
- (Load mod_proxy in httpd.conf)
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
[root@struts-sv modules]# httpd -M | grep proxy
Syntax OK
proxy_module (shared)
proxy_ajp_module (shared)
--> mod_proxy.so and mod_proxy_ajp.so are loaded by default.
- Proxy requests to ajp in httpd.conf
ProxyPass /struts2-showcase-2.3.31/ ajp://localhost:8009/struts2-showcase-2.3.31/
In the above example, a request to http://hostname/struts2-showcase-2.3.31/ is forwarded to
http://hostname:8080/struts2-showcase-2.3.31/ via 8009 (ajp).
- Restart httpd and tomcat
- Access the Struts URI via the http port (80) with a request containing the malicious header
e.g. http://hostname/struts2-showcase-2.3.31
- Request is denied by mod_security
Message: Access denied with code 403 (phase 2). Pattern match "OgnlContext|OgnlUtil" at
REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/activated_rules/cve-s2-045.conf"]
[line "1"] [id "001"] [msg "attack"]
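The following is an added example (not part of the original note) that parses httpd error-log lines in the format of the Message above and counts blocks per client, distinguishing "Access denied" entries (SecRuleEngine On) from "Warning" entries (DetectionOnly). The log lines, client addresses and timestamps are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the mod_security message on
# this page; addresses, timestamps and the extra tags are made up for the demo.
SAMPLE_LOG = """\
[Tue Mar 07 12:00:01 2017] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "OgnlContext|OgnlUtil" at REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/activated_rules/cve-s2-045.conf"] [line "1"] [id "001"] [msg "attack"] [hostname "struts-sv"] [uri "/struts2-showcase-2.3.31/"]
[Tue Mar 07 12:00:05 2017] [error] [client 203.0.113.11] ModSecurity: Warning. Pattern match "OgnlContext|OgnlUtil" at REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/activated_rules/cve-s2-045.conf"] [line "1"] [id "001"] [msg "attack"]
[Tue Mar 07 12:00:09 2017] [error] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "OgnlContext|OgnlUtil" at REQUEST_HEADERS:Content-Type. [file "/etc/httpd/modsecurity.d/activated_rules/cve-s2-045.conf"] [line "1"] [id "001"] [msg "attack"]
[Tue Mar 07 12:00:12 2017] [notice] unrelated httpd message
"""

# "Access denied with code 403 (phase 2)." is emitted when SecRuleEngine is On;
# "Warning." is emitted for the same match under DetectionOnly.
EVENT_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>Access denied with code (?P<code>\d+) \(phase (?P<phase>\d)\)|Warning)\. '
    r'Pattern match "(?P<pattern>[^"]+)" at (?P<target>[^.\s]+)\.'
)
# Trailing tags such as [file "..."] [line "1"] [id "001"] [msg "attack"]
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')


def parse_line(line):
    """Return a dict for a mod_security rule-match line, or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = {
        "client": m.group("client"),
        "denied": m.group("action").startswith("Access denied"),
        "code": int(m.group("code")) if m.group("code") else None,
        "phase": int(m.group("phase")) if m.group("phase") else None,
        "pattern": m.group("pattern"),
        "target": m.group("target"),  # e.g. REQUEST_HEADERS:Content-Type
    }
    event.update((t.group("key"), t.group("value")) for t in TAG_RE.finditer(line[m.end():]))
    return event


def summarize(log_text):
    """Parse all lines; return (events, denials per client, detection-only count)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    denied_by_client = Counter(e["client"] for e in events if e["denied"])
    detect_only = sum(1 for e in events if not e["denied"])
    return events, denied_by_client, detect_only


if __name__ == "__main__":
    events, denied, detect_only = summarize(SAMPLE_LOG)
    for client, n in denied.most_common():
        print(f"{client}: {n} request(s) denied by rule id {events[0]['id']}")
    print(f"{detect_only} match(es) logged but not blocked (DetectionOnly)")
```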