CA Spectrum - 10.1 to 10.1.2

Enable ModSecurity Web Application Firewall

Last update December 16, 2016

To prevent malicious remote clients from accessing the OneClick server (Tomcat), and to log all HTTP traffic, you must enable the ModSecurity Web Application Firewall (WAF). In a CA Spectrum environment, ModSecurity is deployed using the reverse proxy method: a dedicated Apache server acts as a reverse proxy for Tomcat, and the open source ModSecurity module is added to that Apache server. With this implementation, you get a proper web application firewall. When you install the OneClick server on Windows, the "apache" folder is created in the $SPECROOT directory. This folder includes the following items:

  • Apache HTTP server 2.4.12 package that is required to install and to start the Apache server.
  • Open source ModSecurity 2.9 package that is required to run the Apache server as a reverse proxy.
  • Open source ModSecurity core rule set 2.2.9 package for the firewall capability.

When you install the OneClick server on Linux, a pre-built Apache server 2.4.12 with ModSecurity 2.9 and the 2.2.9 core rule set is created in the $SPECROOT directory.

  • You can enable ModSecurity only with one of the following two Apache setups:
    • The Apache setup that CA Spectrum provides on your OneClick host.
    • An existing Apache setup on your OneClick host.
  • Enabling ModSecurity with an Apache setup that runs outside the OneClick host is not supported.


How ModSecurity Works

When ModSecurity is enabled in the reverse proxy deployment, the following firewall architecture is in place:

  • The Apache server becomes an HTTP router that stands between the OneClick server and its clients.
  • Clients connect only to the Apache server.
  • Apache forwards client requests to Tomcat and returns the Tomcat responses to the clients.
  • Direct client access to the Tomcat server is disabled.

This architecture is configured by setting the following attributes and directives in the "httpd.conf" file that is located at "$SPECROOT\apache\conf" as shown here:

Listen 80
<VirtualHost *:80>

  ProxyPreserveHost On
  ProxyPass /spectrum http://localhost:8081/spectrum
  ProxyPassReverse /spectrum http://localhost:8081/spectrum
</VirtualHost>

For this example, assume that the Tomcat server was listening on port 80. To enable ModSecurity, the Tomcat server port (80) is assigned to the Apache server, and a free port (8081) is assigned to the Tomcat server by setting port 8081 in the server.xml file that is located at "$SPECROOT\tomcat\conf".

If you edit the "httpd.conf" file and set the configuration shown in the example, the Apache server runs as a proxy for the Tomcat server as follows:

  • Tomcat port 80 is assigned to the Apache server.
  • The Apache server becomes the virtual host that is mapped to the OneClick URL. As a result, a client request to the URL "http://<hostname><:80>/spectrum" connects to the Apache server.
  • The ProxyPass directive instructs the Apache server to pass all client requests to the Tomcat server, which now listens on port 8081.
  • The ProxyPassReverse directive rewrites the HTTP headers in the Tomcat responses so that, to clients, the responses appear to come from Apache.

In CA Spectrum environment, ModSecurity is enabled using the "configApacheModsec.sh" script. This script is located at "$SPECROOT\apache\bin". It enables ModSecurity by performing the following functions:

  1. Lets you assign the port of Tomcat server to the Apache server, and lets you assign another free port to the Tomcat server.
  2. Updates the newly assigned port to the Tomcat server in the "server.xml" file.
  3. Configures the "httpd.conf" file based on these port assignments.
  4. Installs and starts the Apache service with ModSecurity.

If the Tomcat server port is assigned to the Apache server, clients can use the existing OneClick URL to connect to the Apache server. Otherwise, you must assign a free port to the Apache server; in that case, clients can connect to the Apache server only if they use the newly assigned Apache port in the OneClick URL, so you must give clients the updated OneClick URL that contains that port. Depending on whether you want clients to keep using the existing OneClick URL, enable ModSecurity using one of the following two methods:

Prerequisite for Launching CA Spectrum WebClient

To launch CA Spectrum WebClient, execute the following steps on Windows and Linux before enabling ModSecurity:

  1. Open the "$SPECROOT\apache\modsecurity-crs\activated_rules\whitelist.conf" file with any text editor.
  2. Add the following configuration segment at the end of this file, and save the file:

    <LocationMatch /spectrum/serviceDesk/.*>
            <IfModule mod_security2.c>
                    SecRuleRemoveById 981173
            </IfModule>
    </LocationMatch>
  3. Open the "httpd.conf" file in any text editor.
  4. Locate the following directive in this file:

    #Include modsecurity-crs/activated_rules/*.conf
  5. Remove the "#" character in front of this directive, and save the file.

  6. (On Linux only) Open the "$SPECROOT\apache\modsecurity-crs\base_rules\modsecurity_crs_30_http_policy.conf" file with any text editor.
  7. Locate the following SecRule Directive in this file:

    SecRule REQUEST_METHOD "!@within %{tx.allowed_methods}"
  8. Add the "#" character in front of this directive, and save the file.
  9. (On Linux only) Open the "$SPECROOT\apache\modsecurity-crs\base_rules\modsecurity_crs_41_sql_injection_attacks.conf" file with any text editor.
  10. Locate the following SecRule directive in this file:

    SecRule ARGS_NAMES|ARGS|XML
  11. Add the "#" character in front of this directive, and save the file.

Enable ModSecurity Using the Tomcat port for Apache

By default, Apache listens on port 8080. When you assign the existing Tomcat port to Apache, clients can use the existing URL without changing the port number. In this case, the Tomcat server is assigned another port, which is disabled for external clients (an internal client is one that accesses Tomcat from the OneClick server host itself). For the following procedure, assume that the existing Tomcat port is 80.
Follow these steps:

  1. On Windows, launch the "Services.msc" program, or execute the following command at the command prompt to stop the "SpectrumTomcat" service:
    $SPECROOT\NT-Tools\SRE\bin\bash.exe "$SPECROOT\\tomcat\\bin\\stopTomcat.sh"
    On Linux, execute the following command at the bash prompt (from $SPECROOT\tomcat\bin) to stop the SpectrumTomcat service:
    ./stopTomcat.sh
    The "SpectrumTomcat" service stops, and the Tomcat port 80 is now free to be assigned to the Apache server.
  2. On Linux, execute the following command at the bash prompt (from $SPECROOT\apache\bin) to enable ModSecurity:
    ./configApacheModsec.sh enable
    On Windows, execute the following command at the command prompt to enable ModSecurity:
    $SPECROOT\NT-Tools\SRE\bin\bash.exe "$SPECROOT\\apache\\bin\\configApacheModsec.sh" "enable"
    You are prompted to confirm whether Tomcat is running in SSL mode or not.
    If Tomcat is running in SSL mode, follow the steps in Enable ModSecurity in SSL Mode. The script displays a message (shown in the screenshots) and does not enable ModSecurity.
    [Screenshots: script output in SSL mode, Windows and Linux]
    If Tomcat is running in non-SSL mode, the script prompts you to select whether you want to assign the Tomcat port to Apache or not.
    [Screenshots: script prompt in non-SSL mode, Windows and Linux]
  3. Press the 'y' key, and then press Enter.
    Port 80 is assigned to Apache. The script prompts you to input a free port for Tomcat.
  4. Enter a new port for Tomcat, and then press Enter.
    For example, enter 8081.
    The script applies the following configuration in the httpd.conf file:

    Listen 80 

    <VirtualHost *:80> 

        ProxyPreserveHost On

        ProxyPass          /spectrum http://localhost:8081/spectrum
        ProxyPassReverse   /spectrum http://localhost:8081/spectrum
    </VirtualHost>

    You get the "Apache Service is started" message at the command prompt.

  5. On Linux, execute the following command at the bash prompt to start the "SpectrumTomcat" service:
    ./startTomcat.sh
    On Windows, launch the "Services.msc" program, or execute the following command at the command prompt to start the SpectrumTomcat service:
    $SPECROOT\NT-Tools\SRE\bin\bash.exe "$SPECROOT\\tomcat\\bin\\startTomcat.sh"
  6. On Linux, execute the following command at the bash prompt to verify that the Apache service has started:
  7. On Windows, launch the "Services.msc" program to verify that the Apache service has started.

When clients use the existing URL "http://<hostname:80>/spectrum", they connect to the Apache server and get the response from it. To disable Tomcat port 8081 for external clients, the loopback address is added to the Connector in the server.xml file that is located at "$SPECROOT\tomcat\conf".

Enable ModSecurity Using a Free Port for Apache

When you do not assign the existing Tomcat port to Apache, clients have to use a URL that contains the port newly assigned to the Apache server. In this case too, the existing Tomcat port is disabled for external clients. For the following procedure, assume that the existing Tomcat port is 80.

Follow these steps:

  1. On Linux, execute the following command at the bash prompt (from $SPECROOT\apache\bin) to enable ModSecurity:
    ./configApacheModsec.sh enable

    On Windows, execute the following command at the command prompt to enable ModSecurity:
    $SPECROOT\NT-Tools\SRE\bin\bash.exe "$SPECROOT\\apache\\bin\\configApacheModsec.sh" "enable"

    You are prompted to confirm whether Tomcat is running in SSL mode or not.
    If Tomcat is running in SSL mode, follow the steps in Enable ModSecurity in SSL Mode. The script displays a message (shown in the screenshots) and does not enable ModSecurity.
    [Screenshots: script output in SSL mode, Windows and Linux]
    If Tomcat is running in non-SSL mode, the script prompts you to select whether you want to assign the Tomcat port to Apache or not.
    [Screenshots: script prompt in non-SSL mode, Windows and Linux]


  2. Press the 'n' key, and then press Enter.
    The script prompts you to enter a free port for the Apache server (shown in the earlier screenshot). In this example, 8082 is assigned to the Apache server.

    The script applies the following configuration in the "httpd.conf" file:

    Listen 8082
    <VirtualHost *:8082>

        ProxyPreserveHost On

        ProxyPass          /spectrum http://localhost:80/spectrum
        ProxyPassReverse   /spectrum http://localhost:80/spectrum
    </VirtualHost>

    You get the "Apache Service is started" message at the command prompt.

  3. On Linux, execute the following command at the bash prompt to verify that the Apache service has started:
  4. On Windows, launch the "Services.msc" program to verify that the Apache service has started.

When clients use the existing URL "http://<hostname:80>/spectrum", they cannot connect to the Apache server. Clients must use the updated URL "http://<hostname:8082>/spectrum" to connect to the Apache server and get the response from it. To disable Tomcat port 80 for external clients, the loopback address is added to the Connector in the server.xml file that is located at "$SPECROOT\tomcat\conf".

Prevent Clickjack attack using ModSecurity

Clickjacking (User Interface redress attack) is a malicious practice of manipulating an activity of a website user by concealing hyperlinks beneath legitimate clickable content, thereby causing the user to perform actions of which they are unaware.

To protect CA Spectrum from clickjacking attacks, you need to control the caching behaviour of the web browser by defining the following mod_headers directives in the httpd.conf file that is located at "$SPECROOT\apache\conf":

<IfModule mod_headers.c>
 Header set Cache-Control "no-cache, no-store, must-revalidate,max-age=0"
 Header set Pragma "no-cache"
 Header set Expires 0
</IfModule>

After you update the httpd.conf file, all responses that CA Spectrum sends to the web browser carry the cache directives shown above. You can see the cache control directives in the HTTP response headers.

Disable ModSecurity

On Linux, execute the following command (from $SPECROOT\apache\bin) at the bash prompt to disable ModSecurity:

./configApacheModsec.sh disable

On Windows, use the command prompt with the following syntax to disable ModSecurity:

C:\win32app\Spectrum\NT-Tools\SRE\bin\bash.exe "C:\\win32app\\Spectrum\\apache\\bin\\configApacheModsec.sh" "disable"

If you enabled ModSecurity using the Tomcat port for the Apache server, the script disables ModSecurity by making the following changes:

  • The Apache service is stopped and uninstalled, and the configuration that was applied to the "httpd.conf" file no longer takes effect.
  • Port 80 is assigned back to the Tomcat server, and port 8080 is assigned back to the Apache server.
  • The loopback address is removed and port 80 is added back in the server.xml file. As a result, external clients can directly access the Tomcat server using port 80.

If you enabled ModSecurity using a free port (not the Tomcat port) for the Apache server, the script disables ModSecurity by making the following changes:

  • The Apache service is stopped and uninstalled, and the configuration that was applied to the "httpd.conf" file no longer takes effect.
  • The loopback address is removed from the "server.xml" file.

    In this case, you must add the existing port number (which is 80 in this example) in the server.xml file.


Finally, you get the following message at the command prompt:

Apache Service is unregistered Successfully

Enable ModSecurity in SSL Mode

To enable ModSecurity in SSL mode, the Apache server is first configured to run in SSL mode. The following configuration tasks are performed to execute Apache in SSL mode:

  • Editing the "$SPECROOT\apache\conf\extra\httpd-ssl.conf" file to configure the virtual host (setting the Apache SSL port and the ProxyPass and ProxyPassReverse directives) so that the OneClick URL maps to the Apache SSL port.
  • Uncommenting the "#Include conf/extra/httpd-ssl.conf" directive in the httpd.conf file so that the Apache server runs in the SSL mode when it is started.
  • Configuring the log file paths in the "$SPECROOT\apache\conf\extra\httpd-ssl.conf" file for logging SSL logs.
  • Configuring the paths of SSL certificate files (server.crt and server.key), and generating those files using the "openssl" command.

After performing these configurations, enable ModSecurity in SSL mode by manually installing and starting the Apache service.

  • Do not use the "configApacheModsec.sh" script to enable ModSecurity in SSL mode.
  • To enable ModSecurity in SSL mode, the Tomcat server must also run in SSL mode. If the Tomcat server is running in non-SSL mode, disable that mode and enable SSL mode. To configure Tomcat in SSL mode, follow the instructions provided in the Configure OneClick for Secure Sockets Layer section.

Follow these steps to Enable ModSecurity in SSL Mode:

  1. Change the "httpd-ssl.conf" and the "httpd.conf" file from read-only mode to write mode.

    Note: Before proceeding to step 2, locate the following block in the "httpd.conf" file and comment it out, so that two virtual host configurations are not created:

    Listen 80
    <VirtualHost *:80>

      ProxyPreserveHost On
      ProxyPass /spectrum http://localhost:8081/spectrum
      ProxyPassReverse /spectrum http://localhost:8081/spectrum
    </VirtualHost>

  2. Find the "<VirtualHost *:443>" tag in the "httpd-ssl.conf". Add the following virtual host configuration in between <VirtualHost *:443> and </VirtualHost> tags as shown in the following example:

    <VirtualHost *:443>

      ProxyPreserveHost on
      SSLEngine on
      SSLProxyEngine on
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off
      ProxyPass /spectrum https://localhost:8443/spectrum
      ProxyPassReverse /spectrum https://localhost:8443/spectrum
    </VirtualHost>


    This configuration indicates that ModSecurity on httpd (Apache Web Server) is running in SSL mode on port TCP/443 and Tomcat is also running in SSL mode on port TCP/8443 locally.

  3. Edit the "httpd.conf" file to:
    1. Include the "httpd-ssl.conf" file in the "httpd.conf" file by removing the '#' symbol in front of the "Include conf/extra/httpd-ssl.conf" directive in the "httpd.conf" file.
    2. Load the module "mod_ssl.so" in the "httpd.conf" file by removing the '#' symbol in front of the "LoadModule ssl_module modules/mod_ssl.so" directive in the "httpd.conf" file.
  4. Replace the default path with the "$SPECROOT" path for DocumentRoot, Errorlog and TransferLog in the "httpd-ssl.conf" file.
  5. Execute the following command on Windows to generate the "server.crt" and the "server.key" file:
    $SPECROOT\NT-Tools\SRE\bin\bash.exe "$SPECROOT\\apache\\conf\\openssl req -newkey rsa:1024 -keyout server.key -nodes -x509 -out server.crt"
    Execute the following command on Linux to generate the "server.crt" and the "server.key" file:
    $SPECROOT\Apache\conf>openssl req -newkey rsa:1024 -keyout server.key -nodes -x509 -out server.crt
    You are prompted to enter the following details.
    1. Enter your Country Name in the (2 letter code) [XX] format, and press Enter.
    2. Enter your State or Province Name, and press Enter.
    3. Enter your Locality Name, and press Enter.
    4. Enter your Organization Name, and press Enter
    5. Enter your Organizational Unit Name, and press Enter.
    6. Enter your Common Name in the following format, and press Enter.
      <host_name>@domain.com
    7. Enter your Email address in the following format:
      id@domain.com
      You are prompted to verify whether the information that you provided is correct or not.
    8. Type 'yes', and press Enter.
  6. Do the following edits to the httpd-ssl.conf file to update the path of the server.crt and server.key certificate files:
    1. Find the SSLCertificateFile "c:/Apache24/conf/server.crt" line, and update the path to "$SPECROOT/apache/conf/server.crt".
    2. Find the SSLCertificateKeyFile "c:/Apache24/conf/server.key" line, and update the path to "$SPECROOT/apache/conf/server.key".
  7. On Linux, execute the following command at the bash prompt to enable ModSecurity in SSL mode:

    #./httpd -d /$SPECROOT/apache -k start

  8. On Windows, execute the following commands at the bash prompt to enable ModSecurity in SSL mode:

    C:\$SPECROOT\apache\bin>httpd.exe -k install

    C:\$SPECROOT\apache\bin>httpd.exe -k start

    ModSecurity is enabled with the Apache server running at the default SSL port 443. Now, clients must use the "https://<hostname><:443>/spectrum" url to connect to the Apache server. Execute the following steps to disable the existing Tomcat port (SSL) for the external clients, so that the tomcat cannot be accessed directly from external clients:

    1. Find the "<!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->" segment in the server.xml file.
    2. Add the "address=127.0.0.1" attribute in the next <Connector /> tag segment.
  To disable ModSecurity in SSL mode:
  • On Linux, execute the "./httpd -d /$SPECROOT/apache -k stop" command at the bash prompt.
  • On Windows, execute the "httpd.exe -k stop" command at the bash prompt.
  • On Windows, execute the "httpd.exe -k uninstall" command at the bash prompt to uninstall the Apache server.

After disabling ModSecurity, change the "httpd-ssl.conf" and the "httpd.conf" file from write mode to read-only mode.
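As an added example that is not part of the CA Spectrum scripts, the following Python check reads the httpd.conf fragment written for the reverse proxy and the Tomcat server.xml, and reports when Tomcat remains reachable around the proxy: a proxied Connector without the loopback binding, or a ProxyPass that points at Apache's own port instead of Tomcat. It covers both non-SSL procedures above and the SSL virtual host of this section; every configuration fragment below is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed httpd.conf fragment: Tomcat's port 80 handed to Apache, Tomcat moved to 8081.
HTTPD_CONF_OK = """\
Listen 80
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass          /spectrum http://localhost:8081/spectrum
    ProxyPassReverse   /spectrum http://localhost:8081/spectrum
</VirtualHost>
"""

# Constructed SSL variant: Apache on 443 proxying to Tomcat's SSL connector on 8443.
HTTPD_CONF_SSL = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    ProxyPass /spectrum https://localhost:8443/spectrum
    ProxyPassReverse /spectrum https://localhost:8443/spectrum
</VirtualHost>
"""

# Constructed mistake: Apache on free port 8082, but ProxyPass aimed at 8082 (itself), not at Tomcat.
HTTPD_CONF_LOOP = """\
<VirtualHost *:8082>
    ProxyPass /spectrum http://localhost:8082/spectrum
    ProxyPassReverse /spectrum http://localhost:8082/spectrum
</VirtualHost>
"""

# Constructed server.xml: both Tomcat connectors bound to loopback, as the procedures require.
SERVER_XML_OK = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1" address="127.0.0.1" redirectPort="8443" />
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="127.0.0.1" />
  </Service>
</Server>
"""
# Same file with the loopback binding left out: Tomcat listens on all interfaces.
SERVER_XML_EXPOSED = SERVER_XML_OK.replace(' address="127.0.0.1"', '')

VHOST_RE = re.compile(r'<VirtualHost\s+\*:(\d+)>')
PROXY_RE = re.compile(r'^\s*ProxyPass\s+/spectrum\s+https?://([^:/\s]+):(\d+)', re.M)
LOOPBACK = ('127.0.0.1', 'localhost', '::1')


def proxy_backend(httpd_conf):
    """Return (apache_port, backend_host, backend_port), or None if the directives are missing."""
    vhost, proxy = VHOST_RE.search(httpd_conf), PROXY_RE.search(httpd_conf)
    if not vhost or not proxy:
        return None
    return int(vhost.group(1)), proxy.group(1), int(proxy.group(2))


def tomcat_connectors(server_xml):
    """Return [(port, address)] for every <Connector>; address None means all interfaces."""
    root = ET.fromstring(server_xml)
    return [(int(c.get('port')), c.get('address')) for c in root.iter('Connector')]


def check_isolation(httpd_conf, server_xml):
    """Return findings; an empty list means clients can reach Tomcat only through Apache."""
    backend = proxy_backend(httpd_conf)
    if backend is None:
        return ['httpd.conf: no <VirtualHost> / ProxyPass /spectrum pair found']
    apache_port, host, backend_port = backend
    findings = []
    if host not in LOOPBACK:
        findings.append(f'httpd.conf: ProxyPass target {host} is not the local Tomcat')
    if backend_port == apache_port:
        findings.append(f'httpd.conf: ProxyPass target port {backend_port} is the Apache port itself (proxy loop)')
    bound = [addr for port, addr in tomcat_connectors(server_xml) if port == backend_port]
    if not bound:
        findings.append(f'server.xml: no Connector on backend port {backend_port}')
    for addr in bound:
        if addr not in LOOPBACK:
            findings.append(f'server.xml: Connector {backend_port} is not bound to loopback (address={addr!r})')
    return findings


if __name__ == '__main__':
    for name, conf, xml in (('non-ssl', HTTPD_CONF_OK, SERVER_XML_OK),
                            ('ssl', HTTPD_CONF_SSL, SERVER_XML_OK),
                            ('exposed', HTTPD_CONF_OK, SERVER_XML_EXPOSED),
                            ('loop', HTTPD_CONF_LOOP, SERVER_XML_OK)):
        print(name, check_isolation(conf, xml) or 'OK')
```

Run it against the real "$SPECROOT\apache\conf\httpd.conf" and "$SPECROOT\tomcat\conf\server.xml" contents after enabling ModSecurity; an empty result is what the procedures above are meant to produce.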

Import Third Party SSL Certificate

You can also import the SSL certificate of a third party organization. When you raise a request for a third party SSL certificate, that particular third party organization gives the following files:

  • server.crt (server certificate)
  • server.key (private key)

Warning: Restrict access to these files to the root user only.

Follow these steps:

  1. Download the "server.crt" and "server.key" files from the third party, and save them in the filesystem of the Apache server host.
  2. Locate the following line in the httpd.conf file, and remove the '#' character in this line to load the "mod_ssl.so" module:

    #LoadModule ssl_module modules/mod_ssl.so

    Save the file.

  3. Locate the following line in the httpd-ssl.conf file, and remove the existing path in the SSLCertificateFile "c:/Apache24/conf/server.crt" statement:

    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    #   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
    #   require an ECC certificate which can also be configured in
    #   parallel.
    SSLCertificateFile "c:/Apache24/conf/server.crt"
    #SSLCertificateFile "c:/Apache24/conf/server-dsa.crt"
    #SSLCertificateFile "c:/Apache24/conf/server-ecc.crt"

    Specify the absolute path to the downloaded "server.crt" file using the following syntax:

    SSLCertificateFile "<absolute path to the downloaded server.crt>"
  4. Locate the following line in the httpd-ssl.conf file, and remove the existing path in the SSLCertificateKeyFile "c:/Apache24/conf/server.key" statement:

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    #   ECC keys, when in use, can also be configured in parallel
    SSLCertificateKeyFile "c:/Apache24/conf/server.key"
    #SSLCertificateKeyFile "c:/Apache24/conf/server-dsa.key"
    #SSLCertificateKeyFile "c:/Apache24/conf/server-ecc.key"

    Specify the absolute path to the downloaded "server.key" file using the following syntax:

    SSLCertificateKeyFile "<absolute path to the downloaded server.key>"

    Save the file.

  5. Locate the following line in the "httpd.conf" file, and remove the '#' character in this line to include the "httpd-ssl.conf" file:

    #Include conf/extra/httpd-ssl.conf

    Save the file.

  6. Restart the Apache server.

How to enable ModSecurity in an Existing Apache Setup

If an Apache service is already running on your OneClick server host, perform the following steps to enable ModSecurity:

  1. Stop the Apache service.
  2. Copy the following folders, which are required to enable ModSecurity, to your existing Apache setup:
    $SPECROOT\apache\modsecurity-crs
    $SPECROOT\apache\modules
  3. Find the "Dynamic Shared Object (DSO) Support" segment in the "$SPECROOT\apache\conf\httpd.conf" file.
  4. Compare the "LoadModule" directives in your existing httpd.conf file with the "LoadModule" directives in the "$SPECROOT\apache\conf\httpd.conf" file.
    Each "LoadModule" directive loads a module that enables a functionality. To enable ModSecurity, you must include the ModSecurity modules in your existing "httpd.conf" file.
  5. Copy the "LoadModule" directives that are present in the "httpd.conf" of the CA Spectrum environment, and paste them in your existing "httpd.conf" file.
  6. Read the How ModSecurity Works topic and the Enable ModSecurity topics on this page to understand how ModSecurity is enabled.
  7. Configure the httpd.conf file as explained in those topics, and start the Apache service.

How ModSecurity Blocks Malicious Clients

The "httpd.conf" file includes the ModSecurity core rule set configuration files (base rules) that are located at "$SPECROOT\apache\modsecurity-crs\base_rules". The core rule set thresholds and parameters of these base rules are configured in the "modsecurity_crs_10_setup.conf" file that is located at "$SPECROOT\apache\modsecurity-crs\". The "httpd.conf" file includes this core rule set configuration file and all the base rules. These base rules provide strong firewall capabilities to the Apache server. The following list describes each base rule and its firewall capability:

modsecurity_crs_20_protocol_violations.conf
    Some protocol violations are common in HTTP attacks, and validating HTTP requests eliminates a large number of application layer attacks. The purpose of this rules file is to enforce the HTTP RFC requirements that state how the client is supposed to interact with the server. It also identifies invalid URIs.

modsecurity_crs_21_protocol_anomalies.conf
    All HTTP web requests include Host, User-Agent and Accept headers. In legitimate HTTP requests these headers exist and are not empty. This rule checks whether these headers exist and whether they are empty; HTTP requests without these common headers, or with empty ones, are blocked.

modsecurity_crs_23_request_limits.conf
    This rule defines limits on the number of arguments and the argument lengths in HTTP requests. For example, an HTTP request with 400 arguments can be suspicious. You can define the limits in this rule; HTTP requests that violate them are blocked.

modsecurity_crs_30_http_policy.conf
    This rule set limits how clients may use HTTP. Very few requests require the full breadth and depth of the HTTP protocol, and many HTTP attacks abuse such valid but rare HTTP usage patterns. You can restrict such patterns with this rule.

modsecurity_crs_35_bad_robots.conf
    Bad robots detection is based on checking elements that are easily controlled by the client, so a determined attacker can bypass those checks. Therefore, bad robots detection should be viewed not as a security mechanism against targeted attacks but as nuisance reduction. This rule eliminates most of the random attacks against your website; for example, it can stop a security scanner from scanning your server.

modsecurity_crs_40_generic_attacks.conf
    This rule checks HTTP requests for OS command injection attacks. It looks for attempts to invoke OS commands such as "curl", "wget", and "cc", which are used in injection attacks to force the victim web application to connect to an attacker site and download, compile, and install malicious toolkits, such as those that join botnets.

modsecurity_crs_41_sql_injection_attacks.conf
    This rule blocks HTTP requests that contain SQL injection attacks.

modsecurity_crs_41_xss_attacks.conf
    This rule blocks cross-site scripting attacks that arrive in unknown and malicious web requests. If these script attacks are not blocked, the malicious scripts can access cookies, session tokens, or other sensitive information retained by the browser.

modsecurity_crs_42_tight_security.conf
    This rule detects path traversal attacks in HTTP requests and blocks such requests.

modsecurity_crs_45_trojans.conf
    This rule detects access to known Trojans already installed on a server. (Upload of Trojans is covered by the anti-virus rules, which use an external anti-virus program when files are uploaded.) Detecting Trojan access is especially important in a hosting environment, where the actual Trojan upload may be done through valid methods and not through hacking. Trojan detection is based on checking elements controlled by the client.

modsecurity_crs_47_common_exceptions.conf
    This rule is used as an exception mechanism to remove common false positives.

modsecurity_crs_49_inbound_blocking.conf
    This rule denies access to, or redirects, malicious requests based on the anomaly score settings specified in the "modsecurity_crs_10_setup.conf" file.

modsecurity_crs_50_outbound.conf

modsecurity_crs_59_outbound_blocking.conf
    This rule checks the overall anomaly score and the action configured for threshold violations, and prevents outbound data leakage.

modsecurity_crs_60_correlation.conf
    This rule is used in post-processing after the response has been sent to the client (in the logging phase). Its purpose is to correlate inbound and outbound events so that the outcome of the transaction is designated more intelligently, that is, to confirm whether or not an attack was successful.

You cannot disable a specific ModSecurity base rule.

ModSecurity Logs

When ModSecurity is enabled, the following types of log files are generated:

Install Log

The "install.log" file is created when you first enable ModSecurity using the script. The install log records the following information:

    • Domain name, ServerName, ServerAdmin, and ServerRoot details of the Apache server.
    • The value of the ServerSslPort.
    • The port number with which Apache is installed.
    • The names and locations of all the configuration files which are loaded for the Apache server.

Error Log

The "error.log" file is generated when an error or a malicious attempt is encountered on Apache. All error logs (Apache error logs and ModSecurity error logs) are written to this file: Apache errors, warnings and fatal errors, as well as the ModSecurity error logs, are all found in this log file.

Audit Log

The "audit.log" file contains detailed information about all of the HTTP client intrusions that ModSecurity detects. When ModSecurity detects a malicious event and logs it in the error log file, an audit log entry for the same event is written to this log file. It is the most useful piece of information the system collects, because it contains the actual client request, including the client headers and data payload of the attack or event.
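As an added example (not CA's code), this Python script parses a constructed sample of the native serial audit log that ModSecurity 2.x writes and summarizes each transaction: client IP, request path, response status and the rule ids that fired. The transaction ids, addresses and message text in the sample are constructed; rule id 981173 is the one whitelisted for /spectrum/serviceDesk/ in the prerequisite steps above, and the rule-to-path summary is the kind of evidence such a whitelist decision rests on.

```python
import re

# Constructed sample of the native serial audit log ModSecurity 2.x writes. A transaction is a
# set of sections delimited by "--<id>-<letter>--" lines: A = audit header, B = request
# headers, F = response headers, H = audit trailer (rule messages), Z = end of transaction.
SAMPLE_AUDIT_LOG = """\
--a1b2c3d4-A--
[16/Dec/2016:10:15:32 +0000] WFPw9H8AAQEAAGHjB1YAAAAA 203.0.113.7 51234 10.0.0.5 80
--a1b2c3d4-B--
GET /spectrum/serviceDesk/list?filter=%28%29%3B%27 HTTP/1.1
Host: oneclick.example.com
User-Agent: Mozilla/5.0

--a1b2c3d4-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1

--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Operator GE matched 4 at ARGS:filter. [file "<SPECROOT>/apache/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
Action: Intercepted (phase 2)
Engine-Mode: "ENABLED"

--a1b2c3d4-Z--

--e5f6a7b8-A--
[16/Dec/2016:10:16:05 +0000] WFPxJX8AAQEAAGHjB1cAAAAB 198.51.100.20 40112 10.0.0.5 80
--e5f6a7b8-B--
GET /spectrum/ HTTP/1.1
Host: oneclick.example.com

--e5f6a7b8-F--
HTTP/1.1 200 OK

--e5f6a7b8-H--
Engine-Mode: "ENABLED"

--e5f6a7b8-Z--
"""

SECTION_RE = re.compile(r'^--([0-9A-Za-z]+)-([A-Z])--$')
# A section: [timestamp] unique_id client_ip client_port server_ip server_port
A_LINE_RE = re.compile(r'^\[[^\]]+\]\s+\S+\s+(\S+)\s+\d+\s+\S+\s+\d+$')
ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')


def parse_audit_log(text):
    """Split the serial audit log into {transaction_id: {section_letter: [lines]}}."""
    transactions, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            tid, letter = m.groups()
            current = transactions.setdefault(tid, {}).setdefault(letter, [])
        elif current is not None:
            current.append(line)
    return transactions


def summarize(tx):
    """Pull out what a responder triages first: who, which request, the outcome, which rules fired."""
    info = {'client_ip': None, 'method': None, 'path': None, 'status': None, 'rules': []}
    a = A_LINE_RE.match((tx.get('A') or [''])[0])
    if a:
        info['client_ip'] = a.group(1)
    req = (tx.get('B') or [''])[0].split()          # first B line is the request line
    if len(req) >= 2:
        info['method'], info['path'] = req[0], req[1].split('?', 1)[0]   # query string dropped
    resp = (tx.get('F') or [''])[0].split()         # first F line is the status line
    if len(resp) >= 2 and resp[1].isdigit():
        info['status'] = int(resp[1])
    for line in tx.get('H', []):
        if line.startswith('Message:'):
            rid, msg = ID_RE.search(line), MSG_RE.search(line)
            info['rules'].append((rid.group(1) if rid else None, msg.group(1) if msg else ''))
    return info


def rule_hits(transactions):
    """Map each rule id to the sorted request paths it fired on (input for whitelist decisions)."""
    hits = {}
    for tx in transactions.values():
        s = summarize(tx)
        for rid, _ in s['rules']:
            hits.setdefault(rid, set()).add(s['path'])
    return {rid: sorted(paths) for rid, paths in hits.items()}


if __name__ == '__main__':
    txs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for tid, tx in txs.items():
        print(tid, summarize(tx))
    print(rule_hits(txs))
```

Point parse_audit_log at the contents of the real audit.log to see which rule ids fire on which OneClick paths before deciding on a SecRuleRemoveById entry in whitelist.conf.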

Debug Log

The "debug.log" file logs all of the ModSecurity errors and exceptions that are useful for debugging.

During CA Spectrum uninstallation on Windows, the uninstaller removes the "apache" folder only when the Apache service is stopped using the "Services.msc" program.
