Sunday, 8 July 2012

Install ASL-Lite in Linux servers

ASL Lite is a free, unsupported, lightweight rule updater and basic mod_security setup project. It is designed as an atomicorp.com mod_security rule downloader for custom Apache environments and for non-Apache or mixed web server installations. On a standard system it keeps the mod_security rules at the current version automatically. During installation it tries to determine whether mod_security is installed and, if so, which version is installed; if mod_security is not installed it attempts to install it, and if the installed version is out of date it attempts to upgrade it to the latest stable version.
For more info: http://www.atomicorp.com/wiki/index.php/ASL_Lite

1. wget -q -O - http://www.atomicorp.com/installers/asl-lite | sh

2. Compare the dates to make sure the security module is the latest.

date

ls -l /usr/local/apache/modules/mod_security2.so

3. Create the required directories and set the correct ownership and permissions.

mkdir -v /usr/local/apache/conf/modsec_rules/
cp -pv /home/cpeasyapache/src/modsecurity-apache_2.5.13/rules/util/modsec-clamscan.pl /usr/local/apache/conf/modsec_rules/modsec-clamscan.pl
chmod -v /var/asl
chmod -v 705 /var/asl/data
chown nobody.nobody /var/asl/data/msa
chown nobody.nobody /var/asl/data/audit
chown nobody.nobody /var/asl/data/suspicious
chmod o-rx -R /var/asl/data/
chmod ug+rwx -R /var/asl/data/
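The chown/chmod lines above leave three subdirectories owned by the web server user with no access for "other". Below is an added check (not part of the original post or of ASL-Lite) that verifies the end state of step 3 before Apache is restarted. It assumes the owner is "nobody", as in the chown lines, and parses `ls -ld` output so it works on both GNU and BSD userlands; the base directory itself is only checked for mode, since step 3 never changes its owner.

```shell
#!/bin/sh
# Added example: verify the ownership and mode of the ASL data directories
# created in step 3. Not code from the original post; "nobody" as the
# expected owner is taken from the chown lines above.

# check_asl_dir DIR [OWNER]
# Returns 0 when DIR exists, is owned by OWNER (if given) and grants no
# permission bits to "other"; prints one line per problem and returns 1.
check_asl_dir() {
    dir=$1
    owner=$2
    dir_rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir"
        return 1
    fi
    # first field of ls -ld is the mode string, third is the owner
    perms=$(ls -ld "$dir" | cut -c1-10)
    actual_owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ -n "$owner" ] && [ "$actual_owner" != "$owner" ]; then
        echo "OWNER: $dir is owned by $actual_owner, expected $owner"
        dir_rc=1
    fi
    # columns 8-10 of the mode string are the "other" class (chmod o-rx -R)
    other=$(printf '%s' "$perms" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "MODE: $dir is $perms, 'other' should have no access"
        dir_rc=1
    fi
    return $dir_rc
}

# check_asl_tree BASE OWNER
# BASE (e.g. /var/asl/data) is checked for mode only; the msa, audit and
# suspicious subdirectories are checked for mode and owner.
check_asl_tree() {
    base=$1
    owner=$2
    tree_rc=0
    check_asl_dir "$base" "" || tree_rc=1
    for sub in msa audit suspicious; do
        check_asl_dir "$base/$sub" "$owner" || tree_rc=1
    done
    return $tree_rc
}
```

Run it as `check_asl_tree /var/asl/data nobody`; a non-zero exit with the printed diagnostics tells you which directory still needs a chown or chmod.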



4. Verify that mod_security is being loaded and configured correctly.

# cat /usr/local/apache/conf/modsec2.user.conf
=========
SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecRule FILES_TMPNAMES "@inspectFile /usr/local/apache/conf/modsec_rules/modsec-clamscan.pl" "log,auditlog,deny,status:403,severity:2,phase:2,t:none,id:'1010101'"
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial
SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000
Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec_rules/whitelist.conf
========= 

# cat /usr/local/apache/conf/modsec2.conf
====
LoadFile /opt/xml2/lib/libxml2.so
LoadFile /opt/lua/lib/liblua.so
LoadModule security2_module  modules/mod_security2.so
<IfModule mod_security2.c>
SecRuleEngine On
# See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
#  "Add the rules that will do exactly the same as the directives"
# SecFilterCheckURLEncoding On
# SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecDebugLog logs/modsec_debug_log
SecDebugLogLevel 0
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
Include "/usr/local/apache/conf/modsec2.user.conf"
</IfModule>
====

In the httpd.conf file, make sure the following entry is present.
======
Include "/usr/local/apache/conf/modsec2.conf"
======
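The three files above form a chain: httpd.conf includes modsec2.conf, which loads the module and includes modsec2.user.conf, which carries the ASL rule set and the upload scanner rule. Below is an added read-only check (not part of the original post or of ASL-Lite) that confirms the chain is wired up and the directives this setup depends on are present; comment lines are ignored, so the commented-out SecFilter* lines do not count. The file paths are passed as arguments so it can be pointed at the live files or at copies.

```shell
#!/bin/sh
# Added example: confirm the httpd.conf -> modsec2.conf -> modsec2.user.conf
# include chain and the key directives from step 4. Not code from the
# original post; it only reads the files and never edits them.

# has_directive FILE REGEX
# Returns 0 if a non-comment line of FILE matches the extended regex REGEX.
has_directive() {
    grep -v '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# check_modsec_chain HTTPD_CONF MODSEC2_CONF USER_CONF
# Prints one line per missing item and returns 1 if anything is missing.
check_modsec_chain() {
    httpd_conf=$1
    modsec_conf=$2
    user_conf=$3
    rc=0
    for f in "$httpd_conf" "$modsec_conf" "$user_conf"; do
        if [ ! -r "$f" ]; then
            echo "MISSING FILE: $f"
            return 1
        fi
    done
    # httpd.conf must pull in modsec2.conf (with or without quotes)
    has_directive "$httpd_conf" "^[[:space:]]*Include[[:space:]]+\"?$modsec_conf\"?" \
        || { echo "$httpd_conf does not Include $modsec_conf"; rc=1; }
    # modsec2.conf must load the module, enable the engine and include the user file
    for want in \
        "^[[:space:]]*LoadModule[[:space:]]+security2_module" \
        "^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$" \
        "^[[:space:]]*Include[[:space:]]+\"?$user_conf\"?"; do
        has_directive "$modsec_conf" "$want" \
            || { echo "$modsec_conf lacks: $want"; rc=1; }
    done
    # the user file must inspect request bodies, include the ASL rules and scan uploads
    for want in \
        "^[[:space:]]*SecRequestBodyAccess[[:space:]]+On" \
        "^[[:space:]]*Include[[:space:]]+.*10_asl_rules\.conf" \
        "^[[:space:]]*SecRule[[:space:]]+FILES_TMPNAMES[[:space:]]+\"@inspectFile"; do
        has_directive "$user_conf" "$want" \
            || { echo "$user_conf lacks: $want"; rc=1; }
    done
    return $rc
}
```

On the layout from this post, run it as `check_modsec_chain /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/modsec2.conf /usr/local/apache/conf/modsec2.user.conf`; a clean run here is a good reason to also run `apachectl -t` before restarting, since this check does not parse Apache syntax.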

Configure ASL-Lite with the username and password of your atomicorp.com account (shown here as “username” and “password”), update the rules, and add the update to cron.
======

asl-lite -c

Install the cron entry (runs the rule update daily at 05:00):
0 5 * * * /var/asl/bin/asl-lite -u

asl-lite -u

======

Monitor the logs for 30 minutes to see whether any errors appear.

tail -f /usr/local/apache/logs/error_log

tail -f /usr/local/apache/logs/modsec_audit.log

Add ASL ClamAV rules and restart ClamD

Check the latest ClamAV signature build on
www.atomicorp.com/channels/rules/subscription

Download the latest rule tarball with (substitute the URL of the tarball listed on the subscription page):
/usr/bin/wget --no-cache -q -P /usr/local/src/ <URL of the latest clamav-*.tar.gz from the subscription page>

In the commands below, replace clamav-201107071712.tar.gz with the name of the tarball you downloaded.

Untar the file, change its ownership, and place it in the ClamAV rules folder.

cd /usr/local/src/
tar xzvf clamav-201107071712.tar.gz
cd /usr/local/src/clamav
mv -v ASL /usr/share/clamav
cd /usr/share/clamav
chown -v clamav.clamav ASL*

The ASL-Lite installation is now complete.