Installing Mod Secure

Another method of tracking unusual activity is to install the Apache security module mod_security (ModSecurity). This module inspects incoming requests, including POST data, for known patterns used to compromise an Apache server and blocks matching requests.

In order to install mod_security on Red Hat platforms, perform the following steps:

  1. Use yum to install the security module and the pre-defined rules:
    yum -y install mod_security mod_security_crs
  2. Restart Apache:
    systemctl restart httpd

The mod_security_crs package includes several pre-defined rules that block known exploit patterns. However, a few of these rules will break RTM, because RTM passes large base64-encoded strings through POST variables. Therefore, you will have to add rule exclusions that allow the specific activity generated by a few of the pages.

Once you restart Apache, if you access RTM using an IP address you will no longer be able to reach the RTM web site; instead, you will receive a permission denied message. In addition, you will find a modsec_audit.log file in /var/log/httpd containing a message that the request was blocked because an IP address was used to access the web site.

When using mod_security_crs, there are several known rules that must be bypassed for RTM to function. Those rule exclusions should be placed in a config file in /etc/httpd/modsecure.d called modsecurity_crs_20_cacti_config.conf. In that file, add the following lines:

    #SecRuleEngine Off
    SecRuleRemoveByID 960017 981172 981204 981257

Note that the SecRuleEngine Off line is commented out. If you uncomment this line and restart Apache, any pages that would have been blocked are allowed by default but still generate an audit message. It is suggested that you test the RTM web site in this mode for a few days and then review the audit log for rule violations.

In the near term, you can bypass a rule violation simply by adding its rule ID to the bypass list. However, it is important to contact IBM support and report the rule violations so that they can be evaluated and either verified as safe to bypass or given some other disposition.
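The review described above is easier when the audit log is summarised by rule ID. The following script is an added example, not part of the RTM documentation: it counts which rule IDs fired in a ModSecurity serial-format audit log and prints a candidate bypass line in the form used by the config file above. The log it writes is a constructed sample; on a real host run the functions against /var/log/httpd/modsec_audit.log instead.

```shell
#!/bin/sh
# Added example (not from the RTM documentation): summarise which ModSecurity
# rule IDs fired so the bypass list in modsecurity_crs_20_cacti_config.conf is
# built from audit evidence. make_sample_log writes a CONSTRUCTED sample in
# ModSecurity's serial audit-log format; on a real host point the functions at
# /var/log/httpd/modsec_audit.log instead.

make_sample_log() {
  cat > "$1" <<'EOF'
--1a2b3c4d-A--
[01/Jan/2024:10:00:00 +0000] Xa1 192.0.2.10 51234 192.0.2.5 80
--1a2b3c4d-B--
GET /cacti/index.php HTTP/1.1
Host: 192.0.2.5
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"]
--1a2b3c4d-Z--
--5e6f7a8b-B--
POST /cacti/graph_view.php HTTP/1.1
Host: 192.0.2.5
--5e6f7a8b-H--
Message: Access denied with code 403 (phase 2). Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [msg "Host header is a numeric IP address"]
Message: Warning. Operator GT matched 5 at TX:sqli_select_statement_count. [file "modsecurity_crs_41_sql_injection_attacks.conf"] [line "160"] [id "981172"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"]
--5e6f7a8b-Z--
EOF
}

# Print "<hits> <rule id> <rule message>" per rule, most frequent first.
# Only section-H "Message:" lines carry the [id "..."] and [msg "..."] fields.
summarize_rule_hits() {
  sed -n 's/^Message: .*\[id "\([0-9]*\)"].*\[msg "\([^"]*\)"].*/\1 \2/p' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Emit a SecRuleRemoveById line listing every rule ID seen, in the form the
# config file uses. Review each ID (and raise it with support) before using it.
bypass_line() {
  ids=$(summarize_rule_hits "$1" | awk '{print $2}' | sort -n | tr '\n' ' ' | sed 's/ *$//')
  printf 'SecRuleRemoveById %s\n' "$ids"
}

# Stand-alone demonstration on the constructed sample.
log=$(mktemp)
make_sample_log "$log"
summarize_rule_hits "$log"
bypass_line "$log"
rm -f "$log"
```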