ModSecurity is a web application firewall for the Apache web server. In addition to providing logging facilities, ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. In this case ModSecurity operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.
You'll want to have your LAMP setup completed before installing mod_security.
To install mod_security, run these commands as root:
Debian / Ubuntu:
apt-get install libxml2 libxml2-dev libxml2-utils
apt-get install libaprutil1 libaprutil1-dev
apt-get install libapache-mod-security
CentOS / Fedora:
yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel
On CentOS/Fedora there is no maintained package yet, so we'll need to build mod_security from source. Grab the mod_security tarball, build it, and copy the recommended configuration into place:
cd /usr/src
wget http://www.modsecurity.org/download/modsecurity-apache_2.6.2.tar.gz
tar xzf modsecurity-apache_2.6.2.tar.gz
cd modsecurity-apache_2.6.2
./configure
make install
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
You will then need to modify your Apache configuration to load the ModSecurity module, so find the LoadModule section in your httpd.conf and add this line to the end:
File:/etc/httpd/conf/httpd.conf
LoadModule security2_module modules/mod_security2.so
You'll then need to restart Apache:
/etc/init.d/httpd restart
For a base configuration, we are going to use the OWASP core rule set, so we'll need to grab the latest tarball:
Debian / Ubuntu:
cd /etc/apache2
wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.2.tar.gz
tar xzf modsecurity-crs_2.2.2.tar.gz
mv modsecurity-crs_2.2.2 modsecurity-crs
cd modsecurity-crs
CentOS / Fedora:
cd /etc/httpd/conf
wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.2.tar.gz
tar xzf modsecurity-crs_2.2.2.tar.gz
mv modsecurity-crs_2.2.2 modsecurity-crs
cd modsecurity-crs
We'll want to use the modsecurity_crs_10_config configuration, so let's copy it from the shipped example:
cp modsecurity_crs_10_config.conf.example modsecurity_crs_10_config.conf
There are five rules directories:
- activated_rules
- base_rules
- experimental_rules
- optional_rules
- slr_rules
The activated_rules directory ships empty; it exists so that you can symlink the configuration files for just the rules you wish to use into it. If you want to get started with a basic rule set and not bother with symlinking configuration files, you can instead include the base_rules directory directly from your httpd.conf file:
File:/etc/apache2/httpd.conf (Debian / Ubuntu)
<IfModule security2_module>
Include modsecurity_crs/modsecurity_crs_10_config.conf
Include modsecurity_crs/base_rules/*.conf
</IfModule>
File:/etc/httpd/conf/httpd.conf (CentOS / Fedora)
<IfModule security2_module>
Include modsecurity_crs/modsecurity_crs_10_config.conf
Include modsecurity_crs/base_rules/*.conf
</IfModule>
If you would rather symlink just those configuration files you wish to use over to the activated_rules directory, your IfModule would look like this:
File:/etc/apache2/httpd.conf (Debian / Ubuntu)
<IfModule security2_module>
Include modsecurity_crs/modsecurity_crs_10_config.conf
Include modsecurity_crs/activated_rules/*.conf
</IfModule>
File:/etc/httpd/conf/httpd.conf (CentOS / Fedora)
<IfModule security2_module>
Include modsecurity_crs/modsecurity_crs_10_config.conf
Include modsecurity_crs/activated_rules/*.conf
</IfModule>
If you are taking the symlink route, you'll need to make sure you place those symlinks before restarting Apache. A few examples are shown here:
To symlink all of the base_rules into activated_rules (run from the modsecurity-crs directory you extracted above, so that $PWD points at it):
# links get absolute targets so they remain valid wherever Apache is started from
for f in base_rules/*.conf ; do ln -s "$PWD/$f" activated_rules/ ; done
To symlink only the comment spam rules from the optional_rules directory into the activated_rules directory:
for f in optional_rules/*comment_spam*.conf ; do ln -s "$PWD/$f" activated_rules/ ; done
You'll then need to restart Apache for your updates to take effect:
Debian / Ubuntu:
/etc/init.d/apache2 restart
CentOS / Fedora:
/etc/init.d/httpd restart
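The symlink procedure above, gathered into a small POSIX shell script as an added example (this is not code from the original guide or from the ModSecurity/CRS projects). It assumes the CRS directory layout described in this guide (base_rules/, optional_rules/, activated_rules/) and the Debian init script name; the function names and the CRS_DIR argument are this example's own. It adds two things the one-liners lack: it is idempotent, so re-running it does not fail on links that already exist, and it refuses to restart Apache unless the configuration parses, so a bad Include cannot take the site down together with the WAF.

```shell
#!/bin/sh
# Added example: activate OWASP CRS rule files by symlinking them into
# activated_rules/. Not part of the original guide; names are hypothetical.

# activate_rules CRS_DIR SRC_SUBDIR [PATTERN]
#   Symlinks every *.conf in CRS_DIR/SRC_SUBDIR whose file name matches the
#   grep PATTERN (default: everything) into CRS_DIR/activated_rules, using
#   absolute targets so the links stay valid regardless of Apache's working
#   directory. Links that already exist are left alone. Prints the number of
#   links created.
activate_rules() {
    crs_dir=$1
    src=$2
    pattern=${3:-.}
    count=0
    [ -d "$crs_dir/activated_rules" ] || mkdir -p "$crs_dir/activated_rules"
    for f in "$crs_dir/$src"/*.conf; do
        [ -e "$f" ] || continue            # glob matched nothing: stays literal
        name=$(basename "$f")
        printf '%s\n' "$name" | grep -q -- "$pattern" || continue
        link="$crs_dir/activated_rules/$name"
        if [ ! -e "$link" ]; then
            ln -s "$f" "$link"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# count_active_rules CRS_DIR
#   Prints how many rule files Apache will pick up via the
#   "Include modsecurity_crs/activated_rules/*.conf" line.
count_active_rules() {
    n=0
    for f in "$1"/activated_rules/*.conf; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_and_restart
#   Only restarts Apache if the configuration (including the new rule
#   Includes) passes apachectl's syntax check; otherwise leaves the running
#   server untouched and returns non-zero.
check_and_restart() {
    if apachectl -t 2>/dev/null; then
        /etc/init.d/apache2 restart        # assumed Debian/Ubuntu init script
    else
        echo "Apache configuration test failed; not restarting" >&2
        return 1
    fi
}
```

Typical use on a Debian/Ubuntu host that followed this guide: `activate_rules /etc/apache2/modsecurity-crs base_rules`, then `activate_rules /etc/apache2/modsecurity-crs optional_rules comment_spam`, then `check_and_restart`. On CentOS/Fedora substitute /etc/httpd/conf/modsecurity-crs and the httpd init script.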
This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.
Last edited by Amanda Folson on Monday, November 14th, 2011 (r2677).
