Linode Library Home
Linode Library RSS Feed
Home :: Web Servers :: Apache
Print View View Source

mod_security on Apache

Published: by

ModSecurity is a web application firewall for the Apache web server. In addition to providing logging capabilities, ModSecurity can monitor the HTTP traffic in real time in order to detect attacks. ModSecurity also operates as a web intrusion detection tool, allowing you to react to suspicious events that take place at your web systems.

Contents

Installing ModSecurity

Before you install ModSecurity, you'll want to have a LAMP stack set up on your Linode. For instructions, see the LAMP Guides.

Ubuntu / Debian

To install ModSecurity on a Linode running Ubuntu or Debian, enter the following commands, one by one:

sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
sudo apt-get install libapache-mod-security

ModSecurity is now installed on your Linode.

CentOS / Fedora

To install ModSecurity on a Linode running CentOS or Fedora, perform the following steps:

  1. Install the GCC compiler and the dependancies by entering the following commands, one by one:

    sudo yum install mod_security
    
  2. Restart Apache by entering the following command:

    sudo /etc/init.d/httpd restart
    

ModSecurity is now installed on your Linode.

OWASP ModSecurity Core Rule Set

For a base configuration, we are going to use the OWASP core rule set. Installation instructions are in the SpiderLabs GitHub project here:

Configuring ModSecurity

You'll want to use the modsecurity_10_crs_config, so let's copy that from the example:

cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

There are five rules directories:

  • activated_rules
  • base_rules
  • experimental_rules
  • optional_rules
  • slr_rules

Note

The activated_rules directory will be empty in case you wanted to symlink the configuration files for the rules you wish to use into that directory.

There are two ways to configure ModSecurity: use a basic ruleset, or use symbolic links. The following sections explain how to use both methods.

Using a Basic Ruleset

If you want to get started with a basic ruleset and would rather not bother with symbolically linking configuration files, perform the following steps:

  1. Modify your httpd.conf file as shown below:

    File:/etc/apache2/httpd.conf (Debian / Ubuntu)

    <IfModule security2_module>
        Include modsecurity-crs/*.conf
        Include modsecurity-crs/base_rules/*.conf
    </IfModule>
    

    File:/etc/httpd/conf/httpd.conf (CentOS / Fedora)

    <IfModule security2_module>
        Include modsecurity-crs/*.conf
        Include modsecurity-crs/base_rules/*.conf
    </IfModule>
    
  2. In the modsecurity_crs_20_protocol_violations.conf file, rename the REQBODY_ERROR variable to REQBODY_PROCESSOR_ERROR.

  3. Restart Apache for the updates to take effect:

    Debian / Ubuntu:

    /etc/init.d/apache2 restart
    

    CentOS / Fedora:

    /etc/init.d/httpd restart
    

You have successfully configured ModSecurity.

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

Creative Commons License

This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Last edited by Sharon Campbell on Friday, February 14th, 2014 (r4248).