Mod security is crucial for having a layer of defense against hackers.

Note:ModSecurity 2.x works with Apache 2.0.x or better.


It is assumed here that you are using a Red Hat or Fedora CentOS but you'll find

also instructions for Slackware install

 

Red Hat/Fedora/CentOS Install:

Check to see if you have libxml2 installed
Code:

#rpm -q libxml2

You will also need to have the following - query each and install them if you do not have them. After mod_security is done installing, we will remove these packages.
Code:

#rpm -q httpd-devel

#rpm -q apr-devel

#rpm -q apr-util-devel

#rpm -q pcre-devel

if not, install it.
Code:

#wget ftp://xmlsoft.org/libxml2/libxml2-2.6.27-1.i386.rpm
#rpm -Uvh libxml2-2.6.27-1.i386.rpm

Get mod_security
Code:

#wget http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz
#tar zxf modsecurity-apache_2.1.1.tar.gz

Edit the makefile to put in your http root for param top_dir .

For FC4 its most likely
Code:

top_dir = /etc/httpd

For RHEL4 it is most likely
Code:

top_dir = /usr/lib/httpd

Note: Depending on your installation the FC4 may work for all RHEL/FC installs

Compile with make

Stop Apache

Install with make install

Now, go to your httpd.conf file, typically located at /etc/httpd/conf/
Code:

#nano -w /etc/httpd/conf/httpd.conf

find the section that contains the LoadModule portion.

Above all of the LoadModule directives add
Code:

LoadFile /usr/lib/libxml2.so

Then go to the end of the LoadModule section and add
Code:

LoadModule security2_module modules/mod_security2.so

Include conf/modsecurity/*.conf

now we need to get the configuration policies
Code:

#mkdir /etc/httpd/conf/modsecurity;cd /etc/httpd/conf/modsecurity
#wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz
#tar zxf modsecurity-core-rules_2.1-1.4.tar.gz
#rm -f modsecurity-core-rules_2.1-1.4.tar.gz

Edit the *.conf files to fit your machines usage and expected rule sets

Copy modsecurity.conf-minimal to apache conf.d directory :

cp modsecurity.conf-minimal /etc/httpd/conf.d/modsecurity2.conf

and  give it these contents at the end:

<ifmodule security2_module>
Include /etc/httpd/conf/modsecurity/*.conf
</ifmodule>

restart apache - it will fail to stop, thats fine.
Code:

/sbin/service httpd restart

remove those packages we don't need anymore
Code:

#rpm -e httpd-devel
#rpm -e apr-util-devel
#rpm -e apr-devel
#rpm -e pcre-devel

Slackware install:

#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.7.tar.gz
#tar -vxzf modsecurity-apache_2.5.7.tar.gz
#cd modsecurity-apache_2.5.7/apache2/
#make
#checkinstall --fstrans=no -S -y
#installpkg apache2--i386-1.tgz

Put this in /etc/httpd/httpd.conf:

# Modsecurity
Include /etc/httpd/extra/httpd-modsecurity.conf

#mkdir -p /etc/httpd/extra/modsecurity/
#cd /etc/httpd/extra/modsecurity/
#wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
#tar -vxzf modsecurity-core-rules_2.5-1.6.1.tar.gz
#rm -rf modsecurity-core-rules_2.5-1.6.1.tar.gz CHANGELOG LICENSE README

Put this int /etc/httpd/extra/httpd-modsecurity.conf :

LoadModule security2_module lib/httpd/modules/mod_security2.so
Include /etc/httpd/extra/modsecurity/*.conf

Modify in /etc/httpd/extra/modsecurity/modsecurity_crs_10_config.conf:

SecAuditLog /var/log/httpd/modsec_audit.log
SecDebugLog /var/log/httpd/modsec_debug.log

Restart the apache daemon:

# /etc/rc.d/rc.httpd restart

 

Testing Mod_security:

At this point, it would be nice to test mod_security and make sure it's really filtering through the traffic. This can be done with a simple wget test. Wget can be configured to identify itself as something other than wget, so all we need to do is change it to something that should trigger mod_security. You'll probably want to do this from somewhere other than the web server itself. If you followed my firewall services tutorials, for instance, it won't work unless running this command from somewhere outside of the firewall.
wget -O - -U "webtrends security analyzer" http://<your server>

If mod_security is working, the machine you issued the command from should receive a 404 or 400 error.

You now have Mod_Security installed, congratulations!

Mod_security white list:

You can also add a white list to this module. For this you need to add the folowing lines to the modsecurity_crs_10_config.conf:

 

#Whitelist

SecRule REMOTE_ADDR "^192\.2\.1\.1$"phase:1,nolog,allow,ctl:ruleEngine=Off

 

#SecResponseBodyLimit

You can increase SecResponseBodyLimit if you get a message like:

"ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified)".

Have a look into modsecurity_crs_10_config.conf file and modify on the last line the "524288" value to "2097152" :

SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2097152

Note: We use Hosting and VPS Hosting, from: www.star-host.org We like and trust them. Good prices, high security.

fShare

Tweet