Install ModSecurity2 on Apache2.0.x

Details
Parent Category: Tutorials
Published: 25 October 2008

ModSecurity is crucial for having a layer of defense against hackers in front of your web applications.

Note: ModSecurity 2.x works with Apache 2.0.x or better.

It is assumed here that you are using Red Hat, Fedora or CentOS, but you will also find instructions for a Slackware install below.


Red Hat/Fedora/CentOS Install:

Check to see if you have libxml2 installed:
Code:

#rpm -q libxml2

You will also need the following development packages to build the module. Query each one and install any that are missing; after mod_security is installed we will remove these packages again.
Code:

#rpm -q httpd-devel

#rpm -q apr-devel

#rpm -q apr-util-devel

#rpm -q pcre-devel

If libxml2 is not installed, install it:
Code:

#wget ftp://xmlsoft.org/libxml2/libxml2-2.6.27-1.i386.rpm
#rpm -Uvh libxml2-2.6.27-1.i386.rpm

Get mod_security
Code:

#wget http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz
#tar zxf modsecurity-apache_2.1.1.tar.gz

Edit the Makefile and set the top_dir parameter to your Apache root.

For FC4 it is most likely
Code:

top_dir = /etc/httpd

For RHEL4 it is most likely
Code:

top_dir = /usr/lib/httpd

Note: Depending on your installation, the FC4 value may work for all RHEL/FC installs.

Compile with make

Stop Apache

Install with make install

Now, go to your httpd.conf file, typically located at /etc/httpd/conf/
Code:

#nano -w /etc/httpd/conf/httpd.conf

Find the section that contains the LoadModule directives.

Above all of the LoadModule directives add
Code:

LoadFile /usr/lib/libxml2.so

Then go to the end of the LoadModule section and add
Code:

LoadModule security2_module modules/mod_security2.so

Include conf/modsecurity/*.conf


Now we need to get the configuration policies (the core rule set):
Code:

#mkdir /etc/httpd/conf/modsecurity;cd /etc/httpd/conf/modsecurity
#wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz
#tar zxf modsecurity-core-rules_2.1-1.4.tar.gz
#rm -f modsecurity-core-rules_2.1-1.4.tar.gz


Edit the *.conf files to fit your machine's usage and the rule sets you expect to need.

Copy modsecurity.conf-minimal to the Apache conf.d directory:
Code:

cp modsecurity.conf-minimal /etc/httpd/conf.d/modsecurity2.conf

and add these lines at the end of it:
Code:

<IfModule security2_module>
Include /etc/httpd/conf/modsecurity/*.conf
</IfModule>


Restart Apache. The stop step will report a failure because Apache is already stopped; that's fine.
Code:

/sbin/service httpd restart

Remove the development packages we no longer need:
Code:

#rpm -e httpd-devel
#rpm -e apr-util-devel
#rpm -e apr-devel
#rpm -e pcre-devel

Slackware install:

#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.7.tar.gz
#tar -vxzf modsecurity-apache_2.5.7.tar.gz
#cd modsecurity-apache_2.5.7/apache2/
#make
#checkinstall --fstrans=no -S -y
#installpkg apache2--i386-1.tgz


Put this in /etc/httpd/httpd.conf:

# Modsecurity
Include /etc/httpd/extra/httpd-modsecurity.conf


#mkdir -p /etc/httpd/extra/modsecurity/
#cd /etc/httpd/extra/modsecurity/
#wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
#tar -vxzf modsecurity-core-rules_2.5-1.6.1.tar.gz
#rm -rf modsecurity-core-rules_2.5-1.6.1.tar.gz CHANGELOG LICENSE README


Put this in /etc/httpd/extra/httpd-modsecurity.conf:

LoadModule security2_module lib/httpd/modules/mod_security2.so
Include /etc/httpd/extra/modsecurity/*.conf


Modify in /etc/httpd/extra/modsecurity/modsecurity_crs_10_config.conf:

SecAuditLog /var/log/httpd/modsec_audit.log
SecDebugLog /var/log/httpd/modsec_debug.log


Restart the apache daemon:


# /etc/rc.d/rc.httpd restart


Testing Mod_security:


At this point it is worth testing mod_security to make sure it is really filtering the traffic. This can be done with a simple wget test: wget can be told to identify itself as something other than wget, so all we need to do is set a User-Agent that should trigger a mod_security rule. You will probably want to run this from somewhere other than the web server itself. If you followed my firewall services tutorials, for instance, it will only work when run from outside the firewall.
Code:

wget -O - -U "webtrends security analyzer" http://<your server>

If mod_security is working, the machine you issued the command from should receive a 404 or 400 error.
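To confirm that the test request above was actually denied, and to review what the rules block day to day, the serial audit log written to the SecAuditLog path can be parsed. The following is an added Python example, not part of the original tutorial; the sample log, its transaction ids, addresses, rule ids and messages are constructed for this example.

```python
import re

# Constructed sample in the ModSecurity 2.x serial audit-log format (the SecAuditLog file);
# transaction ids, addresses, rule ids and messages are made up for this example.
SAMPLE_AUDIT_LOG = """\
--5f3a1c2e-A--
[25/Oct/2008:14:02:11 +0300] SQMHx38AAQEAAAAA 203.0.113.7 41522 192.0.2.10 80
--5f3a1c2e-B--
GET / HTTP/1.0
User-Agent: webtrends security analyzer

--5f3a1c2e-H--
Message: Access denied with code 404 (phase 2). Pattern match "webtrends security analyzer" at REQUEST_HEADERS:User-Agent. [id "900001"] [msg "Security scanner user agent"] [severity "CRITICAL"]
--5f3a1c2e-Z--

--5f3a1c2f-A--
[25/Oct/2008:14:05:40 +0300] SQMIZH8AAQEAAAAB 198.51.100.3 55601 192.0.2.10 80
--5f3a1c2f-B--
GET /index.php HTTP/1.1
User-Agent: Mozilla/5.0

--5f3a1c2f-H--
Message: Warning. Pattern match "Mozilla" at REQUEST_HEADERS:User-Agent. [id "900002"] [msg "Example warning-only rule"] [severity "WARNING"]
--5f3a1c2f-Z--
"""
# Each part begins with a boundary line: --<transaction id>-<part letter>--
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# "Message:" lines in part H carry the id and msg of every rule that fired
MESSAGE = re.compile(r'^Message: (.*?)\s+\[id "(\d+)"\].*?\[msg "([^"]*)"\]', re.M)

def parse_audit_log(text):
    """Split the serial log into {transaction id: {part letter: part body}}."""
    parts = BOUNDARY.split(text)  # [prefix, id, letter, body, id, letter, body, ...]
    txns = {}
    for i in range(1, len(parts) - 2, 3):
        txns.setdefault(parts[i], {})[parts[i + 1]] = parts[i + 2].strip()
    return txns

def summarize_denials(text):
    """Return (client ip, user agent, rule id, msg) for each denied transaction."""
    denials = []
    for sections in parse_audit_log(text).values():
        fields = sections.get("A", "").split()  # [date, tz, unique id, client ip, port, ...]
        client_ip = fields[3] if len(fields) > 3 else "?"
        ua = next((h.split(":", 1)[1].strip() for h in sections.get("B", "").splitlines()
                   if h.lower().startswith("user-agent:")), "")
        for summary, rule_id, msg in MESSAGE.findall(sections.get("H", "")):
            if summary.startswith("Access denied"):  # warning-only rules are skipped
                denials.append((client_ip, ua, rule_id, msg))
    return denials
```

Clients you whitelist with nolog (see below) never appear in this log, so an empty result for a known-blocked test request from such a client is expected.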

You now have Mod_Security installed, congratulations!


Mod_security white list:

You can also add a white list to this module. For this you need to add the following lines to modsecurity_crs_10_config.conf:
Code:

#Whitelist
SecRule REMOTE_ADDR "^192\.2\.1\.1$" "phase:1,nolog,allow,ctl:ruleEngine=Off"


#SecResponseBodyLimit

You can increase SecResponseBodyLimit if you get a message like:

"ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified)".

Have a look in the modsecurity_crs_10_config.conf file and change the "524288" value on the last line to "2097152":


SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2097152

Note:

We use hosting and VPS hosting from www.star-host.org.

We like and trust them.

Good prices, high security.
