Mod security is crucial for having a layer of defense against hackers.
Note:ModSecurity 2.x works with Apache 2.0.x or better.
It is assumed here that you are using a Red Hat or Fedora CentOS but you'll findalso instructions for Slackware install
Red Hat/Fedora/CentOS Install:
Check to see if you have libxml2 installed
Code:
#rpm -q libxml2
You will also need to have the following - query each and install them if you do not have them. After mod_security is done installing, we will remove these packages.
Code:
#rpm -q httpd-devel#rpm -q apr-devel
#rpm -q apr-util-devel
#rpm -q pcre-devel
if not, install it.
Code:
#wget ftp://xmlsoft.org/libxml2/libxml2-2.6.27-1.i386.rpm
#rpm -Uvh libxml2-2.6.27-1.i386.rpm
Get mod_security
Code:
#wget http://www.modsecurity.org/download/modsecurity-apache_2.1.1.tar.gz
#tar zxf modsecurity-apache_2.1.1.tar.gz
Edit the makefile to put in your http root for param top_dir .
For FC4 its most likely
Code:
top_dir = /etc/httpd
For RHEL4 it is most likely
Code:
top_dir = /usr/lib/httpd
Note: Depending on your installation the FC4 may work for all RHEL/FC installs
Compile with make
Stop Apache
Install with make install
Now, go to your httpd.conf file, typically located at /etc/httpd/conf/
Code:
#nano -w /etc/httpd/conf/httpd.conf
find the section that contains the LoadModule portion.
Above all of the LoadModule directives add
Code:
LoadFile /usr/lib/libxml2.so
Then go to the end of the LoadModule section and add
Code:
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
now we need to get the configuration policies
Code:
#mkdir /etc/httpd/conf/modsecurity;cd /etc/httpd/conf/modsecurity
#wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.tar.gz
#tar zxf modsecurity-core-rules_2.1-1.4.tar.gz
#rm -f modsecurity-core-rules_2.1-1.4.tar.gz
Edit the *.conf files to fit your machines usage and expected rule sets
Copy modsecurity.conf-minimal to apache conf.d directory :
cp modsecurity.conf-minimal /etc/httpd/conf.d/modsecurity2.confand give it these contents at the end:
<ifmodule security2_module>
Include /etc/httpd/conf/modsecurity/*.conf
</ifmodule>
restart apache - it will fail to stop, thats fine.
Code:
/sbin/service httpd restart
remove those packages we don't need anymore
Code:
#rpm -e httpd-devel
#rpm -e apr-util-devel
#rpm -e apr-devel
#rpm -e pcre-devel
Slackware install:
#wget http://www.modsecurity.org/download/modsecurity-apache_2.5.7.tar.gz
#tar -vxzf modsecurity-apache_2.5.7.tar.gz
#cd modsecurity-apache_2.5.7/apache2/
#make
#checkinstall --fstrans=no -S -y
#installpkg apache2--i386-1.tgz
Put this in /etc/httpd/httpd.conf:
# Modsecurity
Include /etc/httpd/extra/httpd-modsecurity.conf
#mkdir -p /etc/httpd/extra/modsecurity/
#cd /etc/httpd/extra/modsecurity/
#wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
#tar -vxzf modsecurity-core-rules_2.5-1.6.1.tar.gz
#rm -rf modsecurity-core-rules_2.5-1.6.1.tar.gz CHANGELOG LICENSE README
Put this int /etc/httpd/extra/httpd-modsecurity.conf :LoadModule security2_module lib/httpd/modules/mod_security2.so
Include /etc/httpd/extra/modsecurity/*.conf
Modify in /etc/httpd/extra/modsecurity/modsecurity_crs_10_config.conf:SecAuditLog /var/log/httpd/modsec_audit.log
SecDebugLog /var/log/httpd/modsec_debug.log
Restart the apache daemon:
# /etc/rc.d/rc.httpd restart
Testing Mod_security:
At this point, it would be nice to test mod_security and make sure it's really filtering through the traffic. This can be done with a simple wget test. Wget can be configured to identify itself as something other than wget, so all we need to do is change it to something that should trigger mod_security. You'll probably want to do this from somewhere other than the web server itself. If you followed my firewall services tutorials, for instance, it won't work unless running this command from somewhere outside of the firewall.
wget -O - -U "webtrends security analyzer" http://<your server>
If mod_security is working, the machine you issued the command from should receive a 404 or 400 error.You now have Mod_Security installed, congratulations!
Mod_security white list:You can also add a white list to this module. For this you need to add the folowing lines to the modsecurity_crs_10_config.conf:
#Whitelist
SecRule REMOTE_ADDR "^192\.2\.1\.1$"phase:1,nolog,allow,ctl:ruleEngine=Off
#SecResponseBodyLimit
You can increase SecResponseBodyLimit if you get a message like:
"ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified)".
Have a look into modsecurity_crs_10_config.conf file and modify on the last line the "524288" value to "2097152" :
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2097152
Note:
We use Hosting and VPS Hosting, from: www.star-host.org
We like and trust them.
Good prices, high security.