ModSecurity is an open source web application firewall and intrusion detection and prevention system that provides filtering and other security features to the Apache HTTP Server. As a web application layer firewall, it allows HTTP traffic monitoring and real-time analysis with little or no change to existing infrastructure.
1. Install some dependency packages for mod_security :
[root@centos63 ~]# yum install gcc make libxml2 libxml2-devel httpd-devel pcre-devel curl-devel -y
ModSecurity is compiled from source and then loaded as a module from your httpd.conf file. Run the following commands as root :
[root@centos63 ~]# cd /usr/src/
2. Download mod_security :
[root@centos63 src]# wget http://www.modsecurity.org/download/modsecurity-apache_2.6.7.tar.gz
Example :
[root@centos63 src]# wget http://www.modsecurity.org/download/modsecurity-apache_2.6.7.tar.gz
--2012-09-17 16:06:20-- http://www.modsecurity.org/download/modsecurity-apache_2.6.7.tar.gz
Resolving www.modsecurity.org... 204.13.200.240
Connecting to www.modsecurity.org|204.13.200.240|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://downloads.sourceforge.net/mod-security/modsecurity-apache_2.6.7.tar.gz?use_mirror= [following]
--2012-09-17 16:06:21-- http://downloads.sourceforge.net/mod-security/modsecurity-apache_2.6.7.tar.gz?use_mirror=
Resolving downloads.sourceforge.net... 216.34.181.59
Connecting to downloads.sourceforge.net|216.34.181.59|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://downloads.sourceforge.net/project/mod-security/modsecurity-apache/2.6.7/modsecurity-apache_2.6.7.tar.gz?use_mirror= [following]
--2012-09-17 16:06:22-- http://downloads.sourceforge.net/project/mod-security/modsecurity-apache/2.6.7/modsecurity-apache_2.6.7.tar.gz?use_mirror=
Reusing existing connection to downloads.sourceforge.net:80.
HTTP request sent, awaiting response... 302 Found
Location: http://cdnetworks-kr-1.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.6.7/modsecurity-apache_2.6.7.tar.gz [following]
--2012-09-17 16:06:23-- http://cdnetworks-kr-1.dl.sourceforge.net/project/mod-security/modsecurity-apache/2.6.7/modsecurity-apache_2.6.7.tar.gz
Resolving cdnetworks-kr-1.dl.sourceforge.net... 211.39.135.162
Connecting to cdnetworks-kr-1.dl.sourceforge.net|211.39.135.162|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 785852 (767K) [application/x-gzip]
Saving to: “modsecurity-apache_2.6.7.tar.gz”
100%[==========================================================>] 785,852 88.6K/s in 8.7s
2012-09-17 16:06:32 (88.1 KB/s) - “modsecurity-apache_2.6.7.tar.gz”
3. Unpack the ModSecurity archive :
[root@centos63 src]# tar xzvf modsecurity-apache_2.6.7.tar.gz
4. Enter the extracted mod_security’s directory :
[root@centos63 src]# cd modsecurity-apache_2.6.7
5. Run the configure script to generate a Makefile. Typically no options are needed.
[root@centos63 modsecurity-apache_2.6.7]# ./configure
6. Install the ModSecurity module with :
[root@centos63 modsecurity-apache_2.6.7]# make install
7. Copy the recommended configuration file to the /etc/httpd/conf.d directory :
[root@centos63 modsecurity-apache_2.6.7]# cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
8. Mod_Security requires the OWASP (Open Web Application Security Project) core rules for its base configuration. They are used to protect against unknown vulnerabilities which are often found in web applications :
[root@centos63 ~]# cd /etc/httpd
[root@centos63 httpd]# wget http://downloads.sourceforge.net/project/mod-security/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz
[root@centos63 httpd]# tar xzvf modsecurity-crs_2.2.5.tar.gz
[root@centos63 httpd]# mv modsecurity-crs_2.2.5 modsecurity-crs
[root@centos63 httpd]# cd modsecurity-crs
[root@centos63 modsecurity-crs]# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
9. Configure the Apache httpd config file :
[root@centos63 ~]# vi /etc/httpd/conf/httpd.conf
Search for the line LoadModule in your httpd.conf and make sure you load the ModSecurity module with the following line :
..
..
LoadModule security2_module modules/mod_security2.so
..
..
Configure ModSecurity. Add these lines at the bottom of the httpd.conf file :
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_setup.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>
10. Restart the Apache service to enable the mod_security module and its rules :
[root@centos63 ~]# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
11. Verify that everything is working fine :
[root@centos63 ~]# httpd -t
Syntax OK
[root@centos63 ~]# tail -f /var/log/httpd/error_log
[Mon Sep 17 18:49:58 2012] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.3.3 configured -- resuming normal operations
[Mon Sep 17 20:24:27 2012] [notice] caught SIGTERM, shutting down
[Mon Sep 17 20:24:28 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Sep 17 20:24:28 2012] [notice] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
[Mon Sep 17 20:24:28 2012] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Mon Sep 17 20:24:28 2012] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Mon Sep 17 20:24:28 2012] [notice] ModSecurity: LIBXML compiled version="2.7.6"
[Mon Sep 17 20:24:28 2012] [notice] Digest: generating secret for digest authentication ...
[Mon Sep 17 20:24:28 2012] [notice] Digest: done
[Mon Sep 17 20:24:28 2012] [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.3.3 configured -- resuming normal operations
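"Syntax OK" and the startup notices only show that the module loaded; they do not show whether the rule engine blocks anything, and the recommended configuration file copied in step 7 sets SecRuleEngine DetectionOnly, which logs matches without denying requests. The script below is an added example, not part of the original tutorial: it reports whether the module is loaded and which SecRuleEngine mode is in effect. The function names and the sample files are constructed for illustration, and it assumes all directives sit in the main server context with files passed in load order.

```shell
#!/bin/sh
# Added example: post-install check for the ModSecurity setup above.
# Assumes directives sit in the main server context, files given in load order.

# Effective value of a directive: the last uncommented occurrence wins.
effective_directive() {   # $1 = directive name, $2... = config files
    name=$1; shift
    awk -v d="$name" '
        $1 ~ /^#/ { next }                          # skip commented lines
        tolower($1) == tolower(d) { v = $2 }        # directive names are case-insensitive
        END { print (v == "" ? "unset" : tolower(v)) }
    ' "$@"
}

# Succeeds only if httpd.conf has an uncommented LoadModule for security2_module.
module_loaded() {         # $1 = httpd.conf
    awk '$1 ~ /^#/ { next }
         tolower($1) == "loadmodule" && $2 == "security2_module" { found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Summarise the result: not-loaded, disabled, detection-only or blocking.
waf_state() {             # $1 = httpd.conf, $2... = ModSecurity config files
    conf=$1; shift
    if ! module_loaded "$conf"; then echo "not-loaded"; return 0; fi
    case $(effective_directive SecRuleEngine "$@") in
        on)            echo "blocking" ;;
        detectiononly) echo "detection-only" ;;
        *)             echo "disabled" ;;        # Off, or unset (default is Off)
    esac
}

# Constructed sample files standing in for the real ones.
make_sample() {           # $1 = target directory
    printf '%s\n' '#LoadModule security2_module modules/old.so' \
        'LoadModule security2_module modules/mod_security2.so' > "$1/httpd.conf"
    printf '%s\n' '# SecRuleEngine On' 'SecRuleEngine DetectionOnly' \
        'SecRequestBodyAccess On' > "$1/modsecurity.conf"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "state: $(waf_state "$demo/httpd.conf" "$demo/modsecurity.conf")"
rm -rf "$demo"
```

On the server from this walkthrough, the same call would be `waf_state /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/modsecurity.conf`.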