Installing ModSecurity
ModSecurity is an open source intrusion detection and prevention engine for
web applications (or a web application firewall). Operating as an Apache Web
server module or standalone, the purpose of ModSecurity is to increase web application
security, protecting web applications from known and unknown attacks.
Before installing ModSecurity, you need to get the latest version of ModSecurity from
http://www.modsecurity.org/download/index.html
Download the latest ModSecurity
wget http://www.modsecurity.org/download/modsecurity-apache_1.9.3.tar.gz
Uncompress the file
tar -zxvf modsecurity-apache_1.9.3.tar.gz
Go to the folder
cd modsecurity-apache_1.9.3
cd apache1 (or apache2 if you are using Apache 2)
Now run
apxs -cia mod_security.c
Now you will see something like
server20# /usr/local/apache/bin/apxs -cia mod_security.c
gcc -funsigned-char -DMOD_SSL=208125 -DEAPI -fpic -DSHARED_MODULE -I/usr/local/apache/include -c mod_security.c
gcc -shared -o mod_security.so mod_security.o
[activating module `security' in /usr/local/apache/conf/httpd.conf]
cp mod_security.so /usr/local/apache/libexec/mod_security.so
chmod 755 /usr/local/apache/libexec/mod_security.so
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak
cp /usr/local/apache/conf/httpd.conf.new /usr/local/apache/conf/httpd.conf
rm /usr/local/apache/conf/httpd.conf.new
server20#
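Edit the httpd.conf file (the apxs output above shows which httpd.conf it activated the module in; edit that file if its path differs from the one below)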
vi /etc/httpd/conf/httpd.conf
Find
DefaultType text/plain
Add below
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:500"
SecFilter /etc/
SecFilter /initrd/
# '+' is a regex quantifier; escape it so the pattern matches the literal name lost+found
SecFilter /lost\+found/
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /usr/local/apache
SecFilter /usr/local/cpanel
SecFilter /usr/local/mysql
SecFilter /var/
SecFilter /boot/
SecFilter /bin/cc
SecFilter /bin/gcc
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*:.*@"
SecFilterSelective ARGS_VALUES "MIME-Version: 1.0"
SecFilterSelective ARGS_VALUES "Content-Transfer-Encoding: 7bit"
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "perl "
SecFilterSelective THE_REQUEST "lynx "
SecFilterSelective THE_REQUEST "cd /tmp"
SecFilterSelective THE_REQUEST "cd /var/tmp"
Now restart the Apache web server; once it is running again, your web server is protected with mod_security
# apachectl stop
# apachectl start
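The SecFilter keywords added to httpd.conf above are regular expressions matched against the whole request line, so it is worth checking what they catch before relying on them. The following is an added example, not part of the original page: it approximates a subset of those rules with Python's re module over constructed request lines. The function names, the sample requests and the side-by-side unescaped and escaped lost+found patterns are assumptions for illustration.

```python
import re

# A subset of the filter patterns from the configuration above, with the
# lost+found pattern in both unescaped and escaped form for comparison.
PATTERNS = [
    "/etc/",
    "/var/",
    "/lost+found/",
    r"/lost\+found/",
    "delete[[:space:]]+from",
    "wget ",
    "perl ",
]

def compile_filter(pattern):
    """Approximate a ModSecurity 1.x filter with Python's re module."""
    # Python has no POSIX character classes, so translate the one used here.
    translated = pattern.replace("[:space:]", r"\s")
    # ModSecurity 1.x matches patterns case-insensitively by default.
    return re.compile(translated, re.IGNORECASE)

COMPILED = [(p, compile_filter(p)) for p in PATTERNS]

def matching_rules(request_line):
    """Return the patterns that would fire on this request line."""
    return [p for p, rx in COMPILED if rx.search(request_line)]

# Constructed request lines, written as already URL-decoded text.
SAMPLES = [
    "GET /index.php?page=/etc/passwd HTTP/1.0",
    "GET /docs/etc/howto.html HTTP/1.0",
    "GET /blog/perl HTTP/1.0",
    "GET /backup/lostfound/ HTTP/1.0",
    "GET /lost+found/ HTTP/1.0",
    "GET /shop.php?note=Delete  from cart HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        hits = matching_rules(line)
        verdict = "deny (500)" if hits else "allow"
        print(f"{verdict:10} {line!r} {hits}")
```

Ordinary pages such as /docs/etc/howto.html and /blog/perl are denied along with the traversal attempt, and the unescaped /lost+found/ pattern matches /lostfound/ rather than the literal directory name. Replaying a sample of real access-log request lines through the same function gives a rough false-positive estimate before the deny action goes live.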