Installation & configuration of ModSecurity on APACHE

Installation & configuration of ModSecurity on APACHE

Mod Security is a web based firewall (WAF) designed for apache (though there is a version available for IIS too). It is widely used and highly effective. But there is a learning curve in using modsec. You can start exploring by installing ModSec on your system.


To install modsec from YUM you will need to install EPEL ( Extra Packages for Enterprise Linux )

Depending upon your Linux installation run the following command

[yOMan@ x-machine ~]# uname -a

     Linux 2.6.18-308.1.1.el5 #1 SMP Wed Mar 7 04:57:35 EST 2012 x86_64           

Install Extended Packages

As you can see this is an EL5 installation so we will install EL5 rpm on this machine

rpm -Uvh

for EL6 you can use following

rpm -Uvh

Now you can install extra packages on Linux. Lets install ModSec

Installing ModSecurity

Modsec has two parts

1) ModSec Engine

2) ModSec Rules

You will need to install both for a working ModSec installation.

If you dont know exact package name, you can search the repository using the following

yum search modsec

======================== Matched: modsec ============================

                mlogc.x86_64 : ModSecurity Audit Log Collector

                mod_security.x86_64 : Security module for the Apache HTTP Server

                mod_security_crs.noarch : ModSecurity Rules

                mod_security_crs-extras.noarch : Supplementary mod_security rules


Proceed to installation

yum install mod_security.x86_64 mod_security_crs.noarch
Package                             Arch            Version        Repository         Size
mod_security                       x86_64                   2.6.8-6.el5     epel                   160 k
mod_security_crs                   noarch                   2.2.5-5.el5     epel                   103 k
Installing for dependencies:
lua                                 x86_64                   5.1.4-4.el5     epel                   229k


There you go ModSec has been installed on your Server.

NOTE: ModSec rules installed here are the Standard OWASP rules. If you like to use other rules you can always download and include them in the modsecurity.d directory located in your httpd installation.

NOTE2: As of writing this primer, there is a bug in mod_security 2.6.8-6.el5 , to resolve this you will have to install a patch

yum update --enablerepo=epel-testing mod_security-2.6.8-6.el5
Confirm by navigating to
[yoMan@x-machine ~]# cd /etc/httpd
[yoMan@x-machine httpd]# ll
drwxr-xr-x 2 root root 4096 Apr 25 15:49 conf
drwxr-xr-x 2 root root 4096 Apr 25 15:49 conf.d
drwxr-xr-x 3 root root 4096 Apr 18 21:11 modsecurity.d
lrwxrwxrwx 1 root root   29 Apr 25 15:49 modules -> ../../usr/lib64/httpd/modules

lrwxrwxrwx 1 root root   13 Apr 25 15:49 run -> ../../var/run

lrwxrwxrwx 1 root root   19 Apr 25 15:49 logs -> ../../var/log/httpd



You will find modsecurity configuration file and rules in following directory

[yoMan@x-machine httpd]# ll conf.d
-rw-r--r-- 1 root root 3161 Apr 25 13:18 mod_security.conf
 [yoMan@x-machine httpd]# ll modsecurity.d
drwxr-xr-x 2 root root 4096 Apr 18 21:11 activated_rules
-rw-r--r-- 1 root root 13544 Sep 13 2012 modsecurity_crs_10_config.conf


Everything is set, Lets configure ModSec!!!

Configuring ModSecurity

Now there are some Options for ModSec that every beginner should know.

Main configuration directives   Directive Description

SecRuleEngine Controls the operation of the rule engine [Off On DetectOnly]

SecDataDir Sets the folder for persistent storage

SecRequestBodyAccess Controls request body buffering

SecRequestBodyInMemoryLimit Sets the size of the per-request memory buffer

SecRequestBodyLimit Sets the maximum request body size ModSecurity will accept

SecRequestBodyNoFilesLimit Sets the maximum request body size, excluding uploaded files

SecResponseBodyAccess Controls response body buffering

SecResponseBodyLimit Specifies the response body buffering limit

SecTmpDir Sets the folder for temporary files

Lets just turn on modsec and see what happens, but we will enable it in Detection mode only, this way we will be able to see if the rules are working without them actually blocking anything. Comment out the line

vim /etc/httpd/conf.d/mod_security.conf
---> SecRuleEngine

Add the following line

SecRuleEngine DetectionOnly


By default all the active rules are present in the following directory

[APACHE Configuration Dir]/modsecurity.d/activated_rules/

After making the changes as indicated above, restart your apache server. Tail your apache error log file and watch for any ModSec triggered errors. We will get into more detail on ModSec in the next tutorial.

Author: siBzz