comment-knowledgebase/linux/webserver/apache/mod_security-1 I've attached an example ruleset configuration file that has quite a few rules for commonly exploited applications. Feel free to use them or modify as you like. 2007-08-14 01:21:39.0 2007-08-14 01:16:37.0 knowledgebase/linux/webserver/apache/mod_security 1 Mod_Security installation howto http://www.modsecurity.org Modsecurity is indeed a very useful software. It's a module for Apache to help you protect your site from attacks. From the web site description: {quote}What Is ModSecurity? ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. {quote} If you want to know more, understand how it can protect your server and also be aware the relevant caveats, see: http://www.modsecurity.org/projects/rules/index.html 1.1 Installation notes for RHEL4 It's not guaranteed that copy-pasting the commands below will work for you, but please do report any inaccuracies you may have found as per the e-mail address at the bottom of this page. {code:none} apt-get install httpd-devel apr-devel apr-util-devel pcre-devel wget http:\//www.modsecurity.org/download/modsecurity-apache_2.1.5.tar.gz tar zxvf modsecurity-apache_2.1.5.tar.gz cd modsec* cd apache2 sed -i Makefile -e 's|^top_dir.*|top_dir = /etc/httpd|g' make service httpd stop make install cd .. mkdir /etc/httpd/conf/modsecurity cp -R rules/* /etc/httpd/conf/modsecurity/ cat <<EOF>> /etc/httpd/conf.d/modsecurity.conf LoadModule unique_id_module modules/mod_unique_id.so LoadFile /usr/lib/libxml2.so LoadModule security2_module modules/mod_security2.so Include conf/modsecurity/*.conf EOF service httpd start {code} 1.1 Configuring and using mod_security The configuration is stored in: /etc/httpd/conf/modsecurity/ For example, in the file /etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf , we can see this line: SecDefaultAction "phase:2,log,pass,status:500" It sets the default action for rules that don't have one defined. So I suggest leaving it at the default "log only", but later change it to "log,deny,status:500" when you feel more confident that there are no rules with false positives. You can follow the logs either in the apache error_log or see more detailed output in this file: {code:none} tail -f /var/log/httpd/modsec_audit.log -n200 {code} Restart your apache server and after a few minutes, depending on how much access you get, you'll notice that it's working already, blocking many undesirable requests. Wait a couple more days and then change the default action to "deny", as explained above. Please keep an eye on possible but unlikely false positive rejects that modsecurity may cause for valid user requests. If a rule appears to be problematic, tweak it a bit or comment it out from your rule set and it should be enough. Remember that having an application firewall like modsecurity is not a substitute for having good network firewall rules setup and, most importantly, for having only good and secure code running on your server. See also this other very important bliki article: [knowledgebase/Security/Securing Your Server] 2008-01-25 07:32:45.0 2007-08-08 18:04:45.0 Tue Aug 14 01:15:21 EDT 2007