
mod_security

Created by yves. Last edited by yves, 216 days ago.

Attachment: mod_security.conf

Mod_Security installation howto

http://www.modsecurity.org

ModSecurity is a very useful piece of software: an Apache module that helps you protect your site from attacks. From the web site description:

What Is ModSecurity?

ModSecurity is an embeddable web application firewall. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure.

If you want to know more, understand how it can protect your server and also be aware of the relevant caveats, see:

http://www.modsecurity.org/projects/rules/index.html

Installation notes for RHEL4

It's not guaranteed that copy-pasting the commands below will work for you, but please do report any inaccuracies you may have found as per the e-mail address at the bottom of this page.

apt-get install httpd-devel apr-devel apr-util-devel pcre-devel libxml2-devel

(The command assumes apt-get is configured for RPM packages on this host; on a stock RHEL4 system use up2date instead, or yum on CentOS 4, with the same package names. libxml2-devel is needed because ModSecurity 2.x is built against libxml2, which is also why the configuration below loads the library.)

wget http://www.modsecurity.org/download/modsecurity-apache_2.1.5.tar.gz

tar zxvf modsecurity-apache_2.1.5.tar.gz

cd modsec*

cd apache2

sed -i -e 's|^top_dir.*|top_dir = /etc/httpd|' Makefile

make

service httpd stop

make install

cd ..

mkdir /etc/httpd/conf/modsecurity

cp -R rules/* /etc/httpd/conf/modsecurity/

cat <<EOF >> /etc/httpd/conf.d/modsecurity.conf
LoadModule unique_id_module modules/mod_unique_id.so
LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/*.conf
EOF

(On x86_64 the library is under /usr/lib64 instead; the unversioned libxml2.so symlink comes from the libxml2-devel package installed above. The LoadModule and Include paths are relative to ServerRoot, which is /etc/httpd on RHEL.)

service httpd start

Configuring and using mod_security

The configuration is stored in:

/etc/httpd/conf/modsecurity/

For example, in the file /etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf, we can see this line:

SecDefaultAction "phase:2,log,pass,status:500"

It sets the default action for rules that don't specify their own. With "pass", a matching request is logged and then allowed through, so I suggest leaving it at this log-only setting at first and changing it to "phase:2,log,deny,status:500" once you are confident that no rule produces false positives. (The status code 500 is the one shown above; 403 is the more usual choice for a deliberate block, and either works.)
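The same rollout expressed as configuration, as an added example for this page rather than the contents of the bundled modsecurity_crs_10_config.conf. SecRuleEngine DetectionOnly is the directive-level way to say "evaluate every rule, block nothing": it suppresses the disruptive part of any rule, including rules that carry their own explicit deny, which SecDefaultAction alone does not do. The audit-log directives keep modsec_audit.log limited to transactions worth reading, and SecRuleRemoveById is how you switch off a single rule by id. The rule id 999999 is a placeholder, not a real rule.

```apache
# Added example, not the bundled config. Use ONE of blocks 1 and 2 in
# /etc/httpd/conf/modsecurity/modsecurity_crs_10_config.conf; the rest applies
# to both.

## 1. Observation period: rules run and log every match, nothing is blocked.
SecRuleEngine DetectionOnly
SecDefaultAction "phase:2,log,pass,status:500"

## 2. Enforcement, once the log has stayed free of false positives for a while.
##    (403 is the conventional code for a deliberate block; 500 matches the howto.)
# SecRuleEngine On
# SecDefaultAction "phase:2,log,deny,status:500"

## Audit log: record only transactions that matched a rule or ended in a
## 5xx/4xx status other than 404, in the serial (single-file) format.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/httpd/modsec_audit.log

## A rule that keeps firing on legitimate requests can be disabled by id
## without editing the rule file. This must come AFTER the Include that loads
## the rule, e.g. at the end of /etc/httpd/conf.d/modsecurity.conf.
## 999999 is a placeholder, not a real rule id.
# SecRuleRemoveById 999999
```

Because SecRuleRemoveById only affects rules already defined at the point where it appears, putting it before the Include line silently does nothing; check the rule id has really gone quiet in the audit log after restarting.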

You can follow the logs either in the apache error_log or see more detailed output in this file:

tail -n 200 -f /var/log/httpd/modsec_audit.log

Restart your Apache server and after a few minutes, depending on how much traffic you get, you'll see matches being logged for many undesirable requests. Nothing is blocked yet: while the default action is "pass", rules that don't set their own action only log.

Wait a couple more days and then change the default action to "deny", as explained above.

Please keep an eye on false positives: legitimate user requests that a rule rejects. Every match is recorded in the audit log with the rule's id and message, so if a rule proves problematic you can tweak it, or disable it by id with SecRuleRemoveById (placed after the Include line that loads the rules) rather than editing the rule file, and that should be enough.
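Deciding which rule is a false positive means reading modsec_audit.log, which is verbose. The script below is an added example for this page, not code from the howto or from the ModSecurity project: it condenses a ModSecurity 2.x serial audit log into hits per rule id with the number of distinct clients behind each, and lists the client and request line behind one rule id. It assumes the ModSecurity 2.x serial layout (part A carries the client address, part B the request line, part H the "Message:" lines tagged with [id "..."] and [msg "..."]); the sample log embedded in it is constructed, with rule ids and messages in the style of the bundled rules and addresses from the documentation ranges.

```sh
#!/bin/sh
# Triage helper for a ModSecurity 2.x serial audit log.  Added example for this
# howto, not code from the page or from the ModSecurity project.  Assumed
# layout: each transaction is a set of parts delimited by "--<boundary>-<letter>--"
# lines; part A's first line is "[timestamp] unique_id client_ip client_port
# server_ip server_port", part B starts with the request line, and part H holds
# "Message:" lines tagged with [id "..."] and [msg "..."].  Other parts are ignored.

# modsec_hits LOGFILE
# One tab-separated line per rule match: rule_id, client_ip, msg, request.
modsec_hits() {
    awk '
    /^--[0-9A-Za-z]+-[A-Z]--$/ {
        part = substr($0, length($0) - 2, 1)       # the part letter before "--"
        if (part == "A") { client = ""; req = "" }  # part A opens a transaction
        next
    }
    part == "A" && client == "" { client = $4 }
    part == "B" && req == ""    { req = $1 " " $2 }
    part == "H" && /^Message:/ && match($0, /\[id "[0-9]+"\]/) {
        id = substr($0, RSTART + 5, RLENGTH - 7)
        msg = ""
        if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
        printf "%s\t%s\t%s\t%s\n", id, client, msg, req
    }' "$1"
}

# modsec_rule_summary LOGFILE
# Hits per rule id, most frequent first, with the number of distinct clients.
# Many clients on ordinary URLs: probable false positive.  One client on many
# URLs: probably a scanner, leave the rule alone.
modsec_rule_summary() {
    modsec_hits "$1" | awk -F'\t' '
    {
        hits[$1]++
        if (!(($1, $2) in seen)) { seen[$1, $2] = 1; clients[$1]++ }
        msg[$1] = $3
    }
    END {
        for (id in hits)
            printf "%6d hits %4d clients  id %s  %s\n", hits[id], clients[id], id, msg[id]
    }' | sort -rn
}

# modsec_rule_requests LOGFILE RULE_ID
# Client and request line behind every hit of one rule, to judge whether the
# requests look legitimate before disabling the rule.
modsec_rule_requests() {
    modsec_hits "$1" | awk -F'\t' -v id="$2" '$1 == id { print $2, $4 }'
}

# Constructed sample log: two transactions from a client probing for SQL
# injection and one from a feed reader that merely omits an Accept header.
modsec_sample_log() {
    cat <<'EOF'
--a1b2c3d4-A--
[10/Jun/2008:10:00:00 +0000] SFavm8CoAX8AAF2NBbYAAAAA 192.0.2.10 51234 192.0.2.1 80
--a1b2c3d4-B--
GET /index.php?id=1%27%20OR%201=1 HTTP/1.1
Host: www.example.com

--a1b2c3d4-H--
Message: Warning. Pattern match "(?:\b(?:s(?:elect\b|ystem\()|union\b))" at ARGS:id. [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]

--a1b2c3d4-Z--

--b2c3d4e5-A--
[10/Jun/2008:10:00:05 +0000] SFavnMCoAX8AAF2NBbcAAAAA 192.0.2.10 51240 192.0.2.1 80
--b2c3d4e5-B--
GET /index.php?id=1%20UNION%20SELECT%201 HTTP/1.1

--b2c3d4e5-H--
Message: Warning. Pattern match "(?:\b(?:s(?:elect\b|ystem\()|union\b))" at ARGS:id. [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Message: Warning. Operator EQ match: 0. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]

--b2c3d4e5-Z--

--c3d4e5f6-A--
[10/Jun/2008:10:01:00 +0000] SFavzMCoAX8AAF2NBbgAAAAA 203.0.113.5 40012 192.0.2.1 80
--c3d4e5f6-B--
GET /rss.xml HTTP/1.1
User-Agent: FeedReader/1.0

--c3d4e5f6-H--
Message: Warning. Operator EQ match: 0. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"]

--c3d4e5f6-Z--
EOF
}

# Demonstration on the constructed sample.  On a real server run
# modsec_rule_summary /var/log/httpd/modsec_audit.log instead.
sample=$(mktemp)
modsec_sample_log > "$sample"
modsec_rule_summary "$sample"
echo "--- requests behind rule 960015 ---"
modsec_rule_requests "$sample" 960015
rm -f "$sample"
```

Run the file as-is to see the demonstration; on the server, source it and call modsec_rule_summary on /var/log/httpd/modsec_audit.log. In the sample, rule 960015 is hit by two different clients, one of them a feed reader fetching an ordinary URL, which is exactly the pattern that marks a candidate for tuning or removal, while 950001 is hit twice by a single client sending SQL fragments. To confirm after the install that rules fire at all, request a URL with an obviously hostile parameter value (a <script> tag, say) and check that a hit for it shows up.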

Remember that an application firewall like ModSecurity is not a substitute for good network firewall rules and, most importantly, for running only good, secure code on your server.

See also this other very important bliki article: Securing Your Server

Found a mistake in a howto? Let us know via an email to p.blikibugs at rimuhosting com.