ModSecurity is a module for Apache to act as a web application firewall, which bring another security layer to your website. Nowadays, it is very important to have this protection so your website will be protected from Internet threats. Based on my experience as system administrator, our intrusion detection system averagely detected 10 – 15 internet threats per server per day. These include brute-force attack, blind SQL injection, XSS attack and many more.
Apache is the most popular web server in the world. For those who use Apache, I strongly advise you to have ModSecurity enabled in your production web server. You will never know when your website being target, or why it being target. Protection is the best cure!
I will use standard CentOS 6 distribution with Apache installed using yum run as DSO. Variables as below:
OS: CentOS 6 64bit
Apache directory: /etc/httpd
Apache configuration: /etc/httpd/conf/httpd.conf
ModSecurity configuration: /etc/httpd/conf.d/modsecurity.conf
1. Install Apache via yum and make sure it running properly:
$ yum install -y httpd* $ chkconfig httpd on $ service httpd start
2. Install all the needed packages via yum:
$ yum install pcre* libxml2* libcurl* lua* libtool openssl -y
3. Download mod_security source file at http://www.modsecurity.org/download/. In this case I will download modsecurity-apache_2.6.2.tar.gz :
$ cd /usr/local/src $ tar -xzf modsecurity-apache_2.6.2.tar.gz
4. Extract the downloaded files, navigate to the folder, configure and install:
$ cd modsecurity-apache* $ ./configure $ make $ make install
5. Copy the ModSecurity configuration file into Apache configuration directory:
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
6. Activate the mod_security and unique_id modules in Apache configuration file. Open /etc/httpd/conf/httpd.conf via text editor and add following line:
LoadModule security2_module modules/mod_security2.so LoadModule unique_id_module modules/mod_unique_id.so
7. Now we need to turn on the protection in ModSecurity configuration file. Open /etc/httpd/conf.d/modsecurity.conf via text editor and change following line:
8. Restart Apache so mod_security can be loaded into Apache environment:
$ service httpd restart
Done! Your website now has been protected with Apache ModSecurity. You can tweak the rules inside modsecurity.conf files to suit your website requirement. You can check what is happening by reviewing the log file located under /var/log/modsec_audit.log.