Home

How to install Mod Security 2

Thu, 01/17/2008 - 4:13am — Vinno


Mod Security 2
A quick description about Mod Security.
“ModSecurity is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.”

My guide for installing Mod Security 2 will be based on Ubuntu 7.10 Gutsy with Apache 2, you can use it as a reference for other linux distributions. NOTE: Please read this page as a reference before continuing on. It may help, some references might relate to Ubuntu Linux.

First find out what version of apache your using, e.g the prefork or threaded. (default apache2 package from Ubuntu contains prefork)

Get the required development files:

sudo apt-get install apache2-prefork-dev libxml++2.6-dev liblua5.1-0 liblua5.1-0-dev libcurl3-dev

Next, you will need to download mod security 2 from http://modsecurity.org:
Uncompress it somewhere in your home directory. Now go into the mod security directory and there should be a apache2 directory inside, move into that directory and edit a file called “Makefile”.

Edit "Makefile":

top_dir = /usr/local/apache2

to 

top_dir = /usr/share/apache2/

Now time to make:

make

Make install by:

sudo make install

Now you need to load mod security 2 module up by creating a load file in Apache 2:

sudo nano /etc/apache2/mods-available/mod-security2.load

Paste this in:

LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

To Enable the module in Apache 2:

sudo ln -s /etc/apache2/mods-available/mod-security2.load /etc/apache2/mods-enabled

Also you must enable unique id module which is already packed with apache2:

sudo ln -s /etc/apache2/mods-available/unique_id.load /etc/apache2/mods-enabled

Now to tell apache where to find the mod security rules and what files to load:

sudo nano /etc/apache2/conf.d/modsecurity2.conf

Paste this in:

<ifmodule mod_security2.c>
Include /etc/modsecurity/*.conf
</ifmodule>

Now lets create a mod security directory where we can place our rule files and logs:

sudo mkdir /etc/modsecurity
sudo mkdir /etc/modsecurity/logs
sudo touch /etc/modsecurity/logs/modsec_audit.log
sudo touch /etc/modsecurity/logs/modsec_debug.log

Now we are going to gather the mod security 2 rules files, which came with the package mod security 2 you downloaded early on. There should be a directory called rules.
Go into that directory then we going to copy the rule config files over to /etc/modsecurity/:

sudo cp *.conf /etc/modsecurity/

You must edit one of the rule config files called “modsecurity_crs_10_config.conf”:

sudo nano /etc/modsecurity/modsecurity_crs_10_config.conf

2 Changes need to be made:

SecDebugLog logs/modsec_debug.log

to 

SecDebugLog /etc/modsecurity/logs/modsec_debug.log
SecAuditLog logs/modsec_audit.log

to 

SecAuditLog /etc/modsecurity/logs/modsec_audit.log

Now your done, time to restart apache2:

sudo /etc/init.d/apache2 restart

To find out if you have mod security 2 running successfully:

cat /var/log/apache2/error.log | grep “ModSecurity for”

Should return something like: 

“[Wed Jan 16 21:28:48 2008] [notice] ModSecurity for Apache/2.5.0-rc1 (http://www.modsecurity.org/) configured.”

---Extras--- Once you got it up and running

  • You can add more config file rules by copying the files in optional_rules directory over to your /etc/modsecurity/ directory.
  • Also, change some actions for mod security by editing the /etc/modsecurity2/modsecurity_crs_10_config.conf file, by looking for lines like these below and uncommenting the # and changing 'pass' to 'deny'
    #SecRule REQUEST_HEADERS:Content-Type "text/xml" \
#"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
    #SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}
    #SecDefaultAction "phase:2,log,pass,status:500"

hope this helps :)

Comments

Fri, 01/25/2008 - 2:17pm — Doug (not verified)

Great straight forward guide for Ubuntu 7.10

After much fumbling around with several guides including ModSecurity's own guide, this one got the job done. Thanks a lot.
Thu, 01/31/2008 - 10:18am — Axe (not verified)

Great

No hiccup here and there. Great article. Thanks.
Thu, 01/31/2008 - 1:52pm — shaifful (not verified)

Wow great tips.

I've tried goggling the net and finally find yours.. Nice job
Thu, 03/06/2008 - 8:41am — ZP (not verified)

Many Thanks

Install went without a single hiccup. Thanks for the great article!
Fri, 04/04/2008 - 4:15am — Stephen Craig Evans (not verified)

slight difference in steps for ModSecurity 2.5.1

Great stuff, Vinno. Thanks. I just installed ModSecurity-Apache 2.5.1 on Kubuntu 7.10; the steps are slightly different and I would like to share them here since your instructions are the best I've found: - first, a minor correction: your pre-install recommendation package is 'build-essential', not 'build-essentials' - you have to run './configure' (as regular user) before 'make' in order to build the Makefile. I got a warning message during 'configure': " checking for libcurl config script... no configure: *** curl library not found. configure: NOTE: curl library is only required for building mlogc " mlogc is the ModSecurity console which I might use later so I decided to solve the curl library issue. I waded through 'sudo apt-get install ' and installed 'libcurl3', 'curl', and 'libcurl3-dev' before the message disappeared; it's quite possible that only libcurl3-dev is needed. - the 'Edit Makefile' step for 'top_dir' was not necessary and 'top_dir' is not in the Makefile that is produced by 'configure'. My system has the path '/usr/share/apache2/' as in your instruction and the build worked without a hitch. After doing 'make' and building it, the rest of your instructions are exactly spot on. Thanks again.
Sun, 04/06/2008 - 12:38pm — Vinno

Thanks for the correction.

Stephen Craig, I fixed up build-essential mistake and also added the curl package, I think maybe the modsecurity rc version I installed was bit different to the current version you just installed. When I get time, I will re-run over the new version, im sure your info will be helpful to the others. Thanks :) --- Vinno. Contact Me
Tue, 06/03/2008 - 8:40am — idomagic (not verified)

Installing modsecurity-apache_2.5.4 on 8.04 Hardy (xubuntu)

Great guide, thanks! Just wanted to mention that Stephens method also goes for 8.04, might make it a tad easier to find the solution for googler's like myself. That is, instead of the step with editing the makefile, do ./configure, rest of the guide works perfectly.
Fri, 07/18/2008 - 1:04pm — Gunfus (not verified)

Installing modsecurity-apache on 8.04 Hardy (server)

I found this guide doing the last search before I adventured to installing it myself. So great help.. and thanks to 'idomagic' for adding the 8.04 keyword.. I am still doing the install process, but so far I found that for ubuntu-server you will need to call 'sudo apt-get install build-essentials' and then do the './configure' otherwise you will be missing a bunch of stuff :)
Sun, 07/27/2008 - 1:57am — Julio (not verified)

Woah, it worked. Thanks for

Woah, it worked. Thanks for the help!

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • You may post PHP code. You should include <?php ?> tags.

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
  _   _  _      ___    _ 
 / | | || |    / _ \  / |
 | | | || |_  | (_) | | |
 | | |__   _|  \__, | | |
 |_|    |_|      /_/  |_|
Enter the code depicted in ASCII art style.