How to install Mod Security 2

This guide is outdated. See Ubuntu mod security 2 with Ubuntu Intrepid 8.10 instead.


Mod Security 2
A quick description of ModSecurity, quoted from the project's own description:
“ModSecurity is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.”

This guide installs ModSecurity 2 on Ubuntu 7.10 Gutsy with Apache 2; the steps can serve as a reference for other Linux distributions. NOTE: read this page through once before starting. Some steps (package names, file paths) are specific to Ubuntu Linux.

First find out which Apache 2 MPM you are running, prefork or worker (threaded); the default apache2 package on Ubuntu uses prefork. The development package you install next must match it: if you run the worker MPM, install apache2-threaded-dev instead of apache2-prefork-dev.

Get the required development files:

sudo apt-get install apache2-prefork-dev libxml++2.6-dev liblua5.1-0 liblua5.1-0-dev libcurl3-dev

Next, download the ModSecurity 2 source from http://modsecurity.org and uncompress it somewhere in your home directory. Inside the unpacked tree there is an apache2 directory; change into it and edit the file called "Makefile".

Edit "Makefile":

top_dir = /usr/local/apache2

to

top_dir = /usr/share/apache2/

Now build it:

make

Then install it:

sudo make install

Now load the ModSecurity 2 module by creating a load file for Apache 2:

sudo nano /etc/apache2/mods-available/mod-security2.load

Paste this in:

LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

To enable the module in Apache 2 (equivalently, sudo a2enmod mod-security2):

sudo ln -s /etc/apache2/mods-available/mod-security2.load /etc/apache2/mods-enabled

You must also enable mod_unique_id, which ships with apache2; ModSecurity uses the UNIQUE_ID it generates as the transaction id in its audit log:

sudo ln -s /etc/apache2/mods-available/unique_id.load /etc/apache2/mods-enabled

Now tell Apache where to find the ModSecurity rules and which files to load:

sudo nano /etc/apache2/conf.d/modsecurity2.conf

Paste this in:

<IfModule mod_security2.c>
Include /etc/modsecurity/*.conf
</IfModule>

Now create a ModSecurity directory for the rule files and logs. Keep the logs directory readable by root only: the audit log records complete requests, including cookies, Authorization headers and POST bodies.

sudo mkdir /etc/modsecurity
sudo mkdir /etc/modsecurity/logs
sudo touch /etc/modsecurity/logs/modsec_audit.log
sudo touch /etc/modsecurity/logs/modsec_debug.log

Now gather the ModSecurity 2 rule files, which ship in the source package you downloaded earlier, in a directory called rules.
Go into that directory and copy the rule config files over to /etc/modsecurity/:

sudo cp *.conf /etc/modsecurity/

You must edit one of the rule config files, modsecurity_crs_10_config.conf:

sudo nano /etc/modsecurity/modsecurity_crs_10_config.conf

Two changes need to be made. Both log paths are relative in the shipped file and would be resolved against Apache's ServerRoot (/etc/apache2 on Ubuntu), so point them at the directory you just created. Change

SecDebugLog logs/modsec_debug.log

to

SecDebugLog /etc/modsecurity/logs/modsec_debug.log

and change

SecAuditLog logs/modsec_audit.log

to

SecAuditLog /etc/modsecurity/logs/modsec_audit.log

Now you're done; restart apache2 (running apache2ctl configtest first reports any syntax error in the new files before you take the server down):

sudo /etc/init.d/apache2 restart

To find out whether ModSecurity 2 loaded successfully:

grep "ModSecurity for" /var/log/apache2/error.log

Should return something like:

"[Wed Jan 16 21:28:48 2008] [notice] ModSecurity for Apache/2.5.0-rc1 (http://www.modsecurity.org/) configured."

---Extras--- Once you have it up and running

  • You can add more rule files by copying the files in the optional_rules directory of the source tree over to your /etc/modsecurity/ directory (the Include above picks them up). Add them one at a time and watch the audit log; the optional rules are the ones most likely to produce false positives.
  • To make ModSecurity block attacks rather than only log them, edit /etc/modsecurity/modsecurity_crs_10_config.conf and look for the lines below. The one that matters is SecDefaultAction: make sure it is not commented out (remove the leading #) and change 'pass' to 'deny'; every core rule that does not specify its own disruptive action will then deny the request with the given status code. Leave the two SecRule lines as they are: the first only switches the request-body processor to XML for XML requests and the second only initialises a per-resource collection, so changing their 'pass' to 'deny' would block every XML request and every successful response, not attacks. Run with 'pass' for a while first and review modsec_audit.log for legitimate requests that trip rules before switching to 'deny'.
    #SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    #"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
    #SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}"
    #SecDefaultAction "phase:2,log,pass,status:500"
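Before switching from 'pass' to 'deny', the audit log is where you find out which rules fire and on which requests. The script below is added here as an example; it is not part of the original guide or of the ModSecurity distribution. It assumes a serial audit log (SecAuditLogType Serial, one file with all transactions; the concurrent format writes one file per transaction instead) and defines three functions of my own naming: which rule ids fired and how often, how many requests were actually intercepted, and a per-transaction list of request line plus verdict. The log it parses is constructed inline for the example, not captured from a server; its transaction ids, rule ids, file paths and patterns are illustrative only, and it deliberately mixes two log-only transactions with one intercepted one so every function has something to report. Point the functions at /etc/modsecurity/logs/modsec_audit.log on a real server.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise a ModSecurity 2
# serial audit log (SecAuditLogType Serial) to review what fires while
# SecDefaultAction still says "pass". Every "Warning" below would become a
# blocked request once it says "deny".
#
# Constructed sample log: ids, paths and patterns are illustrative, not real.
SAMPLE_LOG="${TMPDIR:-/tmp}/modsec_audit_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
--4f2a9c1b-A--
[16/Jan/2008:21:30:12 +0000] R4oHlMCoAQEAAB4tJgkAAAAB 192.168.1.50 51234 192.168.1.1 80
--4f2a9c1b-B--
GET /index.php?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1
Host: www.example.com
User-Agent: curl/7.18.0

--4f2a9c1b-H--
Message: Warning. Pattern match "union.{1,100}?select" at ARGS:id. [file "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Producer: ModSecurity for Apache/2.5.0 (http://www.modsecurity.org/); core ruleset/1.6.0.
--4f2a9c1b-Z--
--7d10e3a2-A--
[16/Jan/2008:21:31:05 +0000] R4oH2cCoAQEAAB4tJgoAAAAC 192.168.1.50 51240 192.168.1.1 80
--7d10e3a2-B--
GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: www.example.com
User-Agent: curl/7.18.0

--7d10e3a2-H--
Message: Warning. Pattern match "<script" at ARGS:q. [file "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "120"] [id "958001"] [msg "Cross-site Scripting (XSS) Attack"] [severity "CRITICAL"]
--7d10e3a2-Z--
--9b6c55e0-A--
[16/Jan/2008:21:32:40 +0000] R4oIKMCoAQEAAB4tJgsAAAAD 192.168.1.50 51251 192.168.1.1 80
--9b6c55e0-B--
GET /index.php?id=2%20UNION%20SELECT%20null,null HTTP/1.1
Host: www.example.com
User-Agent: curl/7.18.0

--9b6c55e0-H--
Message: Access denied with code 403 (phase 2). Pattern match "union.{1,100}?select" at ARGS:id. [file "/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--9b6c55e0-Z--
EOF

# Print "count<TAB>rule-id<TAB>message" for every rule that fired, most frequent first.
# Rule id and message are pulled from the [id "..."] and [msg "..."] tags of each Message line.
modsec_rule_hits() {
    awk '
        /^Message: / {
            id = ""; msg = ""
            if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            if (id != "") hits[id "\t" msg]++
        }
        END { for (k in hits) printf "%d\t%s\n", hits[k], k }
    ' "$1" | sort -rn
}

# Number of requests ModSecurity actually blocked: part H of an intercepted
# transaction carries an "Action: Intercepted" line. "|| true" keeps a zero
# count from aborting a "set -e" shell, since grep -c exits 1 on no match.
modsec_denied_count() {
    grep -c '^Action: Intercepted' "$1" || true
}

# One line per transaction: "pass" or "DENIED", then the request line from
# part B. Scan this for legitimate requests that would be blocked under deny.
modsec_transactions() {
    awk '
        /^--[0-9a-f]+-B--$/ { getline; req = $0; next }
        /^--[0-9a-f]+-H--$/ { inH = 1; verdict = "pass"; next }
        inH && /^Action: Intercepted/ { verdict = "DENIED" }
        /^--[0-9a-f]+-Z--$/ { if (inH) printf "%s\t%s\n", verdict, req; inH = 0 }
    ' "$1"
}

echo "== rule hits =="; modsec_rule_hits "$SAMPLE_LOG"
echo "== transactions =="; modsec_transactions "$SAMPLE_LOG"
echo "denied: $(modsec_denied_count "$SAMPLE_LOG") of $(modsec_transactions "$SAMPLE_LOG" | wc -l | tr -d ' ')"
```

On the sample the first summary reports rule 950001 twice and 958001 once, and the transaction list shows two "pass" lines and one "DENIED" line. A rule that shows up against requests you know are legitimate is a candidate for SecRuleRemoveById or for tuning before you change SecDefaultAction.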

hope this helps :)