How to install ModSecurity 2 on Ubuntu Intrepid 8.10


ModSecurity 2
A quick description of ModSecurity:
“ModSecurity is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.”

My guide for installing ModSecurity 2 is based on Ubuntu 8.10 Intrepid with Apache 2; you can use it as a reference for other Linux distributions. NOTE: Please read this page as a reference before continuing. It may help, as some references relate to Ubuntu Linux.

Get the required development files:

sudo apt-get install apache2-prefork-dev libxml++2.6-dev liblua5.1-0 liblua5.1-0-dev

Next, you will need to download ModSecurity 2 from http://modsecurity.org (to save yourself the time of registering, you can instead run "wget http://vinno.net/sitefiles/modsecurity-apache_2.5.7.tar.gz").

Uncompress it somewhere in your home directory (e.g. tar -xvvzf modsecurity-apache_2.5.7.tar.gz).

Now go into the ModSecurity directory; there should be an apache2 directory inside. Move into that directory.
Now it is time to configure:

./configure --with-apxs=/usr/bin/apxs2

Then build and install with:

sudo make install

Now you need to load the ModSecurity 2 module by creating a load file for Apache 2:

sudo nano /etc/apache2/mods-available/mod-security2.load

Paste this in:

LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

To enable the module in Apache 2:

sudo ln -s /etc/apache2/mods-available/mod-security2.load /etc/apache2/mods-enabled

You must also enable the unique_id module, which already ships with apache2:

sudo ln -s /etc/apache2/mods-available/unique_id.load /etc/apache2/mods-enabled

Now tell Apache where to find the ModSecurity rules and which files to load:

sudo nano /etc/apache2/conf.d/modsecurity2.conf

Paste this in:

<IfModule mod_security2.c>
Include /etc/modsecurity/*.conf
</IfModule>

Now let's create a ModSecurity directory where we can place our rule files and logs:

sudo mkdir /etc/modsecurity
sudo mkdir /etc/modsecurity/logs
sudo touch /etc/modsecurity/logs/modsec_audit.log
sudo touch /etc/modsecurity/logs/modsec_debug.log

Now we are going to gather the ModSecurity 2 rule files, which came with the ModSecurity 2 package you downloaded earlier. There should be a directory called rules.
Go into that directory; then we will copy the rule config files over to /etc/modsecurity/:

sudo cp *.conf /etc/modsecurity/

You must edit one of the rule config files, called "modsecurity_crs_10_config.conf":

sudo nano /etc/modsecurity/modsecurity_crs_10_config.conf

Two changes need to be made. Change

SecDebugLog logs/modsec_debug.log

to

SecDebugLog /etc/modsecurity/logs/modsec_debug.log

and change

SecAuditLog logs/modsec_audit.log

to

SecAuditLog /etc/modsecurity/logs/modsec_audit.log

Now you're done; time to restart apache2:

sudo /etc/init.d/apache2 restart

To find out whether ModSecurity 2 is running successfully:

grep ModSecurity /var/log/apache2/error.log

This should return something like:

[Sun Nov 16 22:24:51 2008] [notice] ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/) configured
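To automate the two hand edits to modsecurity_crs_10_config.conf and the final error.log check described above, here is a small POSIX shell script. It is an added example, not part of the original guide: the fix_log_paths and modsec_loaded functions, the scratch directory, the sample config and the sample log line are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): do the two log-path edits in
# modsecurity_crs_10_config.conf with sed instead of by hand, then check
# error.log for the ModSecurity notice. Assumes only POSIX sh, sed and grep.
# Every file written below is a constructed sample, not a real install.

# fix_log_paths CONFIG_FILE MODSEC_DIR
# Rewrites "SecDebugLog logs/..." and "SecAuditLog logs/..." to absolute
# paths under MODSEC_DIR/logs, keeps a .bak copy, leaves every other
# directive alone and prints how many lines it changed.
fix_log_paths() {
    cfg="$1"
    dir="$2"
    changed=$(grep -c -E '^Sec(Debug|Audit)Log[[:space:]]+logs/' "$cfg" || true)
    sed -i.bak -E "s#^(Sec(Debug|Audit)Log)[[:space:]]+logs/#\\1 ${dir}/logs/#" "$cfg"
    echo "$changed"
}

# modsec_loaded ERROR_LOG
# Succeeds only if the log holds the "ModSecurity for Apache/<ver> (...)
# configured" notice the guide greps for, and prints that version.
modsec_loaded() {
    ver=$(sed -n -E 's#.*ModSecurity for Apache/([0-9.]+) \(.*\) configured.*#\1#p' "$1" | tail -n 1)
    [ -n "$ver" ] || return 1
    echo "$ver"
}

# Demo on constructed files in a scratch directory.
work=$(mktemp -d)
cat > "$work/modsecurity_crs_10_config.conf" <<'EOF'
SecRuleEngine On
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
SecAuditLog logs/modsec_audit.log
EOF
echo "lines rewritten: $(fix_log_paths "$work/modsecurity_crs_10_config.conf" /etc/modsecurity)"
grep -E '^Sec(Debug|Audit)Log ' "$work/modsecurity_crs_10_config.conf"

# A constructed error.log line in the format the guide shows as success.
echo '[Sun Nov 16 22:24:51 2008] [notice] ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/) configured' > "$work/error.log"
if ver=$(modsec_loaded "$work/error.log"); then
    echo "ModSecurity $ver is loaded"
else
    echo "ModSecurity notice not found: check the .load file and mods-enabled links" >&2
fi
```

Point fix_log_paths at the real /etc/modsecurity/modsecurity_crs_10_config.conf (with sudo) to apply the same two edits on a live system; the .bak copy lets you diff the result before restarting Apache.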

---Extras--- Once you have it up and running:

  • You can add more rule config files by copying the files in the optional_rules directory over to your /etc/modsecurity/ directory.
  • You can also change some of ModSecurity's actions by editing the /etc/modsecurity/modsecurity_crs_10_config.conf file: look for lines like the ones below, remove the leading # to uncomment them, and change 'pass' to 'deny'.
    #SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    #"phase:1,pass,nolog,ctl:requestBodyProcessor=XML"
    #SecRule RESPONSE_STATUS "!^(?:30[12]|[45]\d\d)$" "phase:3,pass,nolog,initcol:resource=%{REQUEST_FILENAME}"
    #SecDefaultAction "phase:2,log,pass,status:500"

---Extras part 2---
www.gotroot.com also has rules you can use: http://downloads.prometheus-group.com/delayed/rules/modsec-2.5-free-late...