
Red Hat / CentOS Install mod_security Apache Intrusion Detection And Prevention Engine

by Nix Craft on May 9, 2009. Last updated May 9, 2009, in Apache, CentOS, Networking.

How do I install ModSecurity, an open source intrusion detection and prevention engine for web applications, on a CentOS / RHEL / Red Hat Enterprise Linux 5.x server?

ModSecurity runs embedded in the web server (httpd), acting as a powerful umbrella that shields web applications from attacks. To use mod_security, you need to turn on the EPEL repo under CentOS / RHEL Linux. Once the repo is turned on, type the following command to install ModSecurity:
# yum install mod_security

Sample output:
Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * epel: www.gtlib.gatech.edu
 * base: mirror.skiplink.com
 * updates: centos.aol.com
 * addons: mirror.cs.vt.edu
 * extras: mirror.trouble-free.net
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved
==================================================================================================================
 Package Arch Version
==================================================================================================================
Installing:
 mod_security x86_64 2.5.9-1.el5

Transaction Summary
==================================================================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
 Installing : mod_security [1/1]

Installed: mod_security.x86_64 0:2.5.9-1.el5
Complete!

mod_security configuration files


1. /etc/httpd/conf.d/mod_security.conf - main configuration file for the mod_security Apache module.
2. /etc/httpd/modsecurity.d/ - all other configuration files for the mod_security Apache module.
3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf - the configuration contained in this file should be customized for your specific requirements before deployment.
4. /var/log/httpd/modsec_debug.log - debug messages, for debugging mod_security rules and other problems.
5. /var/log/httpd/modsec_audit.log - all requests that trigger a ModSecurity event (as detected) or a server error ("RelevantOnly") are logged into this file.

Open the /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:
# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

Make sure SecRuleEngine is set to "On" to protect the web server from attacks:
SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart

Make sure everything is working:


# tail -f /var/log/httpd/error_log

Sample output:
[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:34 2009] [notice] Original server signature: Apache/2.2.3 (CentOS)
[Sat May 09 23:18:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 09 23:18:34 2009] [notice] Digest: done
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations

Refer to the mod_security documentation to understand security policies.
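A check for the SecRuleEngine step above, as an added example that is not part of the original article: it lists every SecRuleEngine directive in the files it is given and reports the one that ends up in effect, because a later file that sets DetectionOnly leaves ModSecurity logging without blocking. It assumes the files are passed in the order Apache reads them and that the last directive wins; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original article): find which SecRuleEngine
# setting ends up in effect across the mod_security configuration files.
# Assumptions: files are given in the order Apache reads them, and the last
# SecRuleEngine directive seen is the one that applies.

# Print every SecRuleEngine directive in FILE as "file:line:value".
# Directive names are matched case-insensitively; commented lines are skipped
# because their first field is "#" or starts with "#".
list_engine_directives() {
    awk -v f="$1" 'NF >= 2 && tolower($1) == "secruleengine" {
        v = $2; gsub(/"/, "", v)      # the value may be quoted
        print f ":" FNR ":" tolower(v)
    }' "$1"
}

# Print the effective mode: on, detectiononly, off, or "unset".
effective_engine_mode() {
    mode=unset
    for f in "$@"; do
        [ -r "$f" ] || continue       # tolerate a missing file or an empty directory
        last=$(list_engine_directives "$f" | tail -n 1)
        [ -n "$last" ] && mode=${last##*:}
    done
    printf '%s\n' "$mode"
}

# Exit status 0 only when the engine is actually blocking.
engine_is_enforcing() {
    [ "$(effective_engine_mode "$@")" = "on" ]
}

# Constructed sample: a later file silently downgrades the engine.
demo=$(mktemp -d)
printf 'SecRuleEngine On\n' > "$demo/10_config.conf"
printf 'SecRuleEngine DetectionOnly\n' > "$demo/99_local.conf"
echo "effective mode: $(effective_engine_mode "$demo"/*.conf)"
rm -rf "$demo"

# On the layout described in the article:
#   engine_is_enforcing /etc/httpd/conf.d/mod_security.conf \
#       /etc/httpd/modsecurity.d/*.conf || echo "ModSecurity is not blocking"
```

A result of "unset" means no SecRuleEngine directive was found in the files given, which also covers the case of an empty /etc/httpd/modsecurity.d/ directory.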



14 comments

1 n3os May 13, 2009 at 2:26 am
now i found the article about CentOS Install mod_security, thx !!!

2 bitt June 9, 2009 at 9:41 pm
thx for this, very helpful.

3 Zigzacom July 11, 2009 at 4:03 am
With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for liblua-5.1.so (a dependency), but one of the CentOS repos only has lua-5.0, and I had set CentOS repos to a higher priority than the EPEL repo. I did an rpm -ivh http://mirrors.kernel.org/fedora-epel/5Server/x86_64/lua-5.1.2-1.el5.x86_64.rpm, then yum install mod_security and all was OK. yum-priorities is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right.

4 pgl January 26, 2010 at 4:40 pm
@Zigzacom: thanks for that!

5 Bob February 1, 2010 at 7:26 am
Thank you for the RPM but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I'm not an advanced Admin and wonder if I have missed something. I also don't see in error_log that mod_sec was installed.

6 nixCraft February 1, 2010 at 10:49 am
@Bob, See /etc/httpd/conf.d/mod_security.conf

7 math March 9, 2010 at 11:45 am
thank you very much for tutorial but after install mod_security all Jquery stop to load!! I think that mod_security conflict with jquery files loaded from local server please how to fix this issue?
best regards

8 mct March 10, 2010 at 10:00 pm
thx. hooked me up.


9 Djemo October 21, 2010 at 2:17 pm
I have trouble setting up mod_security from source with httpd from source on CentOS 5.5. I was able to set up mod_security from source and httpd from rpm without problems, and on FreeBSD 8.1 both from source (not ports) without problems. On CentOS, setting up from source, when I restart apache I get "ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured", and httpd starts. As soon as I add:
Include conf/modsecurity_crs_10_config.conf
in httpd.conf and restart httpd, it is stuck on restarting (or starting if it's not running already) and it takes 100% CPU. The modsecurity_crs_10_config.conf is original, and I set up everything like FreeBSD, which works. Here are the steps I created and use to set up mod_security, and they are based on requirements from the mod_security site:

Installation

0. Make sure mod_unique_id is loaded/included in httpd: compile httpd with --enable-unique-id, or load the module for rpm based httpd:
LoadModule unique_id_module modules/mod_unique_id.so

1. Download APR from Apache.org
./configure --prefix=/usr/local/apr
make
make install

2. Download PCRE from pcre.org
./configure --prefix=/usr/local/pcre
make
make install

3. Make sure you have libxml2 installed on the computer (on CENTOS5 it comes by default), otherwise install it.

4. Download Lua libs from http://luabinaries.sourceforge.net/
mkdir lualibs
cd lualibs
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_lib.tar.gz/download (for 32 bit)
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_64_lib.tar.gz/download (for 64 bit)
cp * liblua* /usr/local/lib64
cp include/* /usr/include

5. Make sure you have curl -v 7.15.1+

6. Download modsecurity from modsecurity.org (make sure you have the httpd-devel package if httpd is from RPM or not compiled --with-apxs from source)
./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config (HTTPD from source)
./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config (HTTPD from RPM for CentOS 5)
make
make install

Configuration

7. Edit the httpd.conf file to include the following:
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua5.1.so
LoadModule security2_module modules/mod_security2.so

Testing

8. Check that modsecurity is installed by stopping and starting httpd and checking the httpd error logs.

Applying Atomic Mod Security Rules

9.
mkdir rules
cd rules
wget http://downloads.prometheus-group.com/delayed/rules/modsec-201002051427.tar.gz
tar -zxvf modsec-201002051427.tar.gz
cd ..
mv rules /etc/httpd/conf

10. Create the following directories:
mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
mkdir /etc/asl
touch /etc/asl/whitelist

11. Add this to httpd.conf:
Include conf/modsecurity_crs_10_config.conf
Include conf/rules/*asl*.conf

12. Create the conf/modsecurity_crs_10_config.conf file:
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecComponentSignature 200911012341
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^(?:5|4(?!04))
SecAuditLogType Concurrent
SecAuditLog logs/audit_log
SecAuditLogParts ABIFHZ
SecArgumentSeparator &
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

13. Restart the httpd server.

Testing Mod_security and Atomic rules

14. Test with a webserver scanning tool like Nikto. Check the httpd audit log and error logs: does everything work?

End

I am wondering whether anyone else had this problem, and how they solved it. I tried on a few machines, with the same problem. Thanks


10 Djemo November 22, 2010 at 8:00 pm
I finally figured out my problem setting up mod_security with compiled httpd: skip step 2, and on step 6 use pcre from the httpd source:
./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/path/to/apache-src/srclib/pcre
httpd doesn't get stuck and it works.

11 Bri July 6, 2011 at 5:32 pm
Installing lua from here fixes this if you're running Centos 5.5: http://pkgs.org/download/centos-5-rhel-5/atomic-x86_64/lua-5.1.4-1.el5.art.x86_64.rpm.html

12 aim target October 25, 2011 at 4:30 am
Is there any full guide for installation and configuration on redhat server itself on this mod_security itself?
-aim

13 Ray January 6, 2014 at 2:44 am
This mostly worked on CentOS 5.8, except for the configuration files. This file:
vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
does not exist. The /etc/httpd/modsecurity.d/ folder is empty. I ran a search for the modsecurity config files to see if maybe they are somewhere else, but they do not exist anywhere on the server.

14 Ray January 6, 2014 at 2:48 am
I did find the main conf file at: /etc/httpd/conf.d/mod_security.conf
The others do not exist atm. I can probably find some copies on-line that will work.
