
www.Hilands.com



Installing Mod-Security
Last Modified: 2013-09-16
Mod-Security is an Apache module that acts as a Web Application Firewall (WAF). We will use it as an additional layer of security for our web server.

Prerequisites
Apache - See our LAMP configurations
Installing the module
# apt-get install libapache-mod-security
You should now see mod_security2.so in /usr/lib/apache2/modules
# ls -l /usr/lib/apache2/modules/mod_security2.so
The module should already be enabled after running the apt-get install. However, we can enable it with
# a2enmod mod-security
If it is already enabled you will see the following message
Module mod-security already enabled
Configurations
By default mod-security isn't set to do anything. We can get the configurations in one of two ways: the Debian way, by installing mod-security-common with apt (recommended), or the manual way, by getting the base rules from modsecurity.com and pointing our Apache instance at these configurations.

The Debian 6 (Squeeze) way
# apt-get install mod-security-common
To find out the version you have installed on Debian
# ls -l /var/cache/apt/archives/libapache-mod-security*
On Squeeze you will find 2.5.12
-rw-r--r-- 1 root root 122752 Apr  8 09:11 libapache-mod-security_2.5.12-1+squeeze2_amd64.deb
On Wheezy you will find 2.6.6
-rw-r--r-- 1 root root  18274 Apr  8 08:00 libapache-mod-security_2.6.6-6_all.deb
The Debian 7 (Wheezy) way
You will need to copy the sample configuration to a .conf file so it will be included by the module.
# cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
By default these sample rules only detect issues and do not actually filter any data. To change this, edit the modsecurity.conf file.
# nano /etc/modsecurity/modsecurity.conf
#SecRuleEngine DetectionOnly
SecRuleEngine On
Create symbolic links to the base configuration files so the mod-security.conf file can find them.
# ln -s /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/modsecurity_crs_10_setup.conf
# ln -s /usr/share/modsecurity-crs/base_rules/* /etc/modsecurity/
Included files can be found in the mod-security.conf
# nano /etc/apache2/mods-available/mod-security.conf
via the following configuration line
        Include "/etc/modsecurity/*.conf"
# /etc/init.d/apache2 restart
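A quick check for the SecRuleEngine edit above, as an added example that is not part of the original page: this script reports which SecRuleEngine mode the *.conf files in a directory such as /etc/modsecurity leave active. The function names and sample files are constructed for illustration, and it assumes files load in alphabetical order with a later directive overriding an earlier one.

```shell
#!/bin/sh
# Added example (not from the original page): report which SecRuleEngine mode
# a directory of ModSecurity *.conf files leaves active.

# Print the value of the last uncommented SecRuleEngine directive in DIR/*.conf,
# or "unset" if there is none. Assumption: files load in glob (alphabetical)
# order and a later directive overrides an earlier one.
effective_engine_mode() {
    mode=unset
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        # On commented lines awk's first field is "#SecRuleEngine" or "#",
        # so those lines never match.
        v=$(awk 'tolower($1) == "secruleengine" { val = $2 }
                 END { gsub(/"/, "", val); print val }' "$f")
        if [ -n "$v" ]; then mode=$v; fi
    done
    printf '%s\n' "$mode"
}

# Return 0 only when the rules will actually block requests.
is_blocking() {
    case $(effective_engine_mode "$1" | tr '[:upper:]' '[:lower:]') in
        on) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample: a detection-only file, as the recommended config ships.
make_sample() {
    d=$(mktemp -d)
    printf 'SecRuleEngine DetectionOnly\nSecRequestBodyAccess On\n' > "$d/modsecurity.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample)
echo "as shipped: $(effective_engine_mode "$sample")"
# Same file after the edit shown in the steps above (constructed).
printf '#SecRuleEngine DetectionOnly\nSecRuleEngine On\n' > "$sample/modsecurity.conf"
echo "after edit: $(effective_engine_mode "$sample")"
is_blocking "$sample" && echo "rules will block"
rm -rf "$sample"
```

On the server, calling effective_engine_mode /etc/modsecurity before restarting Apache confirms the edit took effect.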
The Manual way
We will be doing our work in /etc/apache2/mod-security-rules
# mkdir /etc/apache2/mod-security-rules
# cd /etc/apache2/mod-security-rules/
There is a set of "Base Rules" maintained by modsecurity.com. You can find the latest version of the "Base Rules" at: http://www.modsecurity.org/download/direct.html
After finding the link we can grab the files with wget.
# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.12.tar.gz
* Note: the download may take a little while, as it redirects to SourceForge and the download page has a timer attached to it.

After you have successfully downloaded the "Base Rules", extract them while in the /etc/apache2/mod-security-rules/ directory.
# tar -xzf modsecurity-apache_2.5.12.tar.gz
We will want to copy the set of base rules and the primary configuration file.
# cp -R modsecurity-apache_2.5.12/rules/base_rules ./
# cp -R modsecurity-apache_2.5.12/rules/modsecurity_crs_10_config.conf ./

We now need to tell Apache to use these configuration files.
# nano /etc/apache2/conf.d/mod-security-rules
<IfModule security2_module>
        Include mod-security-rules/*.conf
        Include mod-security-rules/base_rules/*.conf
</IfModule>
Test Example
We will set up a horrible include file that allows us to view the /etc/passwd file.
# nano /var/www/include.php
<?php $i = $_GET['i']; include ($i); ?>
View it in a web browser
http://localhost/include.php?i=/etc/passwd

You should see a copy of the passwd file displayed in the browser.
Restart the Apache server to activate the Mod Security module
# /etc/init.d/apache2 restart
Go back to the URL mentioned above and you should now see that access is forbidden.