
Red Hat / CentOS Install mod_security Apache Intrusion Detection And Prevention Engine

How do I install ModSecurity, an open source intrusion detection and prevention engine for web applications, on a CentOS / RHEL / Red Hat Enterprise Linux 5.x server?

ModSecurity runs embedded in the web server (httpd) and acts as an umbrella that shields web applications from attacks. To use mod_security, you need to enable the EPEL repo under CentOS / RHEL Linux. Once the repo is enabled, type the following command to install ModSecurity:
# yum install mod_security
Sample output:

Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * epel: www.gtlib.gatech.edu
 * base: mirror.skiplink.com
 * updates: centos.aol.com
 * addons: mirror.cs.vt.edu
 * extras: mirror.trouble-free.net
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
 Package                                  Arch                               Version                                   Repository                        Size
 mod_security                             x86_64                             2.5.9-1.el5                               epel                             935 k
Transaction Summary
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm                                                                                                    | 935 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : mod_security                                      [1/1]
Installed: mod_security.x86_64 0:2.5.9-1.el5

mod_security configuration files

  1. /etc/httpd/conf.d/mod_security.conf - main configuration file for the mod_security Apache module.
  2. /etc/httpd/modsecurity.d/ - all other configuration files for the mod_security Apache module.
  3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf - Configuration contained in this file should be customized for your specific requirements before deployment.
  4. /var/log/httpd/modsec_debug.log - Use debug messages for debugging mod_security rules and other problems.
  5. /var/log/httpd/modsec_audit.log - All requests that trigger a ModSecurity event (as detected) or a server error ("RelevantOnly") are logged into this file.

Open /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:
# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
Make sure SecRuleEngine is set to "On" to protect the web server from attacks:

SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f /var/log/httpd/error_log
Sample output:

[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:34 2009] [notice] Original server signature: Apache/2.2.3 (CentOS)
[Sat May 09 23:18:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 09 23:18:34 2009] [notice] Digest: done
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations
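
The two checks above (the SecRuleEngine setting and the ModSecurity notice in error_log) as a read-only script. This is an added example, not part of the original article or of ModSecurity; the function names are hypothetical and the sample config and log lines are constructed.

```sh
#!/bin/sh
# Added example: read-only checks for the install steps above.

# Effective SecRuleEngine mode across config files given in Include order.
# Directive names are case-insensitive; the last uncommented one wins.
modsec_engine_mode() {
    awk 'tolower($1) == "secruleengine" { gsub(/"/, "", $2); mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$@"
}

# ModSecurity version announced during the most recent completed startup in
# an Apache error_log. Prints nothing and returns 1 if that startup did not
# load the module.
modsec_startup_version() {
    awk 'match($0, /ModSecurity for Apache\/[0-9.]+/) {
             ver = substr($0, RSTART + 23, RLENGTH - 23) }
         /resuming normal operations/ { last = ver; ver = "" }
         END { if (last == "") exit 1; print last }' "$1"
}

# Constructed sample input (not taken from a real server).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/crs.conf" <<'EOF'
# SecRuleEngine Off
SecRuleEngine DetectionOnly
secruleengine On
EOF
cat > "$demo_dir/error_log" <<'EOF'
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Sun May 10 04:02:11 2009] [notice] caught SIGTERM, shutting down
[Sun May 10 04:02:13 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
EOF

echo "engine mode: $(modsec_engine_mode "$demo_dir/crs.conf")"
if ver=$(modsec_startup_version "$demo_dir/error_log"); then
    echo "ModSecurity $ver loaded at last startup"
else
    echo "last startup did not load ModSecurity"
fi
```

On a real server, pass /etc/httpd/conf.d/mod_security.conf and the files under /etc/httpd/modsecurity.d/ in the order Apache includes them to the first function, and /var/log/httpd/error_log to the second.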

Refer to the mod_security documentation to understand security policies.


{ 15 comments… add one }

  • n3os May 13, 2009, 2:26 am

    now i found the article about CentOS Install mod_security, thx !!!

  • bitt June 9, 2009, 9:41 pm

    thx for this, very helpful.

  • Zigzacom July 11, 2009, 4:03 am

    With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for liblua-5.1.so, (a dependency), but one of the CentOS repos only has “lua-5.0”, and I had set CentOS repos to a higher priority than the EPEL repo.
    I did an “rpm -ivh http://mirrors.kernel.org/fedora-epel/5Server/x86_64/lua-5.1.2-1.el5.x86_64.rpm”, then “yum install mod_security” and all was OK.

    “yum-priorities” is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right.

  • pgl January 26, 2010, 4:40 pm

    @Zigzacom: thanks for that!

  • Bob February 1, 2010, 7:26 am

    Thank you for the RPM but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I’m not an advanced Admin and wonder if I have missed something. I also don’t see in error_log that mod_sec was installed.

  • nixCraft February 1, 2010, 10:49 am


    See /etc/httpd/conf.d/mod_security.conf

  • math March 9, 2010, 11:45 am

    thank you very much for tutorial
    but after install mod_security – all Jquery stop to load!!
    I think that mod_security conflict with jquery files loaded from local server
    please how to fix this issue?
    best regards

  • mct March 10, 2010, 10:00 pm

    thx. hooked me up.

  • Djemo October 21, 2010, 2:17 pm

    I have a trouble setting mod_security from source with httpd from source on CentOS 5.5. I was able to setup mod_security from source and httpd from rpm without problems and on FreeBSD 8.1 both from source (not ports) without problems.

    On CentOS setting from source, when I restart apache I get
    ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured, and httpd starts.
    As soon as I add:
    Include conf/modsecurity_crs_10_config.conf in httpd.conf and restart httpd, is stuck on restarting (or starting if it’s not running already) and it takes 100% CPU.

    The “modsecurity_crs_10_config.conf” is original, and I setup everything like FreeBSD which works.

    Here are the steps I created and use
    to setup mod_security and they are based on requirements from mod_security site:


    0. Make sure mod_unique_id is loaded/included in httpd
    compile httpd with enable-unique-id

    or load module for rpm based httpd

    LoadModule unique_id_module modules/mod_unique_id.so

    1. Download APR from Apache.org

    ./configure --prefix=/usr/local/apr
    make install

    2. Download PCRE from pcre.org

    ./configure --prefix=/usr/local/pcre
    make install

    3. make sure you have libxml2 installed on computer (On CENTOS5 comes by default) otherwise install it

    4. Download Lua libs from http://luabinaries.sourceforge.net/
    mkdir lualibs
    cd lualibs
    wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_lib.tar.gz/download for 32bit
    wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_64_lib.tar.gz/download for 64 bit
    cp * liblua* /usr/local/lib64
    cp include/* /usr/include

    5. make sure you have curl -v 7.15.1+

    6. Download modsecurity from modsecurity.org (make sure you have httpd-devel package if httpd is from RPM or not compiled with-apxs from source)

    ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config (HTTPD from source)

    ./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config (HTTPD from RPM for CentOS 5)

    make install


    7. Edit httpd.conf file to include the following:
    LoadFile /usr/lib64/libxml2.so
    LoadFile /usr/lib64/liblua5.1.so
    LoadModule security2_module modules/mod_security2.so


    8. Check whether modsecurity is installed by stopping and starting httpd and checking httpd error logs.

    –Applying Atomic Mod Security Rules

    9. mkdir rules
    cd rules
    wget http://downloads.prometheus-group.com/delayed/rules/modsec-201002051427.tar.gz
    tar -zxvf modsec-201002051427.tar.gz
    cd ..
    mv rules /etc/httpd/conf

    10. Create following directories:
    mkdir /var/asl
    mkdir /var/asl/tmp
    mkdir /var/asl/data
    mkdir /var/asl/data/msa
    mkdir /var/asl/data/audit
    mkdir /var/asl/data/suspicious
    mkdir /etc/asl
    touch /etc/asl/whitelist

    11. Add this on httpd.conf

    Include conf/modsecurity_crs_10_config.conf
    Include conf/rules/*asl*.conf

    12. Create conf/modsecurity_crs_10_config.conf file:

    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 2621440
    SecServerSignature Apache
    SecComponentSignature 200911012341
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Concurrent
    SecAuditLog logs/audit_log
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 131072
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial

    13. Restart httpd server

    — Testing Mod_security and Atomic rules

    14. Test with webserver scanning tool like Nikto
    Check the httpd audit log and error logs to see whether everything works.

    I am wondering did anyone have this problem, and how did they solve it. I tried on few machines, and with same problem.


    • Djemo November 22, 2010, 8:00 pm

      I finally figured out my problem setting up mod_security with compiled httpd

      skip step 2. and on step 6 use pcre from httpd source:

      ./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/path/to/apache-src/srclib/pcre

      httpd doesn’t get stuck and it works.

  • Bri July 6, 2011, 5:32 pm

    Installing lua from here fixes this if you're running CentOS 5.5


  • aim target October 25, 2011, 4:30 am

    Is there any full guide for installation and configuration on redhat server itself on this mod_ security itself?


  • Ray January 6, 2014, 2:44 am

    This mostly worked on CentOS 5.8, except for the configuration files.

    This file: vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

    Does not exist. The /etc/httpd/modsecurity.d/ folder is empty. I ran a search for the modsecurity config files to see if maybe they are somewhere else, but they do not exist anywhere on the server.

    • Ray January 6, 2014, 2:48 am

      I did find the main conf file at:


      The others do not exist atm. I can probably find some copies on-line that will work.

  • Hrobky May 29, 2014, 8:26 am

    There are two separated projects: ModSecurity and Core Rule Set.

    /etc/httpd/conf.d/mod_security.conf is the base config file for MS,
    /etc/httpd/modsecurity.d/ is where CRS should be extracted to.

    Then in the apache config file you have to
    include conf.d/mod_security.conf
    include modsecurity.d/modsecurity_crs_10_setup.conf
    include modsecurity.d/activated_rules/*.conf

    CRS config/installation files are well commented.
