Red Hat / CentOS Install mod_security Apache Intrusion Detection And Prevention Engine

by on May 9, 2009 · 15 comments · LAST UPDATED May 9, 2009


How do I install ModSecurity - an open source intrusion detection and prevention engine for web applications under CentOS / RHEL / Red Hat Enterprise Linux 5.x server?

ModSecurity runs embedded in the web server (httpd), acting as a protective umbrella that shields web applications from attacks. To install mod_security, you first need to enable the EPEL repository under CentOS / RHEL Linux. Once the repository is enabled, type the following command to install ModSecurity:
# yum install mod_security
Sample output:

Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * epel: www.gtlib.gatech.edu
 * base: mirror.skiplink.com
 * updates: centos.aol.com
 * addons: mirror.cs.vt.edu
 * extras: mirror.trouble-free.net
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================================================================================
 Package                                  Arch                               Version                                   Repository                        Size
==============================================================================================================================================================
Installing:
 mod_security                             x86_64                             2.5.9-1.el5                               epel                             935 k
Transaction Summary
==============================================================================================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm                                                                                                    | 935 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : mod_security                                      [1/1]
Installed: mod_security.x86_64 0:2.5.9-1.el5
Complete!

mod_security configuration files

  1. /etc/httpd/conf.d/mod_security.conf - main configuration file for the mod_security Apache module.
  2. /etc/httpd/modsecurity.d/ - all other configuration files for the mod_security Apache module.
  3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf - the configuration in this file should be customized for your specific requirements before deployment.
  4. /var/log/httpd/modsec_debug.log - debug messages, used for debugging mod_security rules and other problems.
  5. /var/log/httpd/modsec_audit.log - all requests that trigger a ModSecurity event (as detected) or a server error are logged to this file (audit mode "RelevantOnly").

Open /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:
# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
Make sure SecRuleEngine is set to "On" so that the web server is protected from attacks (the default "DetectionOnly" only logs and does not block):

SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f /var/log/httpd/error_log
Sample output:

[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:34 2009] [notice] Original server signature: Apache/2.2.3 (CentOS)
[Sat May 09 23:18:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 09 23:18:34 2009] [notice] Digest: done
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations

Refer to the mod_security documentation to understand the security policies.
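The "make sure everything is working" step above can be scripted. The following post-install check is an added example, not part of the original article: it confirms that the effective SecRuleEngine value in the CRS config file is "On" (Apache honours the last occurrence, and "DetectionOnly" logs without blocking), that error_log carries the "ModSecurity for Apache ... configured" notice, and that the security2 module shows up in `httpd -M`. The file paths default to the ones listed above and can be overridden through the environment.

```shell
#!/bin/sh
# Post-install sanity checks for mod_security on CentOS / RHEL 5.
# Added example; paths are the article's defaults, overridable via environment.
MODSEC_CONF="${MODSEC_CONF:-/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf}"
ERROR_LOG="${ERROR_LOG:-/var/log/httpd/error_log}"

# Succeeds only if the LAST uncommented SecRuleEngine directive in the file is "On".
# Commented-out lines ("# SecRuleEngine On") are ignored, as Apache ignores them.
rule_engine_on() {
    val=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    [ "$val" = "On" ]
}

# Succeeds if httpd announced ModSecurity at startup in the given error log.
modsec_configured() {
    grep -q 'ModSecurity for Apache/.* configured' "$1" 2>/dev/null
}

# Succeeds if the running httpd configuration loads security2_module.
# Assumes Apache 2.2's "httpd -M" (lists loaded modules) is on PATH.
module_loaded() {
    httpd -M 2>/dev/null | grep -q 'security2_module'
}

# Runs all three checks; returns 0 only when all pass, printing one line each.
check_install() {
    rc=0
    if rule_engine_on "$MODSEC_CONF"; then echo "OK: SecRuleEngine On in $MODSEC_CONF"
    else echo "WARN: SecRuleEngine is not On in $MODSEC_CONF (rules will not block)"; rc=1; fi
    if modsec_configured "$ERROR_LOG"; then echo "OK: ModSecurity reported configured in $ERROR_LOG"
    else echo "WARN: no ModSecurity startup notice in $ERROR_LOG"; rc=1; fi
    if module_loaded; then echo "OK: security2_module is loaded"
    else echo "WARN: security2_module not reported by httpd -M"; rc=1; fi
    return $rc
}

# Only run the checks when explicitly asked, so the file can also be sourced.
case "${1:-}" in run) check_install ;; esac
```

Run it as `sh modsec_check.sh run` after `service httpd restart`; a non-zero exit means at least one check failed.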



1 n3os May 13, 2009 at 2:26 am

Now I found the article about CentOS Install mod_security, thx!!!

Reply

2 bitt June 9, 2009 at 9:41 pm

thx for this, very helpful.

Reply

3 Zigzacom July 11, 2009 at 4:03 am

With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for liblua-5.1.so (a dependency), but one of the CentOS repos only has "lua-5.0", and I had set CentOS repos to a higher priority than the EPEL repo.
I did an "rpm -ivh http://mirrors.kernel.org/fedora-epel/5Server/x86_64/lua-5.1.2-1.el5.x86_64.rpm", then "yum install mod_security" and all was OK.

"yum-priorities" is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right.

Reply

4 pgl January 26, 2010 at 4:40 pm

@Zigzacom: thanks for that!

Reply

5 Bob February 1, 2010 at 7:26 am

Thank you for the RPM but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I’m not an advanced Admin and wonder if I have missed something. I also don’t see in error_log that mod_sec was installed.

Reply

6 nixCraft February 1, 2010 at 10:49 am

@Bob,

See /etc/httpd/conf.d/mod_security.conf

Reply

7 math March 9, 2010 at 11:45 am

Thank you very much for the tutorial,
but after installing mod_security all jQuery stops loading!!
I think that mod_security conflicts with the jQuery files loaded from the local server.
Please, how to fix this issue?
Best regards

Reply

8 mct March 10, 2010 at 10:00 pm

thx. hooked me up.

Reply

9 Djemo October 21, 2010 at 2:17 pm

I have a trouble setting mod_security from source with httpd from source on CentOS 5.5. I was able to setup mod_security from source and httpd from rpm without problems and on FreeBSD 8.1 both from source (not ports) without problems.

On CentOS, set up from source, when I restart Apache I get
ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured, and httpd starts.
As soon as I add
Include conf/modsecurity_crs_10_config.conf to httpd.conf and restart httpd, it gets stuck on restarting (or starting, if it's not running already) and it takes 100% CPU.

The "modsecurity_crs_10_config.conf" is the original, and I set up everything like on FreeBSD, which works.

Here are the steps I created and use to set up mod_security; they are based on the requirements from the mod_security site:

--Installation

0. Make sure mod_unique_id is loaded/included in httpd:
compile httpd with --enable-unique-id

or load module for rpm based httpd

LoadModule unique_id_module modules/mod_unique_id.so

1. Download APR from Apache.org

./configure --prefix=/usr/local/apr
make
make install

2. Download PCRE from pcre.org

./configure --prefix=/usr/local/pcre
make
make install

3. Make sure you have libxml2 installed on the computer (on CentOS 5 it comes by default); otherwise install it.

4. Download the Lua libs from http://luabinaries.sourceforge.net/
mkdir lualibs
cd lualibs
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_lib.tar.gz/download (for 32-bit)
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_64_lib.tar.gz/download (for 64-bit)
cp liblua* /usr/local/lib64
cp include/* /usr/include

5. Make sure you have curl 7.15.1+ (curl -V)

6. Download modsecurity from modsecurity.org (make sure you have the httpd-devel package if httpd is from RPM, or was not compiled with apxs from source)

./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config (HTTPD from source)

./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config (HTTPD from RPM for CentOS 5)

make
make install

--Configuration

7. Edit httpd.conf file to include the following:
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua5.1.so
LoadModule security2_module modules/mod_security2.so

--Testing

8. Check that modsecurity is installed by stopping and starting httpd and checking the httpd error logs.

--Applying Atomic Mod Security Rules

9. mkdir rules
cd rules
wget http://downloads.prometheus-group.com/delayed/rules/modsec-201002051427.tar.gz
tar -zxvf modsec-201002051427.tar.gz
cd ..
mv rules /etc/httpd/conf

10. Create the following directories:
mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
mkdir /etc/asl
touch /etc/asl/whitelist

11. Add this to httpd.conf:

Include conf/modsecurity_crs_10_config.conf
Include conf/rules/*asl*.conf

12. Create conf/modsecurity_crs_10_config.conf file:

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecComponentSignature 200911012341
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Concurrent
SecAuditLog logs/audit_log
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

13. Restart the httpd server

--Testing Mod_security and Atomic rules

14. Test with a web server scanning tool like Nikto.
Check the httpd audit log and error logs to see whether everything works.

--End
I am wondering whether anyone has had this problem, and how they solved it. I tried on a few machines, with the same problem.

Thanks

Reply

10 Djemo November 22, 2010 at 8:00 pm

I finally figured out my problem setting up mod_security with compiled httpd.

Skip step 2, and in step 6 use the pcre from the httpd source:

./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/path/to/apache-src/srclib/pcre

httpd doesn't get stuck and it works.

Reply

11 Bri July 6, 2011 at 5:32 pm
12 aim target October 25, 2011 at 4:30 am

Is there any full guide for installation and configuration of mod_security on a Red Hat server itself?

-aim-

Reply

13 Ray January 6, 2014 at 2:44 am

This mostly worked on CentOS 5.8, except for the configuration files.

This file: vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

does not exist. The /etc/httpd/modsecurity.d/ folder is empty. I ran a search for the modsecurity config files to see if maybe they are somewhere else, but they do not exist anywhere on the server.

Reply

14 Ray January 6, 2014 at 2:48 am

I did find the main conf file at:

/etc/httpd/conf.d/mod_security.conf

The others do not exist atm. I can probably find some copies on-line that will work.

Reply

15 Hrobky May 29, 2014 at 8:26 am

There are two separate projects: ModSecurity and the Core Rule Set.

/etc/httpd/conf.d/mod_security.conf is the base config file for MS,
/etc/httpd/modsecurity.d/ is where CRS should be extracted to.

Then in the Apache config file you have to
include conf.d/mod_security.conf
include modsecurity.d/modsecurity_crs_10_setup.conf
include modsecurity.d/activated_rules/*.conf

CRS config/installation files are well commented.

Reply
