How do I install ModSecurity, an open source intrusion detection and prevention engine for web applications, on a CentOS / RHEL / Red Hat Enterprise Linux 5.x server?
ModSecurity operates embedded in the web server (httpd), acting as a powerful umbrella that shields web applications from attacks. To use mod_security, you need to turn on the EPEL repo under CentOS / RHEL Linux. Once the repo is turned on, type the following command to install ModSecurity:
# yum install mod_security
Sample output:
Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * epel: www.gtlib.gatech.edu
 * base: mirror.skiplink.com
 * updates: centos.aol.com
 * addons: mirror.cs.vt.edu
 * extras: mirror.trouble-free.net
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package            Arch          Version            Repository          Size
================================================================================
Installing:
 mod_security       x86_64        2.5.9-1.el5        epel                935 k
Transaction Summary
================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm | 935 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : mod_security [1/1]
Installed: mod_security.x86_64 0:2.5.9-1.el5
Complete!
mod_security configuration files
- /etc/httpd/conf.d/mod_security.conf - main configuration file for the mod_security Apache module.
- /etc/httpd/modsecurity.d/ - all other configuration files for the mod_security Apache module.
- /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf - Configuration contained in this file should be customized for your specific requirements before deployment.
- /var/log/httpd/modsec_debug.log - Use debug messages for debugging mod_security rules and other problems.
- /var/log/httpd/modsec_audit.log - All requests that trigger a ModSecurity event (as detected) or a server error ("RelevantOnly") are logged into this file.
Open the /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:
# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
Make sure SecRuleEngine is set to "On" to protect the web server from attacks:
SecRuleEngine On
Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f /var/log/httpd/error_log
Sample output:
[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:34 2009] [notice] Original server signature: Apache/2.2.3 (CentOS)
[Sat May 09 23:18:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 09 23:18:34 2009] [notice] Digest: done
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations
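A scripted version of the two checks above, added here as an example (it is not part of the original article): it reports the effective SecRuleEngine value across a configuration directory and confirms the module's startup notice in the error log. It assumes a later SecRuleEngine directive overrides an earlier one; zz_local.conf and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Paths are arguments; on the page's layout they would be
# /etc/httpd/modsecurity.d and /var/log/httpd/error_log.

# Print the last uncommented SecRuleEngine value in "$1"/*.conf, reading
# files in sorted order; assumes a later directive overrides an earlier one.
# Prints "unset" when no file sets it.
secrule_engine_state() {
    state=unset
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(awk 'tolower($1) == "secruleengine" { val = $2 }
                 END { gsub(/"/, "", val); print val }' "$f")
        if [ -n "$v" ]; then state=$v; fi
    done
    printf '%s\n' "$state"
}

# Print the version from the newest "ModSecurity for Apache/x.y.z ...
# configured." notice in error log "$1"; return 1 if there is none.
modsec_version_in_log() {
    v=$(sed -n 's,.*\[notice\] ModSecurity for Apache/\([0-9.]*\) .*configured\..*,\1,p' "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Constructed sample input (not from a real server). zz_local.conf is a
# hypothetical later file that quietly downgrades the engine.
demo=$(mktemp -d)
printf '%s\n' '# SecRuleEngine Off' 'SecRuleEngine On' \
    > "$demo/modsecurity_crs_10_config.conf"
printf '%s\n' 'SecRuleEngine DetectionOnly' > "$demo/zz_local.conf"
printf '%s\n' \
    '[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)' \
    '[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.' \
    > "$demo/error_log"

echo "SecRuleEngine: $(secrule_engine_state "$demo")"
echo "ModSecurity:   $(modsec_version_in_log "$demo/error_log" || echo 'not announced')"
rm -rf "$demo"
```

Any result other than "On" from the first check means requests are not being blocked, even though httpd restarted cleanly.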
Refer to the mod_security documentation to understand security policies.
- Last Updated: 05/9/09




{ 8 comments }
now i found the article about CentOS Install mod_security, thx !!!
thx for this, very helpful.
With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for liblua-5.1.so, (a dependency), but one of the CentOS repos only has “lua-5.0”, and I had set CentOS repos to a higher priority than the EPEL repo.
I did an “rpm -ivh http://mirrors.kernel.org/fedora-epel/5Server/x86_64/lua-5.1.2-1.el5.x86_64.rpm”, then “yum install mod_security” and all was OK.
“yum-priorities” is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right.
@Zigzacom: thanks for that!
Thank you for the RPM but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I’m not an advanced Admin and wonder if I have missed something. I also don’t see in error_log that mod_sec was installed.
@Bob,
See /etc/httpd/conf.d/mod_security.conf
thank you very much for tutorial
but after install mod_security – all Jquery stop to load!!
I think that mod_security conflict with jquery files loaded from local server
please how to fix this issue?
best regards
thx. hooked me up.