Comments on: Red Hat / CentOS Install mod_security Apache Intrusion Detection And Prevention Engine http://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/ Every answer asks a more beautiful question. Fri, 10 Feb 2012 19:55:56 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Brihttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-60518 Bri Wed, 06 Jul 2011 17:32:37 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-60518 Installing lua from here fixes this if your running Centos 5.5 http://pkgs.org/download/centos-5-rhel-5/atomic-x86_64/lua-5.1.4-1.el5.art.x86_64.rpm.html Installing lua from here fixes this if your running Centos 5.5

http://pkgs.org/download/centos-5-rhel-5/atomic-x86_64/lua-5.1.4-1.el5.art.x86_64.rpm.html

]]> By: Djemohttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-51052 Djemo Mon, 22 Nov 2010 20:00:08 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-51052 i finally figure out my problem setting up mod_security with compiled httpd skip step 2. and on step 6 use pcre from httpd source: ./configure –with-apxs=/usr/sbin/apxs –with-apr=/usr/local/apr/bin/apr-1-config –with-apu=/usr/bin/apu-1-config --with-pcre=/path/to/apache-src/srclib/pcre httpd doesn't get stuck ant it works. i finally figure out my problem setting up mod_security with compiled httpd

skip step 2. and on step 6 use pcre from httpd source:

./configure –with-apxs=/usr/sbin/apxs –with-apr=/usr/local/apr/bin/apr-1-config –with-apu=/usr/bin/apu-1-config –with-pcre=/path/to/apache-src/srclib/pcre

httpd doesn’t get stuck ant it works.

]]> By: Djemohttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-50261 Djemo Thu, 21 Oct 2010 14:17:05 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-50261 I have a trouble setting mod_security from source with httpd from source on CentOS 5.5. I was able to setup mod_security from source and httpd from rpm without problems and on FreeBSD 8.1 both from source (not ports) without problems. On CentOS setting from source, when I restart apache I get ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured, and httpd starts. As soon as I add: Include conf/modsecurity_crs_10_config.conf in httpd.conf and restart httpd, is stuck on restarting (or starting if it's not running already) and it takes 100% CPU. The "modsecurity_crs_10_config.conf" is original, and I setup everything like FreeBSD which works. Here are the steps I created and use to setup mod_security and they are based on requirements from mod_security site: --Installation 0. Make sure mod_unique_id is loaded/included in httpd compile httpd with enable-unique-id or load module for rpm based httpd LoadModule unique_id_module modules/mod_unique_id.so 1. Download APR form Apache.org ./configure --prefix=/usr/local/apr make make install 2. Download PCRE from pcre.org ./configure --prefix=/usr/local/pcre make make install 3. make sure you have libxml2 installed on computer (On CENTOS5 comes by default) otherwise install it 4. Download Lua libs from from http://luabinaries.sourceforge.net/ mkdir lualibs cd lualibs wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_lib.tar.gz/download for 32bit wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_64_lib.tar.gz/download for 64 bit cp * liblua* /usr/local/lib64 cp include/* /usr/include 5. make sure you have curl -v 7.15.1+ 6. Download modsecurity from modsecurity.org (make sure you have httpd-devel package if httpd is from RPM or not compiled with-apxs from source) ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config --with- pcre=/usr/local/pcre/bin/pcre-config (HTTPD from source) ./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre- config (HTTPD from RPM for CentOS 5) make make install --Configuration 7. Edit httpd.conf file to include the following: LoadFile /usr/lib64/libxml2.so LoadFile /usr/lib64/liblua5.1.so LoadModule security2_module modules/mod_security2.so --Testing 8. Check is modsecurity installed by stoping and starting httpd and checking httpd error logs. --Applying Atomic Mod Security Rules 9. mkdir rules cd rules wget http://downloads.prometheus-group.com/delayed/rules/modsec-201002051427.tar.gz tar -zxvf modsec-201002051427.tar.gz cd .. mv rules /etc/httpd/conf 10. Create following directories: mkdir /var/asl mkdir /var/asl/tmp mkdir /var/asl/data mkdir /var/asl/data/msa mkdir /var/asl/data/audit mkdir /var/asl/data/suspicious mkdir /etc/asl touch /etc/asl/whitelist 11. Add this on httpd.conf Include conf/modsecurity_crs_10_config.conf Include conf/rules/*asl*.conf 12. Create conf/modsecurity_crs_10_config.conf file: SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess On SecResponseBodyMimeType (null) text/html text/plain text/xml SecResponseBodyLimit 2621440 SecServerSignature Apache SecComponentSignature 200911012341 SecUploadDir /var/asl/data/suspicious SecUploadKeepFiles Off SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:5|4(?!04))" SecAuditLogType Concurrent SecAuditLog logs/audit_log SecAuditLogParts ABIFHZ SecArgumentSeparator "&" SecCookieFormat 0 SecRequestBodyInMemoryLimit 131072 SecDataDir /var/asl/data/msa SecTmpDir /tmp SecAuditLogStorageDir /var/asl/data/audit SecResponseBodyLimitAction ProcessPartial 13. Restart httpd server -- Testing Mod_security and Atomic rules 14. Test with webserver scanning tool like Nikto Check the httpd audit log and error logs does evrything work. --End I am wondering did anyone have this problem, and how did they solve it. I tried on few machines, and with same problem. Thanks I have a trouble setting mod_security from source with httpd from source on CentOS 5.5. I was able to setup mod_security from source and httpd from rpm without problems and on FreeBSD 8.1 both from source (not ports) without problems.

On CentOS setting from source, when I restart apache I get
ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured, and httpd starts.
As soon as I add:
Include conf/modsecurity_crs_10_config.conf in httpd.conf and restart httpd, is stuck on restarting (or starting if it’s not running already) and it takes 100% CPU.

The “modsecurity_crs_10_config.conf” is original, and I setup everything like FreeBSD which works.

Here are the steps I created and use
to setup mod_security and they are based on requirements from mod_security site:

–Installation

0. Make sure mod_unique_id is loaded/included in httpd
compile httpd with enable-unique-id

or load module for rpm based httpd

LoadModule unique_id_module modules/mod_unique_id.so

1. Download APR form Apache.org

./configure –prefix=/usr/local/apr
make
make install

2. Download PCRE from pcre.org

./configure –prefix=/usr/local/pcre
make
make install

3. make sure you have libxml2 installed on computer (On CENTOS5 comes by default) otherwise install it

4. Download Lua libs from from http://luabinaries.sourceforge.net/
mkdir lualibs
cd lualibs
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_lib.tar.gz/download for 32bit
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_64_lib.tar.gz/download for 64 bit
cp * liblua* /usr/local/lib64
cp include/* /usr/include

5. make sure you have curl -v 7.15.1+

6. Download modsecurity from modsecurity.org (make sure you have httpd-devel package if httpd is from RPM or not compiled with-apxs from source)

./configure –with-apxs=/usr/local/apache2/bin/apxs –with-apr=/usr/local/apr/bin/apr-1-config –with-apu=/usr/local/apache2/bin/apu-1-config –with-

pcre=/usr/local/pcre/bin/pcre-config (HTTPD from source)

./configure –with-apxs=/usr/sbin/apxs –with-apr=/usr/local/apr/bin/apr-1-config –with-apu=/usr/bin/apu-1-config –with-pcre=/usr/local/pcre/bin/pcre-

config (HTTPD from RPM for CentOS 5)

make
make install

–Configuration

7. Edit httpd.conf file to include the following:
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua5.1.so
LoadModule security2_module modules/mod_security2.so

–Testing

8. Check is modsecurity installed by stoping and starting httpd and checking httpd error logs.

–Applying Atomic Mod Security Rules

9. mkdir rules
cd rules
wget http://downloads.prometheus-group.com/delayed/rules/modsec-201002051427.tar.gz
tar -zxvf modsec-201002051427.tar.gz
cd ..
mv rules /etc/httpd/conf

10. Create following directories:
mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
mkdir /etc/asl
touch /etc/asl/whitelist

11. Add this on httpd.conf

Include conf/modsecurity_crs_10_config.conf
Include conf/rules/*asl*.conf

12. Create conf/modsecurity_crs_10_config.conf file:

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecComponentSignature 200911012341
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus “^(?:5|4(?!04))”
SecAuditLogType Concurrent
SecAuditLog logs/audit_log
SecAuditLogParts ABIFHZ
SecArgumentSeparator “&”
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

13. Restart httpd server

– Testing Mod_security and Atomic rules

14. Test with webserver scanning tool like Nikto
Check the httpd audit log and error logs does evrything work.

–End
I am wondering did anyone have this problem, and how did they solve it. I tried on few machines, and with same problem.

Thanks

]]> By: mcthttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-46338 mct Wed, 10 Mar 2010 22:00:14 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-46338 thx. hooked me up. thx. hooked me up.

]]> By: mathhttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-46300 math Tue, 09 Mar 2010 11:45:52 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-46300 thank you very much for tutorial but after install mod_security - all Jquery stop to load!! I think that mod_security conflict with jquery files loaded from local server plesae how to fix this issue? best regards thank you very much for tutorial
but after install mod_security – all Jquery stop to load!!
I think that mod_security conflict with jquery files loaded from local server
plesae how to fix this issue?
best regards

]]> By: Vivek Gitehttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-45782 Vivek Gite Mon, 01 Feb 2010 10:49:06 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-45782 @Bob, See /etc/httpd/conf.d/mod_security.conf @Bob,

See /etc/httpd/conf.d/mod_security.conf

]]> By: Bobhttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-45780 Bob Mon, 01 Feb 2010 07:26:11 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-45780 Thank you for the RPM but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I'm not an advanced Admin and wonder if I have missed something. I also don't see in error_log that mod_sec was installed. Thank you for the RPM but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I’m not an advanced Admin and wonder if I have missed something. I also don’t see in error_log that mod_sec was installed.

]]> By: pglhttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-45690 pgl Tue, 26 Jan 2010 16:40:39 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-45690 @Zigzacom: thanks for that! @Zigzacom: thanks for that!

]]> By: Zigzacomhttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-42475 Zigzacom Sat, 11 Jul 2009 04:03:24 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-42475 With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for liblua-5.1.so, (a dependency), but one of the CentOS repos only has "lua-5.0", and I had set CentOS repos to a higher priority than the EPEL repo. I did an "rpm -ivh http://mirrors.kernel.org/fedora-epel/5Server/x86_64/lua-5.1.2-1.el5.x86_64.rpm", then "yum install mod_security" and all was OK. "yum-priorities" is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right. With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for liblua-5.1.so, (a dependency), but one of the CentOS repos only has “lua-5.0″, and I had set CentOS repos to a higher priority than the EPEL repo.
I did an “rpm -ivh http://mirrors.kernel.org/fedora-epel/5Server/x86_64/lua-5.1.2-1.el5.x86_64.rpm“, then “yum install mod_security” and all was OK.

“yum-priorities” is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right.

]]> By: bitthttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-41981 bitt Tue, 09 Jun 2009 21:41:49 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-41981 thx for this, very helpful. thx for this, very helpful.

]]> By: n3oshttp://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/#comment-41583 n3os Wed, 13 May 2009 02:26:36 +0000 http://www.cyberciti.biz/faq/?p=3770#comment-41583 now i found the article about CentOS Install mod_security, thx !!! now i found the article about CentOS Install mod_security, thx !!!

]]>