How do I install ModSecurity – an open source intrusion detection and prevention engine for web applications under CentOS / RHEL / Red Hat Enterprise Linux 5.x server?

ModSecurity operates embedded into the web server (httpd), acting as a powerful umbrella – shielding web applications from attacks. In order to use mod_security, you need to turn on EPEL repo under CentOS / RHEL Linux. Once repo is turned on, type the following command to install ModSecurity:
# yum install mod_security
Sample output:

Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * epel:
 * base:
 * updates:
 * addons:
 * extras:
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

 Package                                  Arch                               Version                                   Repository                        Size
 mod_security                             x86_64                             2.5.9-1.el5                               epel                             935 k

Transaction Summary
Install      1 Package(s)         
Update       0 Package(s)         
Remove       0 Package(s)         

Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm                                                                                                    | 935 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : mod_security                                      [1/1] 

Installed: mod_security.x86_64 0:2.5.9-1.el5

mod_security configuration files

  1. /etc/httpd/conf.d/mod_security.conf – main configuration file for the mod_security Apache module.
  2. /etc/httpd/modsecurity.d/ – all other configuration files for the mod_security Apache.
  3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf – Configuration contained in this file should be customized for your specific requirements before deployment.
  4. /var/log/httpd/modsec_debug.log – Use debug messages for debugging mod_security rules and other problems.
  5. /var/log/httpd/modsec_audit.log – All requests that trigger a ModSecurity events (as detected) or a serer error are logged (“RelevantOnly”) are logged into this file.

Open /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:
# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
Make sure SecRuleEngine set to “On” to protect webserver for the attacks:

SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f /var/log/httpd/error_log
Sample output:

[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 ( configured.
[Sat May 09 23:18:34 2009] [notice] Original server signature: Apache/2.2.3 (CentOS)
[Sat May 09 23:18:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 09 23:18:34 2009] [notice] Digest: done
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations

Refer mod_security documentations to understand security policies.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 17 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
17 comments… add one
  • n3os May 13, 2009 @ 2:26

    now i found the article about CentOS Install mod_security, thx !!!

  • bitt Jun 9, 2009 @ 21:41

    thx for this, very helpful.

  • Zigzacom Jul 11, 2009 @ 4:03

    With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for, (a dependency), but one of the CentOS repos only has “lua-5.0”, and I had set CentOS repos to a higher priority than the EPEL repo.
    I did an “rpm -ivh“, then “yum install mod_security” and all was OK.

    “yum-priorities” is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right.

  • pgl Jan 26, 2010 @ 16:40

    @Zigzacom: thanks for that!

  • Bob Feb 1, 2010 @ 7:26

    Thank you for the RPM but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I’m not an advanced Admin and wonder if I have missed something. I also don’t see in error_log that mod_sec was installed.

  • 🐧 nixCraft Feb 1, 2010 @ 10:49


    See /etc/httpd/conf.d/mod_security.conf

  • math Mar 9, 2010 @ 11:45

    thank you very much for tutorial
    but after install mod_security – all Jquery stop to load!!
    I think that mod_security conflict with jquery files loaded from local server
    plesae how to fix this issue?
    best regards

  • mct Mar 10, 2010 @ 22:00

    thx. hooked me up.

  • Djemo Oct 21, 2010 @ 14:17

    I have a trouble setting mod_security from source with httpd from source on CentOS 5.5. I was able to setup mod_security from source and httpd from rpm without problems and on FreeBSD 8.1 both from source (not ports) without problems.

    On CentOS setting from source, when I restart apache I get
    ModSecurity for Apache/2.5.12 ( configured, and httpd starts.
    As soon as I add:
    Include conf/modsecurity_crs_10_config.conf in httpd.conf and restart httpd, is stuck on restarting (or starting if it’s not running already) and it takes 100% CPU.

    The “modsecurity_crs_10_config.conf” is original, and I setup everything like FreeBSD which works.

    Here are the steps I created and use
    to setup mod_security and they are based on requirements from mod_security site:


    0. Make sure mod_unique_id is loaded/included in httpd
    compile httpd with enable-unique-id

    or load module for rpm based httpd

    LoadModule unique_id_module modules/

    1. Download APR form

    ./configure –prefix=/usr/local/apr
    make install

    2. Download PCRE from

    ./configure –prefix=/usr/local/pcre
    make install

    3. make sure you have libxml2 installed on computer (On CENTOS5 comes by default) otherwise install it

    4. Download Lua libs from from
    mkdir lualibs
    cd lualibs
    wget for 32bit
    wget for 64 bit
    cp * liblua* /usr/local/lib64
    cp include/* /usr/include

    5. make sure you have curl -v 7.15.1+

    6. Download modsecurity from (make sure you have httpd-devel package if httpd is from RPM or not compiled with-apxs from source)

    ./configure –with-apxs=/usr/local/apache2/bin/apxs –with-apr=/usr/local/apr/bin/apr-1-config –with-apu=/usr/local/apache2/bin/apu-1-config –with-

    pcre=/usr/local/pcre/bin/pcre-config (HTTPD from source)

    ./configure –with-apxs=/usr/sbin/apxs –with-apr=/usr/local/apr/bin/apr-1-config –with-apu=/usr/bin/apu-1-config –with-pcre=/usr/local/pcre/bin/pcre-

    config (HTTPD from RPM for CentOS 5)

    make install


    7. Edit httpd.conf file to include the following:
    LoadFile /usr/lib64/
    LoadFile /usr/lib64/
    LoadModule security2_module modules/


    8. Check is modsecurity installed by stoping and starting httpd and checking httpd error logs.

    –Applying Atomic Mod Security Rules

    9. mkdir rules
    cd rules
    tar -zxvf modsec-201002051427.tar.gz
    cd ..
    mv rules /etc/httpd/conf

    10. Create following directories:
    mkdir /var/asl
    mkdir /var/asl/tmp
    mkdir /var/asl/data
    mkdir /var/asl/data/msa
    mkdir /var/asl/data/audit
    mkdir /var/asl/data/suspicious
    mkdir /etc/asl
    touch /etc/asl/whitelist

    11. Add this on httpd.conf

    Include conf/modsecurity_crs_10_config.conf
    Include conf/rules/*asl*.conf

    12. Create conf/modsecurity_crs_10_config.conf file:

    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 2621440
    SecServerSignature Apache
    SecComponentSignature 200911012341
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus “^(?:5|4(?!04))”
    SecAuditLogType Concurrent
    SecAuditLog logs/audit_log
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator “&”
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 131072
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial

    13. Restart httpd server

    — Testing Mod_security and Atomic rules

    14. Test with webserver scanning tool like Nikto
    Check the httpd audit log and error logs does evrything work.

    I am wondering did anyone have this problem, and how did they solve it. I tried on few machines, and with same problem.


    • Djemo Nov 22, 2010 @ 20:00

      i finally figure out my problem setting up mod_security with compiled httpd

      skip step 2. and on step 6 use pcre from httpd source:

      ./configure –with-apxs=/usr/sbin/apxs –with-apr=/usr/local/apr/bin/apr-1-config –with-apu=/usr/bin/apu-1-config –with-pcre=/path/to/apache-src/srclib/pcre

      httpd doesn’t get stuck ant it works.

  • Bri Jul 6, 2011 @ 17:32

    Installing lua from here fixes this if your running Centos 5.5

  • aim target Oct 25, 2011 @ 4:30

    Is there any full guide for installation and configuration on redhat server itself on this mod_ security itself?


  • Ray Jan 6, 2014 @ 2:44

    This mostly worked on CentOS 5.8, except for the configuration files.

    This file: vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

    Does not exist. The /etc/httpd/modsecurity.d/ folder is empty. I ran a search for the modsecurity config files to see if maybe they are somewhere else, but they do not exist anywhere on the server.

    • Ray Jan 6, 2014 @ 2:48

      I did find the main conf file at:


      The others do not exist atm. I can probably find some copies on-line that will work.

  • Hrobky May 29, 2014 @ 8:26

    There are two separated projects: ModSecurity and Core Rule Set.

    /etc/httpd/conf.d/mod_security.conf is the base config file for MS,
    /etc/httpd/modsecurity.d/ is where CRS should be extracted to.

    Then in the apache config file you have to
    include conf.d/mod_security.conf
    include modsecurity.d/modsecurity_crs_10_setup.conf
    include modsecurity.d/activated_rules/*.conf

    CRS config/installation files are well commented.

  • S0AndS0 Jan 18, 2016 @ 2:14

    Link to mod_security documentation has changed slightly, there’s now a `.html` sufix

    Might be worth changing such that your guide here isn’t causing readerx to bombard thier servers with requests to pages that have been moved.

    • 🐧 Vivek Gite Jan 18, 2016 @ 8:12

      Thanks for the feedback. As per your request, the link has been updated.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum