Install ModSecurity and Get it Running in Linux CentOS/RHEL with Apache

If you’re hosting your own servers then securing your servers against attackers must be a high priority.

ModSecurity is an open source Web Application Firewall that runs as a module in your web server and detects and prevents attacks against web applications. It monitors HTTP traffic and performs real-time analysis.

To install ModSecurity on a Linux server running CentOS, follow these steps as the root user.

Install the EPEL Repository

Add the EPEL rpm repository to your system using the following command.

rpm -ivh http://fedora.mirror.uber.com.au/epel/6/i386/epel-release-6-7.noarch.rpm

Install ModSecurity and Predefined Rules

Now install the mod_security Apache module together with its predefined rule set (mod_security_crs).

yum install mod_security mod_security_crs

Activate the Module

Edit the ModSecurity configuration file /etc/httpd/conf.d/mod_security.conf, locate the SecRuleEngine directive, and make sure it is set to “On” so that the web server is protected against attacks:

SecRuleEngine On

Restart Apache and Check

Turn on other required options and policies as per your requirements. Finally, restart httpd:

service httpd restart

To confirm that the web application firewall has loaded, look for lines like these in the Apache error log.

# tail /var/log/httpd/error_log
[notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[notice] ModSecurity: LUA compiled version="Lua 5.1"
[notice] ModSecurity: LIBXML compiled version="2.7.6"
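
The two checks above (the SecRuleEngine setting and the startup notice) can be scripted. The following is an added example, not part of the original article: the function names are hypothetical, the sample config and log are constructed, and it assumes SecRuleEngine is set only in the main configuration file. It also flags DetectionOnly, the third value SecRuleEngine accepts, in which rule matches are logged but requests are not blocked.

```shell
#!/bin/sh
# Added example, not from the original article. Default paths are the ones the
# article names; pass other paths as arguments to test against copies.

# Print the effective SecRuleEngine mode. Commented lines are skipped and, as an
# assumption of this sketch, the last active directive in this one file wins.
modsec_engine_mode() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "secruleengine" { mode = tolower($2) }
         END {
             if (mode == "on") print "On"
             else if (mode == "off") print "Off"
             else if (mode == "detectiononly") print "DetectionOnly"
             else if (mode == "") print "unset"
             else print "invalid"
         }' "${1:-/etc/httpd/conf.d/mod_security.conf}"
}

# Succeed if the error log holds the notice ModSecurity writes when Apache loads it.
modsec_loaded() {
    grep -q 'ModSecurity for Apache/.* configured\.' "${1:-/var/log/httpd/error_log}"
}

# Status 0 only when the module loaded AND the engine is in blocking mode.
modsec_check() {
    modsec_loaded "$2" || { echo "FAIL: no ModSecurity startup notice"; return 2; }
    mode=$(modsec_engine_mode "$1")
    case $mode in
        On) echo "OK: loaded, SecRuleEngine On" ;;
        DetectionOnly) echo "WARN: matches are logged but not blocked"; return 1 ;;
        *) echo "FAIL: SecRuleEngine is $mode"; return 1 ;;
    esac
}

# Constructed sample input so the example runs on any machine.
demo_dir=$(mktemp -d)
printf '%s\n' '# SecRuleEngine On' 'SecRuleEngine DetectionOnly' > "$demo_dir/mod_security.conf"
printf '%s\n' '[notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.' > "$demo_dir/error_log"
modsec_check "$demo_dir/mod_security.conf" "$demo_dir/error_log" || true
rm -rf "$demo_dir"
```

On a real server, call modsec_check with no arguments right after the restart; a notice left in the log by an earlier start also satisfies the log check.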

mod_security configuration files

/etc/httpd/conf.d/mod_security.conf – main configuration file for the mod_security Apache module.

/etc/httpd/modsecurity.d/ – all other configuration files for the mod_security Apache module.

/var/log/httpd/modsec_debug.log – debug messages, useful for troubleshooting mod_security rules and other problems.

/var/log/httpd/modsec_audit.log – all requests that trigger a ModSecurity event or a server error are logged in this file.

We previously covered how to configure Mod_Security on Linux; see that post for step-by-step instructions.