Mod_Security is a free and open source web application firewall for Apache and Nginx. It is very useful for protecting your web server from various attacks by blocking most of the known exploits using regular expressions and rule sets. Mod_security can detect attacks by monitoring and analyzing the HTTP traffic in real time. In this blog tutorial we will guide you through the process of installing mod_security from source with the OWASP (Open Web Application Security Project) core rule set on a CentOS VPS.
Log in to your server as user ‘root’ and make sure that all packages are up to date:
yum -y update
Before we start the installation of mod_security, we need to install the following dependencies first:
yum install gcc make httpd-devel libxml2 pcre-devel libxml2-devel curl-devel git
Download the mod_security source code from their official website to your server:
cd /opt/
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
Extract the downloaded archive and change the current working directory to the newly extracted directory:
tar xzfv modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
Now, let's configure, compile and install mod_security from the source code:
./configure
make
make install
Copy the default mod_security configuration and the unicode.mapping file to the necessary Apache directory:
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
cp unicode.mapping /etc/httpd/conf.d/
With this step, mod_security is installed on your server. Now we need to configure the Apache web server. Open the web server configuration file and add the following lines:
nano /etc/httpd/conf/httpd.conf
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Save the changes and restart Apache
/etc/init.d/httpd restart
Download and configure the OWASP (Open Web Application Security Project) core rule set for a base configuration:
cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv owasp-modsecurity-crs modsecurity-crs
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Open the Apache configuration file again, and add the following lines at the end of the file:
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
Save the file and restart the web server again
/etc/init.d/httpd restart
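A pre-restart check for the steps above, as an added example that is not part of the original tutorial: it lists Include targets that match no file under the ServerRoot (Apache will not start on those) and reports the SecRuleEngine mode. The function names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the tutorial); names and sample tree are constructed.
# Print each Include target in CONF ($2) that matches no file under the
# ServerRoot ($1). Apache 2.4 refuses to start on such a line.
missing_includes() (
    while read -r directive target rest; do
        [ "$directive" = "Include" ] || continue
        case $target in
            /*) pattern=$target ;;
            *)  pattern=$1/$target ;;
        esac
        found=no
        for f in $pattern; do    # unquoted on purpose: expands wildcards
            if [ -e "$f" ]; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$target"
    done < "$2"
)

# Print the last SecRuleEngine value in CONF ($1). modsecurity.conf-recommended
# ships with DetectionOnly, which logs rule matches but does not block them.
rule_engine_mode() (
    mode=unset
    while read -r directive value rest; do
        if [ "$directive" = "SecRuleEngine" ]; then mode=$value; fi
    done < "$1"
    printf '%s\n' "$mode"
)

# Constructed ServerRoot mirroring the tutorial's layout, with the CRS setup
# file deliberately absent. Prints the path of the temporary directory.
make_sample_tree() (
    root=$(mktemp -d)
    mkdir -p "$root/conf" "$root/conf.d" "$root/modsecurity-crs/base_rules"
    : > "$root/modsecurity-crs/base_rules/sample_rule.conf"
    echo 'SecRuleEngine DetectionOnly' > "$root/conf.d/modsecurity.conf"
    cat > "$root/conf/httpd.conf" <<'EOF'
LoadModule security2_module modules/mod_security2.so
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
EOF
    printf '%s\n' "$root"
)

root=$(make_sample_tree)
echo "Include targets with no matching file:"
missing_includes "$root" "$root/conf/httpd.conf"
echo "SecRuleEngine: $(rule_engine_mode "$root/conf.d/modsecurity.conf")"
rm -rf "$root"
```

On the server itself, pass /etc/httpd and /etc/httpd/conf/httpd.conf to missing_includes, and run apachectl configtest before restarting.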
That’s all. You have mod_security with the OWASP core rule set installed on your CentOS VPS. Of course you don’t have to do any of this if you use one of our Linux VPS hosting services, in which case you can simply ask our expert Linux admins to install Mod_security for you. They are available 24×7 and will take care of your request immediately.
Thanks for sharing this. Hopefully you are able to take the time answering me two questions:
1. I read that mod_sec requires mod_unique_id to be loaded but can't find that in here – is my information obsolete with modsec 2.8+ or did you miss something?
2. I have read in many guides (for information but with limited trust) that it is important to define own rule sets in /etc/httpd/modsecurity.d/ – Any recommendations / best practices on that by you?
Hi There
I am new to modsecurity and want to try it in our organization, but came across a few doubts. I will be glad if anybody can clear them.
1. OWASP modsecurity CRS: are these rules updated daily (like Snort rules)? If so, how to update? Or how often will they update, and in that case how to update them?
2. If I want to write my own custom rules, how can I proceed: where to create the file and in which directory? Can I write all the rules in one file or a separate rule for each file?
3. Any recommended UI for modsecurity?
Thanks in advance
—
Cheers
Nand
You can check the owasp modsecurity github repo for updates and install/update instructions.
https://github.com/SpiderLabs/owasp-modsecurity-crs
You can find more info about how to create custom rules at:
https://atomicorp.com/wiki/index.php/Mod_security#Creating_custom_rules
I did all the steps
and got an error when restarting Apache:
Starting httpd (via systemctl): Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.
[FAILED]
php56 with centos 7
When I remove the 2 Include lines it works.
Any idea?
Could you please be more specific and tell us what lines are we talking about?