How to install mod_security for Apache
Published: Jan 22, 2004

This guide shows you how to install and configure mod_security (ModSecurity), the intrusion detection and prevention engine for the Apache web server.

What is mod_security or modsecurity?
ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

Rfx Networks Recommended:
"mod_security is great and I encourage it be used by everyone; it does have the potential to break some web applications but so far I've seen very few issues to say the least. Likewise it is easy to fix any applications that may break with the granular filter rules that can be set up to either deny or allow certain content. Overall mod_security is a needed addition to Apache, providing a layer of security yet unseen for Apache. I highly encourage you read the reference document on the modsecurity.org site (under documentation) to better understand each directive and the role it plays in protecting your server and sites."

Requirements:
Apache Web Server 1.3x or 2.x

Note: We have confirmed this security add-on works with cPanel-based servers.

UPDATE: Sept. 15, 2004:
Changed the "# Prevent path traversal (..) attacks" rule to fix a typo in the tutorial.

How to install?
1. Log in to your server through SSH and su to the root user.

2. First you're going to start out by grabbing the latest version of mod_security:
wget http://www.modsecurity.org/download/mod_security-1.7.4.tar.gz

3. Next we untar the archive and cd into the directory:
tar zxvf mod_security-1.7.4.tar.gz
cd mod_security-1.7.4/

4. Now you need to determine which version of Apache you use:
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/

5. Let's compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c

6. OK, now it's time to edit the httpd.conf file. First we will make a backup in case something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

7. Now that we have backed it all up, we can edit httpd.conf. Replace pico with nano depending on what you have:
pico /usr/local/apache/conf/httpd.conf

8. Let's look for something in the config. Do this by holding Control and pressing W, then search for:

<IfModule mod_dir.c> (although any of the IfModules would work fine)

9. Now add this:

<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature " "

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:500"

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Prevent path traversal (..) attacks
    SecFilter "\.\./"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    SecFilter "<(.|\n)+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>

10. Save the file: Ctrl + X, then Y.

11. Restart Apache

/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start

You've successfully installed mod_security
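
The path traversal rule from step 9 can be checked offline before Apache is restarted. The script below is an added example, not part of the original tutorial: it uses grep -E as a stand-in for mod_security's regex matching and runs the tutorial's SecFilter patterns, with the unescaped "../" form that appears in the comments beside the corrected "\.\./", over constructed request strings. It assumes the requests are already URL-decoded; the function names first_match and report are hypothetical.

```shell
#!/bin/sh
# Added example: grep -E approximates SecFilter regex matching (an assumption;
# the module also normalises requests before matching, which is skipped here).

NL='
'
# Patterns copied from the tutorial's config. The generic "<(.|\n)+>" rule is
# left out because grep matches one line at a time.
COMMON='<[[:space:]]*script
delete[[:space:]]+from
insert[[:space:]]+into
select.+from'
RULES_TYPO='../'"$NL$COMMON"      # unescaped: "." matches any character
RULES_FIXED='\.\./'"$NL$COMMON"   # escaped: matches a literal "../"

# first_match RULESET STRING: print the first pattern that matches, or "pass".
first_match() {
    old_ifs=$IFS
    IFS=$NL
    set -f                        # no globbing while splitting the ruleset
    for pat in $1; do
        if printf '%s\n' "$2" | grep -Eq -e "$pat"; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$pat"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    printf 'pass\n'
}

# report: run constructed sample requests through both rulesets.
report() {
    printf '%-52s %-14s %s\n' 'request (constructed)' 'typo ruleset' 'fixed ruleset'
    while IFS= read -r req; do
        printf '%-52s %-14s %s\n' "$req" \
            "$(first_match "$RULES_TYPO" "$req")" \
            "$(first_match "$RULES_FIXED" "$req")"
    done <<'EOF'
/index.html
/images/logo.gif
/download.php?file=../../etc/passwd
/post.php?body=please select a date from the list
EOF
}

report
```

The unescaped pattern flags /images/logo.gif because "." matches any character, so any URI containing a subdirectory is denied. The select.+from rule still flags an ordinary sentence under both rulesets, which is the kind of breakage the crude SQL filters can cause.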

Comments (21)

  • max crandale 10:05, February 3, 2004
    It will be the most popular thing on Linux servers, I guess....

    An Ensim how-to is welcome for that.
  • Sebas 23:22, February 8, 2004
    It works fine, by.... in the cPanel system the option "apache status" in WHM doesn't work before this install
  • Thomas 19:48, February 27, 2004
    Hi,

    I have followed the steps but when starting Apache I am getting this error:

    mod_security: Failed to open the audit log file.

    Please advise.
    T
  • Enigmatic 05:33, March 5, 2004
    Unfortunately, mod_security breaks some applications as well as functionality of Front Page...
  • delara 00:42, April 29, 2004
    Should we replace:

    <IfModule mod_dir.c>
    DirectoryIndex index.html index.wml index.cgi index.shtml index.jsp index.js index.jp index.php4 ind$
    </IfModule>

    with:

    <IfModule mod_dir.c> BLAH BLAH </IfModule>
  • jane doe 06:29, July 30, 2004
    Confirmed,
    some applications break.

    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
  • Steve 13:47, September 16, 2004
    delara - no, do not replace that line.
  • Diep 09:08, October 5, 2004
    Thank you so much. I also find this problem.
  • mike 10:21, February 19, 2005
    I'm getting a problem:

    mod_security: Failed to open the audit log file: /var/log/httpd/audit_log

    What actions should I take?
  • Brandon 20:12, April 24, 2005
    Mike,

    try:
    mkdir /var/log/httpd
    touch /var/log/httpd/audit_log

    -bb
    http://www.nexgenis.com
  • vikykhung 20:04, April 28, 2005
    Error 500 Internal . .. . . after restarting Httpd.

    How do I fix this problem?
  • Mike 21:09, January 24, 2006
    I noticed that the version is wrong above. Here is the new download link:

    http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
  • Mike 05:54, May 19, 2006
    http://www.modsecurity.org/download/modsecurity-apache-1.9.4.tar.gz

    now
  • M.AC 04:10, May 27, 2006
    Thanks,

    I have followed the steps with the new version, but
    how do I know it is working or not?
  • Ahmet AKBULUT 11:19, July 19, 2006
    <IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature " "

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    # This setting should be set to On only if the Web site is
    # using the Unicode encoding. Otherwise it may interfere with
    # the normal Web site operation.
    SecFilterCheckUnicodeEncoding Off

    # Only allow bytes from this range
    SecFilterForceByteRange 1 255

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis. "On" will log everything,
    # "DynamicOrRelevant" will log dynamic requests or violations,
    # and "RelevantOnly" will only log policy violations
    SecAuditEngine RelevantOnly

    # The name of the audit log file
    SecAuditLog /var/log/httpd/audit_log

    # Should mod_security inspect POST payloads
    SecFilterScanPOST On

    # Action to take by default
    SecFilterDefaultAction "deny,log,status:500"

    # Require HTTP_USER_AGENT and HTTP_HOST in all requests
    SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

    # Prevent path traversal (..) attacks
    SecFilter "../"

    # Weaker XSS protection but allows common HTML tags
    SecFilter "<[[:space:]]*script"

    # Prevent XSS attacks (HTML/Javascript injection)
    SecFilter "<(.|n)+>"

    # Very crude filters to prevent SQL injection attacks
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"

    # Protecting from XSS attacks through the PHP session cookie
    SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
    SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
    </IfModule>

    Added to my apache.conf.
    I'm using Debian 3.1,
    but all web pages don't show images. Why?
  • Saviola 20:25, May 6, 2007
    I am using mod_security with version 1.9.4 for Apache 1.3.37.
    After I configured mod_security, all websites on my server went down with error code 500:

    User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; 240x320)
    mod_security-message: Access denied with code 500. Pattern match "../" at REQUEST_URI [severity "EMERGENCY"]
    mod_security-action: 500

    HTTP/1.1 500 Internal Server Error
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
    --8e5db40a--

    I installed mod_security with the default config.
    OS RHEL 4, Apache 1.3.37, PHP 4.3.3 and MySQL 4.1
  • red root 20:59, May 15, 2007
    Hey,
    there was a problem with me:
    there was a .htaccess file that made my mod_security on automatic when it was uploaded to my server.
    This file includes this command:
    <IfModule mod_security.c>
    # Turn off mod_security filtering.
    SecFilterEngine off

    # The below probably isn't needed...
    SecFilterScanPOST off
    </IfModule>
    and we add in the mod_security rules

    # Turn the filtering engine On or Off
    SecFilterEngine On

    # Change Server: string
    SecServerSignature " "

    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On

    and when we add this, nothing happened.

    We wait for your response on that problem.
    Thanks
  • Luke 12:36, June 6, 2007
    If your images do not display properly, it's because you have something leading back directories.

    ie: img src="../filename.jpg"

    Just comment out the line

    SecFilter "../"
    to
    #SecFilter "../"
  • bman 16:36, February 3, 2008
    But the client can disable it by adding a .htaccess file, and inside it he puts
    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

    Is there a way to stop this without disabling .htaccess?
  • derak 15:46, March 2, 2008
    This faq doesn't work for mod_security version 2.
  • Babu Ramasamy 18:07, March 8, 2010
    Hi,
    I did the mod_security settings given and it works as I wanted, thanks. However, with the browser setting "Show friendly HTTP error messages" unchecked, some information like server name and port number is revealed, whereas with HTTP error messages checked I get an HTTP error 406 message displayed. So help me: how do I give a common error message (maybe user-friendly) in both cases?
    Regards,
    Babu


WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2024 WebHostGear.com