What is mod_security?
As an example, let's say "super haxor" starts up their kiddie "Auto Haxs 4000" script and begins to pummel your web server with every known vulnerability for every known web application, perhaps even vulnerabilities that are not yet known to the public. As mod_security parses each request to your web server, it matches super haxor's requests against patterns that indicate attempts at SQL injection, command injection, XSS and so on, and returns a generic error message instead. The attack attempts from super haxor never touch your web application.
In another scenario, Paul and Larry are doing a penetration test on your web server. They find a page that produces a 404 error, hoping to get the details of the operating system and web server in order to gather information about the box. As the response is returned to Paul and Larry, mod_security matches the server information in the response and changes it to a generic, administrator defined message.
mod_security adds another layer of protection to your web server and frees up the time you would usually spend combing through Apache logs.
How do I install mod_security?
This guide covers installing mod_security on Ubuntu 11.10 for Apache 2. In this example, we are going to install from source.
Use the Source
Download the latest mod_security tarball from the mod_security downloads page. You will only need the current modsecurity-apache archive.
Now get the necessary packages for compiling mod_security on Ubuntu with this command:
$ sudo apt-get install automake g++ apache2-threaded-dev dpkg-dev libxml2 libxml2-dev
Now compile and install mod_security with the following commands:
$ cd <modsecurity download directory>/apache2
$ sudo make install
Apache Conf Files
Now that the mod_security binary is installed in your Apache 2 modules folder, we have to make a few configuration files so that Apache knows to use the module.
Create a file called /etc/apache2/mods-available/security2.load with the following contents:
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so
Next create a /etc/apache2/modsecurity_crs directory and move all of the Core Rules into it. Be aware that some of the optional rules explained later on may require some of the .data files in addition to the .conf files.
$ sudo mkdir /etc/apache2/modsecurity_crs
$ sudo cp -R <mod_security download directory>/rules/*.conf /etc/apache2/modsecurity_crs/
You should now take a look at the rule files to make sure the settings are as you like them. For the most part I only modified lines in the modsecurity_crs_10_config.conf file. This file allows you to enable different portions of the engine; I enabled the directives that scan all XML content. In particular you will want to look at the paths where mod_security stores its log files. I changed all of the log and data directories to paths under /var/log/modsecurity, matching the directories created next.
After the settings were made I created the directories and set proper permissions with the following commands:
$ sudo mkdir /var/log/modsecurity
$ sudo mkdir /var/log/modsecurity/SecDataDir
$ sudo mkdir /var/log/modsecurity/SecTmpDir
$ sudo mkdir /var/log/modsecurity/SecUploadDir
$ sudo mkdir /var/log/modsecurity/SecAuditLog
$ sudo mkdir /var/log/modsecurity/SecAuditLogStorageDir
$ sudo mkdir /var/log/modsecurity/SecDebugLog
$ sudo chown -R www-data:www-data /var/log/modsecurity
$ sudo chmod -R a-rwx /var/log/modsecurity/
$ sudo chmod -R u+rwx /var/log/modsecurity/
There are also some other rule sets in the modsecurity-apache_2.1.5/rules/optional_rules/ directory. You may want to take a look at them and place them into your /etc/apache2/modsecurity_crs/ if desired.
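The following is an added illustration of how the pieces above fit together, not configuration from the original guide: an assumed security2.conf that pulls in the Core Rules, and an excerpt of the modsecurity_crs_10_config.conf directives pointed at the /var/log/modsecurity tree (the file names under /var/log/modsecurity and the "Web Server" banner are assumed values).

```apache
# --- /etc/apache2/mods-available/security2.conf (assumed file name) ---
# a2enmod security2 links this file alongside security2.load, so the Core
# Rules copied into /etc/apache2/modsecurity_crs load in their numbered order.
<IfModule security2_module>
    Include /etc/apache2/modsecurity_crs/*.conf
</IfModule>

# --- excerpt of /etc/apache2/modsecurity_crs/modsecurity_crs_10_config.conf ---
# Illustrative values for the directives the guide edits, not the author's file.
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On

# Hand XML request bodies to the XML processor so the rules can inspect them
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
    "phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=XML"

# Persistent collections, temporary files and intercepted uploads
SecDataDir   /var/log/modsecurity/SecDataDir
SecTmpDir    /var/log/modsecurity/SecTmpDir
SecUploadDir /var/log/modsecurity/SecUploadDir

# Audit log: one serial file, recording only suspicious transactions
# (5xx responses and 4xx responses other than 404)
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLog /var/log/modsecurity/SecAuditLog/modsec_audit.log
# For Concurrent audit logging, use SecAuditLogType Concurrent plus:
# SecAuditLogStorageDir /var/log/modsecurity/SecAuditLogStorageDir

# The debug log is very noisy at higher levels; raise it only while
# tracking down a rule that blocks legitimate traffic
SecDebugLog /var/log/modsecurity/SecDebugLog/modsec_debug.log
SecDebugLogLevel 0

# Replace the server banner in headers and error pages, as in the 404
# scenario above; Apache must be set to "ServerTokens Full" for this to work
SecServerSignature "Web Server"
```

Because the Core Rules are included by glob, the numbered file names decide the order in which directives and rules are read, so keep the modsecurity_crs_10_config.conf prefix when you rename or add files.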
Enable and Test
You should now have everything in place to run Apache 2 with mod_security. It is time to enable the module and restart apache.
$ sudo a2enmod security2
$ sudo /etc/init.d/apache2 reload
Hopefully Apache 2 restarts fine with no errors. Once Apache 2 has restarted, go ahead and test your web application with mod_security enabled. If you find that your web application is now working improperly, you can debug the mod_security rule that is blocking it by taking a look at the audit log and using the fabulous web application debugging tool Firebug.
mod_security2 also depends on mod_unique_id, which supplies the UNIQUE_ID used to tag each audit log entry. If Apache complains that mod_unique_id is missing, enable that module as well and reload:
$ sudo a2enmod unique_id
$ sudo /etc/init.d/apache2 reload
If you are deploying an Apache 2 server that is going to be running any sort of web application, I highly recommend that you take a look at mod_security. The hour you spend installing it could save you from a lawsuit or embarrassing explanations to your customers.