ModSecurity2 is a Web Application Firewall integrated into Apache as a module. You can run it on the web server itself by adding the module (especially useful if you serve HTTPS, since your IDS/IPS cannot analyze those flows), or on an Apache-based reverse proxy in front of your web server(s).
This post shows how to install ModSecurity on your favorite Linux, Debian Sarge or Ubuntu Edgy Eft.

You first need to download the source tarball from the Breach web site.

Check that you have removed any previously installed version (apt-get remove libapache2-mod-security mod-security-common for Ubuntu), and install the required development files:

apt-get install apache2-prefork-dev  libxml++2.6-dev

(The default Apache version is mpm-prefork, but you can check whether you are using the prefork or the threaded version with the command dpkg --get-selections | grep apache2 ).

In the directory where you have extracted the ModSecurity package, go to the apache2 directory and, in the Makefile, look for the line containing top_dir and replace it with:

top_dir      = /usr/share/apache2/

Then, execute the make command.

Once the compilation ends, install the module (as root): sudo make install

You must now configure Apache for loading the module:
Create the following file: /etc/apache2/mods-available/mod-security2.load

and fill it with these lines:

LoadFile /usr/lib/
LoadModule security2_module /usr/lib/apache2/modules/

Enable the module with this command:

ln -s /etc/apache2/mods-available/mod-security2.load /etc/apache2/mods-enabled

(or use a2enmod). Also enable mod_unique_id, which is required by mod_security but not enabled by default in Debian and Ubuntu:

ln -s /etc/apache2/mods-available/unique_id.load /etc/apache2/mods-enabled

Then tell Apache to load the module config (rules) by creating this file: /etc/apache2/conf.d/modsecurity2.conf
and write in it:

<IfModule mod_security2.c>
Include modsecurity/*.conf
</IfModule>

Then create the /etc/apache2/modsecurity directory and copy into it the ModSecurity Core Rule Set files provided in the rules directory of the tarball.

Restart Apache:

/etc/init.d/apache2 restart

And check that ModSecurity is working by issuing a web request that should be forbidden:

curl -i http://localhost/ -A Nessus

You should receive a 404 error, while removing the User-Agent option ("-A Nessus") should return your home page.
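A check to run before restarting Apache, as an added example that is not part of the original post: it verifies the pieces the steps above put in place (enabled modules, module paths, a closed IfModule block, at least one rule file). The function name check_modsec_layout is hypothetical, and it assumes the Debian/Ubuntu layout under /etc/apache2 used in this guide.

```shell
#!/bin/sh
# Added example, not from the original post. check_modsec_layout is a
# hypothetical helper; it assumes the Debian/Ubuntu layout used in this guide.
check_modsec_layout() {
    root="${1:-/etc/apache2}"   # Apache config root (ServerRoot on Debian)
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    # 1. Both .load files must be linked into mods-enabled
    #    (mod_security needs mod_unique_id, which is off by default).
    for f in mod-security2.load unique_id.load; do
        [ -e "$root/mods-enabled/$f" ] || fail "$f is not enabled"
    done

    # 2. Absolute paths given to LoadFile/LoadModule must be existing files;
    #    a wrong path gives "cannot open shared object file" at startup.
    load="$root/mods-available/mod-security2.load"
    if [ -r "$load" ]; then
        while read -r directive a b; do
            case "$directive" in
                LoadFile)   path=$a ;;
                LoadModule) path=$b ;;
                *)          continue ;;
            esac
            case "$path" in
                /*) [ -f "$path" ] || fail "$directive target not found: $path" ;;
            esac
        done < "$load"
    else
        fail "cannot read $load"
    fi

    # 3. conf.d/modsecurity2.conf must close every <IfModule> it opens.
    conf="$root/conf.d/modsecurity2.conf"
    if [ -r "$conf" ]; then
        opened=$(grep -ci '<ifmodule' "$conf" || true)
        closed=$(grep -ci '</ifmodule' "$conf" || true)
        [ "$opened" -eq "$closed" ] || fail "unbalanced <IfModule> in $conf"
    else
        fail "cannot read $conf"
    fi

    # 4. "Include modsecurity/*.conf" needs at least one rule file to load.
    set -- "$root"/modsecurity/*.conf
    [ -e "$1" ] || fail "no rule files in $root/modsecurity"

    return "$rc"
}
```

Call it as `check_modsec_layout` (or pass another config root as the first argument); it prints one FAIL line per problem and returns non-zero if any check fails.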

Now you’re ready to dive into the rules!

March 19, 2007, 2:39 pm

Currently 6 comments

  1. Comment by Omid

    I created the /etc/apache2/modsecurity directory but I can’t find the file you refer to as “ModSecurity Core Rule Set files provided in the rules directory of the tarball in this directory” I couldn’t find the rules directory

  2. Comment by Mathieu Dessus

    Yes, packages should be the right way to install software in a Linux distrib, but this repository is not totally up to date today.

  3. Comment by tux821

    This is how it worked for my Debian Etch:

    Add source for Debian Etch in /var/apt/sources.list
    deb ./
    additions for Debian Etch:

    Add key for this source
    # gpg --keyserver --recv-keys C514AF8E4BA401C3
    # gpg --armor --export C514AF8E4BA401C3 | apt-key add -

    Update and install
    # apt-get update
    # apt-get install libapache2-mod-security2

    add directory for rules:
    # mkdir /etc/apache2/modsecurity

    copy the rules provided:
    # cp /usr/share/doc/libapache2-mod-security2/examples/rules/* /etc/apache2/modsecurity/

    configure for apache2, add file ‘/etc/apache2/conf.d/modsecurity.conf’

    # include the mod security configuration and rules.
    Include modsecurity/*.conf

    set log file references to /var/log/apache2/ in /etc/apache2/modsecurity/modsecurity_crs_10_config.conf
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecDebugLog /var/log/apache2/modsec_debug.log

    Now restart apache:
    # /etc/init.d/apache2 restart

    Test if it works, like you mentioned above with:
    curl -i http://localhost/ -A Nessus

    Fine tuning:
    - tune main config file: modsecurity_crs_10_config.conf
    - read /usr/share/doc/libapache2-mod-security2/

  4. Comment by Alex

    Thanks, man! It’s working for Ubuntu 6.06 and Apache 2.0. I was so disappointed that the latest modsecurity didn’t make it into Ubuntu packaging due to licensing issues. This article brought me to the up-n-running point in no time.

  5. Comment by Mathieu Dessus

    What is your exact error message ?
    If it is something like “cannot open shared object file: No such file or directory”, make sure that the path to the module is correct. Otherwise.. let us know.

  6. Comment by atp1082

    the steps failed and caused apache2 to fail to boot.
    error locating file
    I followed the steps to the letter using apache2 and modsecurity 2.1.1
