Archive for the ‘Modsecurity’ Category

How to install mod_security from source

Tuesday, December 15th, 2009

Ref :http://www.modsecurity.org/documentation/modsecurity-apache/2.5.11/html-multipage/installation.html

Mod security works with apache. So You will have to define where is your Apache location (if you installed Apache from source)
Here I have installed Apache in /usr/local/apache Directory
Note:
Make sure you have mod_unique_id installed :

run the bellow command to make sure mod_unique_id is installed .

bin/apachectl -l | grep  mod_unique_id.c

if this module is not installed then you will have to recompile your Apache with –-enable-unique-id
Example:

./configure  --prefix=/usr/local/apache --with-included-apr --with-php --with-mysql --with-susexec --disable-info --with-mpm=prefork --enable-so --enable-cgi --enable-rewrite --enable-ssl --enable-mime-magic --enable-unique-id

To install Mod_Security you need bellow rpms :

yum install pcre-devel
yum install apr-devel

Download modsecurity from :http://www.modsecurity.org/download/index.html

Configuring and installing Mod_Security

 
a)Download and upload modsecurity-apache_2.5.12.tar.gz in /tmp directory
 
b) tar -xvzf modsecurity-apache_2.5.12.tar.gz
 
c) cd modsecurity-apache_2.5.11
 
d) cd apache2
 
e) ./configure --with-apxs=/usr/local/apache/bin/apxs --with-pcre=/usr/bin/pcre-config --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config
 
f)make
 
g)make intall

Configure Mod security with Apache:

a)Make a directory named modsecurity    under /usr/local/apache/conf/ and copy all the modsecurity rules there
note:
modsecurity rules will be found in modsecurity source directory "/tmp/modsecurity-apache_2.5.11/rules"  
(b) Insert the bellow lines  line in httpd.conf file(/usr/local/apache/conf/) 
    Include conf/modsecurity/*.conf
 
C)Also insert bellow lines in httpd.conf(/usr/local/apache/conf) 
 
   LoadFile /usr/lib/libxml2.so
   LoadFile /usr/lib/liblua-5.1.so  (optionals)    
          Note: This library is optional and only needed if you will be using         the new Lua engine.In that case you will have to  use      -–with-lua=PATH prefix with mod security installation. Ref : </span>http://www.modsecurity.org/documentation/modsecurity-apache   /2.5.11/html-multipage/installation.html    
   LoadModule security2_module modules/mod_security2.so 
           Note: This line should be automatically inserted while installation of mod security.If not then insert by your self.

Now Stop and restart apache service. and check apache error_log for this kind of entry :

[Tue Dec 15 12:14:10 2009] [notice] ModSecurity for Apache/2.5.11 (http://www.modsecurity.org/) configured.
[Tue Dec 15 12:14:10 2009] [notice] Original server signature: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5

Enabling mod_security:

By default , Mod_security rules is enabled, but you can check it from here :
modsecurity_crs_10_config.conf  ( location:/usr/local/apache/conf/modsecurity/)
Make sure bellow line is set to ON as bellow
 SecRuleEngine On,

Adding rules to mod_security :

Copy all the rules from base_rules directory to modsecurity directory 
 cp /tmp/modsecurity-apache_2.5.12/rules/base_rules/* /usr/local/apache/conf/modsecurity/

Note : To test your rules you can set SecRuleEngine DetectionOnly in modsecurity_crs_10_config.conf file ( location:/usr/local/apache/conf/modsecurity/) It will show you how all those rules are performing.

Now Stop and restart apache again, and look at error_log, access_log for modsecurity activity

Prefix for modsecurity installation

-–with-apxs=FILE FILE is the path to apxs; defaults to “apxs”.
-–with-pcre=PATH Path to pcre prefix or config script
-–with-apr=PATH Path to apr prefix or config script
-–with-apu=PATH Path to apu prefix or config script
-–with-libxml=PATH Path to libxml2 prefix or config script
-–with-lua=PATH Path to lua prefix or config script (optional)
-–with-curl=PATH Path to curl prefix or config script (optional)

Extra Notes :
1. Please create a directory “mkdir /usr/local/apache/conf/modsecurity/data”
and add bellow lines in modsecurity_crs_10_config.conf

  SecDataDir /usr/local/apache/conf/modsecurity/data

If this lines is missing you might see this kind of error :
[Thu Dec 10 10:10:54 2009] [error] [client xx.xx.xx.xx] ModSecurity: Unable to retrieve collection (name “ip”, key “xx.xx.xx.xx”). Use SecDataDir to define data directory first. [hostname “xx.xx.xx.xxx”] [uri “/”] [unique_id “SyC7Hn8AAAEAABLHj9gAAAAL”]