Red Hat _ CentOS Install Mod_security Apache Intrusion Detection and Prevention Engine


  • 8/13/2019 Red Hat _ CentOS Install Mod_security Apache Intrusion Detection and Prevention Engine


Red Hat / CentOS Install mod_security Apache Intrusion Detection And Prevention Engine
by Nix Craft on May 9, 2009
14 comments
LAST UPDATED May 9, 2009

    in Apache, CentOS, Networking

    How do I install ModSecurity - an open source intrusion detection and prevention engine for web applications under CentOS / RHEL / Red Hat Enterprise Linux 5.x server?

ModSecurity operates embedded into the web server (httpd), acting as a powerful umbrella that shields web applications from attacks. In order to use mod_security, you need to turn on the EPEL repo under CentOS / RHEL Linux. Once the repo is turned on, type the following command to install ModSecurity:

# yum install mod_security

Sample output:

Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * epel: www.gtlib.gatech.edu
 * base: mirror.skiplink.com
 * updates: centos.aol.com
 * addons: mirror.cs.vt.edu
 * extras: mirror.trouble-free.net
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution


Dependencies Resolved

==========================================================================================================
 Package                 Arch                 Version
==========================================================================================================
Installing:
 mod_security            x86_64               2.5.9-1.el5

Transaction Summary
==========================================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: mod_security                 [1/1]

Installed: mod_security.x86_64 0:2.5.9-1.el5
Complete!

    mod_security configuration files

1. /etc/httpd/conf.d/mod_security.conf - main configuration file for the mod_security Apache module.
2. /etc/httpd/modsecurity.d/ - all other configuration files for the mod_security Apache module.
3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf - the configuration contained in this file should be customized for your specific requirements before deployment.
4. /var/log/httpd/modsec_debug.log - debug messages, used for debugging mod_security rules and other problems.
5. /var/log/httpd/modsec_audit.log - all requests that trigger a ModSecurity event (as detected) or a server error are logged into this file ("RelevantOnly").

Open the /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:

# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

Make sure SecRuleEngine is set to "On" to protect the web server from attacks:

SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:

# service httpd restart

Make sure everything is working:

# tail -f /var/log/httpd/error_log

Sample output:

[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:34 2009] [notice] Original server signature: Apache/2.2.3 (CentOS)
[Sat May 09 23:18:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 09 23:18:34 2009] [notice] Digest: done
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations

Refer to the mod_security documentation to understand the security policies.
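The "make sure everything is working" step above only eyeballs error_log. The following script is an added example (not from the original article or the ModSecurity project) that turns that check into something you can run after every restart: it confirms the module announced itself in error_log, finds which file actually carries the LoadModule line (the EPEL package puts it in /etc/httpd/conf.d/mod_security.conf rather than httpd.conf), and reports the effective SecRuleEngine mode, since a config left at DetectionOnly logs but blocks nothing. The function names are my own, and the config tree and log files it creates under a temporary directory are constructed for the demo; on a real server point the functions at /etc/httpd and /var/log/httpd/error_log instead.

```shell
#!/bin/sh
# Added example, not part of the original article: post-install sanity checks
# for a mod_security deployment. All sample paths and contents below are
# constructed for the demo.

# Effective SecRuleEngine mode in one config file: On, Off, DetectionOnly or
# "unset". Comment lines are skipped, the directive name is matched
# case-insensitively (Apache directive names are), and the last occurrence in
# the file wins, as Apache would apply it.
sec_rule_engine_mode() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "secruleengine" { mode = $2 }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Version string from the module's startup notice in error_log; empty if the
# module never announced itself, i.e. it is not loaded.
modsec_version_from_log() {
    sed -n 's/.*ModSecurity for Apache\/\([0-9.]*\).*configured.*/\1/p' "$1" | tail -n 1
}

# Config files under a directory tree that load the module with an
# uncommented LoadModule line (the EPEL package: conf.d/mod_security.conf).
modsec_loadmodule_files() {
    grep -rlE '^[[:space:]]*LoadModule[[:space:]]+security2_module[[:space:]]' "$1" 2>/dev/null || true
}

# Verdict: 0 = loaded and blocking, 1 = not loaded,
# 2 = loaded but only logging (DetectionOnly), 3 = loaded but engine Off/unset.
modsec_ok() {
    conf="$1"; log="$2"
    ver=$(modsec_version_from_log "$log")
    if [ -z "$ver" ]; then
        echo "mod_security not loaded: no 'ModSecurity ... configured' notice in $log"
        return 1
    fi
    mode=$(sec_rule_engine_mode "$conf")
    case "$mode" in
        On)            echo "mod_security $ver loaded, SecRuleEngine On"; return 0 ;;
        DetectionOnly) echo "mod_security $ver loaded but SecRuleEngine DetectionOnly: logging only"; return 2 ;;
        *)             echo "mod_security $ver loaded but SecRuleEngine is $mode: requests not inspected"; return 3 ;;
    esac
}

# --- constructed sample config tree and logs (demo only) ---------------------
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/httpd/conf" "$DEMO_DIR/httpd/conf.d" "$DEMO_DIR/httpd/modsecurity.d"

# httpd.conf carries only a commented-out LoadModule; the live one is in conf.d.
cat >"$DEMO_DIR/httpd/conf/httpd.conf" <<'EOF'
# LoadModule security2_module modules/mod_security2.so
Include conf.d/*.conf
EOF
cat >"$DEMO_DIR/httpd/conf.d/mod_security.conf" <<'EOF'
LoadModule security2_module modules/mod_security2.so
Include modsecurity.d/*.conf
EOF

# A typical edit history: Off commented out, DetectionOnly tried, then On.
DEMO_CONF="$DEMO_DIR/httpd/modsecurity.d/modsecurity_crs_10_config.conf"
cat >"$DEMO_CONF" <<'EOF'
#SecRuleEngine Off
SecRuleEngine DetectionOnly
   secruleengine On
SecAuditEngine RelevantOnly
EOF
DEMO_CONF_DETECT="$DEMO_DIR/detect_only.conf"
printf 'SecRuleEngine DetectionOnly\n' >"$DEMO_CONF_DETECT"

# error_log after a restart with the module loaded (notice line as in the
# article's sample output) and one from a server that never loaded it.
DEMO_LOG="$DEMO_DIR/error_log"
cat >"$DEMO_LOG" <<'EOF'
[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations
EOF
DEMO_LOG_NOMOD="$DEMO_DIR/error_log.nomod"
printf '[Sat May 09 23:18:35 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations\n' >"$DEMO_LOG_NOMOD"

echo "LoadModule found in: $(modsec_loadmodule_files "$DEMO_DIR/httpd")"
modsec_ok "$DEMO_CONF" "$DEMO_LOG"
modsec_ok "$DEMO_CONF_DETECT" "$DEMO_LOG" || echo "exit status $?"
modsec_ok "$DEMO_CONF" "$DEMO_LOG_NOMOD" || echo "exit status $?"
echo "demo files left in $DEMO_DIR (remove with rm -rf)"
```

The distinct exit codes are deliberate: a cron job or configuration-management check can treat 1 (module missing) and 2 (engine in DetectionOnly) differently, and the mode check reads the directive the way Apache does, so a stale `SecRuleEngine DetectionOnly` higher up in the file is not mistaken for the live setting.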


    { 14 comments read them below or add one }

    1 n3os May 13, 2009 at 2:26 am

Now I found the article about CentOS Install mod_security, thx!!!

    Reply

    2 bitt June 9, 2009 at 9:41 pm

    thx for this, very helpful.

    Reply

    3 Zigzacom July 11, 2009 at 4:03 am

With CentOS 5.3 it was a bit of an adventure, as mod_security from EPEL was looking for liblua-5.1.so (a dependency), but one of the CentOS repos only has lua-5.0, and I had set CentOS repos to a higher priority than the EPEL repo.
I did an rpm -ivh http://mirrors.kernel.org/fedora-epel/5Server/x86_64/lua-5.1.2-1.el5.x86_64.rpm , then yum install mod_security and all was OK.

    yum-priorities is a bit tricky with EPEL enabled. Disable the EPEL repo after you are done with installing mod_security or at least make sure you have the priorities set right.

    Reply

    4 pgl January 26, 2010 at 4:40 pm

@Zigzacom: thanks for that!

Reply

    5 Bob February 1, 2010 at 7:26 am

Thank you for the RPM, but I noticed that no entry was made to httpd.conf (LoadModule), and that the installation is substantially different than installing by compiling from the source. I'm not an advanced admin and wonder if I have missed something. I also don't see in error_log that mod_sec was installed.

    Reply

    6 nixCraft February 1, 2010 at 10:49 am

@Bob, see /etc/httpd/conf.d/mod_security.conf

    Reply

    7 math March 9, 2010 at 11:45 am

Thank you very much for the tutorial, but after installing mod_security all jQuery stopped loading!! I think that mod_security conflicts with jQuery files loaded from the local server. Please, how to fix this issue? Best regards

Reply

8 mct March 10, 2010 at 10:00 pm

    thx. hooked me up.


    Reply

    9 Djemo October 21, 2010 at 2:17 pm

I have trouble setting up mod_security from source with httpd from source on CentOS 5.5. I was able to set up mod_security from source and httpd from RPM without problems, and on FreeBSD 8.1 both from source (not ports) without problems.

On CentOS, setting up from source, when I restart apache I get

ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured

and httpd starts. As soon as I add

Include conf/modsecurity_crs_10_config.conf

in httpd.conf and restart httpd, it is stuck on restarting (or starting if it's not running already) and it takes 100% CPU.

The modsecurity_crs_10_config.conf is original, and I set up everything like on FreeBSD, which works.

Here are the steps I created and use to set up mod_security; they are based on the requirements from the mod_security site:

    Installation

0. Make sure mod_unique_id is loaded/included in httpd: compile httpd with --enable-unique-id, or load the module for RPM-based httpd:

LoadModule unique_id_module modules/mod_unique_id.so

1. Download APR from Apache.org

./configure --prefix=/usr/local/apr
make
make install

2. Download PCRE from pcre.org

./configure --prefix=/usr/local/pcre
make
make install

3. Make sure you have libxml2 installed on the computer (on CentOS 5 it comes by default), otherwise install it.

4. Download Lua libs from http://luabinaries.sourceforge.net/

mkdir lualibs
cd lualibs
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_lib.tar.gz/download      (for 32 bit)
wget http://sourceforge.net/projects/luabinaries/files/5.1.4/Linux%20Libraries/lua5_1_4_Linux26_64_lib.tar.gz/download   (for 64 bit)
cp liblua* /usr/local/lib64
cp include/* /usr/include

5. Make sure you have curl -v 7.15.1+

6. Download modsecurity from modsecurity.org (make sure you have the httpd-devel package if httpd is from RPM or not compiled with apxs from source)

./configure --with-apxs=/usr/local/apache2/bin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/local/apache2/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config   (HTTPD from source)

./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/usr/local/pcre/bin/pcre-config   (HTTPD from RPM for CentOS 5)

make
make install

    Configuration


7. Edit the httpd.conf file to include the following:

LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua5.1.so
LoadModule security2_module modules/mod_security2.so

Testing

8. Check whether modsecurity is installed by stopping and starting httpd and checking the httpd error logs.

Applying Atomic Mod Security Rules

9.

mkdir rules
cd rules
wget http://downloads.prometheus-group.com/delayed/rules/modsec-201002051427.tar.gz
tar -zxvf modsec-201002051427.tar.gz
cd ..
mv rules /etc/httpd/conf

10. Create the following directories:

mkdir /var/asl
mkdir /var/asl/tmp
mkdir /var/asl/data
mkdir /var/asl/data/msa
mkdir /var/asl/data/audit
mkdir /var/asl/data/suspicious
mkdir /etc/asl
touch /etc/asl/whitelist

11. Add this to httpd.conf:

Include conf/modsecurity_crs_10_config.conf
Include conf/rules/*asl*.conf

12. Create the conf/modsecurity_crs_10_config.conf file:

SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecServerSignature Apache
SecComponentSignature 200911012341
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^(?:5|4(?!04))
SecAuditLogType Concurrent
SecAuditLog logs/audit_log
SecAuditLogParts ABIFHZ
SecArgumentSeparator &
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

13. Restart the httpd server

Testing Mod_security and Atomic rules

14. Test with a webserver scanning tool like Nikto. Check the httpd audit log and error logs to see whether everything works.

End

I am wondering whether anyone had this problem, and how they solved it. I tried on a few machines, with the same problem.

    Thanks

    Reply


    10 Djemo November 22, 2010 at 8:00 pm

I finally figured out my problem setting up mod_security with compiled httpd.

    skip step 2. and on step 6 use pcre from httpd source:

./configure --with-apxs=/usr/sbin/apxs --with-apr=/usr/local/apr/bin/apr-1-config --with-apu=/usr/bin/apu-1-config --with-pcre=/path/to/apache-src/srclib/pcre

httpd doesn't get stuck and it works.

    Reply

    11 Bri July 6, 2011 at 5:32 pm

Installing lua from here fixes this if you're running CentOS 5.5

    http://pkgs.org/download/centos-5-rhel-5/atomic-x86_64/lua-5.1.4-1.el5.art.x86_64.rpm.html

    Reply

    12 aim target October 25, 2011 at 4:30 am

Is there any full guide for installation and configuration of mod_security on a Red Hat server itself?

    -aim-

    Reply

    13 Ray January 6, 2014 at 2:44 am

    This mostly worked on CentOS 5.8, except for the configuration files.

    This file: vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

Does not exist. The /etc/httpd/modsecurity.d/ folder is empty. I ran a search for the modsecurity config files to see if maybe they are somewhere else, but they do not exist anywhere on the server.

Reply

14 Ray January 6, 2014 at 2:48 am

    I did find the main conf file at:

    /etc/httpd/conf.d/mod_security.conf

    The others do not exist atm. I can probably find some copies on-line that will work.

    Reply


Tagged as: /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf, /var/log/httpd/modsec_audit.log, /var/log/httpd/modsec_debug.log, apache mod_security core rules, install the mod_security apache module, intrusion detection, mod_security rhel, red hat enterprise, rhel mod_security, web applications, web server


2006-2014 nixCraft. All rights reserved. Privacy Policy - Terms of Service - Questions or Comments - We are proudly powered by Linux + Nginx + WordPress.
