installing mod_security on CentOS 5

Installing mod_security from source is very easy, but on CentOS 5 it did not quite go according to the published documentation. The steps that actually worked follow.

First install the required devel packages with yum. mod_security 2.5 links against libxml2 (hence the LoadFile line further down), so libxml2-devel is needed as well:

# yum install httpd-devel
# yum install pcre-devel
# yum install libxml2-devel

The installation instructions mention installing Lua, but that is only needed if you write custom rules in Lua, which we will not, so skip it.

Then fetch, untar and build the source packages:

# cd /usr/local/src/
# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.6.tar.gz
# wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
# tar -xvzf modsecurity-apache_2.5.6.tar.gz
# cd /usr/local/src/modsecurity-apache_2.5.6/apache2
# ./configure --with-apxs=/usr/sbin/apxs
# make
  ...
# make test
  ...
# make install
  ...

Now create a simple security.conf that Apache will load automatically at startup, at /etc/httpd/conf.d/security.conf, containing:

# mod_security module installed manually
# http://www.modsecurity.org/documentation/modsecurity-apache/2.5.6/html-multipage/installation.html
LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
Include conf.d/modsecurity/*conf

This in turn loads every *conf file in the modsecurity/ directory, so we can install the Core Rules there. Two caveats on the LoadFile line: on x86_64 the library lives under /usr/lib64, and the unversioned libxml2.so symlink only exists when libxml2-devel is installed, otherwise point LoadFile at libxml2.so.2.

# cd /etc/httpd/conf.d
# mkdir modsecurity/
# mv /usr/local/src/modsecurity-core-rules_2.5-1.6.1.tar.gz modsecurity/
# cd modsecurity/
# tar -xvzf modsecurity-core-rules_2.5-1.6.1.tar.gz

Now modify the configuration to taste. We found it necessary to change the following directives in modsecurity_crs_10_config.conf.

Change these to run in detection-only mode and to use new tmp and data directories (the directories must exist and be writable by the apache user, or mod_security will log errors when it tries to use them):

SecRuleEngine DetectionOnly
SecDataDir /var/log/httpd/modsec
SecUploadDir /var/tmp/modsec
SecTmpDir /var/tmp/modsec

Also add SecResponseBodyLimitAction: the default action is Reject, so mod_security returns a 500 error for any response larger than SecResponseBodyLimit, which is a problem if you serve any hefty pages:

SecResponseBodyLimitAction ProcessPartial

And change this to reduce the size of the audit log a little. Note that dropping part H also drops the audit trailer, which records the messages of the rules that matched, so keep H if you triage from the audit log rather than from error_log:

SecAuditLogParts "ABIKZ"
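The edits above can be applied by hand, but they are easier to repeat (on the next rules upgrade, or the next server) as a small script. The following is an added example and not part of the original post: it replaces a directive that is already present in modsecurity_crs_10_config.conf, whether active or commented out, and appends one that is absent, so running it twice gives the same file. The paths, the "apache" user and the assumption that the config uses one directive per line are assumptions matching a stock CentOS 5 httpd, not anything the post states.

```sh
#!/bin/sh
# Added example: apply the CRS config tweaks from the post repeatably.
# Assumptions: one directive per line; paths and the apache user match a
# stock CentOS 5 httpd. Not part of the original post.

# set_directive <conf> <Directive> <value>
# A line that already carries the directive (even commented out with #) is
# rewritten in place; otherwise the directive is appended. A comment that
# merely mentions the directive at the start of a line is treated the same
# way, which is acceptable for the CRS config but worth knowing.
set_directive() {
    conf=$1; name=$2; value=$3
    if grep -q "^[[:space:]]*#*[[:space:]]*$name[[:space:]]" "$conf"; then
        sed "s|^[[:space:]]*#*[[:space:]]*$name[[:space:]].*|$name $value|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# get_directive <conf> <Directive>: print the active value (last one wins,
# as it does for Apache), for checking the result.
get_directive() {
    grep "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 \
        | sed "s/^[[:space:]]*$2[[:space:]]*//"
}

# apply_crs_tweaks <conf>: the changes described in the post.
apply_crs_tweaks() {
    set_directive "$1" SecRuleEngine DetectionOnly
    set_directive "$1" SecDataDir   /var/log/httpd/modsec
    set_directive "$1" SecUploadDir /var/tmp/modsec
    set_directive "$1" SecTmpDir    /var/tmp/modsec
    set_directive "$1" SecResponseBodyLimitAction ProcessPartial
    set_directive "$1" SecAuditLogParts '"ABIKZ"'
}

# make_dirs: the data/tmp directories must exist and be writable by the
# httpd user (assumed to be "apache"); run this part as root.
make_dirs() {
    for d in /var/log/httpd/modsec /var/tmp/modsec; do
        install -d -o apache -g apache -m 750 "$d"
    done
}

# Typical use, as root, before running apachectl configtest:
#   apply_crs_tweaks /etc/httpd/conf.d/modsecurity/modsecurity_crs_10_config.conf
#   make_dirs
```

get_directive matches only a full directive name followed by whitespace, so asking for SecAuditLog does not pick up SecAuditLogParts.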

Now test the configuration and reload httpd:

# /usr/sbin/apachectl configtest
Syntax OK
# /usr/sbin/apachectl graceful

Make sure Apache is happy, then watch error_log, which should soon show a stream of warnings from the nefarious traffic coming in:

# tail -f /var/log/httpd/error_log

As recommended in the mod_security docs, monitor and analyze the audit log (/var/log/httpd/modsec_audit.log) and the debug log to make sure nothing legitimate is being caught. In many cases there will be false positives. Comment out the offending SecRules in the config files, disable them by id with SecRuleRemoveById in a file loaded after the Core Rules (so the change survives a rules upgrade), or otherwise adjust as needed.
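In DetectionOnly mode every match lands in error_log as a "ModSecurity: Warning." line tagged with [id "..."], [msg "..."] and [uri "..."], which is enough to rank the rules by how often they fire and to see which URIs trip each one. The script below is an added example, not from the original post: summarize_modsec tallies warnings per rule id, and uris_for_rule lists the distinct URIs behind one id. The log lines written by make_sample_log are constructed to follow the mod_security 2.5 error_log format and are not real traffic; the rule ids and messages in them are illustrative.

```sh
#!/bin/sh
# Added example, not part of the original post: triage ModSecurity warnings
# in error_log so the noisiest rules (the usual false-positive suspects) are
# reviewed first. Sample log lines are constructed, not captured.

# summarize_modsec <error_log>: prints "count id message", most frequent
# rule first. Lines that are not ModSecurity warnings are ignored.
summarize_modsec() {
    grep 'ModSecurity: ' "$1" \
    | sed -n 's/.*\[id "\([0-9]*\)"].*\[msg "\([^"]*\)"].*/\1 \2/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# uris_for_rule <error_log> <id>: distinct URIs on which rule <id> fired.
# A rule that only ever fires on one internal URI (a monitoring probe, an
# admin form) is a strong false-positive candidate.
uris_for_rule() {
    grep "ModSecurity: .*\[id \"$2\"]" "$1" \
    | sed -n 's/.*\[uri "\([^"]*\)"].*/\1/p' | sort -u
}

# make_sample_log <path>: writes a constructed error_log extract.
make_sample_log() {
    cat > "$1" <<'EOF'
[Sat Oct 04 10:15:01 2008] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:union.{1,100}?select)" at ARGS:q. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "SOq1AX8AAAEAAAgTAAMAAAAA"]
[Sat Oct 04 10:15:09 2008] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i:union.{1,100}?select)" at ARGS:q. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"] [unique_id "SOq1CX8AAAEAAAgTAAQAAAAB"]
[Sat Oct 04 10:16:00 2008] [error] [client 203.0.113.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/monitor/ping"] [unique_id "SOq1QH8AAAEAAAgTAAUAAAAC"]
[Sat Oct 04 10:16:30 2008] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:union.{1,100}?select)" at ARGS:user. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/login"] [unique_id "SOq1Xn8AAAEAAAgTAAYAAAAD"]
[Sat Oct 04 10:17:00 2008] [error] [client 203.0.113.5] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_21_protocol_anomalies.conf"] [line "41"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/monitor/ping"] [unique_id "SOq1fH8AAAEAAAgTAAcAAAAE"]
[Sat Oct 04 10:17:30 2008] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Sat Oct 04 10:18:05 2008] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?:\.\./)" at ARGS:file. [file "/etc/httpd/conf.d/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "30"] [id "950005"] [msg "Remote File Access Attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/download"] [unique_id "SOq1nX8AAAEAAAgTAAgAAAAF"]
EOF
}

# Typical use against the live log:
#   summarize_modsec /var/log/httpd/error_log | head
#   uris_for_rule /var/log/httpd/error_log 960015
```

On the constructed sample the summary puts rule 950001 first with three hits, then 960015 with two, then 950005 with one; the two 960015 hits come from a single URI, /monitor/ping, which is the pattern of an internal monitoring check rather than an attack. The unique_id in each line matches the entry in modsec_audit.log, so the full request can be pulled up before deciding whether to disable the rule.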

A service of Onset Corps LLC, and your humble author and fellow journeyer Samuel Beam.