Apache Security – ModSecurity

Posted in: linux, security, web

Welcome to another Sysadmin & DBA Tips post. This time I explain how to install and configure ModSecurity, an open source web application firewall that protects your personal or business web applications.

Overview

With over 70% of all attacks now carried out at the web application layer, organisations need all the help they can get to keep their systems secure. A web application firewall adds an external security layer in front of the application: it inspects requests and responses, detects attacks, and can block them before they reach the application code.

Pre-Requisites

Before building ModSecurity, make sure the following components are available:
• apxs
• libxml2
• mod_unique_id

The apxs tool ships with Apache's development package (apache2-dev on Debian-style systems, httpd-devel on RHEL-style ones) and is installed by default when Apache is built from source.

The libxml2 library, together with its headers (libxml2-dev or libxml2-devel, depending on the distribution), can be installed with the server's package manager (aptitude, yum, etc.).

mod_unique_id must be built from the Apache source tree. With apxs -cia it is compiled, installed into the modules directory and activated with a LoadModule line in the Apache configuration in one step:

/usr/local/etc2/apache22/bin/apxs -cia /usr/local/etc/httpd-2.2.21/modules/metadata/mod_unique_id.c

Installation

ModSecurity on its own is only a rule engine; it needs a rule set. The OWASP ModSecurity Core Rule Set (CRS) provides generic protection against unknown vulnerabilities, which are common in web applications because most of them are custom code.

To provide generic protection for web applications, the Core Rules use the following techniques:

  • HTTP Protection – detecting violations of the HTTP protocol and of a locally defined usage policy.
  • Real-time Blacklist Lookups – using third-party IP reputation data.
  • Web-based Malware Detection – identifying malicious web content by checking it against the Google Safe Browsing API.
  • HTTP Denial of Service Protections – defending against HTTP flooding and slow HTTP DoS attacks.
  • Common Web Attacks Protection – detecting common web application attacks.
  • Automation Detection – detecting bots, crawlers, scanners and other surface-level malicious activity.
  • Integration with AV Scanning for File Uploads – detecting malicious files uploaded through the web application.
  • Tracking Sensitive Data – tracking credit card numbers and blocking leaks.
  • Trojan Protection – detecting access to Trojan horses.
  • Identification of Application Defects – alerting on application misconfigurations.
  • Error Detection and Hiding – disguising error messages sent by the server.

Mod_security

Download and install the latest stable version (2.7.3 at the time of writing; substitute the current release number in the commands below):

wget http://www.modsecurity.org/tarball/2.7.3/modsecurity-apache_2.7.3.tar.gz
tar -xvzf modsecurity-apache_2.7.3.tar.gz
cd modsecurity-apache_2.7.3
./configure --prefix=/usr/local/etc2/modsecurity --with-apxs=/usr/local/etc2/apache22/bin/apxs
make
make install

Integrating ModSecurity with Apache

Copy the module file, mod_security2.so, from $MODSECURITY_PATH/lib to $APACHE_PATH/modules:

cp -p /usr/local/etc2/modsecurity/lib/mod_security2.so /usr/local/etc2/apache22/modules

Next, load it from the Apache configuration file by adding a line that tells the web server about the new module:

LoadModule security2_module modules/mod_security2.so

ModSecurity also requires mod_unique_id to be loaded (its LoadModule line was added by apxs -cia in the prerequisites step). On some systems Apache only starts once libxml2 has been loaded explicitly with a LoadFile directive placed before the LoadModule line, as described in the ModSecurity reference manual.

Core Rules

Download the OWASP ModSecurity Core Rule Set (CRS) from the OWASP project site and unpack it; the commands in the next section run from the unpacked directory.

Configuration

Now load the ModSecurity configuration and the rules.

Copy the default configuration file shipped with the package into your Apache configuration directory (create conf/mod_security first). The recommended file references unicode.mapping through SecUnicodeMapFile, so copy that file from the same source directory next to it as well:

cd modsecurity-apache_2.7.3
cp -pr modsecurity.conf-recommended /usr/local/etc2/apache22/conf/mod_security/modsecurity.conf

Copy the rules downloaded earlier into your Apache configuration directory:

  • Copy modsecurity_crs_10_setup.conf.example to modsecurity_crs_10_setup.conf and customize the settings for your local environment:
cp -pr modsecurity_crs_10_setup.conf.example /usr/local/etc2/apache22/conf/mod_security/modsecurity_crs_10_setup.conf
  • Enable the CRS rule files you want to use by creating symlinks under the "activated_rules" directory. The loops below link every base rule together with the .data lists the rules read; optional_rules and slr_rules are better enabled one file at a time, since several of them need extra setup (Lua, GeoIP, DoS counters):
mkdir -p /usr/local/etc2/apache22/conf/mod_security/crs/activated_rules
cp -pr base_rules optional_rules slr_rules /usr/local/etc2/apache22/conf/mod_security/crs/
cd /usr/local/etc2/apache22/conf/mod_security/crs
for f in base_rules/* ; do ln -s "$PWD/$f" activated_rules/ ; done
for f in optional_rules/* ; do ln -s "$PWD/$f" activated_rules/ ; done
  • Include the setup file and the activated rules from modsecurity.conf. Include paths are relative to ServerRoot, so they must match the directory used above:
Include conf/mod_security/modsecurity_crs_10_setup.conf
Include conf/mod_security/crs/activated_rules/*.conf
  • Then include modsecurity.conf from the main Apache configuration file (httpd.conf, or apache2.conf on Debian-style layouts):
<IfModule security2_module>
Include conf/mod_security/modsecurity.conf
</IfModule>
  • Check the configuration with apachectl -t (or httpd -t), then restart the web server and confirm everything is fine.
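As an added example (not code from the original post or from the CRS project), here are the activation steps above wrapped in a small POSIX shell script that goes a little beyond the page: base rules are linked wholesale, optional rules only by name, and the result is checked for dangling links and for missing @pmFromFile data files before the Include lines are generated. The directory layout follows the paths used in this post; the function names and the optional rule named in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or the CRS project: builds the
# activated_rules layout and sanity-checks it before Apache is reloaded.
# Assumed layout: CRS_DIR contains base_rules/ and optional_rules/ as unpacked
# from the CRS tarball; the function names are assumptions.

# crs_activate CRS_DIR [optional_rule.conf ...]
# Links every base rule, together with the .data lists the rules read, into
# CRS_DIR/activated_rules. Optional rules are linked only when named, because
# several of them need extra setup. Safe to re-run: existing links are replaced.
crs_activate() {
    crs_dir=$1
    shift
    act="$crs_dir/activated_rules"
    mkdir -p "$act"
    for f in "$crs_dir"/base_rules/*; do
        [ -f "$f" ] || continue
        ln -sf "$f" "$act/$(basename "$f")"
    done
    for name in "$@"; do
        src="$crs_dir/optional_rules/$name"
        if [ ! -f "$src" ]; then
            echo "crs_activate: no such optional rule: $name" >&2
            return 1
        fi
        ln -sf "$src" "$act/$name"
    done
}

# crs_check CRS_DIR
# Returns non-zero if an activated link dangles or a rule references a
# @pmFromFile data file that is not present next to it (ModSecurity resolves
# those names relative to the directory of the rule file).
crs_check() {
    act="$1/activated_rules"
    rc=0
    for link in "$act"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            echo "crs_check: dangling link $link" >&2
            rc=1
        fi
    done
    for conf in "$act"/*.conf; do
        [ -e "$conf" ] || continue
        # pull the file names out of "@pmFromFile name.data" operators
        for data in $(sed -n 's/.*@pmFromFile \([^" ]*\).*/\1/p' "$conf"); do
            [ -e "$act/$data" ] || { echo "crs_check: $conf needs $data" >&2; rc=1; }
        done
    done
    return $rc
}

# crs_includes CRS_DIR
# Prints the two Include lines for modsecurity.conf; the setup file lives in
# CRS_DIR's parent, as in the layout used above.
crs_includes() {
    printf 'Include %s/modsecurity_crs_10_setup.conf\n' "$(dirname "$1")"
    printf 'Include %s/activated_rules/*.conf\n' "$1"
}

# Typical use with the paths from this post (the optional rule is an example):
#   crs_activate /usr/local/etc2/apache22/conf/mod_security/crs \
#       modsecurity_crs_42_comment_spam.conf
#   crs_check /usr/local/etc2/apache22/conf/mod_security/crs &&
#       crs_includes /usr/local/etc2/apache22/conf/mod_security/crs
#   then apachectl -t before restarting Apache.
```

crs_check is worth running after every CRS upgrade as well: a base rule that is renamed or a .data file that moves leaves a dangling symlink that Apache will refuse to start on, and catching it before the restart is cheaper than finding out from a down site.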

ModSecurity writes its audit log to the file specified in modsecurity.conf:

SecAuditLog /var/log/apache2/modsec_audit.log

By default the recommended configuration runs the engine in DetectionOnly mode, so you can check that normal traffic is not blocked by any core rule: matching rules still fire and are logged, but nothing is denied. Review the audit log for false positives and exclude the offending rules (SecRuleRemoveById in a file loaded after the CRS) rather than disabling whole rule files. Once you are sure no rule will break the application, change SecRuleEngine from DetectionOnly to On and reload the Apache configuration:

SecRuleEngine On
#SecRuleEngine DetectionOnly
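The decision to move from DetectionOnly to On depends on what the audit log shows, so here is an added example (not from the original post) of triaging it with a POSIX shell script. It reads the serial audit log format that SecAuditLog produces with SecAuditLogType Serial, counts hits per rule ID, lists each request that triggered rules together with the IDs it hit, and reports which engine mode the entries were produced in. The sample log entries and the function names are constructed for the example; the rule IDs are CRS 2.2.x IDs, but the events are invented.

```shell
#!/bin/sh
# Added example, not code from the original post: summarize the serial audit
# log so DetectionOnly output can be reviewed before SecRuleEngine goes to On.
# Only the H (trailer) section of each transaction is needed: one "Message:"
# line per rule that fired, an "Action: Intercepted" line when the engine
# really blocked, and the Engine-Mode the transaction ran under.

# modsec_rule_hits LOG : "<hits> <rule id> <msg>" per rule, most frequent first
modsec_rule_hits() {
    awk '
        /^--[0-9A-Za-z]+-H--$/ { in_h = 1; next }
        /^--[0-9A-Za-z]+-Z--$/ { in_h = 0; next }
        in_h && /^Message: / && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)       # drop [id " and "]
            msg = ""
            if (match($0, /\[msg "[^"]*"\]/))
                msg = substr($0, RSTART + 6, RLENGTH - 8)  # drop [msg " and "]
            hits[id]++; text[id] = msg
        }
        END { for (id in hits) printf "%d %s %s\n", hits[id], id, text[id] }
    ' "$1" | sort -rn
}

# modsec_transactions LOG : one line per transaction that triggered a rule:
# "<client ip> <method> <uri> <rule ids>", with INTERCEPTED appended when
# ModSecurity actually blocked it (never the case in DetectionOnly mode).
modsec_transactions() {
    awk '
        /^--[0-9A-Za-z]+-A--$/ { sec = "A"; client = ""; req = ""; ids = ""; blocked = 0; next }
        /^--[0-9A-Za-z]+-B--$/ { sec = "B"; next }
        /^--[0-9A-Za-z]+-H--$/ { sec = "H"; next }
        /^--[0-9A-Za-z]+-[CDEFGIJK]--$/ { sec = ""; next }
        /^--[0-9A-Za-z]+-Z--$/ {
            if (ids != "")
                printf "%s %s %s%s\n", client, req, ids, (blocked ? " INTERCEPTED" : "")
            sec = ""; next
        }
        sec == "A" && NF >= 7 { client = $4; next }        # [time] txid src_ip src_port dst_ip dst_port
        sec == "B" && req == "" { req = $1 " " $2; next }  # request line: METHOD URI
        sec == "H" && /^Message: / && match($0, /\[id "[0-9]+"\]/) {
            ids = ids (ids == "" ? "" : ",") substr($0, RSTART + 5, RLENGTH - 7)
            next
        }
        sec == "H" && /^Action: Intercepted/ { blocked = 1 }
    ' "$1"
}

# modsec_engine_modes LOG : transactions per engine mode, to confirm the
# log you are judging really was produced in DETECTION_ONLY
modsec_engine_modes() {
    awk '/^Engine-Mode: / { gsub(/"/, "", $2); n[$2]++ }
         END { for (m in n) printf "%s %d\n", m, n[m] }' "$1"
}

# Constructed sample log: a clean request, then a SQL injection probe that
# also lacked an Accept header, both logged in DetectionOnly.
modsec_sample_log() {
    cat <<'EOF'
--1a2b3c4d-A--
[13/Apr/2013:10:15:30 +0200] UWhLBn8AAQEAAAiKrJAAAAAB 192.0.2.10 54321 192.0.2.1 80
--1a2b3c4d-B--
GET /index.php HTTP/1.1
Host: www.example.com
Accept: */*

--1a2b3c4d-H--
Stopwatch: 1365840930123456 1200
Engine-Mode: "DETECTION_ONLY"

--1a2b3c4d-Z--

--5e6f7a8b-A--
[13/Apr/2013:10:16:02 +0200] UWhLIn8AAQEAAAiKrJEAAAAC 198.51.100.7 40112 192.0.2.1 80
--5e6f7a8b-B--
GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1
Host: www.example.com

--5e6f7a8b-H--
Message: Warning. Pattern match "'" at ARGS:id. [file "/usr/local/etc2/apache22/conf/mod_security/crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981318"] [msg "SQL Injection Attack: Common Injection Testing Detected"] [severity "CRITICAL"]
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/local/etc2/apache22/conf/mod_security/crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"]
Stopwatch: 1365840962000000 3100
Engine-Mode: "DETECTION_ONLY"

--5e6f7a8b-Z--
EOF
}

# On a live server: modsec_rule_hits /var/log/apache2/modsec_audit.log
```

The rule-hit table is the quickest way to spot a false positive: a rule that fires on hundreds of ordinary requests (a protocol anomaly rule tripping on a legitimate client, for instance) is a candidate for a SecRuleRemoveById exclusion, while a rule that fires once against an obvious probe like the one in the sample is working as intended.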

Additional configurations

Further configuration is possible; in my case I also set up:

  • Protection against slow HTTP DoS attacks
  • Detecting Malice with ModSecurity: Open Proxy Abuse
  • Event browsing with a web application that runs inside a servlet container and receives audit-event data from the ModSecurity module
