Thursday, February 24, 2011

ModSecurity - CentOS 5.X

ModSecurity is an open source web application firewall (WAF) engine for Apache that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. With over 10,000 deployments world-wide, ModSecurity is the most widely deployed WAF in existence.

Apache Installation
# yum install httpd-devel mod_ssl libxml2 libxml2-devel curl-devel pcre-devel gcc-c++
# /etc/init.d/httpd stop OR service httpd stop

ModSecurity Installation

# wget http://www.modsecurity.org/download/modsecurity-apache_2.5.10.tar.gz
# tar -xzvf modsecurity-apache_2.5.10.tar.gz
# cd modsecurity-apache_2.5.10
# cd apache2
# ./configure
# make
# make install
# mkdir /etc/httpd/conf/modsecurity
# cp ../modsecurity.conf-minimal /etc/httpd/conf/modsecurity/

Settings
# vi /etc/httpd/conf/httpd.conf

# ModSecurity
LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/modsecurity.conf-minimal


# service httpd start
# ls /var/log/httpd

Access Error Log

access_log  error_log  modsec_audit.log  modsec_debug.log
# tail /var/log/httpd/error_log

[Sat Oct 31 20:22:35 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Oct 31 20:22:36 2009] [notice] ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/) configured.
[Sat Oct 31 20:22:36 2009] [notice] Digest: generating secret for digest authentication ...
[Sat Oct 31 20:22:36 2009] [notice] Digest: done
[Sat Oct 31 20:22:37 2009] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
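
An added example, not part of the original post: a shell check that the four httpd.conf directives from the Settings step are active and ordered so the rules file is included only after mod_security2 is loaded, and that error_log carries the ModSecurity startup notice. The function names are hypothetical and the sample files are constructed (the log line is the one shown above).

```shell
# check_modsec_conf FILE (hypothetical helper name)
# Returns 0 when the four directives are active (not commented out) and ordered
# so that libxml2 and mod_security2 load before the rules file is included.
check_modsec_conf() {
    awk '
        $1 ~ /^#/ { next }    # ignore commented-out lines
        $1 == "LoadFile"   && $2 ~ /libxml2\.so/       { xml = NR }
        $1 == "LoadModule" && $2 == "unique_id_module" { uid = NR }
        $1 == "LoadModule" && $2 == "security2_module" { sec = NR }
        $1 == "Include"    && $2 ~ /modsecurity/       { inc = NR }
        END {
            if (!xml) { print "missing: LoadFile libxml2.so"; bad = 1 }
            if (!uid) { print "missing: LoadModule unique_id_module"; bad = 1 }
            if (!sec) { print "missing: LoadModule security2_module"; bad = 1 }
            if (!inc) { print "missing: Include of ModSecurity config"; bad = 1 }
            if (xml && sec && xml > sec) { print "order: LoadFile must precede security2_module"; bad = 1 }
            if (sec && inc && inc < sec) { print "order: Include must follow security2_module"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# modsec_started LOG (hypothetical helper name)
# Prints the version from the latest ModSecurity startup notice; returns 1 if none.
modsec_started() {
    v=$(sed -n 's|.*\[notice\] ModSecurity for Apache/\([0-9.]*\) .*configured\..*|\1|p' "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Demo on constructed sample files: the LoadModule line is commented out, so
# Apache would start without the WAF even though the other lines are present.
demo_dir=$(mktemp -d)
cat > "$demo_dir/httpd.conf" <<'EOF'
# ModSecurity
LoadFile /usr/lib/libxml2.so
LoadModule unique_id_module modules/mod_unique_id.so
#LoadModule security2_module modules/mod_security2.so
Include conf/modsecurity/modsecurity.conf-minimal
EOF
cat > "$demo_dir/error_log" <<'EOF'
[Sat Oct 31 20:22:36 2009] [notice] ModSecurity for Apache/2.5.10 (http://www.modsecurity.org/) configured.
EOF
check_modsec_conf "$demo_dir/httpd.conf" || echo "httpd.conf: ModSecurity would not load"
echo "error_log reports ModSecurity $(modsec_started "$demo_dir/error_log")"
```

On a real host, pass /etc/httpd/conf/httpd.conf and /var/log/httpd/error_log to the two functions after each configuration change.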
