Mod_Security is a Web Application Firewall that executes as a module on your web server and provides protection against various attacks on our web applications. It monitors HTTP traffic and performs real-time analysis. It’s a product developed by Breach Security and is available as free software under the GNU License. It is available for Apache, Nginx and IIS.
Mod_Security can be deployed and integrated into our current web server infrastructure, meaning that we do not have to modify our internal network, we don’t add any point of failure, we can benefit from load balancing and scalability, and we will not have any issues with compressed or encrypted data. Mod_Security is a valuable security tool and has proven to be effective. If we want to protect our web applications, this is a tool that deserves our attention.
Step 1: Enable EPEL Repository
First, add the EPEL RPM repository to your system using the following command.
# rpm -ivh http://fedora.mirror.uber.com.au/epel/6/i386/epel-release-6-7.noarch.rpm
Step 2: Install Mod_Security and Predefined Rules
Let’s install the mod_security Apache module together with its predefined rules.
# yum install mod_security mod_security_crs
Step 3: Activate the Module
Edit the ModSecurity configuration file /etc/httpd/conf.d/mod_security.conf, look for the SecRuleEngine directive and set it to the desired value:
On – Rules are activated
Off – Rules are deactivated
DetectionOnly – Only intercepts and logs transactions
Since we want to intercept and block attacks, we set it to On.
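As an added example for Step 3 (not part of the original article), the shell helper below reports the effective SecRuleEngine value and switches it between On, Off and DetectionOnly while keeping a backup copy. The function names and the sample config fragment are assumptions; the script runs against a constructed temporary file rather than the live /etc/httpd/conf.d/mod_security.conf.

```shell
#!/bin/sh
# Added example: inspect and set SecRuleEngine in a ModSecurity config file.
# Runs against a constructed sample file, not the live /etc/httpd config.

# Print the effective SecRuleEngine value: the last uncommented directive wins.
get_rule_engine() {
    awk '$1 == "SecRuleEngine" { mode = $2 }
         END { if (mode == "") exit 1; print mode }' "$1"
}

# Set SecRuleEngine to On, Off or DetectionOnly, keeping a .bak copy.
set_rule_engine() {
    file=$1 mode=$2
    case $mode in
        On|Off|DetectionOnly) ;;
        *) echo "invalid mode: $mode" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    if get_rule_engine "$file" >/dev/null; then
        # Rewrite every active directive, preserving its indentation;
        # commented-out lines are left untouched.
        sed "s/^\([[:space:]]*\)SecRuleEngine[[:space:]].*/\1SecRuleEngine $mode/" \
            "$file.bak" > "$file"
    else
        # No active directive present: append one.
        printf 'SecRuleEngine %s\n' "$mode" >> "$file"
    fi
}

# Constructed sample resembling a mod_security.conf fragment.
make_sample() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
<IfModule mod_security2.c>
    # SecRuleEngine On
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
</IfModule>
EOF
    echo "$sample"
}

conf=$(make_sample)
echo "before: $(get_rule_engine "$conf")"
set_rule_engine "$conf" On
echo "after:  $(get_rule_engine "$conf")"
rm -f "$conf" "$conf.bak"
```

The new value only takes effect after Apache is restarted.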
Step 4: Restart Apache and Check
Now we restart the Apache web service.
# service httpd restart
To confirm that our web application firewall is working we should see something like this in our Apache error logs.
# tail /var/log/httpd/error_log
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: APR compiled version="1.3.9"; loaded version="1.3.9"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LIBXML compiled version="2.7.6"
Important files to Remember
Mod Security Config File – /etc/httpd/conf.d/mod_security.conf
Debug Log – /var/log/httpd/modsec_debug.log
Audit log – /var/log/httpd/modsec_audit.log
Rules – /etc/httpd/modsecurity.d/activated_rules