Mod_Security is a Web Application Firewall that executes as a Module on your Web Server and provides protection against various attacks to our web applications. It monitors HTTP traffic and performs real-time analysis. It’s a product developed by Breach Security and is available a free software under the GNU License. It is Available for Apache, Nginx and IIS.
Mod_Security can be deployed and integrated with our current Web Servers infrastructure, meaning that we do not have to modify our internal Network, we don’t add any point of failure, we can benefit from load balancing and scalability and we would not have any issues with compress or encrypted Data. Mod_Security is a valuable security tool and have proven to be effective. If we want to protect our web applications this is a tool the deserves your attention.
Step 1 – Enable EPEL Repository
Firstly add the EPEL rpm repository in your system using the following command.
### For RHEL/CentOS 7 rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm ### For RHEL/CentOS 6 rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Step 2 – Install Mod_Security and Predefined Rules
Let’s install mod_security Apache modules with predefined rules of mod_security.
yum install mod_security mod_security_crs
Step 3 – Activate mod_security Module
Edit ModSecurity configuration file /etc/httpd/conf.d/mod_security.conf and look for the SecRuleEngine Directive on the File and configured with the Desired Value.
On – Rules are activated
Off – Rules are Deactivated
DetectionOnly – Only Intercepts and logs Transactions
Since we want to Intercept and Block Attacks we configure it with On.
Step 4 – Restart Apache and Check
After completing all the configuration, restart Apache service on your system.
service httpd restart
To confirm that our web application firewall is working we should see something like this in our Apache error logs.
tail /var/log/httpd/error_log [Sat Mar15 16 09:20:58 2014] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured. [Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: APR compiled version=”1.3.9″; loaded version=”1.3.9″ [Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: PCRE compiled version=”7.8 “; loaded version=”7.8 2008-09-05″ [Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LUA compiled version=”Lua 5.1″ [Sat Mar15 16 09:20:58 2014] [notice] ModSecurity: LIBXML compiled version=”2.7.6″
Important files to Remember
- Mod Security Config File – /etc/httpd/conf.d/mod_security.conf
- Debug Log – /var/log/httpd/modsec_debug.log
- Audit log – /var/log/httpd/modsec_audit.log
- Rules – /etc/httpd/modsecurity.d/activated_rules