Installing 'mod_security' for Apache

mod_security inspects inbound HTTP requests and blocks those that match known malicious patterns, most notably cross-site scripting (XSS) payloads, before the request reaches the script or application that would handle it. Configured correctly, it can keep vulnerable scripts and web applications hosted by Apache from being exploited; note that it mitigates the attack traffic rather than fixing the underlying vulnerability.

Installation:

Grab the source and unpack it (check for the newest version at http://www.modsecurity.org/download/).

wget http://www.modsecurity.org/download/modsecurity-apache_2.0.4.tar.gz
tar -zxvf modsecurity-apache_2.0.4.tar.gz

From here, descend into the subdirectory matching your Apache version. The unpacked directory is named after the version you actually downloaded, so substitute that name in the cd lines below if it differs.

For Apache 1.x:

cd modsecurity-apache-1.9.2/apache1

For Apache 2.x:

cd modsecurity-apache-1.9.2/apache2

Now use apxs to compile, install and activate the module (adjust the apxs path to wherever your Apache build installed it):

/etc/httpd/bin/apxs -cia mod_security.c

Since version 1.9.1, mod_security should install the module into the correct Apache modules directory and activate its LoadModule line in httpd.conf automatically; if in doubt, look for the mod_security LoadModule line in httpd.conf before continuing.

Installation is done; now we just need to add the rules.

mod_security rules:

The rules make or break the installation. They can be customized to match, and deny, any string found in inbound HTTP requests. If the rule set is too aggressive, legitimate web applications will lose functionality. The following is a very effective, yet safe, rule set template for generic and the most common known XSS attacks.

Use this hosted config, which is updated regularly with new exploit matches and safety edits (read through the rules before deploying them, since they will be applied to every request the server handles):

wget http://skullboxx.net/misc/mod_security.conf

Save this file to:

on Apache 1.3 (or cPanel machines):
/etc/httpd/conf/mod_security.conf

on Apache 2.0 (or Plesk machines):
/etc/httpd/conf.d/mod_security.conf

For Apache 1.3, add the following line to httpd.conf after the "LoadModule" section:
Include conf/mod_security.conf

For most Apache 2 installations, httpd.conf already has an Include line that loads every .conf file in conf.d/, so nothing more is needed.

Restart Apache and you're done.

To confirm that mod_security is working, check that /etc/httpd/logs/audit_log exists after the restart.
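The whole procedure above, from unpacking the source to the audit_log check, as a POSIX shell script. This is an added example and not code from the original page or from the mod_security project: the tarball name, file paths and hosted rule-set URL are the page's own, while the parsing of "httpd -v", the apxs lookup via command -v, the apachectl calls and the constructed httpd.conf sample used for the offline self-check are assumptions made for this script. The helper functions can be exercised without touching the system; the install routine only runs when the script is invoked with the argument "install".

```shell
#!/bin/sh
# Added example, not part of the original page. Paths, file names and the
# hosted rule-set URL come from the page; "httpd -v" parsing, the apxs
# lookup and the sample httpd.conf fragment are assumptions of this script.

# Map "httpd -v" output (e.g. "Server version: Apache/2.0.52") to "2.0".
apache_major_minor() {
    printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9]*\.[0-9]*\).*|\1|p'
}

# Source subdirectory to build in, per the page: apache1 or apache2.
build_subdir_for() {
    case "$1" in
        1.*) echo apache1 ;;
        2.*) echo apache2 ;;
        *)   echo "unsupported Apache version: $1" >&2; return 1 ;;
    esac
}

# Where the rule file belongs, per the page's layout for each branch.
conf_path_for() {
    case "$1" in
        1.*) echo /etc/httpd/conf/mod_security.conf ;;
        2.*) echo /etc/httpd/conf.d/mod_security.conf ;;
        *)   echo "unsupported Apache version: $1" >&2; return 1 ;;
    esac
}

# True if httpd.conf ($1) already pulls in the rule file, either directly
# or through a conf.d/ glob, so a duplicate Include is not appended.
include_present() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*(mod_security\.conf|conf\.d/)' "$1"
}

# The page's own success check: the audit log should exist after restart.
audit_log_present() {
    [ -f "${1:-/etc/httpd/logs/audit_log}" ]
}

# Full procedure; runs only via "sh script.sh install" (as root).
install_modsecurity() {
    tarball=modsecurity-apache_2.0.4.tar.gz
    version=$(apache_major_minor "$(httpd -v | head -n 1)")
    subdir=$(build_subdir_for "$version") || return 1
    conf=$(conf_path_for "$version") || return 1
    wget "http://www.modsecurity.org/download/$tarball"
    tar -zxvf "$tarball"
    # Take the directory name from the archive itself rather than
    # hard-coding a version that may not match what was downloaded.
    srcdir=$(tar -tzf "$tarball" | head -n 1 | cut -d/ -f1)
    apxs=$(command -v apxs || echo /etc/httpd/bin/apxs)
    (cd "$srcdir/$subdir" && "$apxs" -cia mod_security.c) || return 1
    wget -O "$conf" http://skullboxx.net/misc/mod_security.conf
    httpdconf=/etc/httpd/conf/httpd.conf
    include_present "$httpdconf" || echo "Include conf/mod_security.conf" >> "$httpdconf"
    apachectl configtest && apachectl restart
    audit_log_present && echo "mod_security active: audit_log present"
}

# Offline self-check on a constructed httpd.conf fragment (not a real file).
sample=$(mktemp)
printf 'LoadModule foo_module modules/mod_foo.so\nInclude conf.d/*.conf\n' > "$sample"
if include_present "$sample"; then
    echo "sample already includes conf.d/: no extra Include line needed"
fi
rm -f "$sample"

if [ "${1:-}" = install ]; then
    install_modsecurity
fi
```

The version detection drives both the build directory and the destination of the rule file, so the two cannot disagree the way a hand-typed cd and cp can; reading the source directory name out of the archive listing guards against the same mismatch between the downloaded tarball and the directory you descend into.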