HOW TO : ModSecurity

07-21-2009, 10:47 AM
Install or update to version 1.9.3; the steps are all the same.
Open Source Web Application Firewall
ModSecurity at work

ModSecurity is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.

wget http://www.web4host.net/tools/modsecurity-apache1.sh
chmod 755 modsecurity-apache1.sh
sh modsecurity-apache1.sh

Apache 2.x

wget http://www.web4host.net/tools/modsecurity-apache2.sh
chmod 755 modsecurity-apache2.sh
sh modsecurity-apache2.sh

Edit httpd.conf:

nano -w /etc/httpd/conf/httpd.conf

Find mod_security, then paste this after it:

<IfModule mod_security.c>
# Only inspect dynamic requests
#SecFilterEngine DynamicOnly

SecFilterEngine On

# Reject requests with status 500
SecFilterDefaultAction "deny,log,status:500"

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterNormalizeCookies On
# enable version 1 (RFC 2965) cookies
SecFilterCookieFormat 1

SecServerResponseToken Off

#If you want to scan the output, uncomment these
#SecFilterScanOutput On
#SecFilterOutputMimeTypes "(null) text/html text/plain"

# Accept almost all byte values
SecFilterForceByteRange 1 255

# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
SecServerSignature "Power MOD by web4host.net"

#SecUploadDir /tmp
#SecUploadKeepFiles Off

# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log

# Use one rule set only - remove the # to activate it
# V1.0
#Include /etc/modsecurity/mini1.conf
# V2.0
#Include /etc/modsecurity/mini2.conf
# V3.0
#Include /etc/modsecurity/mini3.conf
# V4.0
#Include /etc/modsecurity/mini.conf
# V5.0
#Include /etc/modsecurity/mini.conf
</IfModule>

Search for the ‘AddModule’ string, and make sure that the line AddModule mod_security.c is present.

Do a safe Apache restart:

/sbin/service httpd restart

Remove the # to activate the rules (V1.0 = low load / V5.0 = more load).

If you want to update the mini rules:

wget http://www.web4host.net/tools/modsecurity-rule.sh
chmod 755 modsecurity-rule.sh

If you use APF with a big blacklist, your server load goes higher than normal; use KISS and you will see a stable, normal load.
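
Added example (not part of the original posts, and not web4host's or ModSecurity's own code): a pre-restart check for the ModSecurity 1.x block from the how-to above. It verifies that the <IfModule mod_security.c> block is closed, that SecFilterEngine is enabled, and that exactly one rule Include is active. The names check_modsec_block and sample_conf are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example; check_modsec_block and sample_conf are hypothetical names.
# Reads an Apache config (file argument or stdin), prints one line per problem
# found in the <IfModule mod_security.c> block, and returns 1 if there are any.
check_modsec_block() {
    problems=$(awk '
        /^[ \t]*<IfModule[ \t]+mod_security\.c>/ { inblock = 1; opened = 1; next }
        inblock && /^[ \t]*<\/IfModule>/ { inblock = 0; next }
        !inblock || /^[ \t]*#/ { next }    # ignore other sections and comments
        /^[ \t]*SecFilterEngine[ \t]+(On|DynamicOnly)[ \t]*$/ { engine = 1 }
        /^[ \t]*Include[ \t]+/ { includes++ }
        END {
            if (!opened) { print "no <IfModule mod_security.c> block found"; exit }
            if (inblock) print "<IfModule mod_security.c> is never closed"
            if (!engine) print "SecFilterEngine is not On or DynamicOnly"
            if (includes != 1)
                print "expected exactly 1 active rule Include, found " (includes + 0)
        }' "$@")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample: an abridged block with no closing tag and every
# rule Include still commented out.
sample_conf() {
    cat <<'EOF'
<IfModule mod_security.c>
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
#Include /etc/modsecurity/mini1.conf
#Include /etc/modsecurity/mini2.conf
EOF
}

# Demo on the constructed sample; both problems are reported.
sample_conf | check_modsec_block || echo "fix the block before restarting httpd"
```

Run it as check_modsec_block /etc/httpd/conf/httpd.conf before /sbin/service httpd restart; it complements apachectl configtest, which checks syntax but not whether a rule set is actually enabled.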

08-10-2009, 04:09 PM
Nice how to. :)

If you are receiving the mod_security error "access denied with error code 403", then you can disable mod_security for that account by adding this simple code to its .htaccess:

SecFilterEngine Off
SecFilterScanPOST Off

11-25-2009, 09:11 AM
Use the below in httpd.conf, in your virtualhost.

On a cPanel server, .htaccess does not disable mod_security.

<IfModule mod_security2.c>

SecRuleEngine off
</IfModule>