Apache mod-security installation on Debian 6.0 (squeeze)

Monday, January 2, 2012 posted by Till

Install the apache mod-security 2 module with apt from the Debian repositories

apt-get install libapache-mod-security

Create the folder for the mod-security configuration files

mkdir /etc/apache2/mod-security
chmod 600 /etc/apache2/mod-security

Download and unpack the mod-security rules

cd /tmp
wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz
tar fvx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/mod-security/
ln -s /var/log/apache2 /etc/apache2/logs

Configure Apache to load the activated mod-security rules by creating the following file and adding the Include line to it

vi /etc/apache2/conf.d/mod-security.conf

Include /etc/apache2/mod-security/*.conf

To enable mod-security, edit the file

vi /etc/apache2/mod-security/modsecurity_crs_10_config.conf

and remove the # in front of the line:

SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

Then reload apache.

/etc/init.d/apache2 force-reload

Mod-security will now start blocking hack attempts against your websites and log its actions to the file /var/log/apache2/modsec_audit.log.

tail /var/log/apache2/modsec_audit.log

You will very likely see some falsely blocked URLs. To whitelist them, add the IDs of the rules that should not be applied to the whitelist file.

Example:

vi /etc/apache2/mod-security/modsecurity_crs_99_whitelist.conf

SecRuleRemoveById 960015
SecRuleRemoveById 960016
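
Before a rule ID goes into the whitelist file, it helps to see which rule denied which URL and how often, because SecRuleRemoveById switches the rule off for every request handled by this configuration. The script below is an added example and not part of the original guide: it tallies denied requests per rule ID and request path from the audit log. It assumes the serial audit-log layout with parts A, B and H enabled; the sample log, its transaction IDs and its messages are constructed.

```python
import re
from collections import Counter
# Constructed sample in the ModSecurity 2.x serial audit-log layout (not real traffic).
SAMPLE_LOG = """\
--1a2b3c4d-A--
[02/Jan/2012:10:15:01 +0100] SAMPLEID0001 192.0.2.10 51234 192.0.2.1 80
--1a2b3c4d-B--
GET /feed.php?cat=news HTTP/1.1
--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). [id "960015"] [msg "constructed"]
--1a2b3c4d-Z--
--2b3c4d5e-A--
[02/Jan/2012:10:15:07 +0100] SAMPLEID0002 192.0.2.11 51300 192.0.2.1 80
--2b3c4d5e-B--
GET /feed.php?cat=sport HTTP/1.1
--2b3c4d5e-H--
Message: Warning. Pattern match at ARGS. [id "960016"] [msg "constructed"]
Message: Access denied with code 403 (phase 2). [id "960015"] [msg "constructed"]
--2b3c4d5e-Z--
--3c4d5e6f-A--
[02/Jan/2012:10:16:30 +0100] SAMPLEID0003 192.0.2.12 51411 192.0.2.1 80
--3c4d5e6f-B--
POST /admin/login.php HTTP/1.1
--3c4d5e6f-H--
Message: Access denied with code 403 (phase 2). [id "960016"] [msg "constructed"]
--3c4d5e6f-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def blocked_rules(log_text):
    """Count (rule id, request path) pairs for denied requests; warnings are ignored."""
    hits, part, path = Counter(), None, None
    for line in log_text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            path = None if part == "A" else path    # part A opens a new transaction
        elif part == "B" and path is None and line:
            fields = line.split()                   # request line: METHOD URI PROTOCOL
            path = fields[1].split("?", 1)[0] if len(fields) > 1 else "-"
        elif part == "H" and line.startswith("Message: Access denied"):
            hits.update((rid, path or "-") for rid in RULE_ID.findall(line))
    return hits

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (rid, path), n in blocked_rules(text).most_common():
        print(f"{n:5d}  rule {rid}  {path}")
```

Run it with /var/log/apache2/modsec_audit.log as the argument; without an argument it prints the tally for the constructed sample.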

8 Responses to “Apache mod-security installation on Debian 6.0 (squeeze)”

  1. great ! It helped me so much with Apache, thank you !

  2. tn pas cher says:

    I did it, but the problem is not resolved. Is it due to the version of Apache?

    • Javier says:

      TN, is your issue related to %{unique_id}? I must update to mod-security 2.7.0 to be able to use {unique_id} on a redirect inside the SecRule.

  3. 10x says:

    Thanks a lot dude.
    Very useful.
    Keep up.

  4. ahoff says:

    Great work!
    Thanks a lot

  5. Dennis says:

    I am not sure what’s with the downloading of modsecurity-core-rules_2.5-1.6.1, but the link provided in this article does not exist. Plus Debian Squeeze runs chrooted and there is a dependency called mod-security-common that is automatically loaded / installed together with libapache-mod-security. The mod-security-common package places all the files you need (modsecurity-crs) into /usr/share/doc/mod-security-common. Now simply move them around, create symlinks, etc. There is no need to download them twice, first together with apt-get install libapache-mod-security and then a second time from wget http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz (this link does not exist, as mentioned earlier).

    The crucial part here is how to start this “thing” and the place where it says vi /etc/apache2/conf.d/mod-security.conf (the “mod-security.conf” file has to be created manually if not done via vim) in order to put in there Include /etc/apache2/mod-security/*.conf is the most important to understand.

    I thought I would clarify a few things as the article is real good.

    • Till says:

      The download link in the guide works for me and I used it a few days ago on a server successfully. Maybe the server was offline at the time you tried it.

  6. ruud says:

    There are more rulesets, e.g. OWASP ModSecurity Core Rule Set (see http://spiderlabs.github.io/owasp-modsecurity-crs/).

    Is there a reason why you use the rather old (2008) http://www.modsecurity.org/download/modsecurity-core-rules_2.5-1.6.1.tar.gz ruleset?
