Tuesday, June 15, 2010

Red Hat / CentOS Install mod_security

SkyHi @ Tuesday, June 15, 2010

Simply type the following command as root user:

# rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

List new repo:

# yum repolist

Sample output:

Loading "skip-broken" plugin
Loading "fastestmirror" plugin
repo id repo name status
addons CentOS-5 - Addons enabled
base CentOS-5 - Base enabled
epel Extra Packages for Enterprise Linux 5 - enabled
extras CentOS-5 - Extras enabled
updates CentOS-5 - Updates enabled

Once the repo is installed, use the yum command to list, view and install packages:

# yum search package-name

# yum install package-name

See how to use the yum command to install and search for packages from various repos.

How do I install ModSecurity, an open source intrusion detection and prevention engine for web applications, on a CentOS / RHEL / Red Hat Enterprise Linux 5.x server?

ModSecurity runs embedded in the web server (httpd), acting as a powerful umbrella that shields web applications from attacks. In order to use mod_security, you need to enable the EPEL repo under CentOS / RHEL Linux as shown above. Once the repo is enabled, type the following command to install ModSecurity:

# yum install mod_security

Sample output:

Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
 * epel: www.gtlib.gatech.edu
 * base: mirror.skiplink.com
 * updates: centos.aol.com
 * addons: mirror.cs.vt.edu
 * extras: mirror.trouble-free.net
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch        Version            Repository        Size
================================================================================
Installing:
 mod_security       x86_64      2.5.9-1.el5        epel              935 k

Transaction Summary
================================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm                      | 935 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : mod_security                                      [1/1]

Installed: mod_security.x86_64 0:2.5.9-1.el5
Complete!

mod_security configuration files

  1. /etc/httpd/conf.d/mod_security.conf - main configuration file for the mod_security Apache module.
  2. /etc/httpd/modsecurity.d/ - all other configuration files for the mod_security Apache module.
  3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf - the configuration in this file should be customized for your specific requirements before deployment.
  4. /var/log/httpd/modsec_debug.log - debug log; use its messages when debugging mod_security rules and other problems.
  5. /var/log/httpd/modsec_audit.log - audit log; all requests that trigger a ModSecurity event (as detected) or a server error are logged into this file ("RelevantOnly").

Open /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:

# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf

Make sure SecRuleEngine is set to "On" so that the web server is protected from attacks:

SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:

# service httpd restart

Make sure everything is working:

# tail -f /var/log/httpd/error_log

Sample output:

[Sat May 09 23:18:31 2009] [notice] caught SIGTERM, shutting down
[Sat May 09 23:18:33 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat May 09 23:18:34 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat May 09 23:18:34 2009] [notice] Original server signature: Apache/2.2.3 (CentOS)
[Sat May 09 23:18:34 2009] [notice] Digest: generating secret for digest authentication ...
[Sat May 09 23:18:34 2009] [notice] Digest: done
[Sat May 09 23:18:35 2009] [notice] Apache/2.2.0 (Fedora) configured -- resuming normal operations
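The two checks above (SecRuleEngine really set to On, and httpd reporting ModSecurity as configured after the restart) can be scripted. The following is an added example, not part of the original post: it reads the effective SecRuleEngine value the way Apache does (last uncommented directive wins) and greps error_log for the startup notice; with no arguments it runs against a constructed sample config and log.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# ModSecurity setup above. Pass the real config and error_log paths to check
# a server; with no arguments it runs against constructed sample input.

# Print the effective SecRuleEngine value from a config file. Apache reads
# directives top to bottom, so the last uncommented SecRuleEngine wins;
# directive names are case-insensitive. Prints "unset" if none is present.
effective_rule_engine() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "secruleengine" { val = $2 }
         END { print (val == "" ? "unset" : val) }' "$1"
}

# Succeed only when the engine blocks ("On"). DetectionOnly logs without
# blocking, and Off disables ModSecurity processing entirely.
rule_engine_is_blocking() {
    [ "$(effective_rule_engine "$1")" = "On" ]
}

# Succeed when error_log contains the notice a successful httpd restart
# with ModSecurity emits (see the sample output above).
modsecurity_loaded() {
    grep -q 'ModSecurity for Apache/[0-9.]* (.*) configured\.' "$1"
}

# Report both checks for the given config file and error_log.
check_modsecurity() {
    printf 'SecRuleEngine: %s\n' "$(effective_rule_engine "$1")"
    if rule_engine_is_blocking "$1"; then
        echo "OK: rule engine is On (blocking)"
    else
        echo "WARN: rule engine is not On; requests are logged at most, not blocked"
    fi
    if modsecurity_loaded "$2"; then
        echo "OK: httpd reports ModSecurity configured"
    else
        echo "WARN: no ModSecurity notice in $2; is the module loaded?"
    fi
}

if [ $# -ge 2 ]; then
    check_modsecurity "$1" "$2"
else
    # Constructed sample input: a commented-out Off, DetectionOnly overridden
    # by a later On, and the startup notice line copied from the post above.
    tmp=$(mktemp -d)
    printf '# SecRuleEngine Off\nSecRuleEngine DetectionOnly\nSecRuleEngine On\n' > "$tmp/crs.conf"
    printf '[notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.\n' > "$tmp/error_log"
    check_modsecurity "$tmp/crs.conf" "$tmp/error_log"
    rm -r "$tmp"
fi
```

On a live server run it as `sh modsec_check.sh /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf /var/log/httpd/error_log`; a WARN on the first check usually means a later file in modsecurity.d or a DetectionOnly line overrides the On you added.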

Refer to the mod_security documentation to understand the security policies.