Thursday, April 15, 2010

mod_security setup on CentOS 5.4

Enable the EPEL repository.


rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm


Install via yum.


yum install mod_security


This installs the basic mod_security configuration, including the Core Rule Set (CRS), under /etc/httpd/modsecurity.d/.

Next I had to set SecDataDir in the config. It was not set initially, and errors of the following form appeared in the log file.


ModSecurity: Unable to retrieve collection (name "", key ""). Use SecDataDir to define data directory first.


Fixed this by adding a SecDataDir directive to the config and creating the directory it points at, making sure the apache user owns it so httpd can write the persistent collections there.


vim /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
( Added SecDataDir /usr/local/apache/modsec_data )
mkdir /usr/local/apache
mkdir /usr/local/apache/modsec_data
chown apache:apache /usr/local/apache/modsec_data
chown apache:apache /usr/local/apache


After a restart mod_security successfully began applying rules, but rather than blocking matching requests (my intention) it merely logged warnings. I changed the SecDefaultAction in /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf from


SecDefaultAction "phase:2,pass"


to


SecDefaultAction "phase:2,deny,log,status:403"
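The two config changes above, as an added example (this is not code from the original post): a POSIX shell script that sets SecDataDir and the blocking SecDefaultAction idempotently and lets you read back the directives before restarting. It assumes the paths used in the post (CONF and DATADIR can be overridden in the environment to try it on a copy), that the worker user is apache as on CentOS, and that `httpd -t` and `service httpd restart` are available; the chmod 750 is my addition, not something the post did.

```sh
#!/bin/sh
# Added example, not part of the original post: apply the SecDataDir and
# SecDefaultAction changes from the walkthrough in an idempotent, checkable way.
# Paths default to the ones used in the post (assumption: EPEL layout on CentOS 5);
# override CONF and DATADIR in the environment to test against a copy.
CONF="${CONF:-/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf}"
DATADIR="${DATADIR:-/usr/local/apache/modsec_data}"
BLOCKING='"phase:2,deny,log,status:403"'

# Make sure the file ends with a newline so an appended directive starts on its own line.
ensure_trailing_newline() {
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        echo >> "$1"
    fi
}

# Replace every line starting with directive $2 in config $1 with "$2 $3",
# or append the directive if the file has none. Safe to run repeatedly.
set_directive() {
    conf="$1"; name="$2"; value="$3"
    if grep -q "^[[:space:]]*$name[[:space:]]" "$conf"; then
        sed "s|^[[:space:]]*$name[[:space:]].*|$name $value|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        ensure_trailing_newline "$conf"
        printf '%s %s\n' "$name" "$value" >> "$conf"
    fi
}

# Print the value of the first occurrence of directive $2 in config $1
# (empty output if it is not set). Used to verify the edit before a restart.
get_directive() {
    awk -v d="$2" '$1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Create the persistent storage directory and give the httpd worker user
# (apache on CentOS) ownership, as the post did with mkdir/chown.
# chmod 750 is an addition: nothing else needs to read the collections.
prepare_datadir() {
    mkdir -p "$1" && chown apache:apache "$1" && chmod 750 "$1"
}

apply_all() {
    prepare_datadir "$DATADIR"
    set_directive "$CONF" SecDataDir "$DATADIR"
    set_directive "$CONF" SecDefaultAction "$BLOCKING"
    # Refuse to restart on a syntax error; a broken config leaves the site down.
    httpd -t && service httpd restart
}

# Only touch the live system when explicitly asked: ./modsec-fix.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Two caveats before running this against a production host. First, a deny default applies to every CRS rule that does not carry its own disruptive action, so any false positive that used to be a log line now returns a 403 to the user; run with the original pass action (or SecRuleEngine DetectionOnly) against real traffic and clear the false positives first, and remember that deny only takes effect when SecRuleEngine is On. Second, keep SecDataDir outside DocumentRoot and readable only by the apache user, since the collections stored there contain per-client state.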

