How to install ModSecurity on Apache for CentOS 7

ModSecurity Introduction

ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. you can consider it as an enabler, there are no hard rules telling you what to do, instead, it is up to you to choose your own path through the available features. The freedom to choose what to do is an essential part of ModSecurity’s identity and goes very well with its open source nature. With full access to the source code, your freedom to choose extends to the ability to customize and extend the tool itself to make it fit your needs.

Install ModSecurity

 

yum install mod_security

Verify if the ModSecurity module was loaded with your Apache:

apachectl -M | grep --color sec

You should see a module named “security2_module (shared)” which indicates that the module was loaded.

The installation includes a recommended configuration file which has to be renamed with the command below:

mv /etc/modsecurity/modsecurity.conf{-recommended,}

Restart Apache:

systemctl restart apache2 systemctl restart httpd

Configuring ModSecurity

If you want to add rules or edit some existing rules you should open the “modsecurity.conf” and make changes. Here we are going to point to some common rules and configurations:

vi /etc/modsecurity/modsecurity.conf

Find the following line:

SecRuleEngine DetectionOnly

And change it like below:

SecRuleEngine On

Another directive to modify is “SecResponseBodyAccess” This configures whether response bodies are buffered. This is only necessary if data leakage detection and protection is required. Therefore, leaving it On will use up servers resources and also increase the log file size.

Find the following line:

SecResponseBodyAccess On

And turn it off like below:

SecResponseBodyAccess Off

We also can limit the maximum data that can be posted to your web application:

SecRequestBodyLimit
SecRequestBodyNoFilesLimit

The “SecRequestBodyLimit” specifies the maximum post data size. If anything larger is sent by a client the server will respond with a “413 Request Entity Too Large” error. If your web application doesn’t have any file uploads this value can be greatly reduced.

The default value of the configuration file is:

SecRequestBodyLimit 13107200

Rule-Set Recommendation

You can also use free ModSecurity  rules provided by Cybersecurity companies like Comodo.

 

Related posts

Leave a Comment