Enable the mod_security module to configure a Web Application Firewall (WAF) for enhanced security.
Install mod_security to add firewall capabilities to Apache.
# Install mod_security from EPEL
[root@www ~]# dnf -y install mod_security
After installation, the default configuration is placed in /etc/httpd/conf.d/mod_security.conf. You can modify these settings and add your own rules.
# Check the default mod_security configuration
[root@www ~]# cat /etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
...
</IfModule>
To run the module in detection-only mode, where rules are evaluated and matches are logged but requests are not blocked, set the SecRuleEngine parameter to DetectionOnly.
Custom rules in mod_security follow the format: SecRule VARIABLES OPERATOR [ACTIONS]. Refer to the official ModSecurity documentation for detailed guidance.
For example, add specific rules to a configuration file and verify their functionality.
# Edit local rules file
[root@www ~]# vi /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf
# Add custom rules
SecDefaultAction "phase:2,deny,log,status:406"
SecRule REQUEST_URI "etc/passwd" "id:'500001'"
SecRule REQUEST_URI "\.\./" "id:'500002'"
SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"
SecRule ARGS "[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]" "id:'500004'"
# Restart httpd to apply changes
[root@www ~]# systemctl restart httpd
Access URLs containing the words set in your rules to verify that mod_security is functioning correctly.
Examine the mod_security logs to understand its actions and triggered rules.
# View mod_security audit logs
[root@www ~]# cat /var/log/httpd/modsec_audit.log
...
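As an added example (not part of the original tutorial), the following Python script summarizes the audit log per rule ID, showing which of the custom rules 500001 to 500004 fired and whether each request was blocked or only logged. The embedded entries are constructed and assume the ModSecurity 2.x serial audit-log layout; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample (not real traffic), trimmed to audit-log parts A, B and H.
SAMPLE_LOG = '''\
--5f3a9c01-A--
[10/Mar/2024:10:15:32 +0900] ZcAAAAAAAAAAAAAAAAAAAAAA 192.0.2.10 51234 192.0.2.1 80
--5f3a9c01-B--
GET /?file=/etc/passwd HTTP/1.1
--5f3a9c01-H--
Message: Access denied with code 406 (phase 2). Pattern match "etc/passwd" at REQUEST_URI. [file "/etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf"] [line "2"] [id "500001"]
Action: Intercepted (phase 2)
--5f3a9c01-Z--
--7b21e4d2-A--
[10/Mar/2024:10:16:05 +0900] ZcBBBBBBBBBBBBBBBBBBBBBB 192.0.2.11 51240 192.0.2.1 80
--7b21e4d2-B--
GET /search?q=select+from+menu HTTP/1.1
--7b21e4d2-H--
Message: Warning. Pattern match "[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]" at ARGS:q. [file "/etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf"] [line "5"] [id "500004"]
--7b21e4d2-Z--
'''
BOUNDARY = re.compile(r'^--(\w+)-([A-Z])--$')
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_audit_log(text):
    """Return one dict per transaction: client, request line, rule ids, blocked."""
    entries, cur, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            if part == 'A':  # part A opens a new transaction
                cur = {'client': None, 'request': None, 'rule_ids': [], 'blocked': False}
                entries.append(cur)
        elif cur is None or not line:
            continue
        elif part == 'A' and cur['client'] is None:
            cur['client'] = line.split('] ', 1)[1].split()[1]  # [time] uniqueid src-ip ...
        elif part == 'B' and cur['request'] is None:
            cur['request'] = line  # first line of the request headers
        elif part == 'H' and line.startswith('Message:'):
            cur['rule_ids'] += RULE_ID.findall(line)
        elif part == 'H' and line.startswith('Action: Intercepted'):
            cur['blocked'] = True  # the request was actually denied
    return entries

def hits_per_rule(entries):
    """Count matches per rule id, the figure to watch when tuning false positives."""
    return Counter(rid for e in entries for rid in e['rule_ids'])
```

The second constructed entry is an ordinary search phrase that matches rule 500004, the kind of hit to look for in detection-only mode before enforcing a rule.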
General rules provided by the official repository can be easily applied. However, customization may be required to avoid blocking legitimate requests.
# Install general rules from CRS
[root@www ~]# dnf -y install mod_security_crs
# Verify rules placement
[root@www ~]# ll /usr/share/mod_modsecurity_crs/rules
...
The OWASP ModSecurity CRS provides a set of generic attack detection rules that offer protection against a wide range of attack categories. Follow these steps to download and configure the latest set:
Install Git on CentOS if it's not already installed:
sudo yum install git
Clone the OWASP CRS repository:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
This command downloads a copy of the CRS as a subdirectory in your current working location.
Navigate to the downloaded directory:
cd owasp-modsecurity-crs
Move the crs-setup.conf file:
sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
Move the rules/ directory:
sudo mv rules/ /etc/modsecurity
In case of an error while moving the directory:
sudo mkdir /etc/modsecurity/rules
cd rules
sudo cp *.* /etc/modsecurity/rules
Check and update your mod_security.conf file:
sudo vim /etc/httpd/conf.d/mod_security.conf
Ensure these lines are included and uncommented:
IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf
Add them if they're not present, but do not add a line that is already there: duplicated includes can prevent Apache from starting.
Restart Apache to apply the new rules:
sudo systemctl restart httpd.service
mod_security enhances the security of your web applications by acting as a Web Application Firewall, allowing you to define custom rules and utilize predefined rule sets.