This article is a short walk-through demonstrating the process of installing and configuring mod_security on Apache. In this tutorial, we’ll be using CentOS 7. We’re starting with a pre-configured and running web server running httpd listening on port 80 and 443. There’s no other services such as Varnishor Nginx running.
Install mod_security:
yum install mod_security
Restart apache to enable the mod_security module:
systemctl restart httpd
Monitor the logs:
tail -f /var/log/httpd/modsec_audit.log
It’s important to know how to (and actually do) monitor the logs. An unconfigured apache server running mod_security will almost certainly start blocking valid requests. Therefore, when that happens you need to know how to respond and add exceptions for false-positives. The remainder of this article explains this.
To test that the mod_security module is working, we can add a custom rule that’s easy to trigger. Add the following rule to your “/etc/httpd/conf.d/mod_security.conf” file under the line “SecRuleEngine On”:
SecRule ARGS "XXX" "t:normalisePathWin,id:98765,severity:4,msg:'AGIX ALERT!'"
Restart apache again and monitor the logs for the line like:
Message: Warning. Pattern match "XXX" at ARGS:x. [file "/etc/httpd/conf.d/mod_security.conf"] [line "9"] [id "98765"] [msg "AGIX ALERT!"] [severity "WARNING"]
You can trigger the above by visiting the web server as demonstrated here. Notice the “XXX” in the above and following examples. That is what mod_security is looking for in this example:
http://<example-site>/?x=XXX
Now we can be sure mod_security is working. Now let’s add an exception to that new rule. yes, this is pointless as we’d simply remove the rule but this method can also be used to create exceptions to built-in rules. Add the following line right below the one we added earlier in the “/etc/httpd/conf.d/mod_security.conf” file:
SecRuleRemoveById 98765
Restart apache to have the changes take effect. Now monitor your logs and you will not see any further entries for the rule with ID 98765.
