Hardening Apache with mod_security on CentOS 7

This guide covers the installation and configuration of mod_security (with the OWASP ModSecurity CRS) on Apache, on a CentOS 7 VPS.

mod_security addresses important security issues with web servers. Our instructions are for a basic Apache web server with minimal configuration. The objective is to get you up and running, and let you configure further.

We will also install mod_evasive. Both modules act as application-layer firewalls that can be configured to spot behavior patterns common to threats such as DoS, DDoS, and malware.

The instructions are for a fresh installation, not an upgrade, and they were tested and saved to video on a CentOS 7 64-bit minimal VPS.

Requirements:

Before we start

We will be making changes to restrict unauthorized access to your web server. This means you could accidentally lose partial or full access to the server. This should not be attempted on a live production server, without first trying it on a test server to make sure it works. We cannot help you if something goes wrong. Please be careful.

Installing mod_security

  • Start with an update: sudo yum update

  • sudo yum install mod_security

Installing mod_evasive

  • sudo yum install mod_evasive

Configure

You will find two new files under /etc/httpd/conf.d

  • cd /etc/httpd/conf.d
  • ls -ls

The output should list the configuration files for both modules:

    4 -rw-r--r-- 1 root root 3475 Jun 16 13:24 mod_evasive.conf
    4 -rw-r--r-- 1 root root 2139 Jun 9 2014 mod_security.conf

Let's edit each file:

  • sudo nano mod_security.conf

Look for the following line at the start of the file:

  • LoadModule security2_module modules/mod_security2.so

If the line is not present, paste it in (copy here, line up your cursor and right click) at the very top of the file.

We will do the same exercise with mod_evasive:

  • sudo nano mod_evasive.conf

Look for the following line at the start of the file:

  • LoadModule evasive20_module modules/mod_evasive20.so

If the line is not present, paste it in (copy here, line up your cursor and right click) at the very top of the file.

Restart Apache:

sudo service httpd restart

Configuring mod_security

mod_security requires a rule set before it starts protecting us. Let's create a directory to pull the latest Core Rule Set from OWASP:

  • cd /etc/httpd
  • sudo mkdir crs
  • cd crs
  • sudo wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
  • sudo tar xzf master

We want to move the directory SpiderLabs-owasp-modsecurity-crs-something to owasp-modsecurity-crs:

  • sudo mv SpiderLabs-owasp-modsecurity-crs-* owasp-modsecurity-crs

Let's move into that directory, and set up the configuration file:

  • cd owasp-modsecurity-crs

Let's copy the example configuration file to a working configuration:

  • sudo cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Finally, we will tell Apache to use these rules:

  • cd /etc/httpd/conf/
  • sudo nano httpd.conf

First, we will check whether the module code is already present. I did a search (Ctrl-W) for security2. Since I didn't find anything, I am adding these lines at the end of the file:

    <IfModule security2_module>
        Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
        Include crs/owasp-modsecurity-crs/base_rules/*.conf
    </IfModule>

Restart Apache:

sudo service httpd restart

mod_security is now installed and configured minimally.
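
The steps above touch three files and one directory, and a commented-out or mistyped directive is easy to miss. The following is an added example, not part of the original article: a shell function that checks a directory tree for the directives and files this guide sets up. The function names (has_directive, check_waf_config, make_sample_tree) are hypothetical, and the sample tree is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): offline check that the files edited in
# this guide contain the expected directives. Function names are hypothetical.

# has_directive FILE ERE: true if an uncommented line in FILE matches ERE.
has_directive() {
    [ -r "$1" ] && grep -Eq "^[[:space:]]*$2" "$1"
}

# check_waf_config [ROOT]: print one line per problem; exit status = problem count.
check_waf_config() (
    root=${1:-/etc/httpd}
    crs=$root/crs/owasp-modsecurity-crs
    n=0
    miss() { echo "missing: $1"; n=$((n + 1)); }

    has_directive "$root/conf.d/mod_security.conf" \
        'LoadModule[[:space:]]+security2_module[[:space:]]' ||
        miss "LoadModule security2_module (conf.d/mod_security.conf)"
    has_directive "$root/conf.d/mod_evasive.conf" \
        'LoadModule[[:space:]]+evasive20_module[[:space:]]' ||
        miss "LoadModule evasive20_module (conf.d/mod_evasive.conf)"
    [ -f "$crs/modsecurity_crs_10_setup.conf" ] ||
        miss "modsecurity_crs_10_setup.conf (copy it from the .example file)"
    ls "$crs"/base_rules/*.conf >/dev/null 2>&1 ||
        miss "rule files in crs/owasp-modsecurity-crs/base_rules"
    has_directive "$root/conf/httpd.conf" \
        'Include[[:space:]]+crs/owasp-modsecurity-crs/modsecurity_crs_10_setup\.conf' ||
        miss "Include of modsecurity_crs_10_setup.conf (conf/httpd.conf)"
    has_directive "$root/conf/httpd.conf" \
        'Include[[:space:]]+crs/owasp-modsecurity-crs/base_rules/\*\.conf' ||
        miss "Include of base_rules/*.conf (conf/httpd.conf)"
    exit "$n"
)

# make_sample_tree DIR: constructed stand-in for /etc/httpd after the steps above.
make_sample_tree() {
    mkdir -p "$1/conf" "$1/conf.d" "$1/crs/owasp-modsecurity-crs/base_rules"
    echo 'LoadModule security2_module modules/mod_security2.so' > "$1/conf.d/mod_security.conf"
    echo 'LoadModule evasive20_module modules/mod_evasive20.so' > "$1/conf.d/mod_evasive.conf"
    touch "$1/crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf" \
          "$1/crs/owasp-modsecurity-crs/base_rules/constructed_sample.conf"
    printf '%s\n' '<IfModule security2_module>' \
        '    Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf' \
        '    Include crs/owasp-modsecurity-crs/base_rules/*.conf' \
        '</IfModule>' > "$1/conf/httpd.conf"
}
```

Calling check_waf_config with no argument checks /etc/httpd on the server itself. It only looks for the presence of directives, so apachectl configtest remains the check for syntax errors.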

mod_evasive does not require any additional changes. You can tweak the configuration file and make appropriate changes as needed:

  • sudo nano /etc/httpd/conf.d/mod_evasive.conf

From here, you can enable items by removing the # in front of them, and change some of the settings.

There is very little web documentation for mod_evasive; however, the mod_evasive.conf file contains enough information to explain each setting. Just read it carefully.

Advanced mod_security

mod_security can be used to protect applications ranging from very simple to complex. We cannot cover everything in one article; however, we encourage you to visit the OWASP ModSecurity Core Rule Set (CRS).

Because each directive you issue has memory and CPU overhead, you should carefully consider your application's needs and your threat profile. OWASP addresses best practices in their guide, OWASP Best Practices: Use of Web Application Firewalls.

If you want to test, OWASP offers an excellent guide you can download from their site.

