CentOS 7 VPS, installation and configuration of mod_security (with OWASP ModSecurity CRS) on Apache.
mod_security addresses important security issues with web servers. Our instructions are for a basic Apache web server with minimal configuration. The objective is to get you up and running, and let you configure further.
We will also install mod_evasive. Both modules act as application-layer firewalls: they can be configured to recognise request patterns typical of threats such as DoS and DDoS attacks, malware, and so on.
The instructions are for a fresh installation, not an upgrade, and they were tested (and recorded on video) on a CentOS 7 64-bit minimal VPS.
- Instructions were verified on InterServer’s OpenVZ VPS Hosting, with CentOS 7 64-bit (instructions are for minimal distribution, but should work for regular distribution as well).
- Putty or similar SSH client
- root login and password or an account capable of sudo
- Apache web server
- EPEL repository enabled (a simple, one-step installation)
- nano or similar text editor installed
Before we start
We will be making changes to restrict unauthorized access to your web server. This means you could accidentally lose partial or full access to the server. This should not be attempted on a live production server without first trying it on a test server to make sure it works. We cannot help you if something goes wrong. Please be careful.
We will start with an update, then install both modules:
sudo yum update
sudo yum install mod_security
sudo yum install mod_evasive
You will find two new files under /etc/httpd/conf.d. Listing that directory (for example with ls -ls /etc/httpd/conf.d) should show both of them:
4 -rw-r--r-- 1 root root 3475 Jun 16 13:24 mod_evasive.conf
4 -rw-r--r-- 1 root root 2139 Jun  9  2014 mod_security.conf
Let's edit each file:
sudo nano /etc/httpd/conf.d/mod_security.conf
Look for the following line at the start of the file:
LoadModule security2_module modules/mod_security2.so
If the line is not present, paste it in (copy it here, line up your cursor and right-click) at the very top of the file.
We will do the same exercise with mod_evasive:
sudo nano /etc/httpd/conf.d/mod_evasive.conf
Look for the following line at the start of the file:
LoadModule evasive20_module modules/mod_evasive20.so
If the line is not present, paste it in (copy it here, line up your cursor and right-click) at the very top of the file. Then restart Apache so both modules are loaded:
sudo service httpd restart
mod_security requires a rule set before it protects anything. Let's create a directory and pull the latest Core Rule Set from OWASP into it:
sudo mkdir crs
cd crs
sudo wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
sudo tar xzf master
The tarball unpacks into a directory named SpiderLabs-owasp-modsecurity-crs-<commit hash>; rename it to owasp-modsecurity-crs:
sudo mv SpiderLabs-owasp-modsecurity-crs-* owasp-modsecurity-crs
Let's move into that directory and copy the example configuration file to a working configuration:
cd owasp-modsecurity-crs
sudo cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
Finally, we will tell Apache to use these rules:
sudo nano /etc/httpd/conf/httpd.conf
First, check whether the module is already configured there: I did a search (Ctrl-W in nano) for security2. Since I didn't find anything, I am adding these lines at the end of the file:
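The lines themselves are not reproduced on this page. As an added example (not the author's file), the block below shows how the CRS is wired into httpd.conf; it assumes the crs directory was created under /etc/httpd (Apache's ServerRoot on CentOS 7, so the relative Include paths resolve there) and the CRS 2.x layout, in which the rules live in base_rules/ beside the setup file.

```apache
# Added example, not the author's httpd.conf.
# Assumptions: the crs directory is /etc/httpd/crs (relative Include paths
# are resolved against ServerRoot, /etc/httpd on CentOS 7) and the CRS 2.x
# layout with the rule files in base_rules/.
<IfModule security2_module>
    # Start in DetectionOnly: matching requests are logged but never
    # blocked, so a false positive cannot lock you (or your users) out.
    # Switch to "On" once the audit log is clean for normal traffic.
    SecRuleEngine DetectionOnly

    # Log only requests that triggered a rule. These two directives restate
    # the defaults shipped in conf.d/mod_security.conf so the block is
    # self-contained; this is the file to review before enforcing.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # The setup file copied from the .example must load before the rules.
    Include crs/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include crs/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>
```

Run sudo apachectl configtest before restarting: a wrong Include path keeps httpd from starting at all, and a failed restart on a remote VPS is exactly the lock-out the warning above is about.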
sudo service httpd restart
mod_security is now installed with a minimal configuration.
mod_evasive does not require any additional changes. You can tweak its configuration file and make appropriate changes as needed:
sudo nano /etc/httpd/conf.d/mod_evasive.conf
From here, you can enable settings by removing the # in front of them, and change their values.
There is very little web documentation for mod_evasive; however, the mod_evasive.conf file contains enough comments to explain each setting. Just read it carefully.
mod_security can be used to protect anything from very simple to complex applications. We cannot cover everything in one article; however, we encourage you to visit the OWASP ModSecurity Core Rule Set (CRS) project.
Because each directive you add has memory and CPU overhead, you should carefully consider your application's needs and your threat profile. OWASP addresses best practices in its guide OWASP Best Practices: Use of Web Application Firewalls.
If you want to test your setup, OWASP offers an excellent guide you can download from their site.