How to install mod_security in Directadmin

[root@linux etc]# httpd -v
Server version: Apache/2.4.34 (Unix)
Server built:   Sep  5 2018 03:04:41

httpd/apache version 2.4.34 and modesecurity version should be 2.6.5

What version of mod_security do you try to install there?

Try Mod Security Version 2.6.5 for Apache 2.4.x

2. Take the source files

Take the source files from http://www.modsecurity.org/download.html. Or just execute the command below:
$ wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

3. Install Dependencies Libraries

Before keep going we need to install some dependencies.
For Ubuntu:
# apt-get install apache2-dev
# apt-get install liblua5.1-0-dev
# apt-get install libxml2-dev
For Centos:
# yum install httpd-devel
# yum install libxml2-devel
# yum install lua-static
For compiling the module apxs is required.
Find apxs location we need to use it later:
$ which apxs
/usr/sbin/apxs

4. Extract and Install

Extract the archive with you have already downloaded:
$ tar -xvf modsecurity-2.9.1.tar.gz
$ cd modsecurity-2.9.1
Configure and change the path of apxs with the correct one:
$ ./configure --with-apxs=/usr/sbin/apxs
Make and install:
$ make
$ sudo make install
After the installation the module file should be in one of these locations:
  • /usr/local/modsecurity/lib/mod_security2.so
  • /usr/lib/apache2/modules/mod_security2.so
  • /usr/local/apache2/modules/mod_security2.so
Check if the file mod_security2.so is present inside the Apache modules folder, if not, copy the file inside the folder.
Edit the main Apache httpd config file (usually httpd.conf or apache2.conf)
cd /etc/httpd/conf
vi httpd.conf

Include /etc/httpd/conf/extra/00_modsecurity.conf

vi /etc/httpd/conf/extra/00_modsecurity.conf

 LoadModule security2_module /usr/local/modsecurity/lib/mod_security2.so
 <IfModule mod_security2.c>
 Include /etc/httpd/conf/extra/modsecurity.d/modsecurity.conf

Include /etc/httpd/conf/extra/modsecurity.d/00_asl_0_global.conf
#Include /etc/httpd/conf/extra/modsecurity.d/00_asl_rbl.conf
Include /etc/httpd/conf/extra/modsecurity.d/00_asl_whitelist.conf
Include /etc/httpd/conf/extra/modsecurity.d/00_asl_z_antievasion.conf
Include /etc/httpd/conf/extra/modsecurity.d/00_asl_zz_strict.conf
Include /etc/httpd/conf/extra/modsecurity.d/01_asl_content.conf
Include /etc/httpd/conf/extra/modsecurity.d/05_asl_exclude.conf
Include /etc/httpd/conf/extra/modsecurity.d/05_asl_scanner.conf
Include /etc/httpd/conf/extra/modsecurity.d/09_asl_rules_antievasion.conf
Include /etc/httpd/conf/extra/modsecurity.d/10_asl_antimalware.conf
Include /etc/httpd/conf/extra/modsecurity.d/10_asl_antimalware_output.conf
Include /etc/httpd/conf/extra/modsecurity.d/10_asl_rules.conf
Include /etc/httpd/conf/extra/modsecurity.d/11_asl_data_loss.conf
Include /etc/httpd/conf/extra/modsecurity.d/20_asl_useragents.conf
Include /etc/httpd/conf/extra/modsecurity.d/30_asl_antimalware.conf
#Include /etc/httpd/conf/extra/modsecurity.d/30_asl_antispam.conf
#Include /etc/httpd/conf/extra/modsecurity.d/30_asl_antispam_referrer.conf
Include /etc/httpd/conf/extra/modsecurity.d/40_asl_apache2-rules.conf
Include /etc/httpd/conf/extra/modsecurity.d/50_asl_rootkits.conf
Include /etc/httpd/conf/extra/modsecurity.d/60_asl_recons.conf
Include /etc/httpd/conf/extra/modsecurity.d/61_asl_recons_dlp.conf
Include /etc/httpd/conf/extra/modsecurity.d/98_asl_jitp.conf
Include /etc/httpd/conf/extra/modsecurity.d/99_asl_exclude.conf
Include /etc/httpd/conf/extra/modsecurity.d/99_asl_jitp.conf
Include /etc/httpd/conf/extra/modsecurity.d/99_asl_redactor.conf
#Include /etc/httpd/conf/extra/modsecurity.d/domain-spam-whitelist.conf
Include /etc/httpd/conf/extra/modsecurity.d/trusted-domains.conf

 </IfModule>

create directory /etc/asl inside that touch whitelist

*********************************************************************************

2. Take the source files

Take the source files from http://www.modsecurity.org/download.html. Or just execute the command below:
$ wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

3. Install Dependencies Libraries

Before keep going we need to install some dependencies.
For Ubuntu:
# apt-get install apache2-dev
# apt-get install liblua5.1-0-dev
# apt-get install libxml2-dev
For Centos:
# yum install httpd-devel
# yum install libxml2-devel
# yum install lua-static
For compiling the module apxs is required.
Find apxs location we need to use it later:
$ which apxs
/usr/sbin/apxs

4. Extract and Install

Extract the archive with you have already downloaded:
$ tar -xvf modsecurity-2.9.1.tar.gz
$ cd modsecurity-2.9.1
Configure and change the path of apxs with the correct one:
$ ./configure --with-apxs=/usr/sbin/apxs
Make and install:
$ make
$ sudo make install
After the installation the module file should be in one of these locations:
  • /usr/local/modsecurity/lib/mod_security2.so
  • /usr/lib/apache2/modules/mod_security2.so
  • /usr/local/apache2/modules/mod_security2.so
Check if the file mod_security2.so is present inside the Apache modules folder, if not, copy the file inside the folder.
Edit the main Apache httpd config file (usually httpd.conf or apache2.conf)
On UNIX you must load libxml2 and lua5.1 before enabling ModSecurity with something like this:
#The libraries can be in different locations

#For Ubuntu:
LoadFile /usr/lib/x86_64-linux-gnu/libxml2.so
LoadFile /usr/lib/x86_64-linux-gnu/liblua5.1.so

#For Centos:
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
Load the ModSecurity module adding the following directive to httpd.conf or apache2.conf
# [IMPORTANT] Put this directive before the Include directives!
LoadModule security2_module modules/mod_security2.so

5. Configuration

We need to copy the default configuration file for the module inside apache conf folder.
Important
Change the apache folder accordingly
Go to the extracted source folder (in my case modsecurity-2.9.1) and follow these commands.
For Ubuntu:
$ cd modsecurity-2.9.1
$ cp modsecurity.conf-recommended /etc/apache2/conf-available/modsecurity.conf
$ cp unicode.mapping /etc/apache2/conf-enabled/
$ cd /etc/apache2/conf-enabled
$ ln -s /etc/apache2/conf-available/modsecurity.conf .
For Centos:
$ cd modsecurity-2.9.1
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
$ cp unicode.mapping /etc/httpd/conf.d/
In this case inside apache2.conf or httpd.conf there will be a directive like
# For Ubuntu:
IncludeOptional conf-enabled/*.conf

# For Centos:
Include conf.d/*.conf
Test the configuration with:
$ apachectl -t
Syntax OK

6. CRS Configuration

Note
OWASP ModSecurity Core Rule Set Project – OWASP -> (https://www.modsecurity.org/CRS/Documentation/quickstart.html)
Get the archive with all the rules from here: https://github.com/SpiderLabs/owasp-modsecurity-crs/releases
For this tutorial I will use the version 2.2.9 taken from here: https://github.com/SpiderLabs/owasp-modsecurity-crs/releases/tag/2.2.9
$ cd /usr/local/modsecurity/
$ wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/2.2.9.tar.gz
$ tar -xvf 2.2.9.tar.gz
Rename the folder because too long…:
$ mv owasp-modsecurity-crs-2.2.9 crs
$ cd crs
$ mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
Copy inside the folder activated_rules all the rules that you find here:
Create a file modsecurity_crs_99_whitelist.conf inside the activated_rules folder and add the following whitelist directives at the end of the file:
Add the following directives to the main apache conf file and change the location with the right one:
# Apache 2.4
IncludeOptional /usr/local/modsecurity/crs/*.conf
IncludeOptional /usr/local/modsecurity/crs/activated_rules/*.conf

# Apache 2.2
Include /usr/local/modsecurity/crs/*.conf
Include /usr/local/modsecurity/crs/activated_rules/*.conf
Important
Put all the “Include“ directives after the LAST “LoadModule“ directive!

8. Activate ModSecurity

ModSecurity by default is DetectionOnly in order to stop bad things happening we need to change the SecRuleEngine directive and turn it On!
$ cd /etc/httpd/conf.d
$ sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" modsecurity.conf
Restart the apache server and we have done!

9. Read the log!

ModSecurity will write his log into the file defined from the following directive:
SecAuditLog logs/modsec_audit.log

Leave a Comment

Your email address will not be published. Required fields are marked *

To Resolve this issue at just 5$ from ServerExpert

https://serverexpert.io/

For Hosting please visit Hostingwebsite.io

You have Successfully Subscribed!

Open chat