Using Mod_Security to Protect Your Server

Installation 

You can get the mod_security packages using apt:

  apt-get install libapache2-mod-securit y
  a2enmod mod-security
  /etc/init.d/apache2 force-reload

The file /etc/httpd/conf.d/mod_security.conf should now exist.

Basic configuration

mod_security.conf contains an example mod_security configuration. The example configuration has a lot of stuff in it that we may not need, so I recommend trimming the file down a bit and starting with the basics:

contains an example configuration. The example configuration has a lot of stuff in it that we may not need, so Irecommend trimming the file down a bit and starting with the basics:

  <IfModule mod_security.c>
      # Turn the filtering engine On or Off
      SecFilterEngine On 

      # Make sure that URL encoding is valid
      SecFilterCheckURLEncoding On

      # Unicode encoding check
      SecFilterCheckUnicodeEncoding Off

      # Only allow bytes from this range
      SecFilterForceByteRange 0 255

      # Only log actionable requests
      SecAuditEngine RelevantOnly 

      # The name of the audit log file
      SecAuditLog /var/log/apache2/audit_log 

      # Debug level set to a minimum
      SecFilterDebugLog /var/log/apache2
/modsec_debug_log
      SecFilterDebugLevel 0

      # Should mod_security inspect POST payloads
      SecFilterScanPOST On

      # By default log and deny suspicious requests
      # with HTTP status 500
      SecFilterDefaultAction "deny,log,status:500" 

      # Add custom secfilter rules here

  </IfModule>

From here, we can look at what actions we can configure.