What is mod_security or modsecurity? ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server, acting as a powerful umbrella - shielding applications from attacks. ModSecurity supports both branches of the Apache web server. Rfx Networks Recommended: "mod_security is great and I encourage it be used by everyone; it does have the potential to break some web applications but so far iv seen very few issues to say the least. Likewise it is easy to fix any applications that may break with the granular filter rules that can be setup to either deny or allow certain content. Overall mod_security is a needed addition to apache, providing a layer of security yet unseen for apache. I highly encourage you read the reference document on the modsecurity.org site (under documentation) to better understand each directive and the role it plays in protecting your server and sites." Requirements: Apache Web Server 1.3x or 2.x Note: We have confirmed this security addon works with Cpanel based servers. Changed # Prevent path traversal (..) attacks rules to fix a typo in tutorial. How to install? 1. Login to your server through SSH and su to the root user. 2. First your going to start out by grabbing the latest version of mod_security wget http://mp3ne.com/mod_security-1.7.4.tar.gz 3. Next we untar the archive and cd into the directory: tar zxvf mod_security-1.7.4.tar.gz cd mod_security-1.7.4/ 4. Now you need to determine which version of apache you use: APACHE 1.3.x users cd apache1/ APACHE 2.x users cd apache2/ 5.Lets Compile the module now: /usr/local/apache/bin/apxs -cia mod_security.c 6. Ok, now its time to edit the httpd conf file. First we will make a backup just incase something goes wrong: cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup 7. Now that we have backed it all up, we can edit the httpd.conf. Replace pico with nano depending on what you have pico /usr/local/apache/conf/httpd.conf 8. Lets look for something in the config, do this by holding control and pressing W and you are going to search for <IfModule mod_dir.c> (altho any of the IfModules would work fine) 9. Now add this <IfModule mod_security.c> # Turn the filtering engine On or Off SecFilterEngine On # Change Server: string SecServerSignature " " # Make sure that URL encoding is valid SecFilterCheckURLEncoding On # This setting should be set to On only if the Web site is # using the Unicode encoding. Otherwise it may interfere with # the normal Web site operation. SecFilterCheckUnicodeEncoding Off # Only allow bytes from this range SecFilterForceByteRange 1 255 # The audit engine works independently and # can be turned On of Off on the per-server or # on the per-directory basis. "On" will log everything, # "DynamicOrRelevant" will log dynamic requests or violations, # and "RelevantOnly" will only log policy violations SecAuditEngine RelevantOnly # The name of the audit log file SecAuditLog /var/log/httpd/audit_log # Should mod_security inspect POST payloads SecFilterScanPOST On # Action to take by default SecFilterDefaultAction "deny,log,status:500" # Require HTTP_USER_AGENT and HTTP_HOST in all requests SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" # Prevent path traversal (..) attacks SecFilter "../" # Weaker XSS protection but allows common HTML tags SecFilter "<[[:space:]]*script" # Prevent XSS atacks (HTML/Javascript injection) SecFilter "<(.|n)+>" # Very crude filters to prevent SQL injection attacks SecFilter "delete[[:space:]]+from" SecFilter "insert[[:space:]]+into" SecFilter "select.+from" # Protecting from XSS attacks through the PHP session cookie SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$" SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$" </IfModule> 10. Save the file Ctrl + X then Y 11. Restart Apache /etc/rc.d/init.d/httpd stop /etc/rc.d/init.d/httpd start You've successfully installed mod_security!