note: This article is intended for a technical audience -- you should use extreme caution when modifying a production system, as your data will be nearly impossible to recover if you use this command incorrectly -- caveat emptor.
There are a lot of posts about how to set up the mod_security module for Apache, but few on how to configure it -- hopefully people find this post useful in doing just that.
Before we start, I'm assuming you've already installed mod_security 2.1.3 or 2.5.x (Red Hat/CentOS packages are here, Ubuntu/Debian ones are here, and an OpenSuSE howto is here).
I'm also assuming you've made a copy of the core rules that come supplied with the package and put them in the /etc/modsecurity directory.
note: If your distribution of choice doesn't ship the core rules with the packages, you can download those from here.
Now, to make a decent configuration.
First, move the /etc/modsecurity/modsecurity_crs_10_config.conf file to /etc/apache2/conf.d/mod_security (move, don't copy: if the original stays in place, the default configuration may override any environment-specific changes you make).
Open the newly moved /etc/apache2/conf.d/mod_security file and edit the following parameters:
- SecResponseBodyLimit -- Because the default configuration doesn't inspect binary files, you may wish to reduce this to 256K; to do so, change the value to 262144.
- SecAuditLog -- The default configuration writes the log files relative to the configuration file's directory. Under most modern Linux/BSD distributions the apache or www-user account already has rights to the /var/log/apache2 directory, so you can safely change this to /var/log/apache2/modsec_audit.log.
- SecDebugLog -- Using the same rationale, you can change this to /var/log/apache2/modsec_debug.log.
At this point, save the file and restart your Apache 2.x server to confirm the configuration loads. If you run:
grep "ModSecurity" /var/log/apache2/error.log
You should see the string:
"[Fri Jun 13 23:23:23 2008] [notice] ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/) configured."
This means we can proceed to add our rules to the configuration. To do this, open the configuration file again and add the following line to the bottom:
This includes the core rules in your configuration. Once again, restart your server and the changes will take effect.
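As an added example (not code from the original post), the following shell script applies the three directive changes described above to a constructed copy of the config file and then checks a constructed error.log line for the ModSecurity notice. The file paths are the post's own; a Linux host with mktemp, sed and awk is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the three directive edits
# the post describes to a copy of modsecurity_crs_10_config.conf, then verify
# them and check Apache's error log for the "configured" notice.
# Assumes a Linux host with mktemp/sed/awk; the file paths are the post's.

# Replace an existing "Directive value" line, or append it if absent.
set_directive() {
    file=$1; name=$2; value=$3
    if grep -q "^[[:space:]]*$name[[:space:]]" "$file"; then
        sed "s|^[[:space:]]*$name[[:space:]].*|$name $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# Print the configured value of a directive (empty if it is not set).
get_directive() {
    awk -v n="$2" '$1 == n { print $2 }' "$1"
}

# Succeed only if the error log shows ModSecurity finished configuring.
modsec_loaded() {
    grep -q 'ModSecurity for Apache/.* configured' "$1"
}

# Constructed sample config resembling the shipped defaults (SecDebugLog
# deliberately missing so the append path is exercised).
demo_conf=$(mktemp)
demo_log=$(mktemp)
trap 'rm -f "$demo_conf" "$demo_conf.tmp" "$demo_log"' EXIT
cat > "$demo_conf" <<'EOF'
SecRuleEngine On
SecResponseBodyLimit 524288
SecAuditLog logs/modsec_audit.log
EOF

set_directive "$demo_conf" SecResponseBodyLimit 262144
set_directive "$demo_conf" SecAuditLog /var/log/apache2/modsec_audit.log
set_directive "$demo_conf" SecDebugLog /var/log/apache2/modsec_debug.log

# Constructed error.log entry in the form the post expects after a restart.
echo '[Fri Jun 13 23:23:23 2008] [notice] ModSecurity for Apache/2.5.5 (http://www.modsecurity.org/) configured.' > "$demo_log"

printf 'SecResponseBodyLimit is now %s\n' "$(get_directive "$demo_conf" SecResponseBodyLimit)"
modsec_loaded "$demo_log" && echo "ModSecurity notice found in error log"
```

On a live host, point set_directive at the real file and run apache2ctl configtest before restarting, so a bad edit is caught before the server goes down.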