How to Install the Mod Security Apache Module on CentOS / RedHat (RHEL)
ModSecurity is an incredibly powerful open-source web application firewall (WAF). It acts as a shield, protecting your web applications from a multitude of attacks, including SQL injection, cross-site scripting (XSS), and many more. One of the most common and effective ways to deploy ModSecurity is by integrating it as a module within your Apache web server. This integration allows ModSecurity to examine HTTP traffic in real-time, identifying and blocking malicious requests before they can reach your application. This tutorial provides a straightforward guide on how to install the ModSecurity Apache module on a CentOS, RedHat (RHEL) or similar system like Alma Linux running Apache.
Prerequisites
Before diving into the installation process, ensure you have the following in place:
- A CentOS/RHEL/Alma Linux server with root or sudo privileges.
- Apache web server installed and running.
- A stable internet connection to download necessary packages.
Step 1: Install Required Dependencies
The first step involves installing the necessary dependencies for ModSecurity. This typically includes the ModSecurity module itself and any associated libraries. Open your terminal and execute the following command:
$ sudo yum install -y mod_security
This command utilizes the yum package manager, the standard tool for managing software packages on CentOS and RHEL systems. The -y flag automatically confirms the installation, skipping the prompt for confirmation. mod_security is the name of the package containing the ModSecurity Apache module.
Step 2: Enable the ModSecurity Apache Module
Once the package is installed, you need to enable the ModSecurity module within Apache. This is usually achieved by creating a symbolic link in the Apache modules configuration directory. Run the following command:
$ sudo ln -s /etc/httpd/conf.d/mod_security.conf /etc/httpd/conf.modules.d/00-mod_security.conf
This command creates a symbolic link from /etc/httpd/conf.d/mod_security.conf to /etc/httpd/conf.modules.d/00-mod_security.conf. This link tells Apache to load the ModSecurity configuration file when the server starts. The 00- prefix ensures that ModSecurity is loaded early in the module loading sequence.
Step 3: Configure Apache to Use the ModSecurity Apache Module
After enabling the module, you’ll likely want to configure it according to your specific security needs. The primary configuration file for ModSecurity is located at /etc/httpd/conf.d/mod_security.conf. You can modify this file to adjust the module’s behavior, enable or disable specific rules, and define custom rules.
You can make any changes you want to the module’s configuration in this file. For example, you might want to change the SecRuleEngine setting to DetectionOnly to initially monitor traffic without blocking anything, or you might want to include specific rule sets.
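The SecRuleEngine change described above can be scripted so that the mode is checked before and after the edit. The following is an added example, not part of the original tutorial; the function names are hypothetical and the configuration it edits is a constructed sample, not the file shipped by the package.

```shell
#!/bin/sh
# Added example, not from the original tutorial: inspect and switch the
# SecRuleEngine mode in a ModSecurity configuration file.

# engine_mode FILE...: print the value of the last uncommented SecRuleEngine
# directive (On, Off or DetectionOnly), or "unset" when no file sets it.
# Assumption: all directives sit in the same configuration context, where a
# later directive replaces an earlier one.
engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$@"
}

# set_engine_mode FILE MODE: rewrite each uncommented SecRuleEngine line to
# MODE, keeping the previous version as FILE.bak. Unknown modes are refused.
set_engine_mode() {
    case "$2" in
        On|Off|DetectionOnly) ;;
        *) echo "refusing unknown mode: $2" >&2; return 2 ;;
    esac
    cp -p "$1" "$1.bak" || return 1
    sed -E "s/^([[:space:]]*SecRuleEngine[[:space:]]+)[A-Za-z]+/\\1$2/" "$1.bak" > "$1"
}

# Constructed sample standing in for /etc/httpd/conf.d/mod_security.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_security2.c>
    # SecRuleEngine Off
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditLog /var/log/httpd/modsec_audit.log
</IfModule>
EOF
}

demo() {
    conf=$(mktemp) || return 1
    write_sample_conf "$conf"
    echo "before: $(engine_mode "$conf")"
    set_engine_mode "$conf" DetectionOnly
    echo "after:  $(engine_mode "$conf")"
    rm -f "$conf" "$conf.bak"
}
demo
```

On a real server, run apachectl configtest after editing the file and before the restart in Step 4, so a syntax error does not take the site down.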
Step 4: Restart Apache
Finally, after making any changes to the ModSecurity configuration, you must restart the Apache web server for the changes to take effect. Execute the following command:
$ sudo systemctl restart httpd
This command restarts the httpd service, which is the Apache web server process. The restart ensures that Apache reloads its configuration files, including the newly enabled and configured ModSecurity module.
Now, the ModSecurity Apache module should be installed and configured on your CentOS server. You can verify the installation by checking the Apache error log (usually located at /var/log/httpd/error_log) for any ModSecurity-related messages. You can also use the command httpd -M to list all loaded Apache modules and confirm that mod_security2.c is present.
You can also check the default rules that come with the module in the directory /usr/share/modsecurity-crs/ and configure them to your liking. The Core Rule Set (CRS) provides a comprehensive set of pre-written rules to protect against common web application attacks.
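While the engine runs in DetectionOnly, the ModSecurity messages in the error log show which rules would block traffic once the engine is set to On. The following is an added example, not part of the original tutorial; the function names are hypothetical and the log lines are constructed and shortened, with client addresses from documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original tutorial: summarise ModSecurity
# messages in the Apache error log while running in DetectionOnly.

# rule_hits: read error_log lines on stdin and print "count<TAB>id<TAB>msg"
# for every rule that logged, most frequent first.
rule_hits() {
    awk '
        /ModSecurity:/ && match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            msg = "-"
            if (match($0, /\[msg "[^"]*"\]/))
                msg = substr($0, RSTART + 6, RLENGTH - 8)
            count[id]++; text[id] = msg
        }
        END { for (id in count) printf "%d\t%s\t%s\n", count[id], id, text[id] }
    ' | sort -t "$(printf '\t')" -k1,1nr -k2,2n
}

# blocked_requests: count requests ModSecurity actually denied. The count
# should stay 0 in DetectionOnly; anything else means blocking is active.
blocked_requests() {
    grep -c 'ModSecurity: Access denied' || true
}

# Constructed, shortened sample lines (real entries carry more fields).
sample_error_log() {
    cat <<'EOF'
[Mon Jan 01 10:00:01 2024] [security2:error] [client 192.0.2.10] ModSecurity: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/search"]
[Mon Jan 01 10:00:01 2024] [security2:error] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/search"]
[Mon Jan 01 10:02:17 2024] [core:notice] [pid 1200] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Jan 01 10:05:42 2024] [security2:error] [client 198.51.100.7] ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/login"]
[Mon Jan 01 10:05:42 2024] [security2:error] [client 198.51.100.7] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/login"]
EOF
}

sample_error_log | rule_hits
echo "blocked: $(sample_error_log | blocked_requests)"
```

Against a live server, feed the real log instead of the sample, for example: sudo cat /var/log/httpd/error_log | rule_hits. Rules that fire on legitimate traffic are the ones to tune before switching to On.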
Alternative Solutions for Installing and Using ModSecurity
While the yum installation method is common and generally reliable, there are alternative approaches you can take to install and utilize ModSecurity. Here are two different methods:
1. Building ModSecurity from Source
This method provides the greatest control over the installation process and allows you to use the latest version of ModSecurity, which might not yet be available in the official repositories. However, it is also the most complex and time-consuming approach.
Explanation:
Building from source involves downloading the ModSecurity source code, compiling it, and then manually installing the resulting module. This approach allows you to customize the build process and ensure compatibility with your specific system configuration.
Steps:
- Install Development Tools and Dependencies: You’ll need a compiler (like GCC), build tools (like make), and various libraries.
  sudo yum install -y gcc make autoconf automake libtool httpd-devel pcre-devel libxml2-devel curl-devel
- Download the ModSecurity Source Code: Download the latest version from the official ModSecurity GitHub repository (e.g., using wget). Replace v3.0.8 with the actual latest version.
  wget https://github.com/SpiderLabs/ModSecurity/archive/v3.0.8.tar.gz
  tar -xvzf v3.0.8.tar.gz
  cd ModSecurity-3.0.8
- Configure, Build, and Install: Use ./configure, make, and make install to build and install the module.
  ./configure --with-apxs=/usr/bin/apxs
  make
  sudo make install
  The --with-apxs option tells the configure script where to find the Apache Extension Tool (apxs), which is used to compile Apache modules.
- Configure Apache: Manually create the necessary configuration files in /etc/httpd/conf.d/ and /etc/httpd/conf.modules.d/ (similar to the yum method, but you’ll have to create the files yourself). You may need to adjust module loading order in /etc/httpd/conf.modules.d/.
- Restart Apache: Restart the Apache web server.
  sudo systemctl restart httpd
Code Example (Example configuration snippet for /etc/httpd/conf.d/mod_security.conf):
<IfModule security2_module>
    SecRuleEngine On
    SecAuditLog /var/log/httpd/modsec_audit.log
    IncludeOptional /etc/httpd/modsecurity.d/*.conf
</IfModule>
This configuration snippet enables the ModSecurity engine, sets the audit log file, and includes any additional configuration files located in the /etc/httpd/modsecurity.d/ directory.
2. Using a Docker Container with ModSecurity
This approach involves running Apache and ModSecurity within a Docker container. This provides a consistent and isolated environment for your web server and WAF, simplifying deployment and management. This is especially useful for installing the ModSecurity Apache module on various systems.
Explanation:
Docker containers encapsulate all the necessary components for an application to run, including the operating system, libraries, and dependencies. By using a Docker container, you can ensure that ModSecurity and Apache are running in a consistent environment, regardless of the underlying host system.
Steps:
- Install Docker: Follow the official Docker documentation to install Docker on your CentOS/RHEL system.
- Find a Suitable Docker Image: Search Docker Hub for pre-built images containing Apache and ModSecurity. Popular options include images based on Alpine Linux or CentOS.
- Configure the Docker Container: Create a docker-compose.yml file to define the container’s configuration, including port mappings, volume mounts, and environment variables.
- Start the Container: Use docker-compose up -d to start the container in detached mode.
Code Example (docker-compose.yml):
version: "3.9"
services:
  apache:
    image: owasp/modsecurity-crs:apache
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./data/apache/conf:/usr/local/apache2/conf
      - ./data/modsecurity/modsecurity.conf:/usr/local/apache2/conf/modsecurity.conf
    restart: always
This docker-compose.yml file defines a service named "apache" using the owasp/modsecurity-crs:apache image. It maps ports 80 and 443 to the host system, mounts volumes for Apache and ModSecurity configuration files, and sets the restart policy to "always".
These are two alternative methods to achieve the same goal of protecting your web applications with ModSecurity. The choice of method depends on your specific needs and technical expertise. For simple setups, the yum method is often sufficient. For more complex deployments or when you need greater control, building from source or using a Docker container might be more appropriate. Understanding how to install the ModSecurity Apache module on CentOS / RedHat (RHEL) helps to secure web applications from attacks.