Secure your Debian/Ubuntu server with Mod_Security

HowTo install mod-security2 on Debian  can be  

ModSecurity is an open source intrusion detection and prevention engine for web applications. It operates embedded into the web server,
acting as a powerful umbrella – shielding applications from attacks. ModSecurity supports both branches of the Apache web server.

1. Install required packages

apt-get install libxml2-dev liblua5.1-0 lua5.1 apache2-dev build-essential

2. Fetch the latest mod-security (2.5.11)

cd /tmp

3. Extract mod-security

tar zxvf modsecurity-apache_2.5.11.tar.gz

4. Enter mod-security directory

cd modsecurity-apache_2.5.11/apache2/

5. Build mod-security

./configure && make && make install

If all is well mod-security should now be in /usr/lib/apache2/modules/ and called

6. Create the mod-security load file for apache to load it

vi /etc/apache2/mods-available/mod-security2.load

and add the following lines:

LoadFile /usr/lib/
LoadFile /usr/lib/
LoadModule security2_module /usr/lib/apache2/modules/

and save it (ESC :wq)

7. Enable the module to load with apache (unique_id is required for mod-security, it should come standard with apache)

a2enmod mod-security2
a2enmod unique_id

8. Tell apache where to load the mod-security config

vi /etc/apache2/conf.d/mod-security2.conf

and add the following line:

Include /etc/modsecurity2/*.conf

and save it (ESC :wq)

9. Create the mod-security directories and logs

mkdir /etc/modsecurity2
mkdir /etc/modsecurity2/logs
touch /etc/modsecurity2/logs/modsec_audit.log
touch /etc/modsecurity2/logs/modsec_debug.log

10. Copy the core rules into the mod-security dirs

more info on the core rules can be found on

cp /tmp/modsecurity-apache_2.5.11/rules/*.conf /etc/modsecurity2

11. Update the rules so the log locations are correct

vi /etc/modsecurity2/modsecurity_crs_10_config.conf


SecDebugLog logs/modsec_debug.log

Replace with

SecDebugLog /etc/modsecurity2/logs/modsec_debug.log


SecAuditLog logs/modsec_audit.log

Replace with

SecAuditLog /etc/modsecurity2/logs/modsec_audit.log

and save it (ESC :wq)
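
The edit in step 11 can also be scripted and checked. The shell script below is an added example, not part of the original guide; the function names fix_log_paths and relative_log_paths and the sample rules file are constructed for illustration, and the directory path is assumed to contain no '#' or '&' characters.

```sh
#!/bin/sh
# Added example (not from the original guide): script and verify step 11.
# Function names and the sample rules file below are constructed.

# fix_log_paths DIR: in every DIR/*.conf, prefix relative SecDebugLog and
# SecAuditLog paths with DIR/. Absolute paths, piped loggers ("|/path/..."),
# commented-out lines and longer directives such as SecAuditLogParts or
# SecDebugLogLevel are left alone. Assumes DIR contains no '#' or '&'.
fix_log_paths() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Write through a temp file, then copy back so the original file's
        # owner and mode are kept.
        sed -E "s#^([[:space:]]*Sec(Debug|Audit)Log)[[:space:]]+([^/|[:space:]][^[:space:]]*)#\1 $dir/\3#" \
            "$f" > "$f.tmp" && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
}

# relative_log_paths DIR: print any directive that still has a relative path.
# Returns 0 when none remain, non-zero otherwise.
relative_log_paths() {
    ! grep -En '^[[:space:]]*Sec(Debug|Audit)Log[[:space:]]+[^/|[:space:]]' "$1"/*.conf
}

# Demo on a constructed rules directory; nothing under /etc is touched.
demo=$(mktemp -d)
cat > "$demo/modsecurity_crs_10_config.conf" <<'EOF'
SecDebugLog logs/modsec_debug.log
SecDebugLogLevel 0
SecAuditLog logs/modsec_audit.log
SecAuditLogType Serial
EOF
echo "before:"; relative_log_paths "$demo" || true
fix_log_paths "$demo"
echo "after:"; relative_log_paths "$demo" && cat "$demo"/*.conf
rm -rf "$demo"
```

To use it on the install from this guide, run fix_log_paths /etc/modsecurity2 as root after step 10, then relative_log_paths /etc/modsecurity2 before the configtest in step 12.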

12. Check apache config is ok

apache2ctl configtest

(should return Syntax OK)

13. Restart apache

/etc/init.d/apache2 restart

14. Check mod-security2 is running

cat /var/log/apache2/error.log | grep ModSecurity

[Thu Mar 27 14:56:58 2008] [notice] ModSecurity for Apache/2.5.4 ( configured.