Support #561
Updated by Daniel Curtis about 9 years ago
{{>toc}}
This is a simple guide for installing and configuring mod_security for Apache 2.4 on FreeBSD 9.2.
* Update the system and ports tree:
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
* Install portmaster:
<pre>
cd /usr/ports/ports-mgmt/portmaster
make install clean
</pre>
* Install git:
<pre>
portmaster devel/git
</pre>
---
h1. Install mod_security
* Install mod_security
<pre>
portmaster www/mod_security
</pre>
h2. Configure mod_security
* ModSecurity requires firewall rule definitions. Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it
<pre>
mkdir -p /usr/local/etc/modsecurity && cd /usr/local/etc/modsecurity
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs
</pre>
* Copy the default ModSecurity config file:
<pre>
cp /usr/local/etc/modsecurity.conf-example /usr/local/etc/modsecurity.conf
</pre>
* And fetch a necessary file which is currently not included in the port:
<pre>
cd /usr/local/etc
fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping
</pre>
* Copy the default ModSecurity CRS config file:
<pre>
cd /usr/local/etc/modsecurity
cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
</pre>
* Now create an Apache configuration snippet that loads the ModSecurity module and includes the configurations and CRS:
<pre>
vi /usr/local/etc/apache24/modules.d/020_mod_security.conf
</pre>
#* And add/modify the following
<pre>
LoadModule security2_module libexec/apache24/mod_security2.so
<IfModule security2_module>
# Include ModSecurity configuration
Include /usr/local/etc/modsecurity.conf
# Include OWASP Core Rule Set (CRS) configuration and base rules
Include /usr/local/etc/modsecurity/modsecurity_crs_10_setup.conf
Include /usr/local/etc/modsecurity/crs/base_rules/*.conf
# Add custom configuration and CRS exceptions here. Example:
# SecRuleRemoveById 960015
</IfModule>
</pre>
* When the configuration is all set, simply restart Apache:
<pre>
service apache24 restart
</pre>
#* Confirm that ModSecurity is loaded by checking Apache's log file:
<pre>
tail /var/log/httpd-error.log
</pre>
#* _Example output_:
<pre>
ModSecurity for Apache/2.7.7 (http://www.modsecurity.org/) configured.
ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15"
ModSecurity: LIBXML compiled version="2.8.0"
</pre>
* Also check with the apachectl command:
<pre>
apachectl -M
</pre>
#* _ #*_ Truncated output:_
<pre>
Loaded Modules:
...
security2_module (shared)
</pre>
h3. Enable blocking mode
* Blocking mode can be enabled by editing @modsecurity.conf@ and changing the following line:
<pre>
SecRuleEngine On
</pre>
#* And restart apache to apply it:
<pre>
service apache24 restart
</pre>
h3. Update Core Rule Set
* Keep the CRS updated from time to time:
<pre>
cd /usr/local/etc/modsecurity/crs
git pull
</pre>