What is ModSecurity?
Quote: “ModSecurity is an open source intrusion detection and prevention engine for web applications. Operating as an Apache Web server module, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks.” (Source: http://modsecurity.org)
How to install ModSecurity?
In WHM on your server, scroll down to the “Addon Modules” section and select the “modsecurity” addon. If you want to compile and install ModSecurity manually, follow these instructions:
Log in to your server via SSH and switch to the root user. Download and unzip ModSecurity:
“tar zxf mod_security-1.8.6.tar.gz”
As cPanel still uses Apache 1.3.x you need to go to the proper directory for your environment:
Now compile the new module for Apache:
“/etc/httpd/bin/apxs -cia mod_security.c”
Back up your httpd.conf file before continuing. After you have created your backup, edit the httpd.conf file:
pico -w /etc/httpd/conf/httpd.conf
Scroll down and find the following line: “AddModule mod_security.c”. Add your rules to the config file below that line. For a set of example rules you can visit http://modsecurity.org/documentation/quick-examples.html and http://eth0.us/?q=node/17. Please be aware that you can ‘damage’ your server if you do not know exactly what you are doing and what the rules will do once you restart Apache.
Once you have added your rules you will need to restart Apache to have the changes take effect.
The quickest way to remove the module from your Apache is by commenting out the new entries for it with a “#” in front of each line.
cPanel supplies a few sample rules with the installation done through WHM. Those rules seem to work well with cPanel/WHM servers. Rules need to be added to “/usr/local/apache/conf/modsec.user.conf”. Be aware that rules added to “modsec.conf” will be lost, because this file will be overwritten. The sample rules can be found at “/usr/local/apache/conf/modsec.user.conf.default”. If you want to work with these rules you will have to log on to your server via SSH and type the following from the command line:
“cp /usr/local/apache/conf/modsec.user.conf.default /usr/local/apache/conf/modsec.user.conf”
You will then need to restart Apache to have the rules take effect. You will be able to use the WHM built-in editor to modify the configuration.
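The copy-and-restart steps above can be wrapped in a script that backs up httpd.conf and any existing modsec.user.conf, runs "apachectl configtest", and restores the previous rules file if the check fails. This is an added example, not part of the original article or of cPanel; the apachectl location is an assumption, and the other paths are the ones named above.

```shell
#!/bin/sh
# Added example: install cPanel's sample rules with a backup and a syntax check.
# CONF_DIR and HTTPD_CONF are the paths named in this article.
CONF_DIR="${CONF_DIR:-/usr/local/apache/conf}"
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"
APACHECTL="${APACHECTL:-/etc/httpd/bin/apachectl}"   # assumed location, adjust to your build

# Copy a file to <file>.bak.<timestamp>.<pid> and print the backup's path.
backup_file() {
    _dst="$1.bak.$(date +%Y%m%d%H%M%S).$$"
    cp -p "$1" "$_dst" && printf '%s\n' "$_dst"
}

# Install the sample rules. Returns 0 when Apache accepts the configuration,
# 1 when configtest failed and the old state was restored, 2 on a setup error.
install_sample_rules() {
    _user="$CONF_DIR/modsec.user.conf"
    _sample="$CONF_DIR/modsec.user.conf.default"
    _saved=""

    [ -r "$_sample" ] || { echo "missing $_sample" >&2; return 2; }
    backup_file "$HTTPD_CONF" >/dev/null || return 2
    # Keep any existing rules so the copy does not silently overwrite them.
    if [ -e "$_user" ]; then
        _saved="$(backup_file "$_user")" || return 2
    fi
    cp "$_sample" "$_user" || return 2

    # Ask Apache to parse the configuration before anything is restarted.
    if "$APACHECTL" configtest; then
        return 0
    fi
    echo "configtest failed, rolling back $_user" >&2
    if [ -n "$_saved" ]; then
        cp -p "$_saved" "$_user"
    else
        rm -f "$_user"
    fi
    return 1
}

# Restart Apache only on request and only after a clean configtest.
if [ "${1:-}" = "--apply" ]; then
    install_sample_rules && "$APACHECTL" restart
fi
```

Run it as root with "--apply"; without that argument it only defines the functions and changes nothing.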
If you want to create your own rules you will need to follow some basics. Please be aware that every rule consists of 5 parameters (Title, Description, Action, Focus, Rule). At this point we do not recommend using rules outside of the ones that come with cPanel, to avoid breaking your server. More documentation can be found at http://modsecurity.org. A complete set of rules can be found here: http://eth0.us/?q=node/17
Disclaimer: We cannot be held responsible for any problems on your server when using ModSecurity. Please consult with an experienced system administrator before making changes to your server’s configuration.