You're only minutes away from protecting your web sites from all manner of attack and spam. To do this, you need to download one piece of software, mod_security, install it on your web server and then configure it. It's not difficult or time consuming at all, and if you follow these instructions you should be ready to go in minutes!
What you need to install this software
You either need to have root or administrative rights on your server to install mod_security, or you need to ask your administrator to do it for you. A lot of ISPs use mod_security these days, so it may already be installed on your server. If it's not, you can use these instructions to set it up. It literally takes less than 30 seconds to install mod_security.
The first thing you need to do is download the software. You can download it from our archives:
Or from the official website (external link) (cache).
Follow the instructions on the Setting up mod_security page.
Where to get the rules?
ModSecurity is an Intrusion Prevention system, and uses rules, or signatures, to help protect your system from attack or spam. We publish the largest collection of rules and blacklists for mod_security on the Internet. Mod_security works on any platform, including Solaris, Linux, BSD, MacOS and Windows based servers. Right now, mod_security only works with Apache 2.x or Apache 1.x; if you are running IIS or some other web server you're out of luck for now.
As we said before, to really use mod_security you need to feed it some signatures, just like an anti-virus product. And, you can download them all from our mod_security rules webpage.
How to configure, setup and install mod_security and our rules
For Apache 2.x
LoadModule security_module /usr/lib/httpd/modules/mod_security.so
Then, add the rules to your apache config file. To do this, we recommend you create an external configuration file for apache, via the "Include" directive, that will contain your mod_security rules, and separately your mod_security configuration directives. To do that, look inside httpd.conf, or your equivalent, to see if you have this line:
This line, if you have it, tells apache to load all the .conf files in the conf.d directory. This lets you add many external configuration files to apache in this directory. If you do have it, create the file modsecurity.conf in that directory; in this case, it's a subdirectory of the directory the httpd.conf file is in. On Redhat 9, that directory is:
So the include directory would be:
This may be different for your distribution. In that directory, create the file "modsecurity.conf" and put your basic mod_security configuration settings inside that file. If you need some suggestions for that file, here is an example configuration for modsecurity 1.9.x:
<IfModule mod_security.c>
# Only inspect dynamic requests
# (YOU MUST TEST TO MAKE SURE IT WORKS AS EXPECTED)
# Reject requests with status 500
# Some sane defaults
# enable version 1 (RFC 2965) cookies
#If you want to scan the output, uncomment these
#SecFilterOutputMimeTypes "(null) text/html text/plain"
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
#fake server banner - NOYB used - no one needs to know what we are using
# Only record the interesting stuff
# You normally won't need debug logging
#And now, the rules
#Remove any of these Include lines you do not use or have rules for.
#First, add in your exclusion rules:
#These MUST come first!
#Application protection rules
#Comment spam rules
#Bad hosts, bad proxies and other bad players
#Bad clients, known bogus useragents and other signs of malware
#Known bad software, rootkits and other malware
#Signatures to prevent *****ing through your server
#only rule these rules if your server is NOT a *****
#Additional rules for Apache 2.x ONLY! Do not add this line if you use Apache 1.x
</IfModule>
You'll notice these lines in the example above:
Those lines tell Apache to include the mod_security_rules.conf and blacklist.conf files. We recommend this so that you can overwrite these files with new rules without affecting your mod_security settings. This way, you can set up a cronjob to download the rules from this website, allowing it to overwrite your old /etc/modsecurity/mod_security_rules.conf file, but not your /etc/httpd/conf.d/modsecurity.conf file, which contains all of your local configuration settings for mod_security, and which you do not want to automatically overwrite. So, to recap, set up at least two files:
Which will contain all your local mod_security config settings, and in that file, make sure you add this line:
And if you want to add more rules, such as the comment spam blacklist, add in another line like this:
Then use those files, such as /etc/modsecurity/mod_security_rules.conf, to store all your rules or signatures (and feel free to overwrite it with our signature file (cache)). Also, feel free to add in your own files for your own local rulesets.
Last, but not least, download the rules and install them into your /etc/modsecurity/ directory. Then restart apache; if you don't get any errors, hurray! The rules loaded. If you do get any errors, check your config files to make sure you have the syntax right, and try commenting out the Include lines to see if the problem is with your configuration or with the rules. If it's with the rules, please try commenting that signature out in your signature file(s) and then report the specific error (cut and paste works best) in this forum and we will fix it ASAP. We usually turn error reports around within a day, sometimes sooner if it's during the week and we're all in town.
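The update-and-restart procedure above (keep local settings in modsecurity.conf, let a cronjob overwrite only the rules file, then restart apache and back out if it complains) can be wrapped in a small script so a bad rules download never leaves the server unable to start. The script below is an added example, not code from this page or from the mod_security project. It assumes the Red Hat paths used in the article; the rules URL is a placeholder, and the config-test and reload commands (apachectl configtest / apachectl graceful) are assumptions to adjust for your distribution.

```shell
#!/bin/sh
# Added example: safe rule-update helper for the two-file mod_security layout.
# Defaults below are ASSUMPTIONS matching the article's Red Hat example;
# override them via the environment for other distributions.
MODSEC_CONF="${MODSEC_CONF:-/etc/httpd/conf.d/modsecurity.conf}"   # local settings, never overwritten
RULES_DIR="${RULES_DIR:-/etc/modsecurity}"                         # where downloaded rules live
RULES_URL="${RULES_URL:-https://example.invalid/PLACEHOLDER/mod_security_rules.conf}"  # placeholder URL
CONFTEST="${CONFTEST:-apachectl configtest}"                       # assumed syntax-check command
RELOAD="${RELOAD:-apachectl graceful}"                             # assumed reload command

# check_layout CONF DIR
# Confirms that the local settings file exists and Includes at least one rules
# file under DIR, i.e. that rules and local configuration are kept apart.
# Returns 0 on success, 1 otherwise.
check_layout() {
    conf="$1"; dir="$2"
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }
    if grep -Eq "^[[:space:]]*Include[[:space:]]+$dir/" "$conf"; then
        return 0
    fi
    echo "$conf does not Include any rules file under $dir" >&2
    return 1
}

# update_rules NEWFILE TARGET CONFTEST_CMD
# Backs up TARGET, installs NEWFILE in its place, then runs the config test.
# If the test fails the backup is restored so the server still starts.
# Returns 0 when the new rules are accepted, 1 on a copy/download problem,
# 2 when the new rules broke the configuration (old file restored).
update_rules() {
    new="$1"; target="$2"; test_cmd="$3"
    [ -s "$new" ] || { echo "downloaded file $new is empty" >&2; return 1; }
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak" || return 1
    fi
    cp "$new" "$target" || return 1
    if sh -c "$test_cmd" >/dev/null 2>&1; then
        return 0
    fi
    echo "config test failed with new rules; restoring previous $target" >&2
    if [ -f "$target.bak" ]; then
        mv "$target.bak" "$target"
    else
        rm -f "$target"
    fi
    return 2
}

# main: the cronjob entry point. Download, install with rollback, then reload.
main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    check_layout "$MODSEC_CONF" "$RULES_DIR" || exit 1
    curl -fsSL "$RULES_URL" -o "$tmp" || { echo "download failed" >&2; exit 1; }
    update_rules "$tmp" "$RULES_DIR/mod_security_rules.conf" "$CONFTEST" || exit $?
    sh -c "$RELOAD"
}

# Only act when explicitly asked, e.g. from cron: update-modsec-rules.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it from cron with the single argument `run`; the reload only happens after the config test passes with the new rules in place, and a failing download leaves the previous rules file untouched, so the "comment out the Include lines" debugging step above is only needed when the rules break at a level the syntax check does not catch.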