When the installation is complete, you will find the configuration files for both tools in
/etc/httpd/conf.d:
# ls -l /etc/httpd/conf.d
2. Untar the CRS file and rename the directory for convenience. The hash suffix in the unpacked directory name (ebe8790 here) depends on the commit you downloaded, so use the name ls shows you:
# tar xzf master
# mv SpiderLabs-owasp-modsecurity-crs-ebe8790 owasp-modsecurity-crs
3. Now it's time to configure mod_security. Inside the owasp-modsecurity-crs directory, copy the sample setup file (owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example) to a file of the same name without the .example extension:
# cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
and tell Apache to load this file, together with the base rules, by adding the following lines to the web server's main configuration file, /etc/httpd/conf/httpd.conf. Relative Include paths are resolved against ServerRoot (/etc/httpd); if you unpacked the tarball somewhere else, adjust the paths after the Include directives accordingly:
<IfModule security2_module>
    Include crs-tecmint/owasp-modsecurity-crs/modsecurity_crs_10_setup.conf
    Include crs-tecmint/owasp-modsecurity-crs/base_rules/*.conf
</IfModule>
Finally, it is recommended that you create your own configuration file in the
/etc/httpd/modsecurity.d directory (the packaged mod_security.conf includes every *.conf file found there) and keep your customized directives in it (we will name it tecmint.conf in the following example) instead of modifying the CRS files directly. Doing so makes upgrading the CRS easier as new versions are released.
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
    SecDataDir /tmp
</IfModule>
Two caveats before copying this verbatim. SecRuleEngine On starts blocking immediately; on a production site start with SecRuleEngine DetectionOnly, review what the rules report in Apache's error_log, and switch to On once the false positives have been dealt with. And SecDataDir is where mod_security stores its persistent collections: /tmp is world-writable, so any local user can read or tamper with them, and a directory owned by the apache user (the package default is /var/lib/mod_security) is the safer choice.
You can refer to the SpiderLabs ModSecurity GitHub repository for the complete reference of mod_security configuration directives.
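The tecmint.conf above turns blocking on straight away and keeps its collections in /tmp. As an added example (not code from the article or from the mod_security project), the following script renders the same file with the engine in DetectionOnly (log only) or On, refuses a SecDataDir under /tmp because any local user could tamper with the collections there, and summarises which CRS rule ids fired in Apache's error_log, which is how you find the false positives to tune before switching to On. Assumptions: the file path /etc/httpd/modsecurity.d/tecmint.conf from the text, the apache user of the packaged httpd, /var/lib/mod_security as the package's default data directory, and a constructed error_log excerpt in Apache 2.2 format.

```shell
#!/bin/sh
# modsec-rollout.sh: staged rollout of the custom mod_security file.
# Added example, not taken from the article. Assumes the layout used in
# the text (/etc/httpd/modsecurity.d/tecmint.conf, the apache user of the
# packaged httpd); the error_log excerpt below is constructed, not real.

CONF=/etc/httpd/modsecurity.d/tecmint.conf
# Package default for the persistent collections: owned by apache, mode
# 0750, instead of the world-writable /tmp.
DATADIR=/var/lib/mod_security

# render_conf MODE: print tecmint.conf with SecRuleEngine set to
# DetectionOnly (log only) or On (block). Any other mode is refused, and so
# is a SecDataDir under /tmp. application/octet-stream is left out of the
# response types: buffering every download in memory is expensive and the
# CRS has little to say about binary bodies.
render_conf() {
    case "$1" in
        DetectionOnly|On) ;;
        *) echo "render_conf: mode must be DetectionOnly or On, not '$1'" >&2; return 1 ;;
    esac
    case "$DATADIR" in
        /tmp|/tmp/*) echo "render_conf: refusing world-writable SecDataDir $DATADIR" >&2; return 1 ;;
    esac
    cat <<EOF
<IfModule mod_security2.c>
    SecRuleEngine $1
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    SecDataDir $DATADIR
</IfModule>
EOF
}

# top_rule_ids [N]: read Apache's error_log on stdin and count which CRS
# rules fired (mod_security logs them as [id "NNNNNN"] ... [msg "..."]),
# most frequent first. Run this while in DetectionOnly to see what would
# have been blocked, and tune or exclude those rules before switching to On.
top_rule_ids() {
    sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# apply_conf MODE: render to a temp file first so a refused mode never
# leaves an empty tecmint.conf behind, create SecDataDir for apache, and
# reload Apache only if the whole configuration still parses.
apply_conf() {
    tmp=$(mktemp) || return 1
    if ! render_conf "$1" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "$CONF" && rm -f "$tmp"
    install -d -o apache -g apache -m 0750 "$DATADIR"
    httpd -t && apachectl graceful
}

# Constructed error_log excerpt (Apache 2.2 format) to try top_rule_ids on.
SAMPLE_LOG='[Mon Feb 09 10:00:01 2015] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)..." at ARGS:q. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"]
[Mon Feb 09 10:00:02 2015] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i)..." at ARGS:id. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"]
[Mon Feb 09 10:00:03 2015] [error] [client 192.0.2.11] ModSecurity: Warning. Pattern match "(?i)..." at ARGS:name. [file "/etc/httpd/crs-tecmint/owasp-modsecurity-crs/base_rules/modsecurity_crs_41_xss_attacks.conf"] [line "19"] [id "973335"] [msg "IE XSS Filters - Attack Detected."] [severity "CRITICAL"]'

# Stand-alone usage: "sh modsec-rollout.sh preview" prints the DetectionOnly
# file and the rule summary for the sample log; apply_conf is for root.
if [ "$1" = "preview" ]; then
    render_conf DetectionOnly
    printf '%s\n' "$SAMPLE_LOG" | top_rule_ids
fi
```

In real use the summary is produced with top_rule_ids < /var/log/httpd/error_log; rule ids that fire on legitimate traffic are then handled with SecRuleRemoveById in tecmint.conf rather than by editing the CRS files, which keeps the upgrade path described above intact.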
Next, add this directive to /etc/httpd/conf.d/mod_evasive.conf alongside the other directives:
DOSEmailNotify you@yourdomain.com
If this value is set and your mail server is working properly, an email will be sent to the address
specified whenever an IP address becomes blacklisted.
DOSSystemCommand takes a valid system command as its argument and runs it each time an address is blacklisted; mod_evasive substitutes the offending IP address for %s in the command:
DOSSystemCommand "<command>"
IMPORTANT: By default sudo may only be run from a terminal (the requiretty policy in /etc/sudoers). Since in this case sudo has to run without a tty, on behalf of the Apache worker process, edit the sudoers file with visudo and comment out the line highlighted in the following image (or, better, lift the restriction only for the apache user instead of for everyone):
#Defaults requiretty
Blocked Attacker IP
Conclusion
With mod_security and mod_evasive enabled, the simulated attack causes CPU and RAM usage to spike for only a couple of seconds before the source IPs are blacklisted and blocked by the firewall. Without these tools, the same simulation quickly knocks the server down and leaves it unusable for the duration of the attack.
We would love to hear whether you are planning to use (or have used in the past) these tools. We always look forward to hearing from you, so don't hesitate to leave your comments and questions, if any, using the form below.
Reference Links
https://www.modsecurity.org/
http://www.zdziarski.com/blog/?page_id=442