Overview
The mod_security2 Apache module provides the ModSecurity™ web application firewall for Apache.
Warnings:
- This document only applies to systems that run EasyApache 4.
- If your ruleset contains rule ID conflicts or syntactical errors, ModSecurity will fail and Apache will not start. For more information about how EasyApache handles issues with your ModSecurity rules, read the Compatibility section.
Usage
Use the mod_security2 Apache module to install the ModSecurity web application firewall. You can configure this module to protect your Apache web applications from various attacks. The ModSecurity web application firewall also provides additional tools to monitor your Apache web server.
Requirements
This module has no requirements.
Compatibility
Rule compatibility
Major versions of the mod_security2 Apache module use different syntaxes for ModSecurity rules.
Warnings:
- No conversion utility exists to rewrite rules between versions.
- Minor versions of ModSecurity may also include syntactical changes that are incompatible with older rulesets.
For more information on the migration process from ModSecurity 1.x to ModSecurity 2.x, visit the following websites:
- ModSecurity — This website includes ModSecurity 1.x to 2.x Migration Matrix documentation.
- ModSecurity FAQ — This website includes directions for how to migrate rules from the ModSecurity 1.x format into the 2.x format.
- The ModSecurity mailing list — This is the ModSecurity users' mailing list.
Important:
If your system uses either the mod_ruid2 or the mod_mpm_itk Apache modules and also uses persistent storage with the initcol, setuid, or setsid directives in the ModSecurity rules, Apache will fail to track that rule. Apache will also log errors to its error_log file. For example, the IP Reputation rule in the OWASP core ruleset may give this error.
How to install or uninstall mod_security2
Important:
- After you install the mod_security2 Apache module, you must configure the application in WHM's ModSecurity™ Configuration interface (WHM >> Home >> Security Center >> ModSecurity™ Configuration).
- We strongly recommend that you include the mod_security2 Apache module in your profile. For more information about profiles in EasyApache 4, read our EasyApache 4 - Create a Profile documentation.
- We patch the mod_security2 Apache module to only generate the SecHashKey directive if the SecHashEngine directive enables transaction logging to improve system performance.
Interface
To install or uninstall the mod_security2 Apache module, use the EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4).
Command line
To install the mod_security2 Apache module in EasyApache 4 from the command line, run the following command:
yum install ea-apache24-mod_security2
To uninstall the mod_security2 Apache module in EasyApache 4 from the command line, run the following command:
yum remove ea-apache24-mod_security2
Apache, mod_security2, and EasyApache 4 configuration
EasyApache 4 enables the mod_security2 Apache module for all virtual hosts by default, except for the default virtual host. The section for the default virtual host in your /etc/apache2/conf/httpd.conf file contains the following directive:
<IfModule mod_security2.c>
  SecRuleEngine Off
</IfModule>
By default, the mod_security2 Apache module stores its log file in the /etc/apache2/logs/modsec_audit.log file.
Important:
EasyApache 4 installs the mod_security2 Apache module with several include files.
ModSecurity Rules
Use the following file information to configure your ModSecurity firewall rules.
cPanel & WHM Version 56 or earlier
When you install the mod_security2 RPM, the installation places the following files into your /etc/apache2/conf.d directory:
- modsec2.conf
- modsec2.cpanel.conf
When the system loads, it uses the conf.d/*.conf glob file to pull the files into your configuration.
In EasyApache 4, the /etc/apache2/conf.d/modsec2.conf file contains the basic directives for the mod_security2 Apache module, and the following Include directives:
Include "/etc/apache2/conf.d/modsec2.user.conf"
Include "/etc/apache2/conf.d/modsec2.cpanel.conf"
The /etc/apache2/conf.d/modsec2.user.conf file contains the ModSecurity firewall application rules that you define.
Warning:
We strongly recommend that you do not use Include directives in the modsec2.user.conf file. When you convert to EasyApache 4, the system comments out any Include directives and you must manually verify the paths.
cPanel & WHM Version 58 or later
When you install the mod_security2 RPM, the installation places the following files into your /etc/apache2/conf.d/modsec/ directory:
- modsec2.user.conf
- modsec2.cpanel.conf
When the system loads, it uses the conf.d/*.conf glob file to pull the files into your configuration.
In EasyApache 4, the /etc/apache2/conf.d/modsec2.conf file contains the basic directives for the mod_security2 Apache module, and the following Include directives:
Include "/etc/apache2/conf.d/modsec/modsec2.user.conf"
Include "/etc/apache2/conf.d/modsec/modsec2.cpanel.conf"
The /etc/apache2/conf.d/modsec/modsec2.user.conf file contains the ModSecurity firewall application rules that you define.
Warning:
We strongly recommend that you do not use Include directives in the modsec2.user.conf file. When you convert to EasyApache 4, the system comments out any Include directives and you must manually verify the paths.
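The warnings in this document (rule ID conflicts that stop Apache from starting, Include directives in modsec2.user.conf, and initcol, setuid, or setsid under mod_ruid2 or mod_mpm_itk) can be checked before a restart. The following script is an added example, not cPanel code; the function names are hypothetical, and it assumes the two modules appear as ruid2_module and mpm_itk_module in saved `httpd -M` output.

```shell
#!/bin/sh
# Added example (not cPanel code): lint ModSecurity rule files before an Apache restart.
# Usage: httpd -M > mods.txt; lint_modsec mods.txt modsec2.user.conf modsec2.cpanel.conf

# duplicate_rule_ids FILE... -> "ID file:line file:line" for each id used more than once
duplicate_rule_ids() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out rules
        {
            line = " " $0                        # pad so an id at column 1 still matches
            while (match(line, /[^A-Za-z0-9_]id:[^0-9A-Za-z]?[0-9]+/)) {
                id = substr(line, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", id)           # keep only the numeric rule id
                where[id] = where[id] " " FILENAME ":" FNR
                count[id]++
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (id in count) if (count[id] > 1) print id where[id] }
    ' "$@" | sort -n
}

# include_directives FILE -> active Include lines (directive names are case-insensitive)
include_directives() {
    awk 'tolower($1) == "include" { print FILENAME ":" FNR ": " $0 }' "$1"
}

# persistent_storage_rules FILE... -> active lines that use initcol, setuid or setsid
persistent_storage_rules() {
    awk '!/^[ \t]*#/ && (" " $0) ~ /[^A-Za-z0-9_](initcol|setuid|setsid):/ {
            print FILENAME ":" FNR ": " $0 }' "$@"
}

# lint_modsec MODULE_LIST USER_CONF [OTHER_CONF...]
# MODULE_LIST is a file holding saved `httpd -M` output. Returns 1 on any finding.
lint_modsec() {
    mods=$1; shift; rc=0
    out=$(duplicate_rule_ids "$@")
    [ -z "$out" ] || { printf 'Duplicate rule IDs:\n%s\n' "$out"; rc=1; }
    out=$(include_directives "$1")
    [ -z "$out" ] || { printf 'Include in user rules:\n%s\n' "$out"; rc=1; }
    if grep -Eq '(ruid2|mpm_itk)_module' "$mods"; then
        out=$(persistent_storage_rules "$@")
        [ -z "$out" ] || { printf 'Persistent storage under per-user module:\n%s\n' "$out"; rc=1; }
    fi
    return $rc
}
```

Syntax errors are a separate check: httpd -t parses the full configuration without starting Apache.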
ModSecurity utilities
ModSecurity SDBM
cPanel & WHM provides the ModSecurity SDBM utility to purge expired entries from the /var/cpanel/secdatadir/users/username/ip.pag cache file, where username represents the cPanel username. For more information, read the ModSecurity SDBM Utility documentation.
ModSecurity Audit Log Collector (mlogc)
cPanel & WHM includes the ModSecurity Audit Log Collector (mlogc) with the ModSecurity installation. Mlogc implements remote logging of your ModSecurity audit logs. For more information, read the mlogc documentation.
Vendor documentation
The following text is an excerpt from the ModSecurity website:
With over 70% of all attacks now carried out over the web application level, organizations need every help they can get in making their systems secure. Web application firewalls are deployed to establish an external security layer that increases security, detects, and prevents attacks before they reach web applications.
For more information on the mod_security2 Apache module, visit the ModSecurity for Apache website.