ModSecurity is an open source intrusion detection and prevention engine for web applications (in other words, a web application firewall). It runs as an Apache web server module or standalone, and its purpose is to increase web application security by protecting web applications from known and unknown attacks.

 

Manual installation

cd /usr/src
wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz

tar zxvf modsecurity-apache-1.9.2.tar.gz
cd modsecurity-apache-1.9.2
4. Now you need to determine which version of Apache you use:
APACHE 1.3.x users
cd apache1/
APACHE 2.x users
cd apache2/

5. Let's compile the module now:
/usr/local/apache/bin/apxs -cia mod_security.c
If apxs is not at this path on your system, run "locate apxs" to find it and use that path instead.

6. OK, now it's time to edit the httpd.conf file. First we will make a backup in case something goes wrong:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.backup

7. Now that we have backed it all up, we can edit httpd.conf. Replace pico with nano depending on what you have:
pico /usr/local/apache/conf/httpd.conf

8. Let's find a place in the config. Hold Control and press W, then search for:

<IfModule mod_dir.c> (although any of the IfModules would work fine)

9. Now add this:

<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On

# Change Server: string
SecServerSignature " "

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# This setting should be set to On only if the Web site is
# using the Unicode encoding. Otherwise it may interfere with
# the normal Web site operation.
SecFilterCheckUnicodeEncoding Off

# Only allow bytes from this range
SecFilterForceByteRange 1 255

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis. "On" will log everything,
# "DynamicOrRelevant" will log dynamic requests or violations,
# and "RelevantOnly" will only log policy violations
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/httpd/audit_log

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:500"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Prevent path traversal (..) attacks
# (dots are escaped so the pattern matches a literal "../")
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/JavaScript injection)
SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
</IfModule>

10. Save the file: Ctrl + X, then Y

11. Restart Apache

/etc/rc.d/init.d/httpd stop
/etc/rc.d/init.d/httpd start
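
The filter patterns in step 9 can be tried offline before they are put in front of live traffic. The following Python check is an added example, not part of the original instructions: it rewrites [[:space:]] as \s for Python's re module, assumes case-insensitive matching on already-decoded input, and uses constructed sample requests. It also includes the path traversal pattern with unescaped dots ("../") to show why the dots need escaping.

```python
import re

# Patterns from the step 9 configuration. POSIX [[:space:]] is rewritten as \s
# because Python's re module has no POSIX classes (assumption: same meaning).
FILTERS = {
    "path-traversal": r"\.\./",
    "path-traversal-unescaped": r"../",   # dots left as regex wildcards
    "xss-script": r"<\s*script",
    "xss-any-tag": r"<(.|\n)+>",
    "sql-delete": r"delete\s+from",
    "sql-insert": r"insert\s+into",
    "sql-select": r"select.+from",
}
# Assumption: the filters are matched case-insensitively.
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in FILTERS.items()}

# Constructed sample inputs (already URL-decoded), not captured traffic.
SAMPLES = {
    "static": "GET /images/logo.png HTTP/1.0",
    "traversal": "GET /download.php?file=../../etc/passwd HTTP/1.0",
    "br": "comment=use <br> for a line break",
    "script": "comment=< script>alert(1)",
    "prose": "q=please select a colour from the list",
    "sqli": "id=1 union select password from users",
}


def matches(text):
    """Return the sorted names of every filter whose pattern occurs in text."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


def report():
    """Map each sample label to the filters that would fire on it."""
    return {label: matches(text) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:10} -> {', '.join(hits) or 'pass'}")
```

With SecFilterDefaultAction "deny,log,status:500", every match listed for a benign sample (the <br> comment, the "select ... from" sentence) would be an error page for a legitimate visitor.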

 

 

http://www.webhostgear.com/forums/showthread.php?t=778&highlight=apache

apacheconf

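# Load the module first, then activate it (Apache 1.3 syntax)
LoadModule security_module libexec/mod_security.so
AddModule mod_security.c

<IfModule mod_security.c>
# Turn the filtering engine on
SecFilterEngine On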

#SecFilter /usr/local/mysql/
#SecFilter /var/
#SecFilter /bin/cc
#SecFilter /bin/gcc
#SecFilter "<[[:space:]]*script"
#SecFilter "<(.|\n)+>"
#SecFilter "delete[[:space:]]+from"
#SecFilter "insert[[:space:]]+into"
#SecFilter "select.+from"
#SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Monitor viewtopic.php on phpbb
#SecFilterSelective THE_REQUEST "viewtopic.php" chain
#SecFilterSelective ARGS_VALUES "(system|exec|passthru|cmd)" deny,log
#SecFilterSelective THE_REQUEST "viewtopic.php" chain
#SecFilter "http:"
#SecFilterSelective THE_REQUEST "admin_cash.php" chain
#SecFilter "http:"
#SecFilterSelective THE_REQUEST "album_portal.php" chain
#SecFilter "http:"
#SecFilterSelective THE_REQUEST "viewforum.php" chain
#SecFilter "http:"
#SecFilterSelective THE_REQUEST "quick_reply.php" chain
#SecFilter "http:"
#SecFilterSelective THE_REQUEST "viewtopic.php" chain
#SecFilter "&highlight=%2527\."
#SecFilterSelective THE_REQUEST "viewtopic.php" chain
#SecFilter "system"
#SecFilterSelective THE_REQUEST "viewtopic.php" chain
#SecFilter "fopen"
#SecFilterSelective THE_REQUEST "viewtopic.php" chain
#SecFilter "fwrite"
#SecFilterSelective ARG_highlight %27
#SecFilterSelective ARG_highlight %2527
</IfModule>