I installed mod_security on a couple of production RHEL5 Web servers lately, and here are a few of my observations.
Installing mod_security is pretty easy and is documented in the mod_security download. I found that I needed to install the following packages to meet some dependencies and to build mod_security:
- pcre and pcre-devel
I had the support of my managers to put mod_security in full blocking mode, so after copying the rules directory to
/etc/httpd/modsecurity.d, I saved the following in
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
The Web servers run a variety of custom Web applications as well as some canned software like Webcalendar and Wordpress. I didn't experience any problems with the custom applications or Webcalendar, but mod_security took issue when someone tried to edit an existing blog post in Wordpress (curiously, there wasn't any trouble when submitting a new post). So I put the following in
I'm in the fortunate (and perhaps unusual) situation of being able to restrict access to the wp-admin directory by IP address, so I don't have the entire Internet hammering at the thing. Looks like blogsecurity.net has a custom mod_security configuration for Wordpress which I just haven't had time to try yet.
Another wrinkle I had was that some command-line Perl programs I run would be blocked because they weren't providing "accept" and "user-agent" request headers. One of these programs looked something like this:
use LWP::UserAgent;
use HTTP::Request::Common qw(GET);   # exports the GET request constructor
my $ua  = LWP::UserAgent->new();
my $uri = shift @ARGV;
my $res = $ua->request( GET $uri );
I had to make the following change and addition:
$ua->agent('my-fetch-script/1.0');   # non-blank user-agent; the exact value is an assumption
my $res = $ua->request( GET $uri, accept => 'text/html' );
(Looks like just about any non-blank user-agent will do.)
Another trick I've learned is that instead of using SecRuleEngine Off (like I did for the Wordpress wp-admin directory, which makes mod_security totally ignore that directory), you can use SecRuleEngine DetectionOnly, which makes mod_security log what it would do without actually blocking requests. This can be good for debugging.
And although I haven't needed it, the mod_security documentation suggests a way to whitelist requests from a specific host:
SecRule REMOTE_ADDR "^192\.168\.1\.100$" nolog,phase:1,allow
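Putting the pieces above together, here is an added example (mine, not from the original post or the mod_security project) of a complete mod_security stanza that keeps full blocking mode globally, whitelists one trusted host, and scopes DetectionOnly to the wp-admin directory instead of turning the engine Off there. The paths, the 192.168.1.100 address and the rule id are assumptions.

```apache
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so

<IfModule security2_module>
    # Global default: full blocking mode, rules copied to /etc/httpd/modsecurity.d
    SecRuleEngine On
    Include /etc/httpd/modsecurity.d/*.conf

    # Keep an audit log of matched transactions so DetectionOnly hits can be read back
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Whitelist one trusted host in phase 1 (request headers), as in the docs.
    # Caveat: behind a reverse proxy REMOTE_ADDR is the proxy, not the client.
    # The id action is required by mod_security 2.7 and later.
    SecRule REMOTE_ADDR "^192\.168\.1\.100$" "phase:1,nolog,allow,id:900001"

    # wp-admin: log what would have been blocked (e.g. the edit-post false
    # positive) without blocking it, while IP restriction still guards the path.
    <Directory "/var/www/html/wp-admin">
        SecRuleEngine DetectionOnly
    </Directory>
</IfModule>
```

After a DetectionOnly request, the audit log shows which rule would have fired, which is what you need to decide whether to tune that rule or leave it.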
All in all, installing mod_security has been a fairly easy transition, and it's nice having another layer of protection.