Introduction:

ModSecurity is an open-source web application firewall (WAF) module for the Apache HTTP Server. It helps protect web servers against common attacks such as SQL injection, cross-site scripting (XSS), remote file inclusion, and malicious HTTP requests.

Compiling Apache with ModSecurity allows administrators to integrate advanced request filtering and security rules directly into the web server environment. This guide explains how to download, compile, configure, and enable ModSecurity on Apache servers.

Prerequisites:

Before starting the installation, ensure the following requirements are met:

  • Root or sudo access to the server
  • Apache installed on the system
  • Apache development tools (apxs and httpd-devel)
  • GCC compiler and build tools installed
  • Basic knowledge of Linux command line operations

Install required development packages if they are not already available:

$ yum install httpd-devel gcc make -y

For Debian/Ubuntu systems:

$ apt-get install apache2-dev build-essential -y

It is also recommended to create a backup of the Apache configuration before making any changes.

Implementation:

Step 1: Download and Extract ModSecurity

Download the ModSecurity source package:

$ wget http://www.modsecurity.org/download/modsecurity-apache_1.9.4.tar.gz

Extract the archive:

$ tar -zxf modsecurity-apache_1.9.4.tar.gz

Step 2: Navigate to the Apache Version Directory

For Apache 1.3.x

$ cd modsecurity-apache_1.9.4/apache1

For Apache 2.x

$ cd modsecurity-apache_1.9.4/apache2

Note: Most modern Linux distributions and control panels such as Plesk use Apache 2.x.

Step 3: Compile ModSecurity

Compile the ModSecurity module using the Apache Extension Tool (apxs):

$ /etc/httpd/bin/apxs -cia mod_security.c

If the above command fails due to missing development files, install the Apache development package and retry:

$ yum install httpd-devel -y
$ /usr/sbin/apxs -cia mod_security.c

Successful compilation will install the mod_security.so module into the Apache modules directory.

Step 4: Backup Apache Configuration

Before modifying the Apache configuration, create a backup:

$ cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec

Step 5: Edit Apache Configuration

Open the Apache configuration file:

$ vi /etc/httpd/conf/httpd.conf

For Apache 1.3.x

Locate the following line:

AddModule mod_security.c

If it does not exist, add it with the other module entries.

For Apache 2.x

Locate the following line:

LoadModule security_module modules/mod_security.so

Below this line, add the ModSecurity ruleset configuration.

Step 6: Configure ModSecurity Rules

Add the following basic ModSecurity directives:

# Enable ModSecurity
SecFilterEngine On

# Hide Apache version information
SecServerSignature "Apache"

# Unicode check
SecFilterCheckUnicodeEncoding Off

# Audit logging
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# Scan POST payloads
SecFilterScanPOST On

# Default action
SecFilterDefaultAction "deny,log,status:403"

Additional custom filtering rules can then be added based on security requirements.

The provided ruleset includes protections against:

  • XSS attacks
  • Malicious file downloads
  • Email header injection
  • Remote command execution attempts
  • Common exploit patterns

Step 7: Restart Apache

After saving the configuration, restart Apache to apply the changes.

On CentOS/RHEL

$ service httpd restart

On Ubuntu/Debian

$ systemctl restart apache2
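
A pre-restart gate for Steps 4 to 7, added here as an example and not part of the original guide: it confirms that the Apache 2.x LoadModule line and the Step 6 directives are active in the edited file, runs Apache's syntax test, and restores the Step 4 backup if either check fails. The function names and the script name gate.sh are hypothetical; `httpd -t` is Apache's configuration syntax test.

```sh
#!/bin/sh
# Added example (not from the original guide): gate the Step 7 restart on the
# guide's directives being present and the Apache syntax check passing.

# has_directive FILE NAME VALUE_REGEX: true if an uncommented line sets NAME
# to a value matching VALUE_REGEX (matching is case-insensitive).
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3" "$1"
}

# check_modsec_conf FILE: print one line per problem, return the problem count.
check_modsec_conf() {
    conf=$1
    problems=0
    # Directive name, then a regex for the value this guide sets (Apache 2.x).
    while read -r name value; do
        if ! has_directive "$conf" "$name" "$value"; then
            echo "not set as in this guide: $name"
            problems=$((problems + 1))
        fi
    done <<'EOF'
LoadModule security_module[[:space:]]
SecFilterEngine On[[:space:]]*$
SecFilterScanPOST On[[:space:]]*$
SecAuditEngine RelevantOnly[[:space:]]*$
SecFilterDefaultAction "?([a-z0-9:]+,)*deny
EOF
    return "$problems"
}

# gate_restart CONF BACKUP SYNTAX_CMD...: succeed only if both checks pass.
# On failure keep the rejected edit as CONF.rejected and restore BACKUP.
gate_restart() {
    live=$1; backup=$2; shift 2
    if check_modsec_conf "$live" && "$@"; then
        return 0
    fi
    cp "$live" "$live.rejected"
    cp "$backup" "$live"
    echo "checks failed: restored $backup, edit kept as $live.rejected" >&2
    return 1
}

# Typical call with this page's paths (hypothetical script name gate.sh):
#   sh gate.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf-mod_sec \
#       httpd -t && service httpd restart
if [ "$#" -ge 3 ]; then
    gate_restart "$@"
fi
```

On Debian/Ubuntu, pass `apache2ctl -t` as the syntax command and follow it with the restart command shown above for that platform.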

Step 8: Verify ModSecurity

Check whether ModSecurity is loaded successfully:

$ httpd -M | grep security

Or on Debian/Ubuntu:

$ apache2ctl -M | grep security

You should see output similar to:

security_module (shared)

Monitor the ModSecurity audit log for blocked or suspicious requests:

$ tail -f /etc/httpd/logs/audit_log

Conclusion

Compiling Apache with ModSecurity provides an additional layer of security for web servers by enabling request filtering and intrusion detection capabilities directly within Apache. Once installed and configured, ModSecurity can help prevent many common web application attacks and improve overall server security.

Regular monitoring of the audit logs and periodic updates to the ruleset are recommended to ensure continued protection against emerging threats.
