How to install apache2 mod_security and mod_evasive on openSuSE server

This guide is based on various community forum posts, and hours of frustration. 

This guide is intended as a relatively easy step by step guide to:

  • Install and configure Apache2 ModSecurity and mod_evasive modules on openSuSE 11.04 or later
  • This is only a starting point for getting mod_security and mod_evasive working. Refer to both projects' documentation for the various configuration options available and configure your security settings as required.

Requirements:

  • openSuSE 11.04 or later installed on your machine. 
  • Apache2 webserver setup and configured.

1. Install ModSecurity on your server.

  • Install the dependencies. Open the Terminal Window and enter :
sudo yast2 -i libxml2-devel pcre-devel apache2-devel apache2-prefork
  • Now install ModSecurity
sudo yast2 -i apache2-mod_security2

2. Download and install OWASP ModSecurity Core Rule Set.

sudo mkdir /etc/apache2/mod_security
  • The default folder for ModSecurity rules is /etc/apache2/mod_security/ . All .conf files will be included and need to be configured as required.
  • We need to download and install the latest OWASP ModSecurity Core Rule Set from the project website. Click here for more information.
  • We will also activate the default CRS config file modsecurity_crs_10_setup.conf. 
  • Open the Terminal Window and enter the following as root user:
cd /tmp
wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master
tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz
cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/apache2/mod_security/
rm SpiderLabs-owasp-modsecurity-crs.tar.gz
rm -R SpiderLabs-owasp-modsecurity-crs-*
cd /etc/apache2/mod_security
mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
  • We need to add the SecDataDir directive to the modsecurity_crs_10_setup.conf file.
  • Open the Terminal Window and enter :
sudo vi /etc/apache2/mod_security/modsecurity_crs_10_setup.conf
  • Add the following line to the end of the file and save :
SecDataDir /var/asl/data/msa
  • Now we create symbolic links to all activated base rules and the optional rules. Open a terminal window and enter :
cd /etc/apache2/mod_security/base_rules
for f in * ; do sudo ln -s "/etc/apache2/mod_security/base_rules/$f" "/etc/apache2/mod_security/activated_rules/$f" ; done
cd /etc/apache2/mod_security/optional_rules
for f in * ; do sudo ln -s "/etc/apache2/mod_security/optional_rules/$f" "/etc/apache2/mod_security/activated_rules/$f" ; done

3. Edit mod_security2.conf configuration file.

  • We need to add our Core Rule Set include path to the mod_security2.conf file. 
  • Open the Terminal Window and enter :
sudo vi /etc/apache2/conf.d/mod_security2.conf
  • 32bit servers only, add the following lines to the other options and save the file :
LoadFile /usr/lib/libxml2.so
Include /etc/apache2/mod_security/*.conf
Include /etc/apache2/mod_security/activated_rules/*.conf
  • 64bit servers only, add the following lines to the other options and save the file :
LoadFile /usr/lib64/libxml2.so
Include /etc/apache2/mod_security/*.conf
Include /etc/apache2/mod_security/activated_rules/*.conf
  • You might also want to edit the SecRequestBodyLimit in the mod_security2.conf file.
  • SecRequestBodyLimit limits the page request size and limits file uploads to 128 KB by default. Change this to the size of files you would accept uploaded to the server.
  • This setting is very important as it limits the size of all files uploaded to the server. For CMS sites using Drupal or WordPress this setting is the source of much pain.
  • Open the Terminal Window and enter :
sudo vi /etc/apache2/conf.d/mod_security2.conf
  • Edit the following options to increase the request size to 16 MB and save the file :
SecRequestBodyLimit 16384000
SecRequestBodyInMemoryLimit 16384000

4. Enable ModSecurity module and restart Apache.

  • Before restarting Apache2 enable the mod_security2 and mod_unique_id modules.
  • Open the Terminal Window and enter :
sudo a2enmod mod_unique_id
sudo a2enmod mod_security2
  • Then restart the Apache2 webserver :
sudo service apache2 restart
  • OR
sudo /etc/init.d/apache2 restart

5. Download, compile and Install ModEvasive.

  • We need to download the source code from the author's website here.
  • Open the Terminal Window and enter the following as root user :
cd /tmp
wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
tar -zxvf mod_evasive_1.10.1.tar.gz
cd mod_evasive
apxs2 -ci mod_evasive20.c
cd ..
rm -R mod_evasive*

6. Create log file directory for mod_evasive.

  • Open the Terminal Window and enter :
sudo mkdir /var/log/apache2/mod_evasive
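  • Change the log folder ownership and permissions. The folder must be writable by the Apache user (wwwrun on openSUSE), and a directory needs the execute bit to be usable, so use 750 rather than 640 :
sudo chown wwwrun:www /var/log/apache2/mod_evasive/
sudo chmod 750 /var/log/apache2/mod_evasive/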

7. Create mod_evasive.conf file and configure ModEvasive.

  • Open the Terminal Window and enter :
sudo vi /etc/apache2/conf.d/mod_evasive.conf
  • Add the following, changing the email value and the other options below as required :
<IfModule mod_evasive20.c>
   DOSHashTableSize 3097
   DOSPageCount  2
   DOSSiteCount  50
   DOSPageInterval 1
   DOSSiteInterval  1
   DOSBlockingPeriod  10
   DOSLogDir   /var/log/apache2/mod_evasive
   DOSEmailNotify  EMAIL@DOMAIN.com
   DOSWhitelist   127.0.0.1
</IfModule>

8. Enable ModEvasive and restart Apache.

  • Before restarting Apache2 enable the module.
  • Open the Terminal Window and enter :
sudo a2enmod mod_evasive20
  • Then restart the Apache2 webserver :
sudo service apache2 restart
  • OR
sudo /etc/init.d/apache2 restart

9. Check if everything is working.

  • Open the Terminal Window and enter :
tail -f /var/log/apache2/error_log
  • The output should look something like this :
[Sat Mar 09 23:18:31 2012] [notice] caught SIGTERM, shutting down
[Sat Mar 09 23:18:33 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 09 23:18:34 2012] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Sat Mar 09 23:18:34 2012] [notice] Original server signature: Apache/2.x.x (Linux/SUSE)
[Sat Mar 09 23:18:34 2012] [notice] Digest: generating secret for digest authentication ...
[Sat Mar 09 23:18:34 2012] [notice] Digest: done
[Sat Mar 09 23:18:35 2012] [notice] Apache/2.x.x (Linux/SUSE) configured -- resuming normal operations
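
The checks from steps 2, 3 and 9 can also be scripted. The function below is an added example, not part of the original guide: it looks for dangling rule symlinks, the SecDataDir and Include lines, and the ModSecurity notice in the most recent startup. The function name and the optional ROOT prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example: post-install audit for the file layout used in this guide.
# ROOT is an assumed optional prefix so the checks can run against a copy
# of the tree; leave it empty to audit the live server.
audit_install() {
    ROOT=${1:-}
    CRS="$ROOT/etc/apache2/mod_security"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # Step 2: every link in activated_rules must resolve to a real rule file.
    links=0
    for l in "$CRS"/activated_rules/*; do
        [ -L "$l" ] || continue
        links=$((links + 1))
        [ -e "$l" ] || fail "dangling symlink $l"
    done
    [ "$links" -gt 0 ] || fail "no rules linked in $CRS/activated_rules"

    # Step 2: SecDataDir must be set and uncommented in the CRS setup file.
    grep -Eq '^[[:space:]]*SecDataDir[[:space:]]+/' \
        "$CRS/modsecurity_crs_10_setup.conf" 2>/dev/null ||
        fail "SecDataDir missing from modsecurity_crs_10_setup.conf"

    # Step 3: mod_security2.conf must include the activated rules.
    grep -Eq '^[[:space:]]*Include[[:space:]]+.*/mod_security/activated_rules/\*\.conf' \
        "$ROOT/etc/apache2/conf.d/mod_security2.conf" 2>/dev/null ||
        fail "activated_rules Include missing from mod_security2.conf"

    # Step 9: the most recent startup in error_log must show ModSecurity.
    # Only lines after the last "caught SIGTERM" are considered.
    log="$ROOT/var/log/apache2/error_log"
    if [ -r "$log" ]; then
        awk '/caught SIGTERM/ { seen = 0 }
             /ModSecurity for Apache/ { seen = 1 }
             END { exit !seen }' "$log" ||
            fail "ModSecurity notice absent from last startup in error_log"
    else
        fail "cannot read $log"
    fi

    echo "$fails check(s) failed"
    return "$fails"
}
```

Save the function to a file, source it as root and call audit_install with no arguments to audit the live server. The return value is the number of failed checks.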
