What is mod_security?
Mod_security is an excellent tool to combat web based attacks, file/sql injection and it is a web application firewall that can work either embedded or as a reverse proxy. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis. Mod_security is free and open source which is available to everyone.
Install mod_security on Plesk
Since plesk is fully rpm based you can just install the mod_security module using the yum but mod_secuirty is not available in the common rpm repos, so you can make use if the atomicorp.com auto repo setup script to install the module using yum.
- # wget -q -O – http://www.atomicorp.com/installers/atomic.sh | sh
# yum install mod_security
Unlike other Apache modules rpm installation, it wont add the LoadModule in the httpd conf by default. So you have to edit the httpd.conf file and add the following two lines below the LoadModule section.
- # vi /etc/httpd/conf/httpd.conf
- LoadFile /usr/lib/libxml2.so
LoadModule security2_module modules/mod_security2.so
Include conf/mod_security.d/*.conf
Create the mod_security.d under the /etc/httpd/conf/ folder to download and setup the mod_security rule-set
- mkdir /etc/httpd/conf/mod_security.d
cd /etc/httpd/conf/mod_security.d
Download the rule-set from http://www.modsecurity.org/download/ and make sure that you are untaring the file inside the /etc/httpd/conf/mod_security.d directory
- wget http://www.modsecurity.org/download/modsecurity-core-rules_2.1-1.4.3.tar.gz
tar zxf modsecurity-core-rules_2.1-1.4.3.tar.gz
rm -f modsecurity-core-rules_2.1-1.4.3.tar.gz
Restart the web server
- service httpd restart
(or)
/etc/init.d/httpd restart
NOTE : Rules are strong and may block the web application throwing url deny errors. Keep watching the /etc/httpd/logs/error_logs and remove the rules which you don’t want.
Few problems and solutions :
If you are getting ModSecurity: Rule execution error – PCRE limits exceeded (-8): (null). waring in your error logs
The above error may eat up all your cpu’s and memory resource by creating around 100 to 150 MB of RSS memory per pid and you will see an unusual usage of locale-archive around 60 MB in pmap. To solve this problem
create the file pcre_modsecurity_exceeded_limits.conf inside the /etc/httpd/conf
- vi /etc/httpd/conf/pcre_modsecurity_exceeded_limits.conf SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
Restart Apache, now check the Apache error logs and make sure no errors spitting out.
