mod_security is a well-known web application firewall for Apache that is easy to set up, provides a fair amount of protection from web malware, and can even provide some protection from comment spam. The benefits of mod_security have been discussed over and over again, and with the recent unforeseen problems with WordPress (in case you have not heard about it: if you have not upgraded your WordPress 2.1.1 installation, you need to do it NOW), mod_security would have provided a level of security if it had been installed. Since I had to install mod_security on one of my servers, the steps are fresh in my mind and worth a post. All of the steps below assume that you have some sort of LAMP installation over which you have complete control. If you are on a shared LAMP host, you will have to ask your provider to install mod_security for you.
If you are running some version of Fedora greater than Core 2, mod_security installation might be as simple as invoking yum:
/usr/bin/yum install mod_security
For Debian and Ubuntu, you could do:
apt-get install libapache2-mod-security
If by chance you are running a version of Fedora that does not have the mod_security package, you will need to download the source, compile the module, configure mod_security and restart Apache.
- Get the latest version of mod_security from http://www.modsecurity.org/download/modsecurity-apache_2.1.0.tar.gz
- Make sure you have httpd-devel installed with
/usr/bin/yum install httpd-devel
- Follow the steps outlined here. The steps are very clear and should not be confusing. For the step that asks to configure mod_security, you can use a very basic config from here and copy the contents to /etc/httpd/conf.d/mod_security.conf. More detailed rules can be found here.
- After Apache restarts, make sure your web application (and WordPress) are running as normal.
If things break, removing the module is as simple as commenting out the line that activates mod_security in httpd.conf (search for mod_security in /etc/httpd/conf/httpd.conf) and restarting Apache. There are lots of fun rules for comment spam mitigation, Google Hack signatures and other tricks that you can add to mod_security. As with any high-level application security, this adds overhead, and there is a delicate balance between protection and paranoia. mod_security 2.1.0 has significant performance improvements over earlier versions.
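A starting point for /etc/httpd/conf.d/mod_security.conf, added here as an example and not the basic config this post links to. It runs the engine in detection-only mode so rules log without blocking while you confirm the site still works, and wraps everything in an IfModule block so that commenting out the LoadModule line does not leave Apache failing on unknown Sec* directives. The log path, rule id and sample pattern are assumptions.

```apache
# Constructed example, ModSecurity 2.x directive syntax.
# The LoadModule line for 2.x looks like:
#   LoadModule security2_module modules/mod_security2.so
# (mod_unique_id must also be loaded for ModSecurity 2.x.)

<IfModule security2_module>
    # Evaluate and log rules, but never block a request.
    # Switch to "On" only after the application has been checked.
    SecRuleEngine DetectionOnly

    # Inspect POST bodies (form and comment submissions);
    # skip response bodies to keep overhead down.
    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Cap the request body ModSecurity will buffer, in bytes
    # (assumed value: 1 MB).
    SecRequestBodyLimit 1048576

    # Audit-log only transactions that matched a rule or ended
    # in a 4xx/5xx status, to one serial log file.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^[45]"
    SecAuditLogType Serial
    # Assumed path; adjust to your log directory.
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Default for rules that follow: log and let the request through.
    SecDefaultAction "phase:2,log,auditlog,pass"

    # Sample rule (constructed): record any request parameter that
    # contains an opening script tag. The id is an arbitrary local value.
    SecRule ARGS "<script" \
        "phase:2,t:lowercase,id:900001,msg:'script tag in request parameter'"
</IfModule>
```

Once the audit log shows no hits on normal WordPress traffic, change `SecRuleEngine` to `On` and replace `pass` in `SecDefaultAction` with `deny,status:403` to start blocking.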
Standard Disclaimer: This How To comes without any warranty or guarantee of any sort. Please take these steps at your own risk and do not modify or change anything you are not familiar or comfortable with. I will not be responsible if you break your server.