ModSecurityTM is an open source intrusion detection and prevention engine for web applications (or a web application firewall). Operating as an Apache Web server module or standalone, the purpose of ModSecurity is to increase web application security, protecting web applications from known and unknown attacks. from http://www.modsecurity.org/
 
Installing mod_security as DSO is easier, and the procedure is the same for both Apache branches. First unpack the distribution somewhere (anywhere will do, I copy the .c files in my home),

# cd
# wget http://www.modsecurity.org/download/mod_security-1.9.4.tar.gz
# tar -zxfv mod_security-1.9.4.tar.gz
# cd mod_security-1.9.4/apache2

and compile the module with:

apache1apache2
/usr/local/psa/admin/bin/apxs  -cia ~/mod_security.c/usr/sbin/apxs2  -cia ~/mod_security.c

First problem that may occur is the absence of
  • GccThe GNU Compiler Collection (usually shortened to GCC) is a set of programming language compilers produced by the GNU Project. It is free software distributed by the Free Software Foundation (FSF) under the GNU GPL, and is a key component of the GNU toolchain. It is the standard compiler for the open source Unix-like operating systems, and certain proprietary operating systems derived therefrom such as Mac OS X. [WikiPedia]
  • apache-dev: contains the apxs tool, and required pache heder to compile a module
Both can be installed via YaST2...

Tips: if your apxs2 is not located at /usr/bin/apxs2, you can search it by typing # find / -name apxs2

# /usr/sbin/apxs2  -cia ~/mod_security.c
/usr/share/apache2/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -march=i586 -mcpu=i686 -fmessage-length=0 -Wall -g -fPIC -Wall -fno-strict-aliasing -D_LARGEFILE_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -DAP_DEBUG -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -pthread -I/usr/include/apache2  -I/usr/include/apache2   -I/usr/include/apache2   -c -o /root/mod_security.lo /root/mod_security.c && touch /root/mod_security.slo
/usr/share/apache2/build/libtool --silent --mode=link gcc -o /root/mod_security.la  -rpath /usr/lib/apache2 -module -avoid-version    /root/mod_security.lo
/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apache2/build/libtool' /root/mod_security.la /usr/lib/apache2
/usr/share/apache2/build/libtool --mode=install cp /root/mod_security.la /usr/lib/apache2/
cp /root/.libs/mod_security.so /usr/lib/apache2/mod_security.so
cp /root/.libs/mod_security.lai /usr/lib/apache2/mod_security.la
cp /root/.libs/mod_security.a /usr/lib/apache2/mod_security.a
ranlib /usr/lib/apache2/mod_security.a
chmod 644 /usr/lib/apache2/mod_security.a
PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/apache2

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/apache2/mod_security.so
apxs:Error: Config file /etc/apache2/httpd2-prefork.conf not found.

Do not take care of the error in blue, since the resulting shared library (mod_security.so) has been automatically copied into /usr/lib/apache2

Copy then the desired rule set (modsecurity-general.conf or modsecurity-php.conf) into /etc/apache2

Edit /etc/apache2/httpd.conf and add the following lines at the end of file, it is also recommended to use the rules from www.GotRoot.com

LoadModule security_module /usr/lib/apache2/mod_security.so
SecFilterEngine On
Include /etc/apache2/modsecurity_rules/modsecurity-general.conf
Include /etc/apache2/modsecurity_rules/modsecurity-hardening.conf

rules set found at http://www.gotroot.com/tiki-index.php?page=mod_security+rules
Include /etc/apache2/modsecurity_rules/gotroot/apache2-rules.conf
Include /etc/apache2/modsecurity_rules/gotroot/badips.conf
Include /etc/apache2/modsecurity_rules/gotroot/blacklist2.conf
Include /etc/apache2/modsecurity_rules/gotroot/blacklist.conf
Include /etc/apache2/modsecurity_rules/gotroot/exclude.conf
Include /etc/apache2/modsecurity_rules/gotroot/jitp.conf
Include /etc/apache2/modsecurity_rules/gotroot/proxy.conf
Include /etc/apache2/modsecurity_rules/gotroot/recons.conf
Include /etc/apache2/modsecurity_rules/gotroot/rootkits.conf
Include /etc/apache2/modsecurity_rules/gotroot/rules.conf
Include /etc/apache2/modsecurity_rules/gotroot/useragents.conf

BUT be carefull with modsecurity-hardening.conf
  1. This fle has to be tuned  for your server: logs files location, advanced rulesets, read carfeully and uncomment TODO if needed
  2. As default mod_security is in learning mode: it log and let the request  pass through (line SecFilterDefaultAction "pass, log"), recommended as soon as You have a good rulesets SecFilterDefaultAction "deny,log,status:500"
 Restart Apache2 by typing
# /etc/init.d/apache2 restart

Now it is time to check if mod_security is running       

# tail -f /var/log/apache2/error_log
[Mon Aug 21 18:43:38 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations
[Mon Aug 21 19:01:56 2006] [notice] caught SIGTERM, shutting down
[Mon Aug 21 19:01:57 2006] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)
[Mon Aug 21 19:01:57 2006] [notice] mod_security/1.9.4 configured
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `h790663.serverkompetenz.net' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Mon Aug 21 19:01:57 2006] [notice] Apache/2.0.53 (Linux/SUSE) configured -- resuming normal operations

links