
How To Install ModSecurity with Apache on Rocky Linux 10


Web application security has never been more critical in today’s digital landscape. Cyber attacks targeting web applications continue to evolve, making robust protection mechanisms essential for any serious web infrastructure. ModSecurity stands as one of the most powerful and widely-adopted Web Application Firewall (WAF) solutions available, offering real-time protection against the OWASP Top 10 vulnerabilities and countless other security threats.

ModSecurity operates as an embedded web application firewall that monitors HTTP traffic in real-time, analyzing requests and responses against predefined security rules. When integrated with Apache HTTP Server on Rocky Linux 10, it creates a formidable security barrier that can detect and prevent SQL injection attacks, cross-site scripting (XSS), remote file inclusion, and numerous other malicious activities before they reach your web applications.

The combination of ModSecurity with Apache on Rocky Linux 10 provides enterprise-grade security for RHEL-based systems while maintaining the cost-effectiveness of open-source solutions. This powerful trio offers flexible rule engine capabilities, extensive logging and monitoring features, and the reliability that enterprise environments demand. Throughout this comprehensive guide, you’ll learn to implement this security solution from initial system preparation through advanced configuration and ongoing maintenance.

System administrators and security professionals will find detailed step-by-step instructions, practical troubleshooting solutions, and best practices that ensure successful deployment and optimal performance. The installation process requires intermediate Linux knowledge, including command-line proficiency and basic understanding of Apache configuration concepts.

Prerequisites and System Requirements

Hardware and Software Requirements

Before beginning the ModSecurity installation process, ensure your Rocky Linux 10 system meets the minimum hardware specifications. Your server should have at least 2GB of RAM, though 4GB or more is recommended for production environments handling moderate to high traffic volumes. CPU requirements are typically modest, with dual-core processors being sufficient for most deployments, though quad-core systems provide better performance under load.

Storage requirements include at least 10GB of free disk space for the operating system, Apache, ModSecurity, and associated log files. Consider allocating additional space for log retention, especially in high-traffic environments where ModSecurity generates substantial audit logs.

Rocky Linux 10 compatibility remains excellent for ModSecurity installations, building upon the stable RHEL foundation. Apache version 2.4.x is required, with newer versions providing enhanced security features and better performance. Verify your Apache installation supports dynamic module loading, as ModSecurity operates as a loadable module.

Required User Privileges and Access

Administrative privileges are absolutely essential for ModSecurity installation and configuration. Root access or sudo privileges enable the installation of packages, compilation of source code, modification of system configuration files, and management of Apache services. SSH access to your Rocky Linux server streamlines the installation process, allowing secure remote administration.

Ensure your user account belongs to the wheel group for sudo access, or plan to perform installations directly as the root user. Network connectivity requirements include access to package repositories, GitHub for source code downloads, and any external rule update sources you plan to utilize.

Essential Packages and Dependencies Overview

ModSecurity compilation requires several development tools and libraries that may not be present in minimal Rocky Linux installations. The Development Tools group provides essential compilers including GCC, make utilities, and various build dependencies. Critical libraries include pcre-devel for Perl Compatible Regular Expression support, openssl-devel for SSL/TLS functionality, and curl-devel for HTTP client capabilities.

Additional dependencies encompass flex and bison for parsing operations, automake and autoconf for build system management, and git for source code repository access. LibXML2-devel supports XML processing capabilities, while yajl-devel provides JSON parsing functionality essential for modern web application security.

System Preparation and Initial Setup

Updating Rocky Linux 10 System

Begin your ModSecurity installation by ensuring your Rocky Linux 10 system contains the latest security patches and package updates. System updates reduce potential compatibility issues and ensure access to the most recent package versions available in Rocky Linux repositories.

Execute the following commands to update your system completely:

sudo dnf clean all
sudo dnf update -y
sudo reboot

The system reboot ensures all kernel updates and critical system changes take effect properly. After rebooting, verify your system version and confirm successful updates:

cat /etc/rocky-release
dnf history list

Configure additional repositories if needed, particularly the Extra Packages for Enterprise Linux (EPEL) repository, which provides additional software packages not included in standard Rocky Linux repositories:

sudo dnf install epel-release -y
sudo dnf update -y

Installing Apache HTTP Server

Apache HTTP Server installation on Rocky Linux 10 utilizes the dnf package manager, which replaces yum in newer RHEL-based distributions. The httpd package provides the complete Apache web server implementation with all necessary modules and configuration files.

Install Apache using the following command:

sudo dnf install httpd httpd-devel -y

The httpd-devel package includes header files and libraries necessary for compiling Apache modules like ModSecurity. After installation, enable Apache to start automatically at boot time and start the service immediately:

sudo systemctl enable httpd
sudo systemctl start httpd
sudo systemctl status httpd

Verify Apache installation by checking the service status and testing web server functionality. Open your web browser and navigate to your server’s IP address. You should see the default Apache test page confirming successful installation.

Configure firewall rules to allow HTTP and HTTPS traffic:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Installing Development Tools and Dependencies

ModSecurity compilation requires comprehensive development tools and specific libraries. Install the Development Tools group, which includes GCC compiler collection, make utilities, and essential build dependencies:

sudo dnf groupinstall "Development Tools" -y

Install additional required packages for ModSecurity compilation:

sudo dnf install gcc-c++ flex bison yajl-devel curl-devel \
                  pcre-devel libxml2-devel pkgconfig \
                  openssl-devel autoconf automake \
                  libtool git -y

Verify successful installation of critical development tools:

gcc --version
make --version
autoconf --version

Each command should return version information, confirming proper installation. Address any missing packages before proceeding with ModSecurity compilation.

ModSecurity Installation Process

Downloading ModSecurity Source Code

ModSecurity version 3.x represents the latest generation of this web application firewall, offering improved performance, enhanced rule capabilities, and better integration with modern web servers. Navigate to the ModSecurity GitHub repository to identify the most recent stable release.

Create a dedicated directory for ModSecurity source code and navigate to it:

sudo mkdir -p /opt/modsecurity
sudo chown "$USER": /opt/modsecurity
cd /opt/modsecurity

Download the latest ModSecurity source code using git:

git clone --depth 1 -b v3/master --single-branch https://github.com/owasp-modsecurity/ModSecurity.git
cd ModSecurity
git submodule init
git submodule update

The --depth 1 flag reduces download time by fetching only the latest commit, while --single-branch limits the download to the specified branch. Alternatively, download a specific release tarball for more predictable builds:

wget https://github.com/owasp-modsecurity/ModSecurity/releases/download/v3.0.14/modsecurity-v3.0.14.tar.gz
tar -xzf modsecurity-v3.0.14.tar.gz
cd modsecurity-v3.0.14

Compiling and Installing ModSecurity

ModSecurity compilation involves several steps, beginning with build system preparation and dependency resolution. Initialize the build system using the provided build script:

./build.sh

This script runs autoreconf to generate configure scripts and prepare the build environment. Address any errors related to missing autotools or dependencies before proceeding.

Configure the build with appropriate options for your system:

./configure --enable-pcre-jit --enable-ssdeep

The --enable-pcre-jit option enables Just-In-Time compilation for Perl Compatible Regular Expressions, significantly improving rule processing performance. The --enable-ssdeep option adds fuzzy hashing capabilities for advanced threat detection.

Compile ModSecurity using all available CPU cores to reduce build time:

make -j$(nproc)

Monitor the compilation process for errors. Common issues include missing development headers or incompatible library versions. Successful compilation produces no error messages and generates the necessary library files.

Install ModSecurity to system directories:

sudo make install

Verify successful installation by checking library placement:

ls -la /usr/local/modsecurity/

Installing ModSecurity-Apache Connector

The ModSecurity-Apache connector bridges ModSecurity library functionality with Apache HTTP Server through a loadable module. Download the connector source code from its dedicated repository:

cd /opt/modsecurity
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-apache.git
cd ModSecurity-apache

Generate build configuration files:

./autogen.sh

Configure the build process with proper Apache and ModSecurity library paths:

./configure --with-libmodsecurity=/usr/local/modsecurity/

Compile the Apache connector:

make -j$(nproc)

Install the connector module to Apache’s modules directory:

sudo make install

Verify module installation:

ls -la /usr/lib64/httpd/modules/mod_security3.so

Apache Configuration for ModSecurity

Loading the ModSecurity Module

Apache module loading requires modification of the main Apache configuration file. Edit the Apache configuration to load the ModSecurity module:

sudo nano /etc/httpd/conf/httpd.conf

Add the LoadModule directive for ModSecurity:

LoadModule security3_module modules/mod_security3.so

Place this directive near other LoadModule statements in the configuration file. Save the file and test Apache configuration syntax:

sudo httpd -t

Successful configuration validation displays “Syntax OK”. Address any syntax errors before proceeding.

Creating ModSecurity Configuration Directory

Organize ModSecurity configuration files in a dedicated directory structure for maintainability and clarity:

sudo mkdir -p /etc/httpd/modsecurity.d
sudo mkdir -p /var/log/httpd/modsecurity

Set appropriate permissions for configuration and log directories:

sudo chown -R apache:apache /var/log/httpd/modsecurity
sudo chmod 750 /var/log/httpd/modsecurity

Basic ModSecurity Configuration

Create the main ModSecurity configuration file with essential security settings:

sudo nano /etc/httpd/modsecurity.d/modsecurity.conf

Add the following basic configuration:

# Basic ModSecurity Configuration
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000

# Audit Logging
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/modsecurity/audit.log
SecAuditLogParts ABDEFHIJZ
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial

# File Upload
SecTmpDir /tmp/
SecDataDir /tmp/

This configuration enables ModSecurity’s rule engine, configures request body processing, sets up audit logging, and defines temporary file handling. Adjust these settings based on your specific security requirements and server capacity.

Apache Virtual Host Configuration

Integrate ModSecurity into your Apache virtual host configuration. Edit your site’s virtual host file:

sudo nano /etc/httpd/conf.d/your-site.conf

Add ModSecurity directives within your virtual host:

<VirtualHost *:80>
    ServerName your-domain.com
    DocumentRoot /var/www/html
    
    # ModSecurity Configuration
    modsecurity On
    modsecurity_rules_file /etc/httpd/modsecurity.d/modsecurity.conf
    
    ErrorLog logs/your-site_error.log
    CustomLog logs/your-site_access.log combined
</VirtualHost>

OWASP Core Rule Set Installation

Understanding OWASP CRS Importance

The OWASP Core Rule Set (CRS) provides a comprehensive collection of security rules that protect against the OWASP Top 10 vulnerabilities and numerous other attack vectors. CRS rules undergo continuous development and testing by security professionals worldwide, ensuring protection against emerging threats and attack techniques.

CRS covers protection against SQL injection, cross-site scripting, remote file inclusion, local file inclusion, command injection, and many other common web application vulnerabilities. Regular updates incorporate new attack signatures and improve detection accuracy while reducing false positives.

Downloading and Installing OWASP CRS

Download the latest OWASP Core Rule Set from the official repository:

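cd /opt/modsecurity
# Source archive for the v4.16.0 tag
wget -O coreruleset-4.16.0.tar.gz https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.16.0.tar.gz
# Detached PGP signature; verification needs the CRS signing key in your keyring
wget https://github.com/coreruleset/coreruleset/releases/download/v4.16.0/coreruleset-4.16.0.tar.gz.asc
gpg --verify coreruleset-4.16.0.tar.gz.asc coreruleset-4.16.0.tar.gz
tar -xzf coreruleset-4.16.0.tar.gz
sudo cp -R coreruleset-4.16.0/* /etc/httpd/modsecurity.d/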

Alternatively, use git for easier updates:

git clone https://github.com/coreruleset/coreruleset.git
sudo cp -R coreruleset/* /etc/httpd/modsecurity.d/

Set appropriate ownership and permissions:

sudo chown -R root:root /etc/httpd/modsecurity.d/
sudo chmod -R 644 /etc/httpd/modsecurity.d/*.conf

CRS Configuration and Customization

Configure the Core Rule Set by copying and editing the setup configuration:

sudo cp /etc/httpd/modsecurity.d/crs-setup.conf.example /etc/httpd/modsecurity.d/crs-setup.conf
sudo nano /etc/httpd/modsecurity.d/crs-setup.conf

Key configuration options include:

# Paranoia Level (1-4, higher = more aggressive)
SecAction "id:900000,phase:1,nolog,pass,t:none,setvar:tx.paranoia_level=2"

# Anomaly Scoring Thresholds
SecAction "id:900110,phase:1,nolog,pass,t:none,setvar:tx.inbound_anomaly_score_threshold=5"
SecAction "id:900111,phase:1,nolog,pass,t:none,setvar:tx.outbound_anomaly_score_threshold=4"

# Application-specific settings
SecAction "id:900200,phase:1,nolog,pass,t:none,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"

Configuration File Setup and Optimization

ModSecurity Main Configuration Editing

Enhance your ModSecurity configuration with production-ready settings that balance security and performance:

sudo nano /etc/httpd/modsecurity.d/modsecurity.conf

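Add advanced configuration directives, and run sudo httpd -t after each change: ModSecurity v3 does not implement every directive from the 2.x series, and a directive it does not recognize stops the rules from loading: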

# Enhanced Security Settings
SecServerSignature "Apache"
SecComponentSignature "ModSecurity"
SecArgumentsLimit 1000
SecArgumentNameLength 400
SecArgumentValueLength 64000

# Performance Optimization
SecStreamInBodyInspection Off
SecStreamOutBodyInspection Off
SecRuleUpdateTargetByTag "OWASP_CRS" "!@detectXSS"

# Geographic IP Blocking (optional)
SecGeoLookupDb /etc/httpd/modsecurity.d/GeoLite2-Country.mmdb

# Rate Limiting
SecAction "id:900012,phase:1,nolog,pass,t:none,setvar:ip.reqs_per_min=60"

Rule File Organization and Management

Create an organized include structure for better rule management:

sudo nano /etc/httpd/modsecurity.d/main.conf

Structure your rule includes logically:

# Reference this file from modsecurity_rules_file in the virtual host.
# Load Core Configuration
Include /etc/httpd/modsecurity.d/modsecurity.conf
Include /etc/httpd/modsecurity.d/crs-setup.conf

# Load Core Request Rules (initialization, detection rules, blocking evaluation)
Include /etc/httpd/modsecurity.d/rules/REQUEST-*.conf

# Application-specific rules (each file must exist before it is included)
Include /etc/httpd/modsecurity.d/custom/wordpress-rules.conf
Include /etc/httpd/modsecurity.d/custom/application-specific.conf

# Response Rules
Include /etc/httpd/modsecurity.d/rules/RESPONSE-*.conf

Log Configuration and Monitoring Setup

Configure comprehensive logging for security monitoring and incident response:

sudo nano /etc/httpd/modsecurity.d/logging.conf

Add detailed logging configuration:

# Debug Logging
SecDebugLog /var/log/httpd/modsecurity/debug.log
SecDebugLogLevel 3

# Guardian Log
SecGuardianLog /var/log/httpd/modsecurity/guardian.log

# Custom Audit Log Format
SecAuditLogFormat JSON
SecAuditLogStorageDir /var/log/httpd/modsecurity/audit/

# Log Rotation Integration
SecAuditLogDirMode 0750
SecAuditLogFileMode 0640

Testing and Verification

Apache Configuration Syntax Testing

Validate your complete Apache and ModSecurity configuration before starting services:

sudo httpd -t -D DUMP_MODULES | grep security

This command tests configuration syntax and lists the loaded modules whose names contain "security". Successful output includes security3_module, the module provided by mod_security3.so.

Dump the parsed virtual host settings for a more detailed check:

sudo httpd -S

Review virtual host configurations and ensure ModSecurity directives are properly loaded.

ModSecurity Functionality Testing

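Verify ModSecurity functionality with controlled test attacks against your own server. Send a simple test request:

# -G with --data-urlencode sends the payload as a properly encoded query string
curl -G --data-urlencode "id=1' OR '1'='1" "http://your-server/test"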

This SQL injection attempt should trigger ModSecurity rules and appear in audit logs. Check the audit log:

sudo tail -f /var/log/httpd/modsecurity/audit.log

Test XSS detection:

curl -X POST -d "data=<script>alert('xss')</script>" http://your-server/test

Performance and Load Testing

Measure baseline performance without ModSecurity, then compare with ModSecurity enabled. Use Apache Bench for basic performance testing:

ab -n 1000 -c 10 http://your-server/

Monitor system resources during testing:

htop
iostat -x 1

Document performance metrics for ongoing optimization and capacity planning.

Troubleshooting Common Issues

Installation and Compilation Problems

Common compilation errors often relate to missing development libraries or incompatible versions. Address pkg-config issues:

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:$PKG_CONFIG_PATH
sudo ldconfig

Resolve library path problems by updating library cache:

echo "/usr/local/modsecurity/lib" | sudo tee /etc/ld.so.conf.d/modsecurity.conf
sudo ldconfig -v

Configuration and Startup Issues

Apache startup failures typically result from module loading errors or configuration syntax problems. Check Apache error logs:

sudo tail -f /var/log/httpd/error_log

Common issues include incorrect file paths, missing configuration files, or permission problems. Verify file ownership and permissions:

sudo chown -R apache:apache /var/log/httpd/modsecurity/
sudo chmod -R 750 /var/log/httpd/modsecurity/

Performance and False Positive Management

High false positive rates require rule tuning and custom exceptions. Create exception rules for legitimate traffic:

sudo nano /etc/httpd/modsecurity.d/custom/exceptions.conf

Add specific rule exceptions:

# Whitelist specific IP addresses
SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" "id:1001,phase:1,nolog,allow"

# Disable specific rules (these directives apply globally, not per URL)
SecRuleRemoveById 920100 920200
SecRuleRemoveByMsg "SQL Injection Attack"
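
To decide which exceptions are worth writing, the audit log can be summarized by endpoint and rule before anything is disabled. This is an added example, not part of the original tutorial: it assumes the JSON audit format with one transaction per line and the field names used in the code (compare them with your own audit.log), and the log lines are constructed sample data.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit


def _tx(ip, uri, code, rule_ids):
    """Build one constructed audit entry (sample data, assumed field names)."""
    msgs = [{"message": "constructed", "details": {"ruleId": r}} for r in rule_ids]
    return json.dumps({"transaction": {
        "client_ip": ip,
        "request": {"method": "POST", "uri": uri},
        "response": {"http_code": code},
        "messages": msgs,
    }})


# Constructed sample log: four transactions plus one truncated line.
SAMPLE_LOG = "\n".join([
    _tx("203.0.113.7", "/test?id=1%27+OR+%271%27%3D%271", 403, ["942100", "949110"]),
    _tx("198.51.100.4", "/cms/save?draft=1", 403, ["941100", "949110"]),
    _tx("198.51.100.9", "/cms/save", 403, ["941100", "941160", "949110"]),
    _tx("198.51.100.4", "/cms/save", 403, ["941100", "949110"]),
    '{"transaction": {"client_ip": "198.51.1',
])


def is_bookkeeping(rule_id):
    """True for CRS blocking-evaluation (949xxx, 959xxx) and correlation (980xxx)
    rules, which report the anomaly score rather than detect anything."""
    return rule_id.isdigit() and int(rule_id) // 1000 in (949, 959, 980)


def parse_audit_log(text):
    """Return ([(client_ip, path, status, [rule ids])], unreadable_line_count)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            tx = json.loads(line)["transaction"]
            path = urlsplit(tx["request"]["uri"]).path
            rules = [str(m["details"]["ruleId"]) for m in tx.get("messages", [])]
            entries.append((tx["client_ip"], path, int(tx["response"]["http_code"]), rules))
        except (ValueError, KeyError, TypeError):
            skipped += 1  # truncated or non-JSON line: count it, keep going
    return entries, skipped


def exclusion_candidates(entries, min_hits=2, min_clients=2):
    """Rank (path, rule id) pairs seen at least min_hits times from at least
    min_clients distinct clients: review candidates, not automatic exclusions."""
    hits, clients = defaultdict(int), defaultdict(set)
    for ip, path, _status, rules in entries:
        for rid in set(rules):
            if not is_bookkeeping(rid):
                hits[(path, rid)] += 1
                clients[(path, rid)].add(ip)
    rows = [(path, rid, n, len(clients[(path, rid)]))
            for (path, rid), n in hits.items()
            if n >= min_hits and len(clients[(path, rid)]) >= min_clients]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    entries, skipped = parse_audit_log(SAMPLE_LOG)
    print(f"{len(entries)} transactions parsed, {skipped} unreadable lines skipped")
    for path, rid, n, c in exclusion_candidates(entries):
        print(f"{path}  rule {rid}  {n} hits from {c} clients")
```

A pair that clears both thresholds is a prompt to inspect the matched data and write a narrow exception for that endpoint; a rule hit by a single client, such as the /test probe in the sample, is left out of the list.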

Security Best Practices and Maintenance

Ongoing Maintenance Requirements

Establish regular maintenance schedules for optimal ModSecurity performance. Update Core Rule Set monthly:

cd /opt/modsecurity/coreruleset
# Update the branch tracked by the clone
git pull
sudo cp -R * /etc/httpd/modsecurity.d/
# Reload only if the updated rules pass the syntax check
sudo httpd -t && sudo systemctl reload httpd

Monitor log files for attack patterns and system performance. Implement log rotation to prevent disk space issues:

sudo nano /etc/logrotate.d/modsecurity

Add log rotation configuration:

/var/log/httpd/modsecurity/*.log {
    daily
    missingok
    rotate 52
    compress
    notifempty
    create 640 apache apache
    postrotate
        /bin/systemctl reload httpd
    endscript
}

Advanced Security Configurations

Implement additional security layers for comprehensive protection. Configure rate limiting rules:

# Rate limiting based on IP address
SecAction "id:900020,phase:1,nolog,pass,t:none,initcol:ip=%{remote_addr},setvar:ip.counter=+1,expirevar:ip.counter=60"
SecRule IP:COUNTER "@gt 100" "id:900021,phase:1,deny,status:429,msg:'Rate limit exceeded'"

Integrate with external threat intelligence feeds and SIEM systems for enhanced monitoring capabilities.

Backup and Disaster Recovery

Implement comprehensive backup strategies for ModSecurity configurations:

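#!/bin/bash
# ModSecurity Backup Script
set -euo pipefail

BACKUP_DIR="/backup/modsecurity/$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"

# Copy the rule configuration and the main Apache configuration
cp -R /etc/httpd/modsecurity.d/ "$BACKUP_DIR/"
cp /etc/httpd/conf/httpd.conf "$BACKUP_DIR/"

# Archive with a relative path so the tarball extracts cleanly
tar -czf "$BACKUP_DIR.tar.gz" -C "$(dirname "$BACKUP_DIR")" "$(basename "$BACKUP_DIR")"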

Document configuration changes and maintain version control for configuration files using git.

Congratulations! You have successfully installed ModSecurity with Apache. Thanks for using this tutorial for installing ModSecurity with Apache on a Rocky Linux 10 system. For additional help or useful information, we recommend you check the official ModSecurity website.


r00t
