Jan 072010

For various reasons I have decided that I need to install mod_security2 on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is not something provided by OpenCSW.

For even more various reasons, I decided to “formalise” my notes on building, installing, and configuring mod_security2.

Before attempting to build mod_security2, it is important to have a functional build environment. This includes :-

  • Installing the apache2_devel package from OpenCSW (pkg-get -i apache2_devel)
  • Installing the gcc3 package from OpenCSW
  • Installing the following OpenSolaris packages (pkg install XXX) :- SUNWhea, SUNWarc, SUNWbtool
  • Installing the SunStudio package from Sun. It may be possible that gcc3 is not necessary with this installed, but I ended up with both so advise you too as well. In addition to installing it in the standard location (/opt/SUNWspro) it is also necessary to create a symlink in the place where the OpenCSW developer placed his/her copy of SunStudio :- mkdir -p /opt/studio/SOS11; ln -s /opt/SUNWspro /opt/studio/SOS11/SUNWspro

The next step is to setup a shell environment appropriate to configuring and compiling mod_studio2 :-

export PATH=$PATH:/opt/SUNWspro/bin
export PATH=$PATH:/opt/csw/bin
export PATH=$PATH:/usr/ccs/bin
export PATH=$PATH:/opt/csw/gcc3/bin
export CC=gcc

(The above presumes the use of a shell that understands the above syntax)

The next step is to unpack the module source code, and configure it  :-

cd /var/tmp
gunzip -c modsecurity-apache_2.5.11.tar.gz | tar xvf -
cd modsecurity-apache_2.5.11
cd apache2
./configure --with-apxs=/opt/csw/apache2/sbin/apxs \
   --with-pcre=/opt/csw \
   --with-apr=/opt/csw/apache2 \

That should successfully general a Makefile. Edit this makefile and remove all references to “-Wall” (for APSX_EXTRA_CFLAGS, also remove the proceeding “-Wc,”). This is because modules will compile with SunStudio’s compiler no matter what we try to do to stop it, and SunStudio does not understand “-Wall”.

Now finally you can compile the software :-

sudo make install

Now we are at the point where we can start configuring mod_security2.

In the main httpd.conf file, add the following two directives somewhere appropriate (i.e. close to the other “LoadModule” directives) :-

LoadFile /opt/csw/lib/libxml2.so
#   Check that this library is installed!
LoadModule unique_id_module libexec/mod_unique_id.so
#   This will be already in the file but may be commented out
LoadModule security2_module libexec/mod_security2.so
#   And this is the one we're interested in.

At this point, try a graceful restart (/opt/csw/apache2/sbin/apachectl graceful) to be sure that the relevant code loads. Now onto enabling the module and configuring it with the “Core Rule Set” …

First copy the rules subdirectory to an appropriate place and fix the permissions :-

cp -rp rules /opt/csw/apache2/etc/modsecurity
chown -R root:root /opt/csw/apache2/etc/modsecurity
chmod -R o+r /opt/csw/apache2/etc/modsecurity
find /opt/csw/apache2/etc/modsecurity -type d -exec chmod o+x {} \;

In the file modsecurity/modsecurity_crs_10_global_config.conf, change SecDataDir to /var/tmp.

In the file modsecurity/modsecurity_crs_10_config.conf :-

  1. Change SecAudditLog to var/log/modsec_audit.log
  2. Change SecDebugLog to var/log/modsec_debug.log

Now add the following to httpd.conf :-

Include etc/modsecurity/modsecurity_crs_10_global_config.conf
Include etc/modsecurity/modsecurity_crs_10_config.conf
Include etc/modsecurity/base_rules/*conf

And gracefully restart Apache.

At this point, mod_security2 is running and blocking stuff, but has not been finely “tweaked” to the local applications – at the very least it partially breaks WordPress, and may well break other applications.

WP2FB Auto Publish Powered By : XYZScripts.com

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.