From Fedora Project Wiki

I'm going to document mod_security setup.

  1. yum install mod_security
  2. mkdir /var/lib/httpd/mod_security
  3. add SecDataDir /var/lib/httpd/mod_security to /etc/httpd/modsecurity.d/modsecurity_localrules.conf

In my test this removed all messages from the error log in apache. I would recommend that we add the following configuration directives to put the logging in their own files in modsecurity_localrules.conf:

SecAuditLog logs/modsec_audit.log

Ok, so I got my proxy fully set up so I can now post through my proxy. I've updated the mod_security configuration to be:

# Drop your local rules in here.

SecDataDir /var/lib/httpd/mod_security
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_audit.log
SecAuditLogParts ABCFHZ
SecAuditLogStorageDir /var/lib/httpd/modsec_logs
SecAuditLogType Concurrent

SecDebugLog /var/lib/httpd/modsec_logs/modsec_debug.log
SecDebugLogLevel 0


To test mod_security I believe we should set it up in the staging environment. I think it should be deployed with individual audit logs because that provides the best performance at the cost of increased file io. It should be deployed in staging while we tweak the configuration rules to eliminate most false positives.


Once the rule set has been optimized on the staging servers the configuration can be deployed to the production systems. I think it should be left in a detection only configuration while the configuration is further tweak from larger exposure. Once we are satisfied with the rule set we should then change it to enforcing.

0-day exploits

We could decide to use mod_security only as a means to hot-fix any potential exploits. This would involve creating a custom SecRule that matches the exploit and then blocks the access.