
How to install ModSecurity (mod_security) in apache web server on Ubuntu!

ModSecurity is one of the best web application level firewalls: it can stop most of the common web attacks before they even reach your web application. If your website is vulnerable to an XSS attack and ModSecurity is installed on your server, it can easily prevent that attack from reaching your web application. That does not mean you should stop securing your web application; it is another layer of security in front of it. In this article we will see how to install ModSecurity in the Apache web server.

We will compile it manually from source, so that we have all the build options available to modify and make good use of ModSecurity.

Note: This article applies to Ubuntu, but the installation is similar on CentOS as well.

How does mod_security work?

ModSecurity works by parsing each request made to the web server, then checking that request against its rules (we will see how to set rules later); if a rule matches, the action specified by that rule is taken. For example:

If a web request contains the string <script>, and you have a rule against this string that serves a 503 Service Unavailable page, then that page is returned as the response to the request, so the request never reaches your web application.

Step 1: Install Apache Web Server

Since this article is not about Apache installation, I've just listed the commands you can use to install Apache below:

# install prerequisites (CentOS form, as in the original; on Ubuntu the
# equivalent is: sudo apt-get install build-essential libpcre3-dev)

yum install pcre-devel -y
yum install gcc

# fetch and unpack the httpd source

cd ~
wget http://www-eu.apache.org/dist//httpd/httpd-2.4.23.tar.gz
tar zxf httpd-2.4.23.tar.gz

# bundle APR and APR-util into srclib/ so httpd's configure builds them
# (if configure picks up a system APR instead, add --with-included-apr)

cd ~/httpd-2.4.23/srclib/
wget http://www-us.apache.org/dist//apr/apr-1.5.2.tar.gz
wget http://www-us.apache.org/dist//apr/apr-util-1.5.4.tar.gz
tar zxf apr-1.5.2.tar.gz
tar zxf apr-util-1.5.4.tar.gz
mv apr-1.5.2 apr
mv apr-util-1.5.4 apr-util

# configure, build and install apache under /usr/local/apache
# (--enable-so enables loading of shared modules such as mod_security2)

cd ~/httpd-2.4.23
./configure --prefix=/usr/local/apache --enable-so
make
sudo make install

# start apache using (run as root so it can bind port 80)

/usr/local/apache/bin/httpd

Once Apache is installed, you can view the default 'It works' page at http://localhost (if you installed it on your own machine); otherwise replace localhost with the IP address of the server you installed it on.

Step 2: Get and Install ModSecurity

You need to download the ModSecurity source code and build it. To get the source code, run:

# get source code

wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz

# extract 

tar xzf modsecurity-2.9.1.tar.gz

Configure and compile ModSecurity, pointing it at the Apache you built in step 1:

# enter the extracted source tree; configure must be run inside it
cd modsecurity-2.9.1

# --with-apxs, --with-apr and --with-apu point the build at the apache installed in step 1
# (ModSecurity also needs the libxml2 headers; configure reports it if they are missing)
./configure --with-apxs=/usr/local/apache/bin/apxs --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config

make
sudo make install

Now add the following two lines to your httpd.conf file so that Apache loads the ModSecurity module (mod_unique_id is required by ModSecurity, which uses it for the transaction IDs in its audit log).

httpd.conf is located at /usr/local/apache/conf/httpd.conf.

  • LoadModule security2_module modules/mod_security2.so
  • LoadModule unique_id_module modules/mod_unique_id.so

Also include the ModSecurity configuration files that we will use later to hold the ModSecurity settings and rules (relative paths in Include are resolved against the ServerRoot, /usr/local/apache):

<IfModule mod_security2.c>
Include main.conf
Include rules.conf
</IfModule>

Then create two empty files under /usr/local/apache named main.conf and rules.conf.

At this stage we have completed the installation of ModSecurity; it's time to configure and make use of our web application firewall.

Step 3: Configure ModSecurity

Just like Apache directives, ModSecurity has its own directives. One of the most important is SecRuleEngine, which accepts one of three values:

  • DetectionOnly : only detect and log attacks, so that we can analyze the logs later (nothing is blocked).
  • Off : turn ModSecurity off.
  • On : ModSecurity not only logs the attack but also stops it from reaching your web application.

You might think we only ever need On, but sometimes a web application does not behave normally with ModSecurity On (legitimate requests get blocked), so in that case we switch to DetectionOnly and check the logs to make sure everything is on the right track.

So in your main.conf file enter the following line:

SecRuleEngine DetectionOnly

Step 3.1: Configurations inside main.conf

First we define some parameters inside main.conf for proper use of ModSecurity, so that we can add rules later.

Directives that deal with the request body

  • SecRequestBodyAccess On – lets ModSecurity inspect the body of HTTP requests (needed to see POST parameters, not just the URL).
  • SecRequestBodyLimit 1510720 – maximum request body size in bytes; larger requests are rejected.
  • SecRequestBodyNoFilesLimit 151072 – maximum size of a request body that carries no file uploads.
  • SecRequestBodyInMemoryLimit 231072 – how much of the request body is kept in RAM; anything beyond that is buffered on disk.

Directives that deal with folder locations

Inside your Apache installation folder, create three folders for ModSecurity's filesystem needs (they must be writable by the user Apache runs as):

mkdir /usr/local/apache/tmpdata
mkdir /usr/local/apache/data
mkdir /usr/local/apache/uploads

Now use the following directives to point ModSecurity at these folders:

  • SecTmpDir /usr/local/apache/tmpdata – temporary files, such as request bodies that exceed SecRequestBodyInMemoryLimit.
  • SecDataDir /usr/local/apache/data – persistent storage (for example the IP and session collections rules can use).
  • SecUploadDir /usr/local/apache/uploads – where intercepted uploaded files are placed.
  • SecUploadKeepFiles Off – do not keep uploaded files after the request has been processed.
  • SecUploadFileMode 0600 – permissions of the intercepted files.
  • SecUploadFileLimit 32 – maximum number of file uploads accepted in one request.

Debug and audit log directives

These are among the most important parts of the ModSecurity configuration, because without these logs ModSecurity is of little use: you would never see what it detected.

  • SecDebugLog /usr/local/apache/logs/debug.log
  • SecDebugLogLevel 3 – logs errors, warnings and notices; levels 4 and above are very verbose and only useful while debugging rules.
  • SecAuditEngine RelevantOnly – audit only transactions that triggered a rule or returned a relevant status code.
  • SecAuditLogRelevantStatus ^5 – regex on the response status; every 5xx response is also audited.
  • SecAuditLogParts ABDEFHIJKZ – which parts of the transaction (request headers, bodies, response headers, matched rules, ...) go into the audit log.
  • SecAuditLogType Serial – all audit entries go into one file.
  • SecAuditLog /usr/local/apache/logs/audit.log

This is how your main.conf finally looks:

SecRuleEngine DetectionOnly

SecRequestBodyAccess On
SecRequestBodyLimit 1510720
SecRequestBodyNoFilesLimit 151072
SecRequestBodyInMemoryLimit 231072

SecTmpDir /usr/local/apache/tmpdata
SecDataDir /usr/local/apache/data
SecUploadDir /usr/local/apache/uploads
SecUploadKeepFiles Off
SecUploadFileMode 0600
SecUploadFileLimit 32


SecDebugLog /usr/local/apache/logs/debug.log
SecDebugLogLevel 3
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABDEFHIJKZ
SecAuditLogType Serial
SecAuditLog /usr/local/apache/logs/audit.log
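Before restarting, it is worth checking the three directories main.conf points at, since httpd -t does not verify them. The script below is an added example, not code from the original article; it reads the SecTmpDir, SecDataDir and SecUploadDir values out of main.conf and assumes it is run as the user httpd runs as, on paths without spaces.

```shell
#!/bin/sh
# Added example, not code from the original article: read the SecTmpDir,
# SecDataDir and SecUploadDir values out of main.conf and verify that each
# directory exists and is writable. httpd -t does not check this, and a
# missing or read-only directory only shows up later, when ModSecurity
# tries to use it. Assumes you run it as the user httpd runs as, and that
# the paths contain no spaces.

# Print the directory argument of each location directive, one per line.
modsec_dirs() {
    awk '$1 == "SecTmpDir" || $1 == "SecDataDir" || $1 == "SecUploadDir" { print $2 }' "$1"
}

# Return 0 when every directory named in the given main.conf exists and is
# writable; otherwise report each problem on stdout and return 1.
check_modsec_dirs() {
    conf="$1"
    rc=0
    for d in $(modsec_dirs "$conf"); do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"
            rc=1
        elif [ ! -w "$d" ]; then
            echo "not writable: $d"
            rc=1
        fi
    done
    return "$rc"
}

# Usage against the layout from this article (path as on the page):
#   check_modsec_dirs /usr/local/apache/main.conf && echo "ModSecurity directories OK"
```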

Restart Apache to make sure everything is correct; a syntax error in main.conf will make httpd refuse to start (/usr/local/apache/bin/httpd -t checks the configuration syntax without restarting):

/usr/local/apache/bin/httpd -k stop

/usr/local/apache/bin/httpd -k start

Step 4: Insert your first Rule

If everything has worked so far, you are ready to insert your first rule into rules.conf and see whether it logs the attack.

Open your rules.conf file and add the following line:

SecRule ARGS script "phase:2,log,deny,id:'1234',status:503"

Restart Apache and visit: http://localhost/?test=script

After visiting this URL, open audit.log and debug.log to see whether the attack has been logged.

In our rule we said that if the string 'script' is found in any request argument (ARGS), it must be logged and, when the engine is On, denied with a 503. Then in our URL we set the test parameter to script, which triggers the rule and adds the following entry to our debug.log (it says "Warning." rather than blocking because the engine is still in DetectionOnly mode):

[25/Sep/2016:21:09:37 +0500] [localhost/sid#b8cb38][rid#7f0484002970][/][2] Warning. Pattern match "script" at ARGS:test. [file "/usr/local/apache/rules.conf"] [line "1"] [id "1234"]

That means ModSecurity is working and already detecting attack vectors. Since the entry in audit.log is very long I am not pasting it here, but open it and look: the audit log gives you complete information about the malicious HTTP request (headers, body and the rule that matched).
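Once more rules are in place and the engine is still in DetectionOnly, debug.log fills with lines like the one above, and the question becomes which rules fire on which parameters before you switch to On. The script below is an added example, not code from the original article; it summarizes rule matches from debug.log. The log lines it contains are constructed samples in the format shown above, and the only real identifier in them is the rule id 1234 from this page.

```shell
#!/bin/sh
# Added example, not code from the original article: summarize the rule
# matches ModSecurity wrote to debug.log while in DetectionOnly mode, so you
# can see which rule ids fire on which request variables before switching
# SecRuleEngine to On. The log lines below are constructed samples in the
# format shown on this page, not real traffic; 1234 is the rule from the page.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[25/Sep/2016:21:09:37 +0500] [localhost/sid#b8cb38][rid#7f0484002970][/][2] Warning. Pattern match "script" at ARGS:test. [file "/usr/local/apache/rules.conf"] [line "1"] [id "1234"]
[25/Sep/2016:21:09:40 +0500] [localhost/sid#b8cb38][rid#7f0484002a10][/search][2] Warning. Pattern match "script" at ARGS:q. [file "/usr/local/apache/rules.conf"] [line "1"] [id "1234"]
[25/Sep/2016:21:09:41 +0500] [localhost/sid#b8cb38][rid#7f0484002b20][/][4] Starting phase REQUEST_HEADERS.
EOF

# Print "<rule id> <matched variable> <count>" for every rule match, most
# frequent first. Only "Pattern match" lines carry an id; the rest of the
# debug log (phase and transaction messages) is skipped.
rule_hits() {
    grep 'Pattern match' "$1" |
    sed -n 's/.*Pattern match "[^"]*" at \([^ .]*\)\..*\[id "\([0-9]*\)"\].*/\2 \1/p' |
    sort | uniq -c | awk '{ print $2, $3, $1 }' | sort -k3,3nr
}

# Number of distinct rule ids that fired: each one needs a decision (keep,
# tune or drop) before the engine is switched from DetectionOnly to On.
distinct_rules() {
    rule_hits "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Usage on the real log from this article: rule_hits /usr/local/apache/logs/debug.log
rule_hits "$SAMPLE_LOG"
```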

Step 5: Download Rules

As you can see, ModSecurity works with rules, so without rules it is of no use. If you don't know how to write good rules, you can download rule sets already written by experts in this field. Some URLs to download rules are:

If you need my help setting up ModSecurity, you can reach me on Twitter at @ranausmannasir, or you can order hosting from 9xvps and let them set up ModSecurity for you.

 
