
I have a Debian server where apache2 is running. I want to use modsecurity for throttling.

apache2 info

$ apache2ctl -v
Server version: Apache/2.4.29 (Debian)
Server built:   2018-01-14T11:01:58

I installed libapache2-mod-security2 with

sudo apt install libapache2-mod-security2

created the modsecurity conf file with

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

changed SecRuleEngine from DetectionOnly to On in /etc/modsecurity/modsecurity.conf

Restarted apache2 service

At this point, ideally, I should see a /var/log/apache2/modsec_audit.log file, which I don't.

Here is the apache error.log file:

[Thu Sep 15 13:03:13.707900 2022] [:notice] [pid 5215] ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.
[Thu Sep 15 13:03:13.707908 2022] [:notice] [pid 5215] ModSecurity: APR compiled version="1.5.2"; loaded version="1.6.2"
[Thu Sep 15 13:03:13.707910 2022] [:warn] [pid 5215] ModSecurity: Loaded APR do not match with compiled!
[Thu Sep 15 13:03:13.707912 2022] [:notice] [pid 5215] ModSecurity: PCRE compiled version="8.39 "; loaded version="8.39 2016-06-14"
[Thu Sep 15 13:03:13.707914 2022] [:notice] [pid 5215] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Sep 15 13:03:13.707916 2022] [:notice] [pid 5215] ModSecurity: YAJL compiled version="2.1.0"
[Thu Sep 15 13:03:13.707917 2022] [:notice] [pid 5215] ModSecurity: LIBXML compiled version="2.9.4"
[Thu Sep 15 13:03:13.707919 2022] [:notice] [pid 5215] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.

I also tried putting gibberish text in /etc/modsecurity/modsecurity.conf and the apache2 restart still won't fail, which means that apache is not reading /etc/modsecurity/modsecurity.conf.

What am I missing here? How do I debug this?

1 Answer


If you stumble here, here is the answer. I still don't know why modsecurity was not working; my guess is the version mismatch between the APR modsecurity was compiled with and the APR loaded at runtime, as it says in the logs, but only as a warning.

Anyway, I got it working by removing the existing modsecurity altogether and then building it from source.

You run

sudo apt autoremove --purge libapache2-mod-security2

to remove the existing modsecurity.

Then you may or may not have to install some development packages that modsecurity depends on:

sudo apt install apache2-dev libxml2-dev

Then clone the modsecurity code from the repo https://github.com/SpiderLabs/ModSecurity.git

Check out the v2/master branch.

Then run the following, in order:

./autogen.sh
./configure
make
make test
make install

This will create a shared object file, /usr/local/modsecurity/lib/mod_security2.so.

You add this .so to the Apache config so that Apache knows which module to load. Put the following line in apache2.conf:

LoadModule security2_module /usr/local/modsecurity/lib/mod_security2.so

Also, from the modsecurity repo you will have modsecurity.conf-recommended; rename it to modsecurity.conf, put it in your preferred location, then add

Include /<your path to/modsecurity.conf

to your apache2.conf file.

After this, restart apache2 and pray to the heavens that you find the log files that modsecurity generates.
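The question asks how to debug the packaged install before giving up on it, and the answer skips that step. The script below is an added diagnostic for that purpose; it is not code from the question or the answer. It assumes the Debian libapache2-mod-security2 layout: `a2enmod security2` links both `security2.load` and `security2.conf` into `/etc/apache2/mods-enabled/`, and the packaged `security2.conf` is what carries the `IncludeOptional /etc/modsecurity/*.conf` line that makes Apache read `modsecurity.conf` at all. The `APACHE_DIR` and `MODSEC_DIR` variables and the `modsec_report` output format are this example's own; override the variables to run the checks against a copied tree.

```shell
#!/bin/sh
# Added diagnostic for the Debian libapache2-mod-security2 wiring (example
# code, not from the original post). Three things have to line up before
# /etc/modsecurity/modsecurity.conf has any effect:
#   1. mods-enabled holds security2.load AND security2.conf (a2enmod security2)
#   2. that security2.conf includes MODSEC_DIR/*.conf
#   3. modsecurity.conf itself turns the rule engine and audit log on
# APACHE_DIR / MODSEC_DIR default to the Debian paths (assumption: stock layout).

APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
MODSEC_DIR="${MODSEC_DIR:-/etc/modsecurity}"

# directive_value FILE NAME: print the first argument of directive NAME in FILE
# (Apache directive names are case-insensitive). Requiring whitespace right
# after NAME keeps "SecAuditLog" from matching "SecAuditLogType". Prints
# nothing when the directive or the file is absent.
directive_value() {
    [ -r "$1" ] || return 0
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}' | tr -d '"'
}

# modsec_enabled: both links must exist. With only the .load link the module
# is loaded (the "ModSecurity ... configured" notice still appears in error.log)
# but the .conf, and with it the include of MODSEC_DIR, is never read.
modsec_enabled() {
    [ -e "$APACHE_DIR/mods-enabled/security2.load" ] &&
        [ -e "$APACHE_DIR/mods-enabled/security2.conf" ]
}

# conf_dir_included: does the enabled security2.conf pull in MODSEC_DIR/*.conf?
# Matches Include or IncludeOptional, then a fixed-string match on the path.
conf_dir_included() {
    [ -r "$APACHE_DIR/mods-enabled/security2.conf" ] || return 1
    grep -i '^[[:space:]]*Include' "$APACHE_DIR/mods-enabled/security2.conf" |
        grep -Fq -- "$MODSEC_DIR/*.conf"
}

# modsec_report: one line of key=value pairs summarising every check, so the
# result can be compared or scripted on.
modsec_report() {
    conf="$MODSEC_DIR/modsecurity.conf"
    if modsec_enabled; then enabled=yes; else enabled=no; fi
    if conf_dir_included; then included=yes; else included=no; fi
    if [ -r "$conf" ]; then
        engine="$(directive_value "$conf" SecRuleEngine)"
        audit="$(directive_value "$conf" SecAuditEngine)"
        auditlog="$(directive_value "$conf" SecAuditLog)"
    else
        engine=missing; audit=missing; auditlog=missing
    fi
    printf 'enabled=%s included=%s SecRuleEngine=%s SecAuditEngine=%s SecAuditLog=%s\n' \
        "$enabled" "$included" "${engine:-unset}" "${audit:-unset}" "${auditlog:-unset}"
}

# live_check: when apache2ctl is present, ask the running binary which modules
# it loads and which files its configuration actually includes. Silently
# skipped on hosts without Apache (e.g. when only the static checks are wanted).
live_check() {
    command -v apache2ctl >/dev/null 2>&1 || return 0
    apache2ctl -M 2>/dev/null | grep -i security2 || echo "security2_module not loaded"
    apache2ctl -t -D DUMP_INCLUDES 2>/dev/null | grep -i modsecurity ||
        echo "no modsecurity*.conf among the files Apache includes"
}

modsec_report
live_check
```

If `enabled=no` or `included=no`, `a2enmod security2` followed by a restart is the usual fix, and the gibberish test from the question then does make `apache2ctl configtest` fail, which confirms the file is being read. If every check passes but the audit log stays empty, remember that the recommended config sets `SecAuditEngine RelevantOnly`, so only responses with a 5xx or a non-404 4xx status are written; provoke one before concluding that nothing is logged.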