I have a fresh installation of CentOS 8. I installed Apache 2.4.37 from the repo. Then installed the latest ModSecurity:
dnf install mod_security -y
Checked the installation
dnf info mod_security
Name : mod_security
Version : 2.9.2
The required Apache modules are available / loaded:
apachectl -M | grep security -> security2_module (shared)
apachectl -M | grep unique -> unique_id_module (shared)
Installed the core rule set from the repo:
dnf install mod_security_crs
which automatically links the rules into the Apache folder.
Rules have been checked / are in place.
The main config file
includes necessary further config files, including the rules conf files themselves:
IncludeOptional /etc/httpd/modsecurity.d/crs-setup.conf
IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf
IncludeOptional /etc/httpd/modsecurity.d/local_rules/*.conf
(paths have been double-checked) and activates the rules engine:
The rules config file modsecurity.d/crs-setup.conf (which is included in mod_security.conf, see above) provides
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"
Apache httpd.conf calls ModSecurity:
A restart (apachectl restart) shows that ModSecurity was loaded successfully:
ModSecurity: StatusEngine call successfully sent. <-- including LUA etc.
Tests with manipulated URLs like a script insert:
show no reaction whatsoever on ModSecurity’s side. No entries at all in ModSecurity’s audit and debug log files (debug level was set to 3), no errors in Apache’s log files.
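
Added example (not part of the original post): a shell check for a setup like the one described, which follows the Include/IncludeOptional lines of a ModSecurity main config, flags wildcard patterns that match no files (IncludeOptional ignores these silently), counts SecRule lines and reports the last SecRuleEngine value seen. The names audit_modsec, make_sample and the PREFIX argument are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Include paths are used as written
# (absolute, as in the post); PREFIX lets you audit a copied config tree.

# audit_modsec MAIN_CONF [PREFIX]
# Follows Include/IncludeOptional lines in MAIN_CONF, reports patterns that
# match no files, counts SecRule lines, and tracks the last SecRuleEngine value.
# Returns 0 only when the engine ends up "On" and at least one SecRule was found.
audit_modsec() {
    conf=$1; prefix=${2:-}; engine=unset; total=0
    while read -r kw arg rest || [ -n "$kw" ]; do
        arg=${arg#\"}; arg=${arg%\"}              # drop optional quotes
        case $kw in
        SecRuleEngine)
            engine=$arg ;;
        Include|IncludeOptional)
            hits=0
            for f in $prefix$arg; do              # unquoted on purpose: expand the glob
                [ -f "$f" ] || continue
                hits=$((hits + 1))
                n=$(grep -cE '^[[:space:]]*SecRule[[:space:]]' "$f" || true)
                total=$((total + ${n:-0}))
                v=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" | tail -n 1)
                if [ -n "$v" ]; then engine=$v; fi
            done
            # IncludeOptional stays silent when a wildcard matches nothing.
            if [ "$hits" -eq 0 ]; then echo "WARN $kw $arg matches no files"; fi ;;
        esac
    done < "$conf"
    echo "SecRuleEngine=$engine SecRule_count=$total"
    [ "$engine" = On ] && [ "$total" -gt 0 ]
}

# make_sample DIR: constructed config tree mirroring the post's three includes,
# with activated_rules/ and local_rules/ left empty.
make_sample() {
    d=$1/etc/httpd/modsecurity.d
    mkdir -p "$d/activated_rules" "$d/local_rules"
    printf '%s\n' 'SecDefaultAction "phase:1,log,auditlog,deny,status:403"' > "$d/crs-setup.conf"
    printf '%s\n' '<IfModule mod_security2.c>' '    SecRuleEngine On' \
        '    IncludeOptional /etc/httpd/modsecurity.d/crs-setup.conf' \
        '    IncludeOptional /etc/httpd/modsecurity.d/activated_rules/*.conf' \
        '    IncludeOptional /etc/httpd/modsecurity.d/local_rules/*.conf' \
        '</IfModule>' > "$1/main.conf"
}
```

On a live system, call audit_modsec with the path of the main ModSecurity config and no PREFIX; a non-zero return means either no SecRule lines were reached through the includes or the engine is not set to On.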