How to install Apache Security Module in Amazon Linux AMI
Apache mod_security is a firewall module to prevent against SQL Injection, cross site scripting, bad user agents, and a lot of other exploits.
Depends on the Amazon Linux AMI version you may have to issue one of the below commands on a trial & error basis.
sudo yum install mod24_security.x86_64
sudo yum install mod_security --enablerepo=epel
Once the package manager has installed the necessary packages we need to configure mod security as appropriate for the web application.
Below is the essential conf file for mod security,
The parameters we would essentially deal with are,
SecRuleEngine DetectionOnly SecRequestBodyAccess On
The "DetectionOnly" says Apache not to block any requests which may be valid in the context of your application instead log the suspicious requests to error.log.
It is recommended to run the application in "DetectionOnly" mode for a couple of days or so to avoid the false negative. For instance, in Drupal 7 some administrative pages (Panel Edit) & Views AJAX pager stopped working when "SecRuleEngine" to "ON".
Once the error log is reviewed & parameters are tweaked to meet the application needed SecRuleEngine can be changed On.
Mod security relies on a set of parameters rule to gauze a request as genuine or malicious. The following steps would help us place the rule in place,
cd /etc/httpd/modsecurity.d sudo wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.0/master.zip sudo unzip master.zip sudo mv owasp-modsecurity-crs-3.0-master modsecurity-crs cd /etc/httpd/modsecurity.d/modsecurity-crs sudo cp crs-setup.conf.example crs-setup.conf
Add the following line to your httpd.conf. You can alternatively place these in any config file included by Httpd:
cd /etc/httpd/conf.d sudo vim mod_security.conf
Add the following lines,
IncludeOptional modsecurity.d/*.conf IncludeOptional modsecurity.d/activated_rules/*.conf IncludeOptional modsecurity.d/local_rules/*.conf
Restart web server and ensure it starts without errors.
sudo service httpd restart
Make sure your web sites are still running fine.