Skip to main content
knackforge blog knowledge base

How to install Apache Security Module in Amazon Linux AMI

Apache mod_security is a firewall module to prevent against SQL Injection, cross-site scripting, bad user agents, and a lot of other exploits. 

Depends on the Amazon Linux AMI version you may have to issue one of the below commands on a trial & error basis.

sudo yum install mod24_security.x86_64


sudo yum install mod_security --enablerepo=epel

Once the package manager has installed the necessary packages we need to configure mod security as appropriate for the web application.

Below is the essential conf file for mod security, 


The parameters we would essentially deal with are,

SecRuleEngine DetectionOnly
SecRequestBodyAccess On

The "DetectionOnly" says Apache not to block any requests which may be valid in the context of your application instead log the suspicious requests to error.log.

It is recommended to run the application in "DetectionOnly" mode for a couple of days or so to avoid the false negative. For instance, in Drupal 7 some administrative pages (Panel Edit) & Views AJAX pager stopped working when "SecRuleEngine" to "ON". 

Once the error log is reviewed & parameters are tweaked to meet the application needed SecRuleEngine can be changed On.

SecRuleEngine On

Mod security relies on a set of parameters rule to gauze a request as genuine or malicious. The following steps would help us place the rule in place,

cd /etc/httpd/modsecurity.d

sudo wget

sudo unzip

sudo mv owasp-modsecurity-crs-3.0-master modsecurity-crs

cd /etc/httpd/modsecurity.d/modsecurity-crs

sudo cp crs-setup.conf.example crs-setup.conf

Add the following line to your httpd.conf. You can alternatively place these in any config file included by Httpd:

cd /etc/httpd/conf.d

sudo vim mod_security.conf

Add the following lines,

IncludeOptional modsecurity.d/*.conf
IncludeOptional modsecurity.d/activated_rules/*.conf
IncludeOptional modsecurity.d/local_rules/*.conf

Restart web server and ensure it starts without errors.

sudo service httpd restart

Make sure your websites are still running fine.