Installation and simple configuration for Ossec and Mod_security on Centos

What is Mod Security? It is an open source application that acts as a firewall for web applications, preventing and blocking intrusions. It monitors HTTP traffic in real time and protects web applications from brute-force attacks.


Mod_security install

rpm -Uvh
yum install -y mod_security

Make a few small adjustments to the configuration:

nano /etc/httpd/conf.d/mod_security.conf

Increase the limit for SecRequestBodyNoFilesLimit (otherwise you cannot upload a picture larger than 120K in WordPress). The default is 131072.

SecRequestBodyNoFilesLimit 3145728

If you have a fixed IP address and do not want to be blocked by mod_security, add a new rule that whitelists that IP address:

SecRule REMOTE_ADDR "^$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:200016"

If you install WordPress on the server, you should also apply the following rule:

SecRule REQUEST_URI "xmlrpc.php" \
    "id:'200007',phase:2,severity:'3',deny,log,msg:'Spam on xmlrpc.php'"

What does the rule above do? It keeps WordPress on your server from being used to spam another site. Someone can make requests to xmlrpc.php, and the resulting pings are directed at a victim site. Example command that sends pings:

$ curl -D - "" -d '<methodCall><methodName></methodName><params><param><value><string></string></value></param><param><value><string></string></value></param></params></methodCall>'

service httpd restart

Ossec Installation (ossec monitors logs and acts to block and reject possible intrusions)

yum install ossec-hids ossec-hids-server

The default configuration is good.

service httpd restart


If you want better protection, you can install an additional set of rules for mod_security:

cd /etc/httpd/
tar -xzvf owasp-modsecurity-crs-2.2.8.tar.gz
mv owasp-modsecurity-crs-2.2.8 modsecurity-crs
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Edit the mod_security configuration file

nano /etc/httpd/conf.d/mod_security.conf

Add new rules:

Include modsecurity-crs/modsecurity_crs_10_setup.conf

Save the file and exit (Ctrl+O to save, Ctrl+X to exit)

service httpd restart
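
A check that can be run before each "service httpd restart" above, as an added example that is not part of the original post: it flags a REMOTE_ADDR whitelist rule whose pattern is empty, unanchored or has unescaped dots, and any Include whose target file does not exist. The function name lint_modsec and the sample files are constructed for illustration; paths are resolved against the server root passed in (assumed to be /etc/httpd on the real system).

```shell
#!/bin/sh
# Added example (not from the original post): lint mod_security.conf before
# restarting httpd. lint_modsec is a hypothetical helper name.
# Usage: lint_modsec CONF_FILE SERVER_ROOT   (prints findings, returns 1 if any)
lint_modsec() {
    conf=$1 root=$2
    findings=$(
        # 1. REMOTE_ADDR rules that "allow": inspect the regex in the first quotes.
        sed -n 's/^[[:space:]]*SecRule[[:space:]]\{1,\}REMOTE_ADDR[[:space:]]\{1,\}"\([^"]*\)".*[",]allow[",].*/\1/p' "$conf" |
        while IFS= read -r pat; do
            case $pat in
                '^$') printf '%s\n' "whitelist: '^\$' matches only an empty address, so the rule never fires" ;;
                '^'*'$')
                    # An unescaped "." matches any character, widening the whitelist.
                    if printf '%s\n' "$pat" | grep -q '[^\\]\.'; then
                        printf '%s\n' "whitelist: unescaped dot in '$pat'"
                    fi ;;
                *) printf '%s\n' "whitelist: '$pat' is not anchored with ^ and \$" ;;
            esac
        done
        # 2. Include targets: a missing target makes httpd fail its config check.
        sed -n 's/^[[:space:]]*Include[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$conf" |
        while IFS= read -r inc; do
            case $inc in /*) path=$inc ;; *) path=$root/$inc ;; esac
            set -- $path            # unquoted on purpose: expand Apache-style wildcards
            [ -e "$1" ] || printf '%s\n' "include: $inc not found under $root"
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: a whitelist rule with no IP filled in, and a CRS setup
# file copied without its ".conf" suffix while the Include expects it.
demo=$(mktemp -d)
mkdir "$demo/modsecurity-crs" "$demo/conf.d"
: > "$demo/modsecurity-crs/modsecurity_crs_10_setup"
cat > "$demo/conf.d/mod_security.conf" <<'EOF'
SecRule REMOTE_ADDR "^$" "phase:1,t:none,nolog,allow,ctl:ruleEngine=Off,ctl:auditEngine=Off,id:200016"
Include modsecurity-crs/modsecurity_crs_10_setup.conf
EOF
lint_modsec "$demo/conf.d/mod_security.conf" "$demo" ||
    echo "fix the findings above before running: service httpd restart"
rm -rf "$demo"
```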
