Secure Apache 2 with mod-security 2 on Debian Lenny

This article describes how to install mod_security2 on Debian Lenny. It should work on Etch, too.

On the website there is a link to the mod_security2 pakets for Debian. (Community-Produced Binary packages)

Note: You should check this website for the latest versions and change the example “wget” commands in this howto.

1. Download the pakets and install via dpkg:


dpkg -i mod-security2-common_2.5.5-1~etch1_all.deb libapache2-mod-security2_2.5.5-1~etch1_amd64.deb

Note: You may need an other paket than amd64 !!!

2. Create a subfolder for the mod_security rules in the Apache config folder:

mkdir /etc/apache2/modsecurity2
chmod 600 /etc/apache2/modsecurity2

3. Download the rulsets from


and extract the files and move the “conf” files to mod security:

tar vfx modsecurity-core-rules_2.5-1.6.1.tar.gz
mv *.conf /etc/apache2/modsecurity2/

4. You have to create a symlink to fit Apache log directory to the Debian logs.

(Or fix all rules :-))

ln -s /var/log/apache2 /etc/apache2/logs

5. Enable modsecurity

a2enmod mod-security

6. Configuration

Edit “/etc/apache2/conf.d/mod_security”:

        # mod_security configuration directives
        # ...
        # Turn the filtering engine On or Off
        SecFilterEngine On

        # Some sane defaults
        #Check if URL characters where encoded
        SecFilterCheckURLEncoding On
        #Check UTF-8 encoding
        SecFilterCheckUnicodeEncoding Off

        #Allow 1 byte characters
        # Accept almost all byte values
        SecFilterForceByteRange 0 255

        # Server masking is optional
        # SecServerSignature "Microsoft-IIS/0.0"

        SecAuditEngine RelevantOnly
        # The name of the audit log file
        SecAuditLog /var/log/apache2/audit_log

        # You normally won't need debug logging
        # Debug level set to a minimum
        SecFilterDebugLog /var/log/apache2/modsec_debug_log
        SecFilterDebugLevel 0

        # Should mod_security inspect POST payloads
        SecFilterScanPOST On

        # By default log and deny suspicious requests
        # with HTTP status 500
        SecFilterDefaultAction "deny,log,status:500"

7. Now you can restart your Apache webserver:

/etc/init.d/apache2 restart

8. Links:

This Post Has 4 Comments

  1. article doesnt enable modsecurity at all – just intsalls it – mod-security.load never gets loaded – article doesnt talk about the required config settings as well

  2. Thanks for sharing!

Schreibe einen Kommentar

eMail-Benachrichtigung bei weiteren Kommentaren.
Auch möglich: Abo ohne Kommentar.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.