Linux - How to Install ModSecurity for Apache

1. Enable mod_unique_id module

Make sure you have the mod_unique_id module installed. The module is packaged with Apache Http.

Check if mod_unique_id is enabled with:

$ sudo apachectl -M | grep unique_id
Syntax OK
 unique_id_module (shared)

if the command doesn’t return the mod name we need to enable it with:

$ cd /etc/apache2/mods-enabled
$ sudo ln -s ../mods-available/unique_id.load .

The commands will be little different if you use Centos or Windows.

Test configuration with:

$ apachectl -t
Syntax OK

Restart the server:

# for Ubuntu
$ sudo service apache2 reload

# for Centos
$ sudo service httpd reload

Now try again the command:

$ sudo apachectl -M | grep unique_id
Syntax OK
 unique_id_module (shared)

Now the module is enabled and you can go to step 2.

2. Take the source files

Take the source files from Or just execute the command below:

$ wget

3. Install Dependencies Libraries

Before keep going we need to install some dependencies.

For Ubuntu:

# apt-get install apache2-dev
# apt-get install liblua5.1-0-dev
# apt-get install libxml2-dev

For Centos:

# yum install httpd-devel
# yum install libxml2-devel
# yum install lua-static

For compiling the module apxs is required.

Find apxs location we need to use it later:

$ which apxs

4. Extract and Install

Extract the archive with you have already downloaded:

$ tar -xvf modsecurity-2.9.1.tar.gz
$ cd modsecurity-2.9.1

Configure and change the path of apxs with the correct one:

$ ./configure --with-apxs=/usr/sbin/apxs

Make and install:

$ make
$ sudo make install

After the installation the module file should be in one of these locations:

  • /usr/local/modsecurity/lib/
  • /usr/lib/apache2/modules/
  • /usr/local/apache2/modules/

Check if the file is present inside the Apache modules folder, if not, copy the file inside the folder.

Edit the main Apache httpd config file (usually httpd.conf or apache2.conf)

On UNIX you must load libxml2 and lua5.1 before enabling ModSecurity with something like this:

#The libraries can be in different locations

#For Ubuntu:
LoadFile /usr/lib/x86_64-linux-gnu/
LoadFile /usr/lib/x86_64-linux-gnu/

#For Centos:
LoadFile /usr/lib64/
LoadFile /usr/lib64/

Load the ModSecurity module adding the following directive to httpd.conf or apache2.conf

# [IMPORTANT] Put this directive before the Include directives!
LoadModule security2_module modules/

5. Configuration

We need to copy the default configuration file for the module inside apache conf folder.


Change the apache folder accordingly

Go to the extracted source folder (in my case modsecurity-2.9.1) and follow these commands.

For Ubuntu:

$ cd modsecurity-2.9.1
$ cp modsecurity.conf-recommended /etc/apache2/conf-available/modsecurity.conf
$ cp unicode.mapping /etc/apache2/conf-enabled/
$ cd /etc/apache2/conf-enabled
$ ln -s /etc/apache2/conf-available/modsecurity.conf .

For Centos:

$ cd modsecurity-2.9.1
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
$ cp unicode.mapping /etc/httpd/conf.d/

In this case inside apache2.conf or httpd.conf there will be a directive like

# For Ubuntu:
IncludeOptional conf-enabled/*.conf

# For Centos:
Include conf.d/*.conf

Test the configuration with:

$ apachectl -t
Syntax OK

6. CRS Configuration


OWASP ModSecurity Core Rule Set Project - OWASP -> (

Get the archive with all the rules from here:

For this tutorial I will use the version 2.2.9 taken from here:

$ cd /usr/local/modsecurity/
$ wget
$ tar -xvf 2.2.9.tar.gz

Rename the folder because too long...:

$ mv owasp-modsecurity-crs-2.2.9 crs
$ cd crs
$ mv modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Copy inside the folder activated_rules all the rules that you find here:

Create a file modsecurity_crs_99_whitelist.conf inside the activated_rules folder and add the following whitelist directives at the end of the file:

Whitelisted rules ->

Add the following directives to the main apache conf file and change the location with the right one:

# Apache 2.4
IncludeOptional /usr/local/modsecurity/crs/*.conf
IncludeOptional /usr/local/modsecurity/crs/activated_rules/*.conf

# Apache 2.2
Include /usr/local/modsecurity/crs/*.conf
Include /usr/local/modsecurity/crs/activated_rules/*.conf


Put all the ``Include`` directives after the LAST ``LoadModule`` directive!

8. Activate ModSecurity

ModSecurity by default is DetectionOnly in order to stop bad things happening we need to change the SecRuleEngine directive and turn it On!

$ cd /etc/httpd/conf.d
$ sudo sed -i "s/SecRuleEngine DetectionOnly/SecRuleEngine On/" modsecurity.conf

Restart the apache server and we have done!

9. Read the log!

ModSecurity will write his log into the file defined from the following directive:

SecAuditLog logs/modsec_audit.log

Check it and see if it block bad things!