In the journey of rebuilding my dedicated server to create a secured cloud server, I was trying to find out what the potential issues are, besides network intrusion through various ports and services on my server. I found numbers ranging from 70% to 85% of all intrusions actually occur by way of applications. Specifically, I am running many PHP and a couple of Perl applications. Not to mention, I was allowing MySQL to be accessed external to my machine in the past.

As I googled various options to secure Apache, I found mod_security module (

So I started off by trying several different tutorials (listed below). So it all seemed fairly straightforward from the examples.

  1. Install the plugin: yum, rpm or compile
  2. Load module: in mod_security.conf or directly into httpd.conf
  3. Load Rules: define them manually, and/or load them from additional configuration files

I spent several very long days trying to get this to work.

The first time I tried to get this to work, I just got the plugin from the CentOS yum repository. Then I configured the plugin, no errors were thrown, and Apache seemed to be working fine. I wanted to try to understand how to test or verify what I had done.

I first used a simple example from that has you create a simple PHP file on your server:

<? $secret_file = $_GET['secret_file']; include($secret_file); ?>

then try to access that page with a rogue command:

At first I kept getting a blank page, then I added some HTML that would print <h2>bad.php</h2> just to ensure the page was loaded. The page was succeeding, and not giving a 403 error as expected. I then tried to use the curl command that was given in the example


Well, what I did not see will hurt me… Well, it has already!

OK, so I set up mod_security; what’s going on then?

Well, the example I ended up with did not load any libraries as documented in the install guide. I thought, these examples (several of them) all professed to work, so why does mine not work?

The answer has not been easy, and unfortunately, not 100% clear either. I will list the 3 main items I had trouble with and the solution I found to finally get this to work.

1. Correctly loading x86_64 libraries.

As I described an issue with several different libraries in the blog This was affecting many items in my server configuration. I also found that my libxml2 was having issues while I was hacking different configurations to get something to either work, or to throw some errors. Once this issue was solved, I got to thinking about my second issue:

2. Get correct mod_security module for x86_64.

As with my libxml2 and other libraries, I started tracking down what version of mod_security I was actually running. I was running a version I got through some means in one of these tutorials. Then I found an updated module from Jason Litka ( The install went fine, and even came with a new configuration file and rules. But then I kept getting errors trying to run a configcheck on Apache:

Starting httpd: httpd:
Syntax error on line 210 of /etc/httpd/conf/httpd.conf:
Syntax error on line 5 of /etc/httpd/conf.d/mod_security.conf:
Cannot load /etc/httpd/modules/ into server:
undefined symbol: ap_get_server_banner

I was not the only person that was having this issue.

The solution alluded to trying to rebuild Apache and other modules, and I was not interested in compiling Apache to get this to work. I wanted to use yum as much as possible. So I kept researching, and quickly realized that the latest version I could find via any yum repository was 2.5.0, yet on, the latest available version was 2.5.9 ion source version, as I did not see x86_64 CentOS listed for the update version.

Well, I downloaded this package and installed this manually because I had no other choice. But it was very easy. Now even though at the time I did not know it, this issue was resolved.

3. Find the Configuration that properly works.

After installing x86_64 version of mod_security, I still was unable to get even a simple test to work, thus my module was not working.

After several really long days hacking at various options over and over again, I was quite frustrated that what I thought to be a simple configuration and module was such an issue to resolve. This is the part of the solution that is not 100% clear to me. I believe I had tried this configuration before, but somehow on one of my hacks, this configuration worked:

LoadFile /usr/lib64/
LoadFile /usr/lib64/

# Load mod_unique_id and mod_security 2
LoadModule unique_id_module modules/
LoadModule security2_module modules/
<IfModule mod_security2.c>
Include modsecurity.d/*asl*.conf

# Enable mod_security
SecRuleEngine On
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

# Log configuration
SecAuditEngine RelevantOnly
SecAuditLogParts ABCFHZ
SecAuditLogType Serial
SecAuditLog logs/mod_security2.log

#SecAuditLogStorageDir logs/audit
SecAuditLogRelevantStatus ^(?:5|4\d[^4])

# General settings
#SecTmpDir /temp
#SecUploadDir /temp/uploads
#SecUploadKeepFiles RelevantOnly
</IfModule>


Now finally, I was able to get the desired result:

HTTP/1.1 403 Forbidden
Date: Thu, 30 Apr 2009 17:20:03 GMT
Server: Apache
Content-Length: 283
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>403 Forbidden</title>
<p>You don't have permission to access /bad.php
on this server.</p>
<address>Apache Server at Port 80</address>
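
A 403 on its own does not show which component refused the request; the Serial audit log that the configuration above writes to logs/mod_security2.log does. The following Python is an added example, not part of the original post: it splits such a log into transactions and reports which ones a rule intercepted. The log sample, the rule id 900001 and the function names are constructed for illustration.

```python
import re

RELEVANT_STATUS = re.compile(r"^(?:5|4\d[^4])")  # SecAuditLogRelevantStatus above
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Constructed Serial-format sample (parts A, B, F, H, Z); not taken from the post.
SAMPLE_LOG = """\
--4b2a1c3d-A--
[30/Apr/2009:17:20:03 +0000] CONSTRUCTED-ID-0001 192.0.2.10 51234 192.0.2.1 80
--4b2a1c3d-B--
GET /bad.php?secret_file=TEST_VALUE HTTP/1.1
--4b2a1c3d-F--
HTTP/1.1 403 Forbidden
--4b2a1c3d-H--
Message: Access denied with code 403 (phase 2). [id "900001"] [msg "constructed rule"]
Action: Intercepted (phase 2)
--4b2a1c3d-Z--
--7e9f0a12-A--
[30/Apr/2009:17:21:44 +0000] CONSTRUCTED-ID-0002 192.0.2.10 51240 192.0.2.1 80
--7e9f0a12-B--
GET /report.php HTTP/1.1
--7e9f0a12-F--
HTTP/1.1 500 Internal Server Error
--7e9f0a12-H--
--7e9f0a12-Z--
"""

def parse_audit_log(text):
    """Split a Serial audit log into transactions: {section letter: [lines]}."""
    done, tx, part = [], {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            tx[part] = []
            if part == "Z":          # Z closes the transaction
                done.append(tx)
                tx = {}
        elif part in tx and line:    # skip the blank line that ends each section
            tx[part].append(line)
    return done

def summarize(tx):
    """Request line, status sent, and whether a ModSecurity rule intercepted it."""
    trailer = "\n".join(tx.get("H", []))
    status = (tx.get("F") or ["- -"])[0].split()[1]
    return {"request": (tx.get("B") or [""])[0], "status": status,
            "logged": bool(RELEVANT_STATUS.match(status)),
            "intercepted": "Action: Intercepted" in trailer,
            "rule_ids": re.findall(r'\[id "(\d+)"\]', trailer)}
```

In the sample, the 403 carries an `Action: Intercepted` trailer and a rule id, while the 500 is logged only because its status matches the relevant-status pattern; a 404 would not be logged at all under that pattern.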


Although x86_64 seems to not be widely used and supported with many tutorials, I can say that once I was able to get this plugin working, I was able to quickly and easily see the benefits from various web application intrusions. I also gained a better insight as to how to identify OS issues and how to notice them next time.


the end…

Mick Knutson
