Apache security: installing mod_security

1. # www.fduran.com
2. # installing mod_security http://www.modsecurity.org (Debian-based distro)
3.  
4. # apachectl -M
5. apache2: Could not reliably determine the server's fully qualified domain name, using boxmetric.com for ServerName
6. Loaded Modules:
7. core_module (static)
8. log_config_module (static)
9. logio_module (static)
10. mpm_prefork_module (static)
11.  
12. install apxs:
13. # apt-get install apache2-prefork-dev
14.  
15. check:
16. # apxs2
17.  
18. # apt-get install libxml2 libxml2-dev
19.  
20. check if already installed: libpcre3 libapr1 libaprutil1
21.  
22. download from http://www.modsecurity.org/download/ :
23.  
24. # cd /usr/local/src/
25. # wget http://www.modsecurity.org/download/modsecurity-apache_2.6.3.tar.gz
26. # tar zxvf modsecurity-apache_2.6.3.tar.gz
27. # cd modsecurity-apache_2.6.3
28. # ./configure
29. # make
30.  
31. For some reason "make" tryes to make also mlogc which is optional, if making mlogc fails but before that there are no errors then it should be fine (mod_security2.so exists).
32.  
33. # ln -s /usr/local/src/modsecurity-apache_2.6.3/apache2/.libs/mod_security2.so /usr/lib/apache2/modules/mod_security2.so
34.  
35. # echo "LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so" > /etc/apache2/mods-available/security2.load
36. # a2enmod security2
37. # /etc/init.d/apache2 restart
38.  
39. check module is loaded:
40. # apachectl -M |grep security
41. Syntax OK
42. security2_module (shared)
43.  
44. test for example with default configuration from http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#A_Recommended_Base_Configuration
45. copy into /etc/apache2/conf.d/mod_security , restart apache to check