Install ModSecurity on OpenStack controller

Install ModSecurity on OpenStack controllerΒΆ

To install the latest version of ModSecurity on OpenStack controllers with Ubuntu 14.04, follow the steps:

  1. Install required packages:

    sudo apt-get update && sudo apt-get upgrade
    sudo apt-get install --yes libyajl-dev libxml2 libxml2-dev
    liblua5.1 apache2-prefork-dev git
  2. Enable unique_id for Apache that adds a magic token to each request to guarantee it is unique. The environment variable UNIQUE_ID is set to the identifier for each request.

    sudo a2enmod unique_id
    sudo service apache2 restart
  3. Download ModSecurity and compile it with JSON support required for the OpenStack Identity service and other JSON-based APIs.

    cd ~
    tar xvzf modsecurity-2.9.1.tar.gz
    cd modsecurity-2.9.1/
    ./configure --with-yajl="/usr/lib/x86_64-linux-gnu /usr/include/yajl"
    sudo make
    sudo make install
  4. Create module configuration files

    sudo touch /etc/apache2/mods-available/security2.conf
    echo -e "<IfModule security2_module>\n\tSecDataDir
    /var/cache/modsecurity\n\tIncludeOptional /etc/modsecurity/
    .conf\n</IfModule>" >
    sudo touch /etc/apache2/mods-available/security2.load
    echo -e "LoadFile\nLoadModule security2_module
    /usr/lib/apache2/modules/" >
    mkdir -p /etc/modsecurity
    sudo cp modsecurity.conf-recommended unicode.mapping /etc/modsecurity/
    sudo mv /etc/modsecurity/modsecurity.conf{-recommended,}
  5. Enable modsecurity module:

    sudo a2enmod security2
    sudo service apache2 restart
  6. Turn on the ModSecurity engine with base rules for all sites on the given host.


    Verify that sites are not blocked by the rules due to the false positives. Test this before deploying to production.

    sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/'