Install ModSecurity on OpenStack controller

To install the latest version of ModSecurity on OpenStack controllers with Ubuntu 14.04, follow these steps:

  1. Install required packages:

    sudo apt-get update && sudo apt-get upgrade
    sudo apt-get install --yes libyajl-dev libxml2 libxml2-dev \
        liblua5.1 apache2-prefork-dev git
    
  2. Enable the unique_id module for Apache, which adds a magic token to each request that is guaranteed to be unique. The module sets the environment variable UNIQUE_ID to the identifier for each request.

    sudo a2enmod unique_id
    sudo service apache2 restart
    
  3. Download ModSecurity and compile it with JSON support, which is required for the OpenStack Identity service and other JSON-based APIs.

    cd ~
    wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
    tar xvzf modsecurity-2.9.1.tar.gz
    cd modsecurity-2.9.1/
    ./configure --with-yajl="/usr/lib/x86_64-linux-gnu /usr/include/yajl"
    sudo make
    sudo make install
    
  4. Create the module configuration files:

    # The redirect must run as root, so write the file through sudo tee.
    sudo touch /etc/apache2/mods-available/security2.conf
    echo -e "<IfModule security2_module>\n\tSecDataDir /var/cache/modsecurity\n\tIncludeOptional /etc/modsecurity/*.conf\n</IfModule>" | \
        sudo tee /etc/apache2/mods-available/security2.conf > /dev/null
    
    sudo touch /etc/apache2/mods-available/security2.load
    echo -e "LoadFile libxml2.so.2\nLoadModule security2_module /usr/lib/apache2/modules/mod_security2.so" | \
        sudo tee /etc/apache2/mods-available/security2.load > /dev/null
    
    # Run from the modsecurity-2.9.1 source directory, which holds both files.
    sudo mkdir -p /etc/modsecurity
    sudo cp modsecurity.conf-recommended unicode.mapping /etc/modsecurity/
    sudo mv /etc/modsecurity/modsecurity.conf{-recommended,}
    
  5. Enable the ModSecurity module:

    sudo a2enmod security2
    sudo service apache2 restart
    
  6. Turn on the ModSecurity engine with base rules for all sites on the given host.

    Note

    Verify that the rules do not block sites because of false positives. Test this before deploying to production.

    sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' \
        /etc/modsecurity/modsecurity.conf
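
A pre-flight check for step 6, as an added example that is not part of the original guide: it reports the active SecRuleEngine mode and tallies the rules that matched while the engine ran in DetectionOnly, so false positives can be reviewed before blocking is enabled. The log lines, the temporary files and the function names modsec_engine_mode and modsec_match_summary are constructed for illustration.

```shell
#!/bin/sh
# Added example: review DetectionOnly matches before switching to "On".

# Print the value of the last uncommented SecRuleEngine directive in a file.
modsec_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# Tally ModSecurity matches in an Apache error log as "count rule_id uri",
# most frequent first. Each pair is a candidate false positive to review.
modsec_match_summary() {
    grep 'ModSecurity:' "$1" |
        sed -n 's/.*\[id "\([^"]*\)"].*\[uri "\([^"]*\)"].*/\1 \2/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2, $3 }'
}

# Constructed sample input, trimmed to the fields the functions read.
# On a controller, pass /etc/modsecurity/modsecurity.conf and the error log
# of the Apache site that serves the API instead.
SAMPLE_CONF=$(mktemp)
SAMPLE_LOG=$(mktemp)
printf '%s\n' '# SecRuleEngine On' 'SecRuleEngine DetectionOnly' > "$SAMPLE_CONF"
cat > "$SAMPLE_LOG" <<'EOF'
[Mon Jan 04 10:00:01 2016] [:error] [client 192.0.2.10] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [id "200002"] [msg "Failed to parse request body."] [uri "/v3/auth/tokens"] [unique_id "constructed-0001"]
[Mon Jan 04 10:00:02 2016] [:error] [client 192.0.2.10] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [id "200002"] [msg "Failed to parse request body."] [uri "/v3/auth/tokens"] [unique_id "constructed-0002"]
[Mon Jan 04 10:00:03 2016] [:error] [client 192.0.2.11] ModSecurity: Warning. Match of "eq 0" against "REQBODY_ERROR" required. [id "200002"] [msg "Failed to parse request body."] [uri "/v3/auth/tokens"] [unique_id "constructed-0003"]
[Mon Jan 04 10:00:04 2016] [:error] [client 192.0.2.12] ModSecurity: Warning. Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [id "200003"] [msg "Multipart request body failed strict validation"] [uri "/v2.0/tokens"] [unique_id "constructed-0004"]
[Mon Jan 04 10:00:05 2016] [mpm_prefork:notice] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
EOF

echo "engine mode: $(modsec_engine_mode "$SAMPLE_CONF")"
modsec_match_summary "$SAMPLE_LOG"
```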