UPDATE: there were several bugs in my original version – by Debian standards, ModSecurity is damn hard to configure correctly, mainly because the Debian packager has left out so much that’s essential! This version is fully tested and working…
Mod Security is an awesome, open-source product for Apache that will protect your webserver against attackers, using a custom rules-language that lets you easily filter for any kind of website attack. Even better, it comes with a pre-built (and regularly updated) set of “official” default rules for cutting out the majority of common internet attacks.
But, pretty shocking … I tried 10 different tutorials / HOWTO’s for this, and each one was wrong. Out of the 10, 6 of them lead to fundamentally insecure / misconfigured systems.
Mostly it’s the vendor’s fault for providing huge long-winded webpages in place of basic install instructions. Partly, it’s the Debian packager’s fault for both mis-packaging, and also “forgetting” to document what they’d done (e.g most of the README’s are empty. Grr!). Whatever. Here’s my HOWTO for doing it correctly, and picking up the excellent default security rules, that *should* work with most installs of Debian.