mod_security is an open source web-based application firewall (WAF). It is just one possible piece of a hardened Apache web server setup. Use it with, or without, other tools.
If you want to use this and other hardening tools, refer back to the Apache Hardened Web Server guide. This document also uses all of the assumptions and conventions outlined in that original document. It is a good idea to review it before continuing.
When installed from the generic Rocky Linux repositories, mod_security comes with only a minimal set of rules. To get a more extensive package of no-cost mod_security rules, this procedure uses the OWASP mod_security rules found here. OWASP stands for the Open Web Application Security Project. You can find out more about OWASP here.
Tip
As stated, this procedure uses the OWASP mod_security rules. What is not used is the configuration provided by that site. That site also provides great tutorials on using mod_security and other security-related tools. The document you are working through now does nothing but help you install the tools and rules needed for hardening with mod_security on a Rocky Linux web server. Netnea is a team of technical professionals that provides security courses on their website. Much of this content is available at no cost, but they do have options for in-house or group training.
With the rules in place, the next step is configuring these rules to load and run when httpd and mod_security run.
mod_security already has a configuration file located in /etc/httpd/conf.d/mod_security.conf. You will need to modify this file to include the OWASP rules. To do this, edit that configuration file:
vi /etc/httpd/conf.d/mod_security.conf
Add the following content just before the end tag (</IfModule>):
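For hosts where this edit is scripted rather than made in vi, the following is an added example, not part of the original guide, that places Include lines just before the closing tag once only and keeps a rollback copy. The rules directory argument is a placeholder, and the names crs-setup.conf and rules/*.conf assume the layout of the OWASP rule set release archive.

```shell
#!/bin/sh
# Added example (not from the original guide). The rules directory passed
# as $2 is a placeholder for wherever you unpacked the OWASP rules.
MARKER='# BEGIN OWASP CRS includes'

# Insert the Include lines just before the last </IfModule>, once only.
add_crs_includes() {
    conf=$1; crs_dir=$2
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    # Idempotent: a second run must not load the rule set twice.
    if grep -qF "$MARKER" "$conf"; then return 0; fi
    last=$(grep -in '^[[:space:]]*</IfModule>' "$conf" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || { echo "no </IfModule> in $conf" >&2; return 3; }
    # Rollback copy; a .bak name is not matched by a conf.d/*.conf include.
    cp -p "$conf" "$conf.bak" || return 4
    tmp=$(mktemp) || return 4
    # Build the new content, then write it through the existing file so
    # its owner, mode and SELinux label are kept.
    awk -v n="$last" -v m="$MARKER" -v d="$crs_dir" '
        NR == n {
            print "    " m
            print "    Include " d "/crs-setup.conf"
            print "    Include " d "/rules/*.conf"
            print "    # END OWASP CRS includes"
        }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# True when the inserted block sits before the closing </IfModule>.
crs_includes_in_place() {
    m=$(grep -nF "$MARKER" "$1" | head -n 1 | cut -d: -f1)
    e=$(grep -in '^[[:space:]]*</IfModule>' "$1" | tail -n 1 | cut -d: -f1)
    [ -n "$m" ] && [ -n "$e" ] && [ "$m" -lt "$e" ]
}

# Usage: script.sh <mod_security.conf> <rules directory>
if [ $# -eq 2 ]; then
    add_crs_includes "$1" "$2" && crs_includes_in_place "$1" &&
        echo "done; run 'apachectl configtest' before restarting httpd"
fi
```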
mod_security with OWASP rules is another tool to help in hardening an Apache web server. Periodically checking the GitHub site for newer rules and the latest official release is an ongoing maintenance step you need to perform.
mod_security, as with other hardening tools, has the potential of false-positive responses, so you must prepare to tune this tool to your installation.
As with the other solutions mentioned in the Apache Hardened Web Server guide, there are other no-cost and fee-based sources of mod_security rules, and for that matter, other WAF applications available. You can review one of these at Atomicorp's mod_security site.