Discussion in 'General' started by MyLinux, Sep 2, 2005.

  1. MyLinux

    MyLinux New Member

    Hi friends,
    I am relatively newbie to ispconfig.Please le me know whether there is any conflict or problem in installing mod_secirty apache module on ISPConfig web hosting servers.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I think it has not been tested yet. Generally ISPConfig does not make problems when you install additional apache modules that can not be configured trough the web interface.
  3. dspx2006

    dspx2006 New Member

    The thing is that for a newbie it is quite difficult to figure out what and where to change in the configuration of the ISPConfig to accept mod_security. I have had some trouble myself figuring that out (I am new to ISPConfig but not new to Apache configurations). So this is what I did after some hours of working (and no help on the net...).

    First of all, perhaps it is useful to remind people that ISPConfig uses its own apache (apart from system's default).
    For instance my LAMP Ubuntu server brings an apache2 while ISPConfig 2.2.6 comes with Apache 1.3.37.
    There are two apache configurations to secure:
    1. the one ISPConfig uses (1.3.37)
    2. the one used for the websites hosted, the same with system's Apache (my case latest Apache 2 from Ubuntu)
    For securing 2. just
    apt-get install libapache2-mod-security 
    add rules to /etc/apache2/mods-available/ in a separate file (you can use the rules from and ln -s to mods-enabled
    Than restart apache2.

    For securing 1, see below:

    Get the latest mod-security. Mine was 1.9.4:
    tar -zxvf modsecurity-apache_1.9.4.tar.gz
    2. go to the module you need to install in apache
    cd modsecurity-apache_1.9.4/apache1/
    3. now you need to install the module by using apxs. First find where ISPConfig established its basic directory, by searching after ispconfig_httpd
    locate ispconfig_httpd
    Copy the mod_security.c to the path obtained above
    cp mod_security.c /path/to/ispconfig_httpd/mod_security.c
    Now cd to the location of the ispconfig_httpd (where there is also apxs, the one we need)
    cd /path/to/ispconfig_httpd/
    Stop ispconfig
    /etc/init.d/ispconfig_server stop
    Backup your ispconfig_httpd
    cp ispconfig_httpd ispconfig_httpd_bk
    Rename ispconfig_httpd to httpd (so that apxs recongnizes the httpd)
    mv ispconfig_httpd httpd
    Load the module
    apxs -cia mod_security.c
    Rename httpd back to ispconfig_httpd
    mv httpd ispconfig_httpd
    Keep fingers crossed and start ispconfig
    /etc/init.d/ispconfig_server start
    If something goes wrong, change ispconfig_httd_bk to ispconfig_httpd and restart /etc/init.d/ispconfig_server restart.
    If nothing wrong happened you can see that ispconfig started and now you are using mod_security in your apache. Remember, anyway, that mod_security is useless if you don't add rules to your httpd.conf to handle the mod-security. go to
    cd ../conf
    Add the rules to httpd.conf:
    <IfModule mod_security.c>
        # mod_security rules which you can find here
        # you can include the chosen file directly by:
        # Include file
        # ...
    That's about it. From now on read the manuals on to learn about the rules.

    Last edited: Aug 27, 2006
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats not correct. ISPConfig uses the apache2 from your linux installation. Running "apt-get install libapache2-mod-security" is enough to install mod_security.

    The mod_security you installed will not secure the websites on your server, it will secure only connections on port 81 to the controlpanel frontend. I will not say that running mod_security on the controlpanel is a bad idiea, but it is maybe not that what you wanted.
  5. dspx2006

    dspx2006 New Member

    you're right!

    I'm afraid you are right! I have actually been mislead by phpMyAdmin's php_info() which only showed mod_security after I did all I described above. But you are right since phpMyAdmin also comes through ISPConfig's port 81.
    So, mea culpa!
    The above information only applies to securing the ISPConfig's apache.
    I have edited the post to correct the confusion.

    Thanks for clearing that up, Till!
    Last edited: Aug 27, 2006
  6. st2xo

    st2xo New Member

Share This Page