Install ModSecurity on DirectAdmin with CustomBuild 2.x


If you don't have CustomBuild, or your version is 1.x, you first need to upgrade to CustomBuild 2.x.

Upgrade instruction

Update Custombuild

Update custombuild:

# cd /usr/local/directadmin/custombuild
# ./build update


Edit the options.conf file and change these lines as shown below:


Build ClamAV scanner

# ./build clamav

Optionally, you can also use Malware Expert ClamAV Signatures and Linux Malware Detect.

Build ModSecurity

# ./build modsecurity

Mod_Security Rules

In options.conf, the possible values for modsecurity_ruleset are: comodo/owasp/no


Comodo ModSecurity Rules –
Owasp ModSecurity Rules –

If set to no, you can use Malware Expert ModSecurity Rules –

We select Malware Expert ModSecurity Rules, so set the following in the options.conf file:


Set to ‘no’ to use no default ruleset and use a custom one instead. (It needs to be uploaded to the custom/modsecurity/conf directory.)

Buy Malware Expert Rules and create a custom configuration:

# cd /usr/local/directadmin/custombuild
# mkdir -p custom/modsecurity/conf

Add the file malware_expert.conf to the custom/modsecurity/conf folder and replace (serial key) with the one you purchased.

SecRemoteRules (serial key)

# ./build modsecurity_rules


The Apache ModSecurity configuration also needs small modifications, because ClamAV needs to scan uploaded files.

# cd /usr/local/directadmin/custombuild
# mkdir -p custom/ap2/conf custom/ap2/extra

Add a custom/ap2/extra/httpd-modsecurity.conf file with these modifications:

LoadFile /usr/local/lib/
LoadModule security2_module /usr/lib/apache/
<IfModule mod_security2.c>
    # Default recommended configuration
    SecRuleEngine On
    SecRequestBodyAccess On
    SecDefaultAction "phase:1,deny,log,status:406"
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRemoteRulesFailAction Warn
    SecRequestBodyLimitAction ProcessPartial
    SecResponseBodyLimitAction ProcessPartial

    SecPcreMatchLimit 250000
    SecPcreMatchLimitRecursion 250000

    SecCollectionTimeout 600

    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 0
    SecAuditEngine RelevantOnly

    SecAuditLogDirMode 1733
    SecAuditLogFileMode 0550
    SecAuditLogType Concurrent
    SecAuditLogStorageDir /var/log/modsec_audit

    SecAuditLog /var/log/httpd/modsec_audit.log
    SecUploadDir /tmp
    SecTmpDir /tmp
    SecDataDir /tmp
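    # Stored uploads are made world-readable so a scanner running as another user can read them
    SecUploadFileMode 0644

    # Write uploaded files to SecTmpDir so they can be inspected on disk
    SecTmpSaveUploadedFiles on

    # ModSecurity Core Rules Set and Local configuration
    IncludeOptional /etc/modsecurity.d/*.conf.main
    IncludeOptional /etc/modsecurity.d/*.conf
</IfModule>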

Rebuild configurations

# ./build rewrite_confs

Activate rules and modifications:

# ./build modsecurity_rules
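
The configuration above only saves uploads to disk in a form ClamAV can read; one way to hand them to the scanner is a rule using ModSecurity's @inspectFile operator. The script below is an added example, not part of the original page or of the Malware Expert rules: a helper for such a rule that blocks the upload when the scanner fails. The script path, the rule id and the SCANNER variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): helper for a ModSecurity
# @inspectFile rule that passes each saved upload to clamd.
#
# Hypothetical rule calling it (rule id and script path are assumptions):
#   SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/modsec-clamscan.sh" \
#       "id:1000001,phase:2,t:none,deny,log,msg:'Malware found in upload'"
#
# @inspectFile contract: the script gets the file path as its first argument
# and prints one line; a leading "1" means clean, anything else is a match.

# Scanner command (assumed name SCANNER); overridable for testing without clamd.
# clamd reads the file itself, which is why the page sets SecUploadFileMode 0644.
: "${SCANNER:=clamdscan --no-summary}"

inspect_upload() {
    file=$1
    # Fail closed: an upload we cannot read is reported as a match.
    if [ ! -r "$file" ]; then
        echo "0 unreadable upload: $file"
        return 0
    fi
    # clamdscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    # The && / || form keeps a non-zero exit from aborting under `set -e`.
    out=$($SCANNER "$file" 2>&1) && rc=0 || rc=$?
    case $rc in
        0) echo "1 clamdscan: OK" ;;
        1) sig=$(printf '%s\n' "$out" | sed -n 's/.*: \(.*\) FOUND$/\1/p' | head -n 1)
           echo "0 clamdscan: ${sig:-unknown signature}" ;;
        *) echo "0 clamdscan error (rc=$rc), blocking upload" ;;
    esac
}

# When invoked by ModSecurity with a path argument, print the verdict.
if [ "$#" -ge 1 ]; then
    inspect_upload "$1"
fi
```

Treating a scanner error as a match means a stopped clamd rejects every upload, so monitor the daemon if you deploy a rule like this.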