Deploying Drupal on an Apache web server with mod_security or adding mod_security to an Apache server with Drupal running should be as easy as installing the relevant packages. Unfortunately, on Red Hat Enterprise Linux (RHEL) 5.4 and 5.5 servers it just isn't so. This is due to a combination of a bug and an outdated Core Rule Set (CRS) in the current mod_security package in the EPEL (Extra Packages for Enterprise Linux) repository. I've seen lots of posts online where people were struggling with this combination so I decided a how-to article was in order.

She walks you through the install process for mod_security (assuming you already have Apache and Drupal installed), what settings to change, directories and permissions to add and how to replace the old Core Rule Set with a newer version.

ModSecurity is a web application firewall. It can live in and out of the Apache web server environment, one of the most popular web servers around. ModSecurity is infinitely customizable and extremely powerful. The philosophy of ModSecurity can be summed up in a few words. Look, and only modify if I tell you to.

The author of the post (Orlanao Medina) thinks that this book is *the* resource for ModSecurity-related information, providing step-by-step information on how to work with the tool both inside and outside of Apache. It shares tips on blocking XSS attacks, brute force attacks and generally protecting your application in general.