How to Secure Apache 2 With ModSecurity – Linode

What is ModSecurity?

ModSecurity is a free and open source web application firewall (WAF) that started as an Apache module and grew into a complete firewall for web applications. It inspects requests sent to the web server in real time against a set of predefined rules, preventing typical attacks on web applications such as XSS and SQL injection.

Prerequisites and requirements

To install and configure ModSecurity, you must have a Linux server with the following services running:

  • Apache 2

For instructions, see our guide on How to Install Apache Web Server on Ubuntu 18.04 LTS. Installation instructions for several other Linux distributions are also accessible from this guide.

Installing ModSecurity

  1. ModSecurity can be installed by running the following command in your terminal:

    sudo apt install libapache2-mod-security2 -y

    Alternatively, you can also compile ModSecurity manually by cloning the official ModSecurity GitHub repository.

  2. After installing ModSecurity, enable the Apache 2 headers module by running the following command:

    sudo a2enmod headers

  3. After installing ModSecurity and enabling the headers module, restart the apache2 service by running the following command:

    sudo systemctl restart apache2

You should now have ModSecurity installed. The next steps involve enabling and configuring ModSecurity and OWASP-CRS.

Configuring ModSecurity

ModSecurity is a firewall and therefore requires rules to function. This section shows how to implement the OWASP Core Rule Set. First of all, you need to prepare the ModSecurity configuration file.

  1. Remove the -recommended suffix from the name of the ModSecurity configuration file by copying it with the following command:

    sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

  2. Using a text editor such as vim, open /etc/modsecurity/modsecurity.conf and change the value of SecRuleEngine to On:

    File: /etc/modsecurity/modsecurity.conf

  3. Restart Apache to apply the changes:

    sudo systemctl restart apache2

ModSecurity should now be configured to run. The next step in the process is to set up a set of rules to actively prevent your web server from being attacked.
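The SecRuleEngine change above is the single switch that turns ModSecurity from logging into blocking, so it is worth scripting and verifying rather than editing by hand. The following added example (not part of the Linode guide) reads and rewrites that directive in a modsecurity.conf file; it assumes the single-line form that modsecurity.conf-recommended ships with, where the default value is DetectionOnly (matches are logged, nothing is blocked). The sample file it operates on is constructed inline.

```shell
#!/bin/sh
# Added example (not part of the Linode guide): switch the SecRuleEngine
# directive in a modsecurity.conf file and read back the active mode.
# Assumes the single-line "SecRuleEngine <mode>" form that
# modsecurity.conf-recommended ships with; that file defaults to
# DetectionOnly, which logs matches but blocks nothing.

# Print the active SecRuleEngine mode (On, Off or DetectionOnly) in file $1.
# Commented-out copies of the directive are ignored; if the directive appears
# more than once, the last one wins, as it does in Apache.
get_rule_engine() {
    grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}'
}

# Rewrite the active SecRuleEngine line in file $1 to mode $2, appending the
# directive if none is active. Returns 1 on an invalid mode or if the file
# does not read back as requested.
set_rule_engine() {
    conf=$1
    mode=$2
    case "$mode" in
        On|Off|DetectionOnly) ;;
        *) echo "set_rule_engine: invalid mode '$mode'" >&2; return 1 ;;
    esac
    if grep -qE '^[[:space:]]*SecRuleEngine[[:space:]]+' "$conf"; then
        sed -i.bak -E "s/^([[:space:]]*SecRuleEngine[[:space:]]+)[A-Za-z]+/\1$mode/" "$conf"
        rm -f "$conf.bak"
    else
        printf 'SecRuleEngine %s\n' "$mode" >> "$conf"
    fi
    [ "$(get_rule_engine "$conf")" = "$mode" ]
}

# Constructed stand-in for /etc/modsecurity/modsecurity.conf after the cp step
# (the real file has many more directives).
demo_dir=$(mktemp -d)
cat > "$demo_dir/modsecurity.conf" <<'EOF'
# -- Rule engine initialization --
# Enable ModSecurity, attaching it to every transaction.
#SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF

echo "before: $(get_rule_engine "$demo_dir/modsecurity.conf")"   # before: DetectionOnly
set_rule_engine "$demo_dir/modsecurity.conf" On
echo "after:  $(get_rule_engine "$demo_dir/modsecurity.conf")"   # after:  On
rm -rf "$demo_dir"
```

On a real server you would call set_rule_engine /etc/modsecurity/modsecurity.conf On and then restart apache2 as the guide does. Keeping DetectionOnly for a while first and reviewing the error log lets you find rules that trip on legitimate traffic before they start returning 403s to users.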

OWASP ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or supported web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS provides protection against many common attack categories, such as SQL injection, cross-site scripting, and local file inclusion.

To configure the OWASP-CRS, follow the procedures below.

  1. First, delete the current rule set that comes prepackaged with ModSecurity by running the following command:

    sudo rm -rf /usr/share/modsecurity-crs

  2. Make sure git is installed:

    sudo apt install git

  3. Clone the OWASP-CRS GitHub repository into the /usr/share/modsecurity-crs directory:

    sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs

  4. Rename crs-setup.conf.example to crs-setup.conf:

    sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

  5. Rename the default request exclusion rule file:

    sudo mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

You should now have the OWASP-CRS configuration ready to be used in your Apache configuration.

Enabling ModSecurity in Apache 2

To start using ModSecurity, enable it in the Apache configuration file by following the steps below:

  1. Using a text editor such as vim, edit the /etc/apache2/mods-available/security2.conf file to include the OWASP-CRS files you downloaded:

    File: /etc/apache2/mods-available/security2.conf

  2. In the VirtualHost block of the file /etc/apache2/sites-enabled/000-default.conf, include the SecRuleEngine directive set to On.

    File: /etc/apache2/sites-enabled/000-default.conf

    If you are running a website that uses SSL, also add the SecRuleEngine directive to the configuration file for that website. See our guide on SSL certificates with Apache on Debian and Ubuntu for more information.

  3. Restart the apache2 service to apply the settings:

    sudo systemctl restart apache2

ModSecurity should now be configured and running to protect your web server from attacks. You can now perform a quick test to verify that ModSecurity is working.
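The CRS steps and the security2.conf edit above depend on each other: security2.conf pulls the CRS files in with include globs, and those globs only see files whose names end in .conf, which is why the guide renames the .example files. The following added example (not part of the Linode guide) writes such a security2.conf and checks the CRS directory for the files the globs expect. The directive content is an assumption about what the guide's elided file listing contains, derived from the paths the guide uses; CRS_DIR defaults to the guide's clone location, and the CRS tree it runs against is a constructed stand-in.

```shell
#!/bin/sh
# Added example (not part of the Linode guide): write the security2.conf
# include block that loads the OWASP-CRS files, and sanity-check the CRS
# directory before restarting Apache. The directive content is an assumption
# about what the guide's elided file listing contains, derived from the paths
# the guide uses; CRS_DIR defaults to the guide's clone location.

CRS_DIR=${CRS_DIR:-/usr/share/modsecurity-crs}

# Write to $1 an Apache security2.conf that loads the base ModSecurity config
# (where SecRuleEngine On lives), then the CRS setup file, then the rules.
# Order matters: crs-setup.conf must be loaded before rules/*.conf.
write_security2_conf() {
    cat > "$1" <<EOF
<IfModule security2_module>
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional $CRS_DIR/*.conf
    IncludeOptional $CRS_DIR/rules/*.conf
</IfModule>
EOF
}

# Check the CRS tree under $1 against what those include globs expect.
# Fails (returns 1) if crs-setup.conf is missing or no rule file matches
# rules/*.conf; warns about any *.example file still present, because the
# *.conf glob never loads those, which is why the guide renames them.
check_crs_tree() {
    dir=$1
    status=0
    if [ ! -f "$dir/crs-setup.conf" ]; then
        echo "FAIL: $dir/crs-setup.conf missing (rename crs-setup.conf.example)" >&2
        status=1
    fi
    if ! ls "$dir"/rules/*.conf >/dev/null 2>&1; then
        echo "FAIL: nothing matches $dir/rules/*.conf" >&2
        status=1
    fi
    for f in "$dir"/*.example "$dir"/rules/*.example; do
        [ -e "$f" ] || continue
        echo "WARN: $f is not loaded by the *.conf glob" >&2
    done
    return $status
}

# Constructed stand-in for a fresh clone of the CRS repository: only the
# file names matter here, so the files are empty.
demo=$(mktemp -d)
mkdir -p "$demo/crs/rules"
: > "$demo/crs/crs-setup.conf.example"
: > "$demo/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
: > "$demo/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"

check_crs_tree "$demo/crs" || echo "fresh clone: not ready yet"
mv "$demo/crs/crs-setup.conf.example" "$demo/crs/crs-setup.conf"
mv "$demo/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example" \
   "$demo/crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
check_crs_tree "$demo/crs" && echo "CRS tree ready"

write_security2_conf "$demo/security2.conf"
cat "$demo/security2.conf"
rm -rf "$demo"
```

On the server, run check_crs_tree /usr/share/modsecurity-crs after the clone and rename steps, write the file to /etc/apache2/mods-available/security2.conf, and run sudo apachectl configtest before the restart so a syntax error in a rule file does not take the web server down.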

ModSecurity Test

Test ModSecurity by performing a simple local file inclusion attack with the following command:

    curl http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash

If ModSecurity has been configured correctly and is actively blocking attacks, the following error is returned:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access this resource.</p>
    <hr>
    <address>Apache/2.4.25 (Debian) Server at 96.126.105.75 Port 80</address>
    </body></html>
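A 403 in the terminal tells you the request was blocked but not which rule did it, and while SecRuleEngine is still DetectionOnly the same request returns 200 with only a log entry to show for it. The following added example (not part of the Linode guide) covers both sides: modsec_probe sends the guide's test request and checks for 403, and modsec_log_summary reduces ModSecurity entries in the Apache error log to one line per rule hit. The sample log lines are constructed to follow the ModSecurity 2 error-log format; the rule ids are the CRS ids for the LFI and anomaly-blocking rules (assumed from CRS 3.x), and the timestamps and addresses are made up.

```shell
#!/bin/sh
# Added example (not part of the Linode guide): verify the guide's curl test
# from the defender's side. modsec_probe sends the same request and checks
# for a 403; modsec_log_summary turns ModSecurity entries in the Apache error
# log into one line per rule hit so you can see which CRS rule fired. The
# sample log lines below are constructed; rule ids are assumed from CRS 3.x,
# timestamps and addresses are made up.

# Send the guide's test request to base URL $1 and succeed only on HTTP 403.
# Needs a reachable server, so it is defined here but not called below.
modsec_probe() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/index.php?exec=/bin/bash")
    echo "HTTP $code"
    [ "$code" = "403" ]
}

# Print "id|client|uri|action|msg" for every ModSecurity entry in log file $1.
modsec_log_summary() {
    grep 'ModSecurity:' "$1" | sed -E \
        's/.*\[client ([^]]+)\].*ModSecurity: ([^.]*)\..*\[id "([0-9]+)"\].*\[msg "([^"]*)"\].*\[uri "([^"]*)"\].*/\3|\1|\5|\2|\4/'
}

# Count the requests ModSecurity actually blocked (as opposed to only logged,
# which is all that happens while SecRuleEngine is DetectionOnly).
modsec_blocked_count() {
    grep -c 'ModSecurity: Access denied' "$1"
}

# Write constructed sample error-log lines to $1: a CRS LFI rule warning,
# the anomaly-score rule that denies the request, and an unrelated notice.
write_sample_log() {
    cat > "$1" <<'EOF'
[Mon Jun 03 10:21:45.123456 2024] [:error] [pid 1234:tid 140] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [id "930120"] [msg "OS File Access Attempt"] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/index.php"] [unique_id "constructed-1"]
[Mon Jun 03 10:21:45.123789 2024] [:error] [pid 1234:tid 140] [client 203.0.113.7:51234] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "203.0.113.10"] [uri "/index.php"] [unique_id "constructed-2"]
[Mon Jun 03 10:22:01.000000 2024] [mpm_event:notice] [pid 1233] AH00489: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
modsec_log_summary "$sample"
# 930120|203.0.113.7|/index.php|Warning|OS File Access Attempt
# 949110|203.0.113.7|/index.php|Access denied with code 403 (phase 2)|Inbound Anomaly Score Exceeded (Total Score: 5)
echo "blocked: $(modsec_blocked_count "$sample")"   # blocked: 1
rm -f "$sample"
```

On the server, run modsec_probe http://<SERVER-IP/DOMAIN> and then modsec_log_summary /var/log/apache2/error.log (the default Debian/Ubuntu location): the Warning line names the CRS rule that recognised the payload, and the Access denied line is the anomaly-score evaluation that actually returned the 403. If you only see Warning lines and a 200 response, the engine is still in DetectionOnly mode.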