What is ModSecurity?
ModSecurity is a free and open source toolkit that started as an Apache module and grew into a complete web application firewall (WAF). It works by inspecting requests sent to the web server in real time against a set of predefined rules, blocking typical attacks on web applications such as cross-site scripting (XSS) and SQL injection.
Prerequisites and requirements
To install and configure ModSecurity, you must have a Linux server with the following service running:
- Apache 2
For instructions, see our guide on How to Install Apache Web Server on Ubuntu 18.04 LTS. Installation instructions for several other Linux distributions are also accessible from this guide.
Installing ModSecurity
- ModSecurity can be installed by running the following command in your terminal:
  sudo apt install libapache2-mod-security2 -y
  Alternatively, you can also compile ModSecurity manually by cloning the official ModSecurity GitHub repository.
- After installing ModSecurity, enable the Apache 2 headers module by running the following command:
  sudo a2enmod headers
- After installing ModSecurity and enabling the headers module, restart the apache2 service by running the following command:
  sudo systemctl restart apache2
You should now have ModSecurity installed. The next steps involve enabling and configuring ModSecurity and the OWASP CRS.
Configuring ModSecurity
ModSecurity is a firewall and therefore requires rules to function. This section shows how to implement the OWASP Core Rule Set. First of all, you need to prepare the ModSecurity configuration file.
- Remove the -recommended suffix from the name of the ModSecurity configuration file with the following command:
  sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Using a text editor such as vim, open /etc/modsecurity/modsecurity.conf and change the value of SecRuleEngine to On:
  File: /etc/modsecurity/modsecurity.conf
  SecRuleEngine On
- Restart Apache to apply the changes:
  sudo systemctl restart apache2
ModSecurity should now be configured to run. The next step in the process is to set up a set of rules to actively prevent your web server from being attacked.
OWASP ModSecurity Core Rule Set
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or other supported web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories, such as SQL injection, cross-site scripting, and local file inclusion.
To configure the OWASP CRS, follow the procedure below.
- First, delete the current rule set that comes prepackaged with ModSecurity by running the following command:
  sudo rm -rf /usr/share/modsecurity-crs
- Make sure git is installed:
  sudo apt install git
- Clone the OWASP CRS GitHub repository into the /usr/share/modsecurity-crs directory:
  sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs
- Rename crs-setup.conf.example to crs-setup.conf:
  sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
- Rename the default request exclusion rule file:
  sudo mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
You should now have the OWASP CRS configuration ready to be used in your Apache configuration.
Enabling ModSecurity in Apache 2
To start using ModSecurity, enable it in the Apache configuration files by following the steps below:
- Using a text editor such as vim, edit the /etc/apache2/mods-available/security2.conf file to include the OWASP CRS files you downloaded.
  File: /etc/apache2/mods-available/security2.conf
- In the VirtualHost block of /etc/apache2/sites-enabled/000-default.conf, include the SecRuleEngine directive set to On.
  File: /etc/apache2/sites-enabled/000-default.conf
  If you are running a website that uses SSL, also add the SecRuleEngine directive to the configuration file for that website. See our guide on SSL certificates with Apache on Debian and Ubuntu for more information.
- Restart the apache2 service to apply the settings:
  sudo systemctl restart apache2
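As an added illustration (not the guide's own listing), here is how the two edited files could look once the steps above are done. The IfModule layout, the SecDataDir path and the IncludeOptional line are assumed to match the stock Debian/Ubuntu security2.conf; the ServerName and DocumentRoot values are placeholders.

```apache
# /etc/apache2/mods-available/security2.conf
<IfModule security2_module>
    # Persistent data directory (assumed to match the Debian default)
    SecDataDir /var/cache/modsecurity

    # Local ModSecurity settings, including /etc/modsecurity/modsecurity.conf
    # where SecRuleEngine was switched from DetectionOnly to On
    IncludeOptional /etc/modsecurity/*.conf

    # OWASP CRS cloned above. crs-setup.conf must be loaded before the rules.
    # These two lines replace the packaged
    # "IncludeOptional /usr/share/modsecurity-crs/*.load" line (assumed present).
    Include /usr/share/modsecurity-crs/crs-setup.conf
    Include /usr/share/modsecurity-crs/rules/*.conf
</IfModule>

# /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
    # Placeholder values
    ServerName example.com
    DocumentRoot /var/www/html

    # Enforce the rules for this site. With DetectionOnly, matches are
    # only logged and the request is still served.
    SecRuleEngine On

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Run `sudo apachectl configtest` before the restart: a typo in either file or in a CRS rule would otherwise stop Apache from coming back up.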
ModSecurity should now be configured and running to protect your web server from attacks. You can now perform a quick test to verify that ModSecurity is working.
ModSecurity Test
Test ModSecurity by simulating a simple local file inclusion attack with the following command:
curl http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash
If ModSecurity has been configured correctly and is actively blocking attacks, the following error is returned:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at 96.126.105.75 Port 80</address>
</body></html>