Introduction

ModSecurity is a plug-in module for Apache that works like a web application firewall. It functions through rule sets, which allow a high level of customization over your server security.

ModSecurity can also monitor web traffic in real time and help you detect and respond to intrusions. It can be used with Apache, Nginx, and IIS and is compatible with Debian, Ubuntu, and CentOS.

This tutorial shows you how to install and configure ModSecurity on Apache web servers.


Prerequisites

  • The LAMP (Linux, Apache, MySQL, PHP) stack installed and configured
  • Access to a user account with sudo or root privileges
  • A package manager (Aptitude or YUM), included by default
  • A command line/terminal window (Ctrl-Alt-T, Ctrl-Alt-F1)
  • A text editor, like nano

Step 1: Update Software Repositories

Open a terminal window, and enter the following:

Debian / Ubuntu:

sudo apt-get update

CentOS:

sudo yum update

Step 2: Installing ModSecurity On Apache

Install ModSecurity on Debian

1. In a terminal window, enter the following:

sudo apt install libapache2-modsecurity

2. Restart the Apache service:

sudo /etc/init.d/apache2 restart

3. Check the software version (it should be 2.8.0 or later):

apt-cache show libapache2-modsecurity

Install ModSecurity on Ubuntu

Note: Ubuntu has a slightly different syntax for the ModSecurity package.

1. In a terminal window, enter:

sudo apt-get install libapache2-mod-security2

2. Restart the Apache service:

sudo /etc/init.d/apache2 restart

3. Check the software version (should be 2.8.0 or later):

apt-cache show libapache2-mod-security2

Install ModSecurity on CentOS

1. Enter the following into a terminal window:

sudo yum install mod_security

2. Restart the Apache service:

sudo /etc/init.d/httpd restart

3. Check the software version (should be 2.8.0 or later):

yum info mod_security

Step 3: Configure ModSecurity

Upon installation, ModSecurity only logs events according to the default rules; it does not block anything. You’ll need to edit the configuration file so that the rules detect and block traffic. The default configuration file is /etc/modsecurity/modsecurity.conf-recommended.

1. Copy and rename the file:

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

2. Next, change the ModSecurity detection mode.

Open the configuration file in a text editor:

sudo nano /etc/modsecurity/modsecurity.conf

Near the top, you should see the directive (ModSecurity directives take no equals sign):

SecRuleEngine DetectionOnly

Change this to read as follows:

SecRuleEngine On

3. Use CTRL+X to exit, then press y then Enter to save the changes. Restart Apache per the instructions in Step 2.

This will turn on ModSecurity using the basic default rules. In some versions of Linux, this includes the OWASP Core Rule Set. However, this might differ from the latest version maintained by the developers.

Step 4: Download Latest OWASP ModSecurity Rules

The latest Core Rule Set (CRS) for ModSecurity is maintained on GitHub.

1. Install Git if it’s not already included on your system:

sudo apt install git
sudo yum install git

2. Download a copy of the CRS:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

This places a copy of the directory as a subdirectory of your current working location.

3. Open a new directory:

cd owasp-modsecurity-crs

4. Move the crs-setup file:

sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf

5. Then move the rules/ directory:

sudo mv rules/ /etc/modsecurity

If you encounter an error trying to move this directory, create the target directory and copy the rule files instead:

sudo mkdir /etc/modsecurity/rules
cd rules
sudo cp *.* /etc/modsecurity/rules

6. Next, check your security2.conf file to verify it’s set to load the ModSecurity rules:

sudo nano /etc/apache2/mods-enabled/security2.conf

Verify you have the following lines included and uncommented:

IncludeOptional /etc/modsecurity/*.conf

Include /etc/modsecurity/rules/*.conf

If they are not there, add them. Do not duplicate them: the same rule id loaded twice is a configuration error that stops Apache from starting.

7. Restart Apache as in Step 2.

Step 5: Test Apache Configuration

1. Open the default Apache configuration:

sudo nano /etc/apache2/sites-available/000-default.conf

2. At the bottom of the file, just above the closing </VirtualHost> tag, add the following lines:

SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'The test rule was triggered'"

Save and exit the file (CTRL+X > y > Enter). Restart Apache as in Step 2.

3. Then enter the following command:

curl localhost/index.html?testparam=test

Without ModSecurity, the server would return the default web page. Instead, it returns a 403 Forbidden error.

4. You can confirm this by displaying the Apache error logs with the command:

sudo tail -f /var/log/apache2/error.log

The last entry should be the ModSecurity log record for the test request, including the rule id 1234 and the message you configured.

Test ModSecurity With Bash Script

Another way to test ModSecurity is to send a request that tries to pass a shell path as a parameter, which the Core Rule Set treats as a command-injection attempt.

1. Enter the following:

curl localhost/index.html?exec=/bin/bash

Again, you should receive a 403 forbidden error.

2. To open the error log and inspect the ModSecurity entry in detail:

sudo nano /var/log/apache2/error.log

The last line should record the most recent request that tried to pass a shell command, together with the id of the CRS rule that blocked it.

Step 6: Create ModSecurity Rules

This step creates an example scenario in which you use ModSecurity to block keywords submitted through a PHP form.

1. Start by creating a PHP file with the command:

sudo nano /var/form/test.php

2. Enter the following into the form:

<html>
<body>
<?php
if (isset($_POST['data'])) {
    // Echo the submitted text back, HTML-escaped so the test page does not reflect raw input
    echo htmlspecialchars($_POST['data'], ENT_QUOTES, 'UTF-8');
} else {
?>
<form method="post" action="">
Enter text here: <textarea name="data"></textarea>
<input type="submit"/>
</form>
<?php
}
?>
</body>
</html>

Save the file and exit.

3. Next, create a new ModSecurity custom rules file:

sudo nano /etc/modsecurity/modsecurity_custom_rules.conf

Add the following lines. The REQUEST_FILENAME pattern must match the file you created in step 1 (test.php); inspecting REQUEST_BODY requires SecRequestBodyAccess On, which the recommended configuration from Step 3 already sets:

SecRule REQUEST_FILENAME "test.php" "id:'400001',phase:2,chain,deny,log,msg:'Spam detected'"
    SecRule REQUEST_METHOD "POST" "chain"
        SecRule REQUEST_BODY "@rx (?i:(enlarge|Nigerian|gold))"

Save the file and exit. Reload Apache as in Step 2.

4. Launch a web browser, open the form, and type one of the keywords into it (the keywords are enlarge, Nigerian, and gold).

You should receive a 403 Forbidden error message. You can also check the /var/log/apache2/error.log file to verify ModSecurity’s action.


Note: We don’t need to add this custom_rules file to the security2.conf file, because we specified a wildcard (IncludeOptional /etc/modsecurity/*.conf). If we had specified an individual .conf file, we would need to add this custom_rules file to the security2.conf file.
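Steps 5 and 6 both end with checking /var/log/apache2/error.log by eye. The following script is an added example (not part of this guide or of ModSecurity) that parses the bracketed fields ModSecurity 2.x writes to the Apache error log, separates "Access denied" blocks from DetectionOnly-style "Warning" entries, and counts hits per rule; the log lines are constructed samples built from the rules defined in Steps 5 and 6.

```python
import re
from collections import Counter

# Constructed sample lines in the format ModSecurity 2.x writes to the Apache
# error.log; the rule ids and messages are the ones defined in Steps 5 and 6.
SAMPLE_LOG = """\
[Mon Mar 04 10:15:01.123456 2024] [mpm_prefork:notice] [pid 1201] AH00163: Apache/2.4 configured -- resuming normal operations
[Mon Mar 04 10:15:32.456789 2024] [:error] [pid 1204:tid 1204] [client 127.0.0.1:50210] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "30"] [id "1234"] [msg "The test rule was triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "constructed-0001"]
[Mon Mar 04 10:16:05.000001 2024] [:error] [pid 1205:tid 1205] [client 192.0.2.10:41022] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(enlarge|Nigerian|gold))" at REQUEST_BODY. [file "/etc/modsecurity/modsecurity_custom_rules.conf"] [line "3"] [id "400001"] [msg "Spam detected"] [hostname "localhost"] [uri "/test.php"] [unique_id "constructed-0002"]
[Mon Mar 04 10:17:11.000002 2024] [:error] [pid 1206:tid 1206] [client 192.0.2.10:41030] [client 192.0.2.10] ModSecurity: Warning. String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "30"] [id "1234"] [msg "The test rule was triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "constructed-0003"]
"""

# "Access denied with code NNN" means the engine blocked (SecRuleEngine On);
# "Warning" is what the same rule logs under SecRuleEngine DetectionOnly.
ACTION_RE = re.compile(r'ModSecurity: (?:Access denied with code (\d+)|Warning)')
CLIENT_RE = re.compile(r'\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]')
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "1234"] [msg "..."] [uri "..."]


def parse_modsec_line(line):
    """Return a dict for a ModSecurity event line, or None for any other log line."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    code = m.group(1)
    event = {"action": "blocked" if code else "warning",
             "status": int(code) if code else None,
             "client": None}
    c = CLIENT_RE.search(line)
    if c:
        event["client"] = c.group(1)
    event.update(FIELD_RE.findall(line[m.end():]))
    return event


def parse_log(text):
    return [e for e in (parse_modsec_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Count hits per (rule id, msg, action) so blocks and warnings show up separately."""
    return Counter((e.get("id"), e.get("msg"), e["action"]) for e in events)


if __name__ == "__main__":
    for key, n in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(n, key)
```

To run it against a real server, replace SAMPLE_LOG with the contents of /var/log/apache2/error.log; a rule that shows only "warning" hits after Step 3 means SecRuleEngine is still set to DetectionOnly.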


Conclusion

You should now have a solid understanding of how to install, set up, and configure ModSecurity on Apache. This guide uses the OWASP rule set. OWASP stands for Open Web Application Security Project.