How to Set Up ModSecurity with Apache on Debian/Ubuntu?

The Apache web server is highly customizable and can be configured in many ways to suit your needs. A large ecosystem of third-party modules extends it further, and ModSecurity is one of them.

 

ModSecurity is an open-source web application firewall (WAF) that began life as an Apache module. It has since grown into a stand-alone rule engine with connectors for Nginx and IIS as well. It inspects each incoming HTTP request (and, when configured, the response) against a set of rules. The rules most commonly deployed with it are the OWASP Core Rule Set (CRS), a separate project that protects web applications against SQL injection, cross-site scripting (XSS), local and remote file inclusion, session fixation and other common attack classes.

 

PCI DSS requires public-facing web applications to be protected against known attacks, and a WAF such as ModSecurity is one of the accepted ways to meet that requirement. Once the rule engine is switched on, a request that matches a blocking rule receives an HTTP '403 Forbidden' response. That 403 is ModSecurity refusing the request; it does not mean the file permissions on the server are wrong.

 

This guide will show you how to set up and configure ModSecurity to work with Apache on Debian and Ubuntu Linux.

Step 1: Install ModSecurity on Ubuntu

Begin by refreshing the package lists:

$ sudo apt update

 

Next, install the ModSecurity package alongside other dependencies and libraries:

$ sudo apt install libapache2-mod-security2

 

Now enable the module. On Debian and Ubuntu the package normally enables it during installation; running a2enmod again is harmless and confirms that it is enabled.

$ sudo a2enmod security2

 

Then restart the Apache web server so that the module is loaded.

$ sudo systemctl restart apache2

 

At this point ModSecurity is installed. You can confirm that the module is loaded by listing Apache's loaded modules with apachectl -M and looking for security2_module. Let's now configure it.

Step 2: Configure ModSecurity in Ubuntu

By default, the recommended ModSecurity configuration runs the rule engine in DetectionOnly mode: requests that match a rule are logged but never blocked. We will switch it to blocking mode. On a production site it is sensible to stay in DetectionOnly for a while first and review the logs for false positives, because once blocking is on every false positive turns into a 403 for a legitimate user.

 

Copy the default ModSecurity configuration file, modsecurity.conf-recommended, to modsecurity.conf as shown below. Apache only reads files in /etc/modsecurity that end in .conf, so the -recommended file is ignored until it is copied.

$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

 

Using your preferred text editor, open the file:

$ sudo nano /etc/modsecurity/modsecurity.conf

 

Locate the line:

SecRuleEngine DetectionOnly

 

Set it to:

SecRuleEngine On

 

Save the file and exit the editor.

 

To apply the changes in Apache, restart the webserver.

$ sudo systemctl restart apache2

Step 3: Download the OWASP ModSecurity Core Rule Set

The next step is to download the OWASP ModSecurity Core Rule Set (CRS) from its GitHub repository. (Debian and Ubuntu also package it as modsecurity-crs, installed under /usr/share/modsecurity-crs, but the packaged version may lag behind upstream.)

Clone the CRS repository as shown. A plain clone gives you the development branch; on a server you want a tagged release, so list the tags with git tag after cloning and check out the latest one before copying any files.

$ git clone https://github.com/coreruleset/coreruleset.git

 

Navigate into the directory.

$ cd coreruleset/

 

Move the crs-setup.conf.example file into the modsecurity directory, renaming it crs-setup.conf. This file holds the CRS settings (paranoia level, anomaly thresholds and so on); the defaults are a reasonable starting point.

$ sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf

 

In addition, move the rules directory into the modsecurity directory as well.

$ sudo mv rules/ /etc/modsecurity/

 

Next, edit the security2.conf file. Note that the copy in mods-enabled is a symlink to /etc/apache2/mods-available/security2.conf; editing either path changes the same file, but tools that replace files in place (such as sed -i) should be pointed at the mods-available copy so the symlink survives.

$ sudo nano /etc/apache2/mods-enabled/security2.conf

 

Ensure that, inside its <IfModule security2_module> block, it contains the following two lines in this order. The first (present in the Debian package by default) pulls in modsecurity.conf and crs-setup.conf; the second loads the CRS rules and must come after it, since the rules depend on the settings defined in crs-setup.conf.

IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf

 

Check the configuration for syntax errors with apachectl configtest first (a typo in any rule file would otherwise take the site down), then restart Apache for the changes to take effect.

$ sudo systemctl restart apache2
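The three steps above, collected into one idempotent script. This is an added example, not code from the article or from the ModSecurity or CRS projects. It assumes a Debian/Ubuntu system with the package layout described above, pins the CRS checkout to a release tag (the default tag v4.0.0 is an assumption; replace it with the current release), and edits the mods-available copy of security2.conf rather than the symlink. Run it with --apply as root; without that flag it only defines the helper functions, so they can be tried on scratch files.

```bash
#!/usr/bin/env bash
# Added example (not code from the article or from the ModSecurity/CRS projects):
# an idempotent script covering Steps 1 to 3 on Debian/Ubuntu.
#   sudo ./modsec-setup.sh --apply
# Without --apply it only defines the helper functions, so it can be sourced
# or exercised on scratch files without touching the system.
set -eu

MODSEC_DIR=/etc/modsecurity
# Edit the real file, not the mods-enabled symlink: replacing the symlink
# with a regular file would break a2dismod/a2enmod for this module.
SECURITY2_CONF=/etc/apache2/mods-available/security2.conf
CRS_REPO=https://github.com/coreruleset/coreruleset.git
# Assumption: pin to a tagged CRS release rather than the development branch.
# Replace with the current tag from the project's releases page.
CRS_TAG="${CRS_TAG:-v4.0.0}"

# Flip "SecRuleEngine DetectionOnly" to "SecRuleEngine On" in a file.
# Re-running on a file that already says On changes nothing.
enable_blocking_mode() {
    local conf="$1"
    sed -E 's/^[[:space:]]*SecRuleEngine[[:space:]]+DetectionOnly[[:space:]]*$/SecRuleEngine On/' \
        "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Report the effective SecRuleEngine value in a file (the last one wins,
# as it does when Apache reads the directives in order).
rule_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# Add the CRS rules Include just before </IfModule> unless it is already
# there, so the rules are read after modsecurity.conf and crs-setup.conf
# (both pulled in by the package's IncludeOptional line above it).
ensure_rules_include() {
    local conf="$1"
    local line='Include /etc/modsecurity/rules/*.conf'
    if grep -qF "$line" "$conf"; then
        return 0
    fi
    awk -v line="    $line" '/<\/IfModule>/ { print line } { print }' \
        "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Fetch the pinned CRS release; keep an existing crs-setup.conf (it may
# hold local tuning) but always refresh the rules directory.
install_crs() {
    local tmp
    tmp=$(mktemp -d)
    git clone --quiet --depth 1 --branch "$CRS_TAG" "$CRS_REPO" "$tmp/crs"
    [ -f "$MODSEC_DIR/crs-setup.conf" ] || \
        install -m 0644 "$tmp/crs/crs-setup.conf.example" "$MODSEC_DIR/crs-setup.conf"
    rm -rf "$MODSEC_DIR/rules"
    cp -r "$tmp/crs/rules" "$MODSEC_DIR/rules"
    rm -rf "$tmp"
}

main() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y libapache2-mod-security2 git
    a2enmod security2
    [ -f "$MODSEC_DIR/modsecurity.conf" ] || \
        cp "$MODSEC_DIR/modsecurity.conf-recommended" "$MODSEC_DIR/modsecurity.conf"
    enable_blocking_mode "$MODSEC_DIR/modsecurity.conf"
    install_crs
    ensure_rules_include "$SECURITY2_CONF"
    # A syntax error in any rule file would otherwise take the site down on
    # restart; configtest fails first (and set -e stops the script) instead.
    apachectl configtest
    systemctl restart apache2
    echo "ModSecurity rule engine: $(rule_engine_mode "$MODSEC_DIR/modsecurity.conf")"
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

The two file-editing helpers are written to be safe to re-run: a second run neither duplicates the Include line nor touches a modsecurity.conf that is already in blocking mode, which is what you want when the script is kept alongside the server's configuration management.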

 

Let us now test our ModSecurity configuration.

Step 4: Testing the ModSecurity Configuration on Ubuntu

Lastly, we need to test that ModSecurity can detect and block suspicious HTTP traffic. To do this, add a small test rule to the default virtual host file.

$ sudo nano /etc/apache2/sites-available/000-default.conf

 

Next, we will add a rule that denies any request whose testparam query parameter contains the string test, regardless of the client used.

Append these lines inside the VirtualHost block, just before its closing tag.

SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"

 

The 'id' must be unique across all loaded rules; ids below 100000 are reserved for local rules, so 254 cannot collide with the CRS (which uses the 900000 to 999999 range). The 'msg' can be any text you like; it is what you will search for in the logs.

 

Then restart the Apache webserver to apply the changes made to the virtual host configuration file.

$ sudo systemctl restart apache2

 

In your web browser, visit your server's address with ?testparam=test appended:

http://server-ip/?testparam=test

 

You should get a '403 Forbidden' error page, meaning ModSecurity blocked the request before it reached the application.

 

You can further confirm that the client was blocked by searching the Apache error log for the rule's message. The match is case-sensitive, so the search string must match the 'msg' exactly as written in the rule.

$ sudo grep "Test Successful" /var/log/apache2/error.log

The full request and the matching rule are also recorded in the ModSecurity audit log, /var/log/apache2/modsec_audit.log (the SecAuditLog path set in modsecurity.conf).
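The browser check above can be repeated from the command line, and the error log can be searched for all blocked requests rather than one message string. The script below is an added example and is not part of the original article: it sends the test request (and a harmless one) with curl and checks the status codes, and it extracts rule id, status, client address and message from each "Access denied" line in the error log. The sample log lines embedded in it are constructed to look like ModSecurity 2.9 output under Apache 2.4 (timestamps, addresses and unique_ids are made up) so the parsing can be tried without a live server; the server URL and log path are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): verify that the test
# rule blocks, and summarise what ModSecurity blocked according to the
# Apache error log. Live check:  ./modsec-check.sh --apply http://server-ip
set -eu

# Return only the HTTP status code for a URL (assumes curl is installed).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Print one line per blocked request found in an Apache error log:
#   <rule id> <status> <client ip> <msg>
# Lines that only say "Warning" (rules that raise the anomaly score without
# blocking by themselves) are skipped, so the output is what was denied.
modsec_blocks() {
    sed -n -E 's/.*\[client ([0-9a-fA-F.:]+):[0-9]+\].*ModSecurity: Access denied with code ([0-9]+).*\[id "([0-9]+)"\].*\[msg "([^"]*)"\].*/\3 \2 \1 \4/p' "$1"
}

# Count how many requests a given rule id blocked.
block_count_for_rule() {
    modsec_blocks "$1" | awk -v id="$2" '$1 == id { n++ } END { print n + 0 }'
}

# Constructed sample log, shaped like ModSecurity 2.9 on Apache 2.4. It holds
# a normal notice, the block from the article's test rule (id 254), a CRS
# warning that only scores, and the CRS blocking rule (949110) that acted on it.
SAMPLE_LOG=$(cat <<'EOF'
[Mon Jan 01 12:00:00.000001 2024] [mpm_event:notice] [pid 1000:tid 1000] AH00489: Apache/2.4.58 (Ubuntu) configured -- resuming normal operations
[Mon Jan 01 12:00:05.000001 2024] [security2:error] [pid 1001:tid 1002] [client 192.0.2.10:51234] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "31"] [id "254"] [msg "Test Successful"] [hostname "server-ip"] [uri "/"] [unique_id "AAAAAAAAAAAAAAAAAAAAAA"]
[Mon Jan 01 12:00:06.000001 2024] [security2:error] [pid 1001:tid 1003] [client 198.51.100.7:40000] [client 198.51.100.7] ModSecurity: Warning. Pattern match "(?i)union" at ARGS:id. [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "server-ip"] [uri "/"] [unique_id "BBBBBBBBBBBBBBBBBBBBBB"]
[Mon Jan 01 12:00:06.000002 2024] [security2:error] [pid 1001:tid 1003] [client 198.51.100.7:40000] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "server-ip"] [uri "/"] [unique_id "BBBBBBBBBBBBBBBBBBBBBB"]
EOF
)

# Live check against a running server: the test request must be a 403, a
# harmless request must not be, and the block must be visible in the log.
# Assumes the default Apache page answers 200 at / and the Debian log path.
verify_live() {
    local base="$1" log="${2:-/var/log/apache2/error.log}"
    [ "$(http_status "$base/?testparam=test")" = "403" ] || { echo "test request was NOT blocked"; return 1; }
    [ "$(http_status "$base/?testparam=hello")" = "200" ] || { echo "harmless request was blocked"; return 1; }
    echo "rule 254 has blocked $(block_count_for_rule "$log" 254) request(s) so far"
    modsec_blocks "$log" | tail -n 5
}

if [ "${1:-}" = "--apply" ]; then
    verify_live "${2:-http://127.0.0.1}"
fi
```

Run on the constructed sample, modsec_blocks reports two blocks (rule 254 and CRS rule 949110) and none for 942100, because the CRS rule that matched the injection only added to the anomaly score; when reading a real log, that distinction tells you whether a request was actually refused or merely noted.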

 

This confirms that ModSecurity is detecting and blocking unwanted traffic. In this guide we have walked through installing ModSecurity, switching it to blocking mode, loading the OWASP Core Rule Set, and verifying the setup with a test rule on Debian/Ubuntu systems.
