How to Configure ModSecurity on Apache?

Install ModSecurity:

 

Ubuntu/Debian

sudo apt install libapache2-modsecurity

 

Restart Apache:

/etc/init.d/apache2 restart

 

Verify the version of ModSecurity is 2.8.0 or higher:

apt-cache show libapache2-modsecurity

Note:

When listing all mods using apachectl -M, ModSecurity is listed under the name security2_module.

 

CentOS

yum install mod_security

 

Restart Apache by entering the following command:

/etc/init.d/httpd restart

 

Verify the version of ModSecurity is 2.8.0 or higher:

yum info mod_fcgid

 

OWASP ModSecurity Core Rule Set

The following steps are for Debian based distributions. File paths and commands for RHEL will differ slightly.

  1. Move and change the name of the default ModSecurity file:

    mv /etc/modsecurity/modsecurity.conf-recommended  modsecurity.conf

     

  2. Install git if needed:

    sudo apt install git

     

  3. Download the OWASP ModSecurity CRS from Github:

    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

     

  4. Navigate into the downloaded directory. Move and rename crs-setup.conf.example to crs-setup.conf. Then move rules/ as well.

    cd owasp-modsecurity-crs
    mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
    mv rules/ /etc/modsecurity/

     

  5. The configuration file should match the path above as defined in the IncludeOptional directive. Add another Include directive pointing to the rule set:

    etc/apache2/mods-available/security2.conf
    
    <IfModule security2_module>
            # Default Debian dir for modsecurity's persistent data
            SecDataDir /var/cache/modsecurity
    
            # Include all the *.conf files in /etc/modsecurity.
            # Keeping your local configuration in that directory
            # will allow for an easy upgrade of THIS file and
            # make your life easier
            IncludeOptional /etc/modsecurity/*.conf
            Include /etc/modsecurity/rules/*.conf
    </IfModule>

     

  6. Restart Apache so that the changes will take effect:

    /etc/init.d/apache2 restart

     

ModSecurity Test

OWASP CRS builds on top of ModSecurity so that existing rules can be extended.

  1. Navigate to the default Apache configuration and add two additional directives, using the default configuration as an example:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    
        SecRuleEngine On
        SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
    </VirtualHost>

     

  2. Restart Apache then curl the index page to intentionally trigger the alarms:

    curl localhost/index.html?testparam=test

     

    The response code should be 403. There should be a message in the logs that shows the defined ModSecurity rule worked. You can check using: sudo tail -f /var/log/apache2/error.log

  3. Verify the OWASP CRS is in effect:

    curl localhost/index.html?exec=/bin/bash
     

Review the configuration files located in /etc/modsecurity/*.conf. Most of the files are commented with definitions of the available options. ModSecurity uses an Anomaly Scoring Level where the highest number (5) is most severe. 

Was this answer helpful? 0 Users Found This Useful (0 Votes)