Install ModSecurity:



sudo apt install libapache2-modsecurity


Restart Apache:

/etc/init.d/apache2 restart


Verify the version of ModSecurity is 2.8.0 or higher:

apt-cache show libapache2-modsecurity


When listing all mods using apachectl -M, ModSecurity is listed under the name security2_module.



On RHEL-based distributions, install ModSecurity with yum:

yum install mod_security


Restart Apache by entering the following command:

/etc/init.d/httpd restart


Verify the version of ModSecurity is 2.8.0 or higher:

yum info mod_security


OWASP ModSecurity Core Rule Set

The following steps are for Debian based distributions. File paths and commands for RHEL will differ slightly.

  1. Move and change the name of the default ModSecurity file:

    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf


  2. Install git if needed:

    sudo apt install git


  3. Download the OWASP ModSecurity CRS from Github:

    git clone


  4. Navigate into the downloaded directory. Move and rename crs-setup.conf.example to crs-setup.conf. Then move rules/ as well.

    cd owasp-modsecurity-crs
    mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
    mv rules/ /etc/modsecurity/


  5. In the Apache configuration file for the ModSecurity module, confirm that the IncludeOptional directive matches the path used above (/etc/modsecurity). Then add another Include directive pointing to the rule set:

    <IfModule security2_module>
            # Default Debian dir for modsecurity's persistent data
            SecDataDir /var/cache/modsecurity
            # Include all the *.conf files in /etc/modsecurity.
            # Keeping your local configuration in that directory
            # will allow for an easy upgrade of THIS file and
            # make your life easier
            IncludeOptional /etc/modsecurity/*.conf
            Include /etc/modsecurity/rules/*.conf
    </IfModule>


  6. Restart Apache so that the changes will take effect:

    /etc/init.d/apache2 restart


ModSecurity Test

OWASP CRS builds on top of ModSecurity so that existing rules can be extended.

  1. Navigate to the default Apache configuration and add two additional directives, using the default configuration as an example:

    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SecRuleEngine On
        SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
    </VirtualHost>


  2. Restart Apache then curl the index page to intentionally trigger the alarms:

    curl 'localhost/index.html?testparam=test'


    The response code should be 403. There should be a message in the logs that shows the defined ModSecurity rule worked. You can check using: sudo tail -f /var/log/apache2/error.log

  3. Verify the OWASP CRS is in effect:

    curl 'localhost/index.html?exec=/bin/bash'

Review the configuration files located in /etc/modsecurity/*.conf. Most of the files are commented with definitions of the available options. ModSecurity uses an Anomaly Scoring Level where the highest number (5) is most severe. 
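To confirm which rules fired after the two curl tests, the following added example (not part of the original guide) summarises ModSecurity entries in an Apache error log by rule id and by whether the rule denied the request or only logged a warning. The sample log lines are constructed and abbreviated, the CRS rule ids in them are illustrative, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example: summarise ModSecurity hits in an Apache error log.

# modsec_hits LOGFILE -> one line per rule: id<TAB>deny|warn<TAB>count<TAB>msg
modsec_hits() {
    awk '
        /ModSecurity: / {
            if (!match($0, /\[id "[0-9]+"\]/)) next
            id = substr($0, RSTART + 5, RLENGTH - 7)
            msg = match($0, /\[msg "[^"]*"\]/) ? substr($0, RSTART + 6, RLENGTH - 8) : "-"
            # "Access denied" means this rule blocked; "Warning" only logged or scored
            action = ($0 ~ /ModSecurity: Access denied/) ? "deny" : "warn"
            key = id "\t" action
            count[key]++; text[key] = msg
        }
        END { for (k in count) printf "%s\t%d\t%s\n", k, count[k], text[k] }
    ' "$1" | sort -n
}

# rule_fired LOGFILE RULE_ID -> exit status 0 if that rule id was logged at least once
rule_fired() {
    modsec_hits "$1" | awk -F'\t' -v id="$2" '$1 == id { found = 1 } END { exit !found }'
}

# blocking_rules LOGFILE -> ids of the rules that actually denied a request
blocking_rules() { modsec_hits "$1" | awk -F'\t' '$2 == "deny" { print $1 }'; }

# write_sample_log PATH -> constructed, abbreviated error.log lines for the two curl tests
write_sample_log() {
    cat > "$1" <<'EOF'
[Mon Jan 01 10:00:00 2018] [:error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [id "1234"] [msg "Our test rule has triggered"] [uri "/index.html"]
[Mon Jan 01 10:00:05 2018] [:error] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [uri "/index.html"]
[Mon Jan 01 10:00:05 2018] [:error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/index.html"]
[Mon Jan 01 10:00:09 2018] [core:notice] AH00094: Command line: '/usr/sbin/apache2'
EOF
}

# Demo on the constructed sample; on a real host pass /var/log/apache2/error.log instead
log=$(mktemp) && write_sample_log "$log" && modsec_hits "$log"; rm -f "$log"
```

A rule that appears only as "warn" contributed to the anomaly score without blocking on its own; the "deny" rows show which rule returned the 403.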
