ModSecurity is a free, open-source web application firewall (WAF). Loaded into Apache as the security2 module, it inspects every incoming request (and, if enabled, the response) against a set of rules and can log or block whatever matches. With a good rule set this covers many common attacks, such as SQL injection, cross-site scripting and file inclusion. The rules are fully adjustable to fit your website's specific needs, and ModSecurity is widely used for web server protection.
Adding ModSecurity to your Apache web server puts a filtering layer in front of your application. It complements fixing vulnerabilities in the application itself; it does not replace that. This guide will help you set up ModSecurity with the OWASP Core Rule Set on Apache for Ubuntu and similar Debian-based Linux systems.
Prerequisites
- A server running Ubuntu or other Debian-based system.
- Access to a terminal window or command-line shell with sudo privileges.
Step 1: Update Your System
As a best practice, it is good to keep the system packages up to date. Refresh the package index and upgrade the installed packages by running the following commands:
sudo apt update
sudo apt upgrade
Step 2: Installing Apache with ModSecurity
First, we need to install the Apache web server on our Ubuntu or Debian system. Execute the following command to install Apache:
sudo apt install apache2
Next, install the ModSecurity module for Apache by running the following command:
sudo apt install libapache2-mod-security2
After the ModSecurity module is installed, it needs to be enabled. Enabling it activates /etc/apache2/mods-available/security2.conf, which in turn loads every *.conf file under /etc/modsecurity; that directory is where the following steps put the engine and rule configuration. Run the following command to enable the module:
sudo a2enmod security2
Step 3: Configure ModSecurity
The Debian package ships the engine configuration only as a template, /etc/modsecurity/modsecurity.conf-recommended, and Apache reads only files named *.conf from that directory. Copy the template into place before editing it (the -n flag leaves an existing file alone):
sudo cp -n /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
The main configuration file for ModSecurity is now /etc/modsecurity/modsecurity.conf. It configures the engine itself (request and response body handling, size limits, temporary and audit log locations); the attack rules come from the rule set added in Step 4. The setting to look at first is SecRuleEngine. The shipped default, DetectionOnly, evaluates every rule and logs matches but never blocks; On makes a matching rule take its blocking action. DetectionOnly is the right mode while you are still tuning the rules, but for actual protection you need On.
Comment out the "SecRuleEngine DetectionOnly" line by prefixing it with a # symbol and add a "SecRuleEngine On" line:
#SecRuleEngine DetectionOnly
SecRuleEngine On
After you have made changes to the configuration file, check the syntax with apachectl configtest and then restart the Apache web server to apply the changes:
sudo systemctl restart apache2
Step 4: Enable the Latest Rule Set
ModSecurity itself ships almost no attack rules; the detection logic comes from a rule set. The standard one is the OWASP ModSecurity Core Rule Set (CRS), a collection of rules that determine how ModSecurity responds to various types of attacks. Use a current release to get the most protection.
Before adding CRS by hand, check whether it is already installed from the distribution: the modsecurity-crs package is a recommended dependency of libapache2-mod-security2, so apt may have pulled it in (dpkg -l modsecurity-crs shows this). security2.conf loads /usr/share/modsecurity-crs/*.load, and loading the same rules a second time makes Apache refuse to start because every rule ID is then defined twice. Either use that package and skip the clone below, or remove it first with sudo apt remove modsecurity-crs. Also make sure the engine configuration from Step 3 is in place (this does nothing if it already is):
sudo cp -n /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then, download the rule set. The repository's default branch is the development version; after cloning, check out the latest release tag listed on the project's releases page (git -C /etc/modsecurity.d/owasp-crs checkout followed by the tag name) rather than deploying the development head:
sudo git clone https://github.com/coreruleset/coreruleset.git /etc/modsecurity.d/owasp-crs
The repository ships the CRS settings file only as a template, crs-setup.conf.example. Create the real file from it; without it the rule set's initialization rule (901001) rejects every request with a 500 status once the rules are loaded (or, in DetectionOnly mode, logs that error on every request):
sudo cp /etc/modsecurity.d/owasp-crs/crs-setup.conf.example /etc/modsecurity.d/owasp-crs/crs-setup.conf
Finally, include the rule set in the main ModSecurity configuration file:
sudo nano /etc/modsecurity/modsecurity.conf
Add the following lines at the end of the file. The order matters: the setup file must be read before the rules. Use Include rather than IncludeOptional here; IncludeOptional silently ignores a missing file or an empty wildcard, which is exactly the mistake you want apachectl configtest to catch.
Include /etc/modsecurity.d/owasp-crs/crs-setup.conf
Include /etc/modsecurity.d/owasp-crs/rules/*.conf
Save and close the file, run apachectl configtest, then restart Apache to apply the changes:
sudo systemctl restart apache2
Step 5: Fine-Tune the ModSecurity Rules
While a current rule set provides a good level of protection, it is not perfect, and CRS in particular is written for generic web applications. Some rules will fire on legitimate traffic (false positives), and those need to be fine-tuned or, as a last resort, disabled. Run with SecRuleEngine DetectionOnly for a while first and work from what the logs show (Step 7) rather than guessing which rules are in the way.
Exclusions are ordinary directives, but they only take effect if Apache reads them after the rule they refer to. Placing them in modsecurity.conf above the Include lines from Step 4 does nothing. Put them below those lines, or better in the file CRS provides for this purpose, rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (shipped as a .conf.example to copy), which the wildcard include loads last.
Each rule is identified by a unique ID number (CRS rules use the 900000-999999 range, and the ID appears in every log entry the rule produces). For example, to disable the rule with ID 123456 everywhere, add the following line:
SecRuleRemoveById 123456
Save and close the file, check with apachectl configtest, then restart Apache to apply the changes. Prefer a narrower exclusion where you can: switching a rule off for a single URL or parameter (ModSecurity's ctl:ruleRemoveById action inside a SecRule, or SecRuleUpdateTargetById) keeps it active for the rest of the site.
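The script below is an added example, not code from the original tutorial or from the CRS project. It ties Steps 3 to 5 together: it checks that a CRS checkout actually has a crs-setup.conf (the failure IncludeOptional would hide), warns if the distribution's modsecurity-crs package is also going to be loaded, appends the include lines once, and writes a URI-scoped exclusion into the AFTER-CRS file. Paths default to the ones used in this guide; CRS_DIR, MODSEC_CONF and DISTRO_CRS_DIR can be overridden to dry-run in a scratch directory. The rule ID 123456, the prefix /api/upload and the local rule id 10001 are placeholders, and the layout it assumes (crs-setup.conf.example plus rules/*.conf with the 900/999 exclusion files shipped as .example) is that of a CRS checkout.

```shell
#!/bin/sh
# Added example; not code from the original tutorial or from the CRS project.
# Prepares a git checkout of the OWASP Core Rule Set for mod_security2 and
# writes a scoped rule exclusion for Step 5. Defaults match the paths used
# in this guide; override CRS_DIR, MODSEC_CONF and DISTRO_CRS_DIR to dry-run
# in a scratch directory. Assumed checkout layout: crs-setup.conf.example
# and rules/*.conf (with the 900/999 exclusion files shipped as .example).

CRS_DIR="${CRS_DIR:-/etc/modsecurity.d/owasp-crs}"
MODSEC_CONF="${MODSEC_CONF:-/etc/modsecurity/modsecurity.conf}"
DISTRO_CRS_DIR="${DISTRO_CRS_DIR:-/usr/share/modsecurity-crs}"

# Return 0 when the checkout can be loaded, 1 otherwise. A fresh checkout has
# crs-setup.conf.example but no crs-setup.conf; loaded with IncludeOptional,
# Apache starts anyway and CRS rule 901001 then answers every request with a
# 500. Fail here instead, before Apache is touched.
crs_check_layout() {
  dir="$1" rc=0
  [ -d "$dir/rules" ] || { echo "missing $dir/rules" >&2; rc=1; }
  [ -f "$dir/crs-setup.conf" ] ||
    { echo "missing $dir/crs-setup.conf (copy crs-setup.conf.example)" >&2; rc=1; }
  return "$rc"
}

# Create crs-setup.conf from the shipped template unless it already exists.
crs_activate_setup() {
  [ -f "$1/crs-setup.conf" ] || cp "$1/crs-setup.conf.example" "$1/crs-setup.conf"
}

# Return 1 with a warning if the distribution's modsecurity-crs package is
# also present: security2.conf loads $DISTRO_CRS_DIR/*.load, and two copies
# of the rules make Apache refuse to start (every rule ID defined twice).
crs_warn_distro_copy() {
  for f in "$DISTRO_CRS_DIR"/*.load; do
    [ -e "$f" ] || return 0          # glob matched nothing: no second copy
    echo "warning: $f also loads CRS; remove modsecurity-crs or that file" >&2
    return 1
  done
}

# Append the include lines to the engine configuration exactly once.
# Include, not IncludeOptional, so a wrong path fails `apachectl configtest`
# instead of silently loading no rules. rules/*.conf also picks up the
# 900/999 exclusion files once they exist; their numbering orders them.
crs_append_includes() {
  dir="$1" conf="$2"
  grep -qF "Include $dir/crs-setup.conf" "$conf" && return 0
  printf '\n# OWASP CRS (setup file first, then the rules)\nInclude %s/crs-setup.conf\nInclude %s/rules/*.conf\n' \
    "$dir" "$dir" >> "$conf"
}

# Step 5: switch one rule off only for requests under a URI prefix. The
# exclusion must load after the rule it names, so it goes in the AFTER-CRS
# file, which the glob loads last. Rule ID, prefix and the local id 10001
# are placeholders; CRS reserves IDs 1-99999 for local rules.
crs_write_exclusion() {
  dir="$1" rule_id="$2" uri_prefix="$3"
  out="$dir/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
  if [ ! -f "$out" ]; then
    if [ -f "$out.example" ]; then cp "$out.example" "$out"; else : > "$out"; fi
  fi
  cat >> "$out" <<EOF

# Remove rule $rule_id for requests under $uri_prefix only
# (SecRuleRemoveById $rule_id would switch it off site-wide)
SecRule REQUEST_URI "@beginsWith $uri_prefix" \\
    "id:10001,phase:1,pass,nolog,ctl:ruleRemoveById=$rule_id"
EOF
}

# On a real host, as root, after `git clone ... "$CRS_DIR"` and a tag checkout:
#   crs_activate_setup "$CRS_DIR" && crs_check_layout "$CRS_DIR" &&
#   crs_warn_distro_copy && crs_append_includes "$CRS_DIR" "$MODSEC_CONF" &&
#   crs_write_exclusion "$CRS_DIR" 123456 /api/upload && apachectl configtest
```

Every function returns a meaningful exit status, so the usage line at the bottom stops at the first problem and never reaches apachectl. The scoped exclusion it writes is the shape to reach for before a site-wide SecRuleRemoveById: the rule stays active everywhere except the one prefix that produced the false positive.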
Step 6: Verify that ModSecurity is Working
ModSecurity evaluates the request (phases 1 and 2) before Apache hands it to any handler, so you do not need PHP to test blocking; any URL with an attack payload in the query string will do, and Step 2 did not install the PHP module. If you want an actual page behind the test and have PHP set up, create a small test file. It is deliberately unsafe (it reflects the parameter without escaping), so delete it once you are done:
sudo nano /var/www/html/test.php
Add the following PHP code to the file:
<?php
// Throwaway test target: reflects the parameter unescaped. Remove after testing.
$name = $_GET['name'];
echo "Hello, $name!";
?>
Save and close the file.
Next, request the test file with a URL that carries a SQL injection payload in the name parameter (replace localhost with your server's address; the quotes and semicolons are percent-encoded):
http://localhost/test.php?name=Robert%27%29%3B%20DROP%20TABLE%20students%3B--
If ModSecurity is working correctly, it blocks the request and Apache returns a 403 Forbidden error. If you see the message "Hello, Robert'); DROP TABLE students;--!" instead, the request reached the application: either SecRuleEngine is still DetectionOnly (the match is then only logged, which is the expected result while tuning) or the rule set did not load. The audit log from Step 7 and the Apache error log tell the two apart: a logged match with no block means DetectionOnly; no entry at all means the rules are not loaded, so run apachectl configtest and re-check the Include lines from Step 4.
Step 7: Monitor ModSecurity Logs
ModSecurity logs are the main tool for running the WAF: by reviewing them regularly you can identify attack attempts, and they are also where the rule IDs for the exclusions in Step 5 come from. Every rule match is additionally written to the Apache error log (/var/log/apache2/error.log) as a single "ModSecurity: Warning" or "ModSecurity: Access denied" line that names the rule ID, which is the quickest way to see which rule blocked a request.
The template copied in Step 3 already turns the audit log on. Look for these directives in the main configuration file and adjust the existing lines rather than appending a second copy:
SecAuditEngine On
SecAuditLog /var/log/modsec_audit.log
SecAuditEngine On records every transaction and produces a large log on a busy server. The shipped default, RelevantOnly, records only transactions whose response status matches SecAuditLogRelevantStatus (by default 4xx and 5xx other than 404) plus anything a rule explicitly marks with the auditlog action, and is usually the better choice. The SecAuditLog line sets the path; check what the template on your system uses, since the Debian-packaged one points at /var/log/apache2/modsec_audit.log instead. Save and close the file, then restart Apache to apply the changes.
The log is written in ModSecurity's native format: one block per transaction, delimited by --<id>-A-- through --<id>-Z--, where part A holds the timestamp and addresses, B the request headers, F the response headers and H the rule matches and engine messages. Which parts are written is set by SecAuditLogParts. Part H is where to look for the [id "..."] of a rule that fired.
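As an added example (not code from the original tutorial), the script below summarises a native-format audit log the way you would when looking for the rule behind a false positive: one line per transaction with client address, response status and the rule IDs that fired, plus the set of distinct IDs and a hit count per ID. The two-transaction log it writes is constructed for the demonstration: addresses, timestamps and transaction IDs are made up, and the first transaction is what the Step 6 test request looks like once CRS blocks it (942100 is CRS's libinjection SQL injection rule, 949110 its anomaly-score blocking rule). It assumes the default SecAuditLogParts, which include parts A, F and H.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: summarise a ModSecurity
# native-format audit log. The sample log below is constructed for the demo;
# addresses, timestamps and transaction IDs are made up.

# Write a constructed two-transaction audit log to the path given:
# the blocked Step 6 test request, then an ordinary page view.
write_sample_audit_log() {
  cat > "$1" <<'EOF'
--5f3a9c10-A--
[15/Mar/2024:10:22:41 +0000] ZfQmAbCdEfGhIjKlMnOpQr 203.0.113.5 51234 10.0.0.2 80
--5f3a9c10-B--
GET /test.php?name=Robert%27%29%3B%20DROP%20TABLE%20students%3B-- HTTP/1.1
Host: www.example.com
User-Agent: curl/8.5.0
--5f3a9c10-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=iso-8859-1
--5f3a9c10-H--
Message: Warning. detected SQLi using libinjection. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: found within ARGS:name: Robert'); DROP TABLE students;--"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Engine-Mode: "ENABLED"
--5f3a9c10-Z--

--5f3a9c11-A--
[15/Mar/2024:10:22:43 +0000] ZfQmAbCdEfGhIjKlMnOpQs 198.51.100.7 40211 10.0.0.2 80
--5f3a9c11-B--
GET /index.html HTTP/1.1
Host: www.example.com
--5f3a9c11-F--
HTTP/1.1 200 OK
Content-Type: text/html
--5f3a9c11-H--
Engine-Mode: "ENABLED"
--5f3a9c11-Z--
EOF
}

# One line per transaction: client IP, response status, comma-separated rule
# IDs that fired ("-" if none). Transactions are delimited by
# "--<txid>-A--" ... "--<txid>-Z--"; the letter names the part.
modsec_summarise() {
  awk '
    /^--[0-9a-f]+-[A-Z]--$/ {
      sec = substr($0, length($0) - 2, 1)
      if (sec == "Z") {
        print ip, status, (ids == "" ? "-" : ids)
        ip = status = ids = ""
      }
      next
    }
    # Part A: [time] txid client_ip client_port server_ip server_port
    sec == "A" && NF >= 7 { ip = $4 }
    # Part F: response status line
    sec == "F" && $1 ~ /^HTTP\// { status = $2 }
    # Part H: one "Message:" line per matched rule, carrying [id "NNNNNN"]
    sec == "H" && /\[id "[0-9]+"\]/ {
      match($0, /\[id "[0-9]+"\]/)
      id = substr($0, RSTART + 5, RLENGTH - 7)
      ids = (ids == "" ? id : ids "," id)
    }
  ' "$1"
}

# Every distinct rule ID in the log, sorted: the starting point for Step 5.
modsec_rule_ids() {
  grep -o '\[id "[0-9]*"\]' "$1" | tr -dc '0-9\n' | sort -u
}

# How often each rule fired, most frequent first (count then ID).
modsec_rule_hits() {
  grep -o '\[id "[0-9]*"\]' "$1" | tr -dc '0-9\n' | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed log; point the functions at
# /var/log/modsec_audit.log (or the path in your SecAuditLog line) on a server.
log=$(mktemp)
write_sample_audit_log "$log"
modsec_summarise "$log"
modsec_rule_hits "$log"
rm -f "$log"
```

A rule that shows up at the top of modsec_rule_hits for requests you know are legitimate is the candidate for a Step 5 exclusion; the summary line for such a transaction shows which other rules matched alongside it and whether the anomaly score actually reached the blocking rule (949110), which is what decides whether the request was denied.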
Conclusion
Security is a first-order concern for any production application, and ModSecurity is an effective way to protect web applications from a wide range of attacks. In this tutorial, we showed you how to install ModSecurity for Apache on Ubuntu and Debian, load the OWASP Core Rule Set, switch the engine from detection to blocking, exclude rules that produce false positives, and read the audit log. By following the steps above, and by tuning against your own traffic before enabling blocking, you can enhance the security of your web applications and protect them from common web application vulnerabilities.