ModSecurity is an open-source web application firewall (WAF) that is designed to protect web applications from various types of attacks. It is a module for the Apache web server that intercepts incoming web traffic and analyzes it for signs of malicious activity. ModSecurity can detect and prevent attacks such as SQL injection, cross-site scripting (XSS), file inclusion, and many other common web-based attacks. It is highly customizable and can be fine-tuned to meet the specific needs of your web application. ModSecurity has become a widely used tool for protecting web servers and is a key component in the overall security posture of many organizations.
By implementing ModSecurity on your Apache web server, you can significantly enhance the security of your web application and reduce the risk of data breaches and other security incidents. In this tutorial, we will show you how to install and configure ModSecurity for Apache on Ubuntu and other Debian-based Linux distributions.
- A server running Ubuntu or Debian-based Linux.
- Access to a terminal window or command-line shell with sudo privileges.
Step 1: Update Your System
Before installing any packages, it is recommended to refresh the package lists and upgrade the packages already installed on your Ubuntu system. Run the following commands to do so:
sudo apt update
sudo apt upgrade
Step 2: Install Apache and ModSecurity Module
First, we need to install the Apache web server on our Ubuntu system. Run the following command to install Apache:
sudo apt install apache2
Next, install the ModSecurity module for Apache by running the following command:
sudo apt install libapache2-mod-security2
After the ModSecurity module is installed, it needs to be enabled. Run the following command to enable it:
sudo a2enmod security2
Step 3: Configure ModSecurity
ModSecurity is pre-configured with a basic set of rules, but you may need to customize it to suit your needs. The main configuration file for ModSecurity is located at /etc/modsecurity/modsecurity.conf.
You can modify this file to enable or disable specific rules or change their severity. For example, ModSecurity ships in detection-only mode, where attacks such as SQL injection are logged but not blocked. To make it actively block them, find the following line:
Comment out the “SecRuleEngine DetectionOnly” line by prefixing it with a # symbol and add the “SecRuleEngine On” line below it:
#SecRuleEngine DetectionOnly
SecRuleEngine On
After you have made changes to the configuration file, restart the Apache web server to apply the changes:
sudo systemctl restart apache2
Step 4: Enable the Latest Rule Set
The ModSecurity rule set is a collection of rules that determine how ModSecurity behaves in response to various types of attacks. It is important to enable the latest rule set to get the most protection from ModSecurity.
To enable the latest rule set, first, remove the default rule set:
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then, download the latest rule set:
sudo git clone https://github.com/coreruleset/coreruleset.git /etc/modsecurity.d/owasp-crs
Finally, include the rule set in the main ModSecurity configuration file:
sudo nano /etc/modsecurity/modsecurity.conf
Add the following line at the end of the file:
IncludeOptional /etc/modsecurity.d/owasp-crs/crs-setup.conf
IncludeOptional /etc/modsecurity.d/owasp-crs/rules/*.conf
Save and close the file, then restart Apache to apply the changes:
sudo systemctl restart apache2
Step 5: Fine-Tune the ModSecurity Rules
While the latest rule set provides a good level of protection, it is not perfect. There may be cases where some rules need to be fine-tuned or disabled altogether. For example, if a rule is causing false positives, it may need to be disabled.
To fine-tune ModSecurity rules, you will need to modify the main ModSecurity configuration file. You can find it at “/etc/modsecurity/modsecurity.conf”.
Each rule is identified by a unique ID number, which you can use to modify or disable the rule. For example, to disable rule ID number 123456, add the following line to the configuration file:
Save and close the file, then restart Apache to apply the changes.
Step 6: Verify that ModSecurity is Working
To verify that ModSecurity is working correctly, create a test PHP file on your web server:
sudo nano /var/www/html/test.php
Add the following PHP code to the file:
Save and close the file.
Next, try accessing the test file with a URL that includes a SQL injection attack:
If ModSecurity is working correctly, it should block the request and return a 403 Forbidden error. If you see the message “Hello, Robert'); DROP TABLE students;--!”, then ModSecurity is not working.
Step 7: Monitor ModSecurity Logs
ModSecurity logs can be an invaluable tool for monitoring your web server’s security. By reviewing the logs regularly, you can identify attack attempts and other security events.
To enable ModSecurity logging, add the following lines to the main configuration file:
SecAuditEngine On
SecAuditLog /var/log/modsec_audit.log
Save and close the file, then restart Apache to apply the changes. The logs will be stored in the file “/var/log/modsec_audit.log”.
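Steps 5 and 7 both come down to reading this audit log: the rule IDs it records are the ones you would exclude with SecRuleRemoveById when a rule keeps firing on legitimate traffic, and the intercepted transactions are what you monitor. The following script is an added example, not part of this tutorial, that parses the serial (single-file) audit-log format the SecAuditLog directive above produces, where each transaction is a run of "--txid-PART--" sections and the rule messages sit in part H. The log content it runs over is a constructed sample, not a real capture.

```python
import re
from collections import Counter, defaultdict
# Constructed sample of ModSecurity's serial audit log: one allowed request and one blocked one.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[12/Mar/2023:10:15:02 +0000] ZAyDQn8AAQEAAB5yH2oAAAAA 203.0.113.10 51234 198.51.100.5 80
--1a2b3c4d-B--
GET /test.php?name=Robert HTTP/1.1
--1a2b3c4d-Z--
--5e6f7a8b-A--
[12/Mar/2023:10:15:09 +0000] ZAyDSX8AAQEAAB5yH2sAAAAB 203.0.113.10 51240 198.51.100.5 80
--5e6f7a8b-B--
GET /test.php?name=Robert%27%29%3B+DROP+TABLE+students%3B-- HTTP/1.1
--5e6f7a8b-H--
Message: Warning. detected SQLi using libinjection. [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/etc/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--5e6f7a8b-Z--
"""
BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")  # "--<txid>-<part>--" section marker
FIELD = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')  # key/value tags in Message: lines

def parse_audit_log(text):
    """Split the serial audit log into transactions: {"id": txid, "parts": {letter: [lines]}}."""
    transactions, part = [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(2) == "A":  # part A always opens a new transaction
            transactions.append({"id": m.group(1), "parts": defaultdict(list)})
        if m:
            part = m.group(2)
        elif transactions and line:
            transactions[-1]["parts"][part].append(line)
    return transactions

def summarize(transactions):
    """Return the intercepted transactions and a hit count per (rule id, msg)."""
    blocked, hits = [], Counter()
    for tx in transactions:
        rules, intercepted = [], False
        for line in tx["parts"]["H"]:
            fields = dict(FIELD.findall(line)) if line.startswith("Message:") else {}
            if "id" in fields:  # every rule message carries its [id ...] tag
                rules.append(fields["id"])
                hits[(fields["id"], fields.get("msg", ""))] += 1
            intercepted |= line.startswith("Action: Intercepted")
        if intercepted:  # part A: "[timestamp] txid client_ip client_port server_ip server_port"
            client = tx["parts"]["A"][0].split()[3]
            blocked.append({"tx": tx["id"], "client": client, "request": tx["parts"]["B"][0], "rules": rules})
    return blocked, hits
```

Run it against /var/log/modsec_audit.log instead of the sample to see which rule IDs fire most often; an ID that keeps appearing on ordinary traffic is a candidate for tuning, while the blocked list is what you review in monitoring.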
Security is always the first priority for production applications. ModSecurity is an effective way to protect web applications from various attacks. In this tutorial, we showed you how to install and configure ModSecurity for Apache on Ubuntu and Debian. By following the steps above, you can enhance the security of your web applications and protect them from common web application vulnerabilities.