
    How To Setup Apache ModSecurity on Ubuntu & Debian

    By Rahul | July 29, 2023 | 5 Mins Read

    ModSecurity is an open-source web application firewall (WAF) that is designed to protect web applications from various types of attacks. It is a module for the Apache web server that intercepts incoming web traffic and analyzes it for signs of malicious activity. ModSecurity can detect and prevent attacks such as SQL injection, cross-site scripting (XSS), file inclusion, and many other common web-based attacks. It is highly customizable and can be fine-tuned to meet the specific needs of your web application. ModSecurity has become a widely used tool for protecting web servers and is a key component in the overall security posture of many organizations.

    By implementing ModSecurity on your Apache web server, you can significantly enhance the security of your web application and reduce the risk of data breaches and other security incidents. In this tutorial, we will show you how to install and configure ModSecurity for Apache on Ubuntu and other Debian-based Linux distributions.

    Prerequisites

    • A server running Ubuntu or Debian-based Linux.
    • Access to a terminal window or command-line shell with sudo privileges.

    Step 1: Update Your System

    Before installing any packages, it is recommended to update your Ubuntu system to the latest version. Run the following commands to update the system:

    sudo apt update 
    sudo apt upgrade 
    

    Step 2: Install Apache and ModSecurity Module

    First, we need to install the Apache web server on our Ubuntu system. Run the following command to install Apache:

    sudo apt install apache2 
    

    Next, install the ModSecurity module for Apache by running the following command:

    sudo apt install libapache2-mod-security2 
    

    After the ModSecurity module is installed, it needs to be enabled. Run the following command to enable it:

    sudo a2enmod security2 
    

    Step 3: Configure ModSecurity

    ModSecurity is pre-configured with a basic set of rules, but you may need to customize it to suit your needs. The main configuration file for ModSecurity is located at /etc/modsecurity/modsecurity.conf.

    You can modify this file to enable or disable specific rules or change their severity. For example, to have ModSecurity block SQL injection attempts instead of only detecting them, find the “SecRuleEngine DetectionOnly” line.

    Comment out the “SecRuleEngine DetectionOnly” line by prefixing it with the # symbol and add the “SecRuleEngine On” line:

    
    #SecRuleEngine DetectionOnly
    SecRuleEngine On
    
    

    After you have made changes to the configuration file, restart the Apache web server to apply the changes:

    sudo systemctl restart apache2 
    

    Step 4: Enable the Latest Rule Set

    The ModSecurity rule set is a collection of rules that determine how ModSecurity behaves in response to various types of attacks. It is important to enable the latest rule set to get the most protection from ModSecurity.

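    To enable the latest rule set, first put the packaged recommended configuration in place as the main configuration file. Note that this overwrites any existing /etc/modsecurity/modsecurity.conf, including the SecRuleEngine change from Step 3: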

    sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf 
    

    Then, download the latest rule set:

    sudo git clone https://github.com/coreruleset/coreruleset.git /etc/modsecurity.d/owasp-crs 
    

    Finally, include the rule set in the main ModSecurity configuration file:

    sudo nano /etc/modsecurity/modsecurity.conf 
    

    Add the following lines at the end of the file:

    
    IncludeOptional /etc/modsecurity.d/owasp-crs/crs-setup.conf
    IncludeOptional /etc/modsecurity.d/owasp-crs/rules/*.conf
    

    Save and close the file, then restart Apache to apply the changes:

    sudo systemctl restart apache2 
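
    A configuration check for the state Steps 3 and 4 leave behind, as an added example that is not part of the original tutorial. It reports the SecRuleEngine mode set in one file and lists include patterns that match nothing on disk, since IncludeOptional skips those silently (a fresh clone of the rule set ships crs-setup.conf.example rather than crs-setup.conf); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check one ModSecurity config file after Steps 3 and 4.
# Only this file is read; directives set in other Apache files are not seen.

# Print the value of the last uncommented SecRuleEngine directive.
modsec_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 }
         END { if (mode == "") mode = "unset"; print mode }' "$1"
}

# Print every Include/IncludeOptional pattern that matches no existing file.
# Assumes absolute paths without spaces, as used in this tutorial.
modsec_missing_includes() {
    awk '$1 == "Include" || $1 == "IncludeOptional" {
             gsub(/"/, "", $2); print $2 }' "$1" |
    while IFS= read -r pattern; do
        found=0
        for f in $pattern; do        # unquoted on purpose: expands the glob
            if [ -e "$f" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$pattern"
    done
}

# Report both findings; exit status 0 only when blocking is on and every
# include resolves. Runs in a subshell so no variables leak to the caller.
modsec_check() (
    mode=$(modsec_engine_mode "$1")
    missing=$(modsec_missing_includes "$1")
    status=0
    if [ "$mode" != "On" ]; then
        echo "WARN: SecRuleEngine is $mode, so matching requests are not blocked"
        status=1
    fi
    if [ -n "$missing" ]; then
        echo "WARN: include patterns that match no file:"
        echo "$missing" | sed 's/^/  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: engine On, every include resolves"; fi
    exit "$status"
)

# Usage: sh modsec_check.sh /etc/modsecurity/modsecurity.conf
if [ -n "${1:-}" ]; then modsec_check "$1"; fi
```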
    

    Step 5: Fine-Tune the ModSecurity Rules

    While the latest rule set provides a good level of protection, it is not perfect. There may be cases where some rules need to be fine-tuned or disabled altogether. For example, if a rule is causing false positives, it may need to be disabled.

    To fine-tune ModSecurity rules, you will need to modify the main ModSecurity configuration file. You can find it at “/etc/modsecurity/modsecurity.conf”.

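    Each rule is identified by a unique ID number, which you can use to modify or disable the rule. For example, to disable rule ID number 123456, add the following line to the configuration file. Place it after the IncludeOptional lines from Step 4, because the directive only removes rules that have already been loaded: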

    
    SecRuleRemoveById 123456
    

    Save and close the file, then restart Apache to apply the changes.

    Step 6: Verify that ModSecurity is Working

    To verify that ModSecurity is working correctly, create a test PHP file on your web server:

    sudo nano /var/www/html/test.php 
    

    Add the following PHP code to the file:

    
    
    

    Save and close the file.

    Next, try accessing the test file with a URL that includes a SQL injection attack:

    http://your_server_ip/test.php?name=Robert'); DROP TABLE students;--

    If ModSecurity is working correctly, it should block the request and return a 403 Forbidden error. If you see the message “Hello, Robert'); DROP TABLE students;--!”, then ModSecurity is not working.

    Step 7: Monitor ModSecurity Logs

    ModSecurity logs can be an invaluable tool for monitoring your web server’s security. By reviewing the logs regularly, you can identify attack attempts and other security events.

    To enable ModSecurity logging, add the following lines to the main configuration file:

    
    SecAuditEngine On
    SecAuditLog /var/log/modsec_audit.log
    

    Save and close the file, then restart Apache to apply the changes. The logs will be stored in the file “/var/log/modsec_audit.log”.
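
    One way to review the audit log and feed the tuning in Step 5, as an added example that is not part of the original tutorial: it counts the rule IDs recorded in the "Message:" lines of the serial audit log and ranks them by frequency. The function names are hypothetical and the embedded log is a constructed, shortened sample.

```shell
#!/bin/sh
# Added example: rank the rule IDs that fired in a ModSecurity audit log.

# Constructed sample log: two shortened transactions (sections A, H, Z only).
modsec_sample_log() {
    cat <<'EOF'
--a1b2c3d4-A--
[29/Jul/2023:10:00:00 +0000] sample-txn-1 203.0.113.5 51234 192.0.2.10 80
--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"]
--a1b2c3d4-Z--
--e5f6a7b8-A--
[29/Jul/2023:10:05:00 +0000] sample-txn-2 203.0.113.9 40022 192.0.2.10 80
--e5f6a7b8-H--
Message: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded"]
--e5f6a7b8-Z--
EOF
}

# Print "count id msg" for every rule ID found in Message: lines, most
# frequent first. Reads the file given as $1, or stdin when none is given.
# IDs that fire on legitimate traffic are the candidates for
# SecRuleRemoveById in Step 5.
modsec_rule_hits() {
    awk '
    /^Message: / {
        if (match($0, /\[id "[0-9]+"\]/)) {
            id = substr($0, RSTART + 5, RLENGTH - 7)     # digits only
            msg = "(no msg)"
            if (match($0, /\[msg "[^"]*"\]/))
                msg = substr($0, RSTART + 6, RLENGTH - 8)
            hits[id]++
            text[id] = msg
        }
    }
    END { for (id in hits) printf "%d %s %s\n", hits[id], id, text[id] }
    ' "${1:--}" | sort -k1,1nr -k2,2n
}

# Usage: sh modsec_hits.sh /var/log/modsec_audit.log
# Without an argument, the constructed sample above is summarised instead.
if [ -n "${1:-}" ]; then modsec_rule_hits "$1"; else modsec_sample_log | modsec_rule_hits; fi
```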

    Conclusion

    Security is always the first priority for production applications. ModSecurity is an effective way to protect web applications from various attacks. In this tutorial, we showed you how to install and configure ModSecurity for Apache on Ubuntu and Debian. By following the steps above, you can enhance the security of your web applications and protect them from common web application vulnerabilities.
