
How to Configure ModSecurity on Apache?

Apache is a widely used web server, and security is one of the most important aspects of configuring any web server. ModSecurity works like a firewall for Apache web servers: it monitors HTTP traffic in real time to detect attacks. This guide shows how to configure ModSecurity on the Apache web server.


ModSecurity also works as an Intrusion Detection System allowing you to act against suspicious events.

The OWASP Core Rule Set (CRS) comes installed with ModSecurity. The main goal of the OWASP CRS project is to detect generic attacks and provide a base level of security for any web application. Its rules are configured to prevent common attacks such as SQL injection, remote code execution, and cross-site scripting.

In this guide, you will learn how you can configure the default rule set of ModSecurity on Apache.

Install ModSecurity

On Ubuntu

$ sudo apt install libapache2-mod-security2

Restart Apache service

$ sudo systemctl restart apache2

On CentOS

$ sudo yum install mod_security

Restart Apache service

$ sudo systemctl restart httpd

OWASP ModSecurity rule set

The steps below are for Debian-based systems. For RHEL and CentOS, paths and commands will differ.

Move and rename the default ModSecurity file

$ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Install git

$ sudo apt install git

Download OWASP ModSecurity CRS from GitHub

$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Move inside the downloaded directory and rename “crs-setup.conf.example” to “crs-setup.conf”. Make sure to move rules/ as well.

$ cd owasp-modsecurity-crs
$ sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
$ sudo mv rules/ /etc/modsecurity/

Open the security2 module configuration file

$ sudo nano /etc/apache2/mods-available/security2.conf

Copy and paste the code below

<IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity

    # Include all the *.conf files in /etc/modsecurity.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    IncludeOptional /etc/modsecurity/*.conf
    Include /etc/modsecurity/rules/*.conf
</IfModule>

Restart Apache service

$ sudo systemctl restart apache2

Testing ModSecurity

Open the default Apache virtual host configuration file (000-default.conf) and add the two additional directives, SecRuleEngine and SecRule, as shown below

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SecRuleEngine On
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
</VirtualHost>

Restart Apache service

$ sudo systemctl restart apache2

Request the index page with curl to trigger the test rule

$ curl "localhost/index.html?testparam=test"

You can check for the resulting error in the Apache error log using

$ sudo tail -f /var/log/apache2/error.log
"ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "24"] [id "1234"] [msg "Our test rule has triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "WfnEd38AAAEAAEnQyBAAAAAB"]"
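
Once the rule set is active, these error.log entries are what you review to see which rules fire and on which URLs. As an added example (not part of the original guide), the shell functions below extract the rule id, status code, URI and message from "Access denied" lines and count hits per rule; the function names are hypothetical, and the sample log is constructed from the entry shown above, with rule id 9999 and the /login.php and /search URIs made up for illustration.

```bash
#!/bin/sh
# Added example: summarize ModSecurity denials from an Apache error log.

# Constructed sample input. Line 1 is the entry from this guide; the rest are made up.
sample_log() {
cat <<'EOF'
ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "24"] [id "1234"] [msg "Our test rule has triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "WfnEd38AAAEAAEnQyBAAAAAB"]
[core:notice] constructed non-ModSecurity line that must be ignored
ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "24"] [id "1234"] [msg "Our test rule has triggered"] [hostname "localhost"] [uri "/login.php"] [unique_id "CONSTRUCTED-0002"]
ModSecurity: Access denied with code 403 (phase 2). [id "9999"] [msg "Constructed second rule"] [hostname "localhost"] [uri "/search"] [unique_id "CONSTRUCTED-0003"]
EOF
}

# Print "id<TAB>status<TAB>uri<TAB>msg" for every denial line read from stdin.
modsec_denials() {
  awk '
    # Return the value of a [name "value"] tag, or "-" when the tag is absent.
    function tag(line, name,    pat, s) {
      pat = "\\[" name " \"[^\"]*\"\\]"
      if (!match(line, pat)) return "-"
      s = substr(line, RSTART, RLENGTH)
      sub("^\\[" name " \"", "", s)
      sub("\"\\]$", "", s)
      return s
    }
    /ModSecurity: Access denied with code [0-9]+/ {
      match($0, /with code [0-9]+/)
      code = substr($0, RSTART + 10, RLENGTH - 10)   # skip the 10 chars of "with code "
      printf "%s\t%s\t%s\t%s\n", tag($0, "id"), code, tag($0, "uri"), tag($0, "msg")
    }'
}

# Count denials per rule id, most frequent first, as "count id".
modsec_top_rules() {
  modsec_denials | cut -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Usage on the constructed sample; on a server, feed the real log instead:
#   sudo cat /var/log/apache2/error.log | modsec_top_rules
sample_log | modsec_top_rules
```

A rule id that dominates this count on legitimate URLs is a candidate for tuning before you rely on blocking mode.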

With this, you have successfully configured ModSecurity for Apache.
