ModSecurity is a free and open-source web application firewall (WAF) engine that runs as a module inside web servers such as Apache, Nginx and IIS. It inspects HTTP requests and responses against a rule set and blocks requests that match attack signatures, including cross-site scripting (XSS), SQL and command injection, other known injection patterns and, with suitable rules, brute-force attempts. It also writes a detailed audit log in real time, which helps you detect and respond to intrusions. The engine itself ships with almost no detection rules, so in practice it is paired with a rule set such as the OWASP Core Rule Set (CRS), which is what this guide installs.
Install ModSecurity
Run the following command to install the ModSecurity Apache module:

    apt install libapache2-mod-security2 -y

Note that on Ubuntu this package recommends the modsecurity-crs package, so a default apt run installs the distribution's copy of the Core Rule Set as well. That matters later, because this guide installs the Core Rule Set by hand and the two copies must not both be loaded.
Once the package is installed, enable the ModSecurity module with the following command:
    a2enmod security2
Next, restart the Apache service to apply the changes:
    systemctl restart apache2
You can also check that Apache is running with the following command:

    systemctl status apache2
Configure ModSecurity
Next, edit the ModSecurity configuration file:
    nano /etc/apache2/mods-enabled/security2.conf
Make sure the line that includes the local configuration directory is present and not commented out:

    IncludeOptional /etc/modsecurity/*.conf

Then comment out the line that loads the distribution-packaged Core Rule Set, because the rules you install by hand later would otherwise be loaded a second time, and ModSecurity refuses to start when two loaded rules carry the same id:

    #IncludeOptional /usr/share/modsecurity-crs/*.load
Save and close the file, then activate the recommended ModSecurity configuration by renaming it:

    mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Next, edit the ModSecurity configuration file:

    nano /etc/modsecurity/modsecurity.conf
Change the following two lines. The recommended file ships with SecRuleEngine DetectionOnly, which logs matches but never blocks, so set it to On. SecAuditLogParts selects which parts of each transaction are written to the audit log; C adds the request body and K the list of rules that matched, which is what makes the log useful when you tune rules:

    SecRuleEngine On
    SecAuditLogParts ABCEFHJKZ
Save and close the file, then restart the Apache service to apply the changes:

    systemctl restart apache2
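The hand edits from this section as an added shell example (not code from the tutorial or the ModSecurity project): configure_modsec sets the two directives in modsecurity.conf, makes sure the local include is active and comments out the packaged-CRS include in security2.conf, and can be re-run without producing duplicate lines. The files demo_config writes under a temporary directory are constructed excerpts that mirror the shipped defaults, so the script runs without touching /etc; call configure_modsec with the real paths to apply it for real.

```shell
#!/bin/sh
# Added example: script the ModSecurity config edits from this section idempotently.
# The config excerpts written by demo_config are CONSTRUCTED (they mirror the shipped
# defaults); the real files are /etc/modsecurity/modsecurity.conf and
# /etc/apache2/mods-enabled/security2.conf.

# set_directive FILE NAME VALUE: rewrite the first NAME line (commented or not) as
# "NAME VALUE", or append one if the directive is absent.
set_directive() {
    file=$1 name=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v n="$name" -v v="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" n "[ \t]" }
        !done && $0 ~ re { print n " " v; done = 1; next }
        { print }
        END { if (!done) print n " " v }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# comment_line FILE REGEX: comment out every active line matching REGEX.
comment_line() {
    file=$1 re=$2
    tmp=$(mktemp) || return 1
    awk -v re="$re" '$0 ~ re && $0 !~ /^[ \t]*#/ { print "#" $0; next } { print }' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# uncomment_line FILE REGEX: strip the leading "#" from commented lines matching REGEX.
uncomment_line() {
    file=$1 re=$2
    tmp=$(mktemp) || return 1
    awk -v re="$re" '$0 ~ re && $0 ~ /^[ \t]*#/ { sub(/^[ \t]*#[ \t]*/, ""); print; next } { print }' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE NAME: print the active value of NAME (empty if unset).
get_directive() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# configure_modsec MODSEC_CONF SECURITY2_CONF: the hand edits from this section.
configure_modsec() {
    set_directive "$1" SecRuleEngine On          # DetectionOnly only logs, never blocks
    set_directive "$1" SecAuditLogParts ABCEFHJKZ
    uncomment_line "$2" 'IncludeOptional /etc/modsecurity/[*][.]conf'
    # The packaged CRS must not load next to the copy unpacked by hand:
    # two copies of the same rule ids make Apache refuse to start.
    comment_line "$2" 'IncludeOptional /usr/share/modsecurity-crs/'
}

# demo_config: run the edits on constructed copies (twice, to show idempotence) and print them.
demo_config() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'SecRuleEngine DetectionOnly' 'SecRequestBodyAccess On' \
        'SecAuditLogParts ABIJDEFHZ' > "$d/modsecurity.conf"
    printf '%s\n' '<IfModule security2_module>' '    SecDataDir /var/cache/modsecurity' \
        '    # IncludeOptional /etc/modsecurity/*.conf' \
        '    IncludeOptional /usr/share/modsecurity-crs/*.load' '</IfModule>' > "$d/security2.conf"
    configure_modsec "$d/modsecurity.conf" "$d/security2.conf"
    configure_modsec "$d/modsecurity.conf" "$d/security2.conf"   # second run must change nothing
    cat "$d/modsecurity.conf" "$d/security2.conf"
    rm -rf "$d"
}

demo_config
```

Running the script prints the edited excerpts; after the change, apache2ctl -t followed by a restart applies it exactly as the manual steps do.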
Install the OWASP Core Rule Set
ModSecurity on its own carries almost no detection rules, so to protect your web application against common attacks you need to download and install the OWASP Core Rule Set (CRS).
First, download the rule set. Version 3.3.0 is used throughout this guide; the project publishes newer point releases, so check its releases page and, if you pick another version, use that version's file and directory names consistently in the steps below:

    wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
Once the download is completed, extract the downloaded file:

    tar xvf v3.3.0.tar.gz
Next, create a directory for the rules and move the extracted rule set into it:

    mkdir /etc/apache2/modsecurity-crs/
    mv coreruleset-3.3.0/ /etc/apache2/modsecurity-crs
Next, change into the CRS directory and activate the setup file by renaming the shipped example (crs-setup.conf is where you later adjust the paranoia level and anomaly thresholds):

    cd /etc/apache2/modsecurity-crs/coreruleset-3.3.0/
    mv crs-setup.conf.example crs-setup.conf
Next, edit the ModSecurity module configuration and point it at your CRS files:

    nano /etc/apache2/mods-enabled/security2.conf

Add the following lines (the setup file must come before the rules, because the rules depend on the variables it initialises):

    IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/crs-setup.conf
    IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/*.conf
Save and close the file, then check the Apache configuration for syntax errors. This is also where ModSecurity reports a rule id that is defined twice, which is what you will see if the packaged Core Rule Set is still being loaded alongside this one:

    apache2ctl -t
If everything is fine, you will get the following output:

    Syntax OK
Finally, restart the Apache service to apply the configuration:

    systemctl restart apache2
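As an added example (not from the tutorial or the CRS project), a small pre-check for the failure mode behind the security2.conf edit earlier: ModSecurity refuses to start when two loaded rule files define the same rule id, which is exactly what happens if the packaged Core Rule Set under /usr/share/modsecurity-crs (that path is assumed from the Ubuntu package) is still included next to the copy unpacked here. duplicate_rule_ids lists every id that appears in more than one of the files you pass it; apache2ctl -t reports the same problem, but stops at the first one. The rule files demo_duplicates writes are constructed.

```shell
#!/bin/sh
# Added example: detect rule ids defined in more than one rule file before Apache does.
# Paths in the comments are assumptions; the files written by demo_duplicates are CONSTRUCTED.

# rule_ids FILE...: print "id file" for every id:NNN (or id:'NNN') action, ignoring
# comment lines (crs-setup.conf.example carries commented-out examples with real ids).
rule_ids() {
    for f in "$@"; do
        grep -vE '^[[:space:]]*#' "$f" | grep -oE "id:'?[0-9]+" | tr -d "id:'" \
            | awk -v f="$f" '{ print $0, f }'
    done
}

# duplicate_rule_ids FILE...: print "id: file file..." for each id seen more than once.
duplicate_rule_ids() {
    rule_ids "$@" | sort | awk '
        { n[$1]++; files[$1] = files[$1] " " $2 }
        END { for (id in n) if (n[id] > 1) print id ":" files[id] }' | sort
}

# demo_duplicates: two constructed rule files that share id 100002 (100001 only
# appears once for real; its second occurrence is in a comment and must be ignored).
demo_duplicates() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'SecRule ARGS "@rx foo" "id:100001,phase:2,deny"' \
        'SecRule ARGS "@rx bar" \' '    "id:100002,phase:2,deny"' > "$d/a.conf"
    printf '%s\n' '# "id:100001,phase:2,deny"   commented example, must be ignored' \
        'SecRule ARGS "@rx baz" "id:100002,phase:2,pass"' > "$d/b.conf"
    duplicate_rule_ids "$d/a.conf" "$d/b.conf"
    rm -rf "$d"
}

demo_duplicates
# Real use (paths assumed), e.g.:
#   duplicate_rule_ids /etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/*.conf \
#                      /usr/share/modsecurity-crs/rules/*.conf
```

An empty result means the files you pass can be loaded together; any line printed names an id you must remove from one side (or an include you must comment out) before apache2ctl -t will pass.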
Verify ModSecurity
At this point, the Apache web server is configured with ModSecurity. Now, it’s time to test whether it works or not.
Open your command-line interface and send a request whose query string looks like a command-execution attempt (the quotes keep the shell from treating the ? as a glob character):

    curl 'http://localhost/index.html?exec=/bin/bash'
You should get a 403 Forbidden response:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access this resource.</p>
    <hr>
    <address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>
    </body></html>
You can also test ModSecurity with a second probe that references a system binary in a parameter:

    curl 'http://localhost/?doc=/bin/ls'

This request is blocked as well and returns the same 403 Forbidden page.
You can also check the ModSecurity audit log for details of what was blocked:

    tail /var/log/apache2/modsec_audit.log

The tail of the log shows the end of the most recent transaction record. Because K is included in SecAuditLogParts, this is the list of rules that matched (here the CRS correlation rules from the 980 series that add up the anomaly scores), followed by the Z line that terminates the record:

    SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980130,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.0"
    SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.0,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
    SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.0,chain"
    #SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
    --c2d93508-Z--

The individual rule that scored the request, with its id and message, is easier to find in the Apache error log (/var/log/apache2/error.log), where ModSecurity writes one line per matching rule and a final "Access denied with code 403" line when the anomaly threshold is reached.
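As an added example (not code from the tutorial), a small triage script for the verification step: it pulls the rule id, message and URI out of ModSecurity's error-log lines and separates requests the engine actually denied (the 403s above) from rules that merely added to the score. The log lines embedded in SAMPLE_LOG are constructed in the ModSecurity 2.x error-log format to stand in for /var/log/apache2/error.log; the rule ids and messages are illustrative rather than captured from this server. The probe function assumes the Apache instance from this guide is running and is not exercised offline.

```shell
#!/bin/sh
# Added example: pull ModSecurity events out of the Apache error log and separate
# blocked requests from warnings. SAMPLE_LOG is CONSTRUCTED in the ModSecurity 2.x
# error-log format to stand in for /var/log/apache2/error.log; the rule ids and
# messages are illustrative, not captured from the page's server.
SAMPLE_LOG='[Mon Jan 09 10:00:00.000001 2023] [:error] [pid 1001:tid 1001] [client 127.0.0.1:40000] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:exec. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "100"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "attack-rce"] [hostname "localhost"] [uri "/index.html"] [unique_id "constructed-1"]
[Mon Jan 09 10:00:00.000002 2023] [:error] [pid 1001:tid 1001] [client 127.0.0.1:40000] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [tag "attack-generic"] [hostname "localhost"] [uri "/index.html"] [unique_id "constructed-1"]
[Mon Jan 09 10:00:05.000001 2023] [:error] [pid 1001:tid 1002] [client 127.0.0.1:40001] [client 127.0.0.1] ModSecurity: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "700"] [id "920350"] [msg "Host header is a numeric IP address"] [data "127.0.0.1"] [severity "WARNING"] [ver "OWASP_CRS/3.3.0"] [tag "attack-protocol"] [hostname "127.0.0.1"] [uri "/"] [unique_id "constructed-2"]'

# modsec_events: stdin error-log lines -> "id|msg|uri", one line per ModSecurity event.
modsec_events() {
    sed -n 's/.*ModSecurity: .*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1|\2|\3/p'
}

# modsec_blocked: only the events where the engine denied the request,
# i.e. what a 403 in the curl tests above corresponds to.
modsec_blocked() {
    grep 'ModSecurity: Access denied' | modsec_events
}

# modsec_warnings: rules that scored the request but did not themselves block it
# (a single low-scoring match such as 920350 stays under the default threshold of 5).
modsec_warnings() {
    grep 'ModSecurity: Warning' | modsec_events
}

# modsec_rule_counts: how often each rule id fired, most frequent first; a rule that
# keeps firing on legitimate traffic is a tuning candidate before it blocks users.
modsec_rule_counts() {
    modsec_events | cut -d'|' -f1 | sort | uniq -c | sort -rn
}

# probe URL: HTTP status of a request against the running server (403 = blocked).
# Needs the Apache instance configured in this guide, so it is not run by default.
probe() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Stand-alone run: show which requests in the sample were denied.
printf '%s\n' "$SAMPLE_LOG" | modsec_blocked
```

Feed the real log with `modsec_events < /var/log/apache2/error.log`; the blocked list tells you which requests to correlate with the audit log, and the per-rule counts are the starting point for writing rule exclusions rather than lowering the anomaly threshold.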