Configure your Apache Server with ModSecurity Module on Debian / Ubuntu
The Apache web server is very configurable and may be customised in a variety of ways to meet your specific requirements. There are several third-party modules available to help you customise Apache to your liking.
ModSecurity is an open-source web application firewall (WAF). It started life purely as an Apache module and has since grown into a standalone engine (libmodsecurity) with connectors for Nginx and IIS, but the Apache module is still the most common way to run it.
ModSecurity inspects every incoming HTTP request against a set of rules. The rules themselves are not part of ModSecurity: the usual choice is the OWASP ModSecurity Core Rule Set (CRS), a separately maintained ruleset that covers SQL injection, cross-site scripting (XSS), session fixation and many other common web application attacks.
A WAF such as ModSecurity is one accepted way of meeting the PCI DSS requirement to protect public-facing web applications (requirement 6.6 in PCI DSS 3.2.1). When a rule blocks a request, the client receives an HTTP 403 Forbidden response; that is the WAF rejecting the request, not a file-permission problem on the server, so keep it in mind when you debug false positives later.
This article will walk you through installing and configuring ModSecurity to operate with Apache on Debian and Ubuntu Linux.
Let's start:
Step 1: Install ModSecurity on Debian / Ubuntu
Before installing anything, refresh the package index so you get the current package versions and avoid dependency problems later:
$ sudo apt update
Then install the ModSecurity Apache module; apt pulls in its dependencies:
$ sudo apt install libapache2-mod-security2
Enable the module:
$ sudo a2enmod security2
Restart Apache so the module is loaded. You will restart Apache after every configuration change in this guide; doing it after each change, rather than once at the end, makes it obvious which change broke the configuration if a restart fails.
$ sudo systemctl restart apache2
ModSecurity is now installed and loaded, but it is not yet doing anything useful. Next, configure it.
Step 2: Configure ModSecurity on Debian / Ubuntu
By default ModSecurity runs in DetectionOnly mode: it logs what a rule would have done but blocks nothing. To actually stop attacks, the rule engine has to be switched on. (Running in DetectionOnly for a while with the rules loaded is a sensible way to find false positives on a production site before you start blocking; here we go straight to blocking.)
Copy the default ModSecurity configuration file — modsecurity.conf-recommended — to a new file using the command supplied below.
$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Open the file in your preferred editor (nano here):
$ sudo nano /etc/modsecurity/modsecurity.conf
Locate the line
SecRuleEngine DetectionOnly
and change it to
SecRuleEngine On
Save the file and exit the editor.
Restart Apache to apply the change:
$ sudo systemctl restart apache2
Step 3: Download the OWASP ModSecurity Core Rule Set
Next, fetch the current OWASP ModSecurity Core Rule Set (CRS) from its GitHub repository. You need git for this (sudo apt install git if it is missing).
Clone the repository:
$ git clone https://github.com/coreruleset/coreruleset.git
Change into the cloned directory:
$ cd coreruleset/
Move crs-setup.conf.example into the ModSecurity directory under the name crs-setup.conf. This file holds the CRS-wide settings (paranoia level, anomaly score thresholds) and must be loaded before the rules themselves:
$ sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
Move the rules directory into the ModSecurity directory as well:
$ sudo mv rules/ /etc/modsecurity/
Next, tell Apache where the rules live. Open the module's configuration file:
$ sudo nano /etc/apache2/mods-enabled/security2.conf
Inside the <IfModule security2_module> block, make sure both of these lines are present (Debian ships the first one; add the second directly after it):
IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf
The first line picks up modsecurity.conf and crs-setup.conf; the second loads the rule files. The order matters, because crs-setup.conf has to be read before the rules that use its settings. One caveat: libapache2-mod-security2 recommends the modsecurity-crs package, so apt may have installed it alongside the module, and Debian's security2.conf also contains IncludeOptional /usr/share/modsecurity-crs/*.load, which loads that packaged copy of the CRS if it is present. Do not load both: ModSecurity rejects a configuration in which two rules share an id, and Apache will refuse to start. Either comment out that .load line or skip the clone and use the packaged rules.
Then restart Apache once more so the rules are loaded. If the restart fails, apache2ctl configtest prints the offending line; a message about a rule id already being in use means the CRS has been included twice.
$ sudo systemctl restart apache2
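The three steps above, gathered into one script. This is an added example written for this edit, not code from the original article or from the ModSecurity or CRS projects. It assumes the Debian/Ubuntu paths used in the article; the clone location CRS_DIR is an assumed default you can override, and the file name is arbitrary. The check_security2_conf function is the part worth keeping: it verifies that both Include lines are present and that the packaged CRS loader is not active at the same time, which is the usual reason the final restart fails.

```shell
#!/bin/sh
# Added example, not part of the original article: Steps 1-3 as idempotent shell
# functions, plus a sanity check of security2.conf that catches the most common
# reason the final restart fails (the Core Rule Set loaded twice).
# Assumptions: Debian/Ubuntu paths as used in the article; CRS_DIR is an assumed
# clone location that can be overridden from the environment. GNU sed is assumed.
set -eu

MODSEC_DIR=/etc/modsecurity
SEC2_CONF=/etc/apache2/mods-enabled/security2.conf
CRS_DIR=${CRS_DIR:-/tmp/coreruleset}

# Step 1: package and module (git is needed for Step 3).
install_modsecurity() {
    sudo apt update
    sudo apt install -y libapache2-mod-security2 git
    sudo a2enmod security2
}

# Step 2: create modsecurity.conf from the recommended template (only once) and
# switch the engine from DetectionOnly to On.
enable_blocking() {
    if [ ! -f "$MODSEC_DIR/modsecurity.conf" ]; then
        sudo cp "$MODSEC_DIR/modsecurity.conf-recommended" "$MODSEC_DIR/modsecurity.conf"
    fi
    sudo sed -i 's/^SecRuleEngine[[:space:]][[:space:]]*DetectionOnly/SecRuleEngine On/' \
        "$MODSEC_DIR/modsecurity.conf"
}

# Step 3: fetch the CRS, install crs-setup.conf and the rules, and add the rules
# Include line right after the existing IncludeOptional inside <IfModule>.
install_crs() {
    [ -d "$CRS_DIR" ] || git clone https://github.com/coreruleset/coreruleset.git "$CRS_DIR"
    sudo cp "$CRS_DIR/crs-setup.conf.example" "$MODSEC_DIR/crs-setup.conf"
    sudo cp -r "$CRS_DIR/rules" "$MODSEC_DIR/"
    if ! grep -q '^[[:space:]]*Include /etc/modsecurity/rules/\*\.conf' "$SEC2_CONF"; then
        sudo sed -i '/^[[:space:]]*IncludeOptional \/etc\/modsecurity\/\*\.conf/a\
        Include /etc/modsecurity/rules/*.conf' "$SEC2_CONF"
    fi
}

# Validate a security2.conf: both Include lines present, and the loader for the
# packaged CRS (modsecurity-crs, recommended by libapache2-mod-security2) not
# active at the same time. Two copies of the CRS mean duplicate rule ids, and
# Apache refuses to start. Prints findings; returns 0 only when all is well.
check_security2_conf() {
    conf=$1
    rc=0
    grep -q '^[[:space:]]*IncludeOptional /etc/modsecurity/\*\.conf' "$conf" ||
        { echo "missing: IncludeOptional /etc/modsecurity/*.conf"; rc=1; }
    grep -q '^[[:space:]]*Include /etc/modsecurity/rules/\*\.conf' "$conf" ||
        { echo "missing: Include /etc/modsecurity/rules/*.conf"; rc=1; }
    if grep -q '^[[:space:]]*IncludeOptional /usr/share/modsecurity-crs/\*\.load' "$conf"; then
        echo "conflict: packaged CRS loader is also active; comment it out or rule ids will clash"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "ok: $conf"; fi
    return "$rc"
}

# Only act when asked, so the functions above can be reused on their own.
if [ "${1:-}" = "--install" ]; then
    install_modsecurity
    enable_blocking
    install_crs
    check_security2_conf "$SEC2_CONF"   # set -e stops here if the config is wrong
    sudo apache2ctl configtest
    sudo systemctl restart apache2
elif [ "${1:-}" = "--check" ]; then
    check_security2_conf "${2:-$SEC2_CONF}"
fi
```

Run it as sh modsec-setup.sh --install to perform the whole procedure, or sh modsec-setup.sh --check to validate the live security2.conf before a restart; with no arguments it only defines the functions.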
Now test the configuration.
Step 4: Test the ModSecurity Configuration on Debian / Ubuntu
Finally, confirm that ModSecurity is really blocking rather than just logging. The quickest way is a rule of your own in the default virtual host:
$ sudo nano /etc/apache2/sites-available/000-default.conf
Add a simple rule that denies any request whose testparam query argument contains the string "test". Put these lines inside the VirtualHost block, just before the closing </VirtualHost> tag:
SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"
You can choose any 'id' and 'msg' you like, with one constraint: the id must be unique across every loaded rule (ids 1 to 99,999 are reserved for local rules like this one, so they cannot collide with the CRS).
Restart Apache to apply the virtual host change:
$ sudo systemctl restart apache2
In a browser (or with curl), request your server's address with ?testparam=test appended:
http://server-ip/?testparam=test
You should get a 403 Forbidden response: the rule matched and ModSecurity denied the request before it reached the application. Requesting the same page without the parameter should still work, which confirms that the blocking is selective and not a broken configuration.
You can confirm the block from the server side in Apache's error log, where every denied request is logged together with the rule id and msg:
$ sudo grep "Test Successful" /var/log/apache2/error.log
The full transaction (request headers and all matched rules) is written to the audit log at the path SecAuditLog points to in modsecurity.conf, /var/log/apache2/modsec_audit.log with Debian's recommended configuration.
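Grepping the error log by hand is enough for one test request; on a live server you want a summary of what is being blocked and by which rule. The following script is an added example written for this edit, not part of the original article or of ModSecurity. The log lines it runs on are constructed to match the ModSecurity 2.x error.log format shown above and are not real traffic; the rule ids 942100 and 949110 are genuine CRS rules used for illustration, and http://server-ip/ is a placeholder for your own server.

```shell
#!/bin/sh
# Added example, not part of the original article: pull the ModSecurity fields
# ([id "..."], [msg "..."], [uri "..."], client address) out of Apache's error.log
# and summarise which rules are blocking whom. Without arguments it runs on the
# constructed sample log below; pass a real log path to analyse that instead.
set -eu

# Extract one bracketed field, e.g. modsec_field id "$line" prints 254.
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# Client IP from Apache's "[client IP:port]" tag. ModSecurity appends a second
# "[client IP]" without a port; requiring the port makes sed pick the right one.
modsec_client() {
    printf '%s\n' "$1" | sed -n 's/.*\[client \([0-9a-fA-F.:]*\):[0-9]*].*/\1/p'
}

# One tab-separated line per blocked request: client, rule id, uri, msg.
# "Warning." entries (rules that scored but did not block) are left out.
blocked_requests() {
    grep 'ModSecurity: Access denied' "$1" | while IFS= read -r line; do
        printf '%s\t%s\t%s\t%s\n' "$(modsec_client "$line")" "$(modsec_field id "$line")" \
            "$(modsec_field uri "$line")" "$(modsec_field msg "$line")"
    done
}

# Blocks per rule id, most frequent first. A CRS rule that tops this list on
# legitimate traffic wants a targeted exclusion, not a switch back to DetectionOnly.
blocks_per_rule() {
    blocked_requests "$1" | cut -f2 | sort | uniq -c | sort -rn
}

# Live check of the Step 4 rule: the trigger must get 403 and a plain request 200
# (assumes the default page exists). The base URL is a placeholder you supply.
check_test_rule() {
    base=$1
    code=$(curl -s -o /dev/null -w '%{http_code}' "${base}?testparam=test")
    [ "$code" = "403" ] || { echo "expected 403 for the trigger, got $code"; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base")
    [ "$code" = "200" ] || { echo "expected 200 for a benign request, got $code"; return 1; }
    echo "ok: trigger blocked, benign request passed"
}

# Constructed sample error.log (not real traffic): an Apache notice, the Step 4
# test rule firing, and a CRS SQLi warning followed by the anomaly-score block.
write_sample_log() {
    cat > "$1" <<'EOF'
[Fri Mar 10 10:15:32.123456 2023] [mpm_event:notice] [pid 2230:tid 140012411222976] AH00489: Apache/2.4.57 (Debian) configured -- resuming normal operations
[Fri Mar 10 10:15:40.222333 2023] [:error] [pid 2231:tid 140012345678592] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "31"] [id "254"] [msg "Test Successful"] [hostname "192.0.2.10"] [uri "/"] [unique_id "ZAr0cJ8AAAEAAAi7B7kAAAAB"]
[Fri Mar 10 10:16:01.654321 2023] [:error] [pid 2232:tid 140012345678592] [client 198.51.100.7:40210] [client 198.51.100.7] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "46"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "192.0.2.10"] [uri "/index.php"] [unique_id "ZAr0kZ8AAAEAAAi8B7kAAAAC"]
[Fri Mar 10 10:16:01.655000 2023] [:error] [pid 2232:tid 140012345678592] [client 198.51.100.7:40210] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "222"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "192.0.2.10"] [uri "/index.php"] [unique_id "ZAr0kZ8AAAEAAAi8B7kAAAAC"]
EOF
}

if [ "${1:-}" = "--check" ]; then
    check_test_rule "${2:?usage: --check http://server-ip/}"
elif [ $# -eq 0 ]; then
    SAMPLE=$(mktemp)
    write_sample_log "$SAMPLE"
    echo "Blocked requests (client, rule id, uri, msg):"
    blocked_requests "$SAMPLE"
    echo "Blocks per rule id:"
    blocks_per_rule "$SAMPLE"
    rm -f "$SAMPLE"
else
    blocked_requests "$1"
    echo "Blocks per rule id:"
    blocks_per_rule "$1"
fi
```

On a real server run it as sudo sh modsec-blocks.sh /var/log/apache2/error.log (the file name is arbitrary), or sh modsec-blocks.sh --check http://server-ip/ to exercise the Step 4 rule over HTTP. Note that the CRS SQLi rule 942100 in the sample only raises a warning; the actual block comes from the anomaly-scoring rule 949110, which is why the summary counts 949110 and not the rule that detected the payload.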
Hopefully you have learnt something new today. If you did, share it: the next person hitting the same problem will thank you, and that is how the cycle of learning, sharing and solving keeps going.