Install ModSecurity:
Ubuntu/Debian
sudo apt install libapache2-modsecurity
Restart Apache:
/etc/init.d/apache2 restart
Verify the version of ModSecurity is 2.8.0 or higher:
apt-cache show libapache2-modsecurity
Note:
When listing all mods using apachectl -M, ModSecurity is listed under the name security2_module.
CentOS
yum install mod_security
Restart Apache by entering the following command:
/etc/init.d/httpd restart
Verify the version of ModSecurity is 2.8.0 or higher:
yum info mod_security
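An added check script, not part of the original guide, that applies the two verifications above (package version at least 2.8.0, and security2_module actually loaded) to the output of the package manager and of apachectl -M. The function names are this example's own, and the sample outputs embedded in it are constructed stand-ins for the real commands.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the installed
# ModSecurity meets the 2.8.0 minimum and that Apache loaded it.
# Function names are this example's own; the sample outputs are constructed.

MODSEC_MIN_VERSION="2.8.0"   # minimum stated in the guide

# Read "apt-cache show" or "yum info" output on stdin and print the upstream
# version: the first "Version:" field, minus a Debian epoch ("1:2.9.3-1")
# and minus the packaging revision ("2.9.3-1" -> "2.9.3").
modsec_version_from_pkg() {
    sed -n 's/^Version[[:space:]]*:[[:space:]]*//p' | head -n 1 \
        | sed 's/^[0-9][0-9]*://; s/[-+~].*$//'
}

# Succeed when version $1 is at least MODSEC_MIN_VERSION. "sort -V" orders
# version strings numerically, so the minimum sorts first iff $1 is new enough.
modsec_version_ok() {
    lowest=$(printf '%s\n%s\n' "$MODSEC_MIN_VERSION" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$MODSEC_MIN_VERSION" ]
}

# Succeed when "apachectl -M" output on stdin lists security2_module.
modsec_loaded() {
    grep -q '^[[:space:]]*security2_module[[:space:]]'
}

# Constructed stand-ins for the real command output.
SAMPLE_APT='Package: libapache2-modsecurity
Version: 2.9.3-1
Priority: optional'
SAMPLE_YUM='Name        : mod_security
Version     : 2.9.2
Release     : 1.el7'
SAMPLE_MODS='Loaded Modules:
 core_module (static)
 security2_module (shared)'

# Run the checks against the samples. On a live host pipe the real commands
# in instead, e.g.: apt-cache show libapache2-modsecurity | modsec_version_from_pkg
check_samples() {
    for sample in "$SAMPLE_APT" "$SAMPLE_YUM"; do
        v=$(printf '%s\n' "$sample" | modsec_version_from_pkg)
        if modsec_version_ok "$v"; then
            echo "version $v: OK (>= $MODSEC_MIN_VERSION)"
        else
            echo "version $v: too old (< $MODSEC_MIN_VERSION)"
        fi
    done
    if printf '%s\n' "$SAMPLE_MODS" | modsec_loaded; then
        echo "security2_module: loaded"
    else
        echo "security2_module: NOT loaded"
    fi
}

check_samples
```

The version comparison goes through sort -V rather than a string compare so that 2.10.0 is correctly seen as newer than 2.8.0; a plain lexical comparison would get that wrong.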
OWASP ModSecurity Core Rule Set
The following steps are for Debian-based distributions. File paths and commands for RHEL will differ slightly.
- Move and rename the recommended default ModSecurity configuration so that it is loaded as modsecurity.conf:
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
- Install git if needed:
sudo apt install git
- Download the OWASP ModSecurity CRS from GitHub:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
- Navigate into the downloaded directory. Move and rename crs-setup.conf.example to crs-setup.conf, then move rules/ as well:
cd owasp-modsecurity-crs
mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
mv rules/ /etc/modsecurity/
- The security2 module configuration already loads /etc/modsecurity/*.conf through its IncludeOptional directive, which matches the paths used above. Add an Include directive after it pointing to the rule set:
/etc/apache2/mods-available/security2.conf

<IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity

    # Include all the *.conf files in /etc/modsecurity.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    IncludeOptional /etc/modsecurity/*.conf
    Include /etc/modsecurity/rules/*.conf
</IfModule>
- Restart Apache so that the changes take effect:
/etc/init.d/apache2 restart
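The steps above, as reusable functions in an added example that is not part of the original guide. Each function takes its directories as parameters so the whole sequence can be rehearsed in a scratch directory (the block does that when run) before it is pointed at /etc/modsecurity and /etc/apache2/mods-available/security2.conf. It copies rather than moves the files out of the clone, an assumption of this example that keeps the checkout intact for a later git pull; the function names and the sample rule file name are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: the CRS wiring steps as
# functions that take their paths as parameters. Function names, the
# copy-instead-of-move choice and the scratch-directory demo are this
# example's own; the directory layout and directives follow the guide.

# Step 1: activate the recommended base config by renaming it in place.
modsec_activate_recommended() {
    modsec_dir=$1
    if [ -f "$modsec_dir/modsecurity.conf-recommended" ]; then
        mv "$modsec_dir/modsecurity.conf-recommended" "$modsec_dir/modsecurity.conf"
    fi
    [ -f "$modsec_dir/modsecurity.conf" ]
}

# Step 2: install crs-setup.conf and rules/ from the cloned repository.
# Copying keeps the git checkout intact so it can later be updated with git pull.
crs_install() {
    crs_src=$1; modsec_dir=$2
    [ -f "$crs_src/crs-setup.conf.example" ] || return 1
    [ -d "$crs_src/rules" ] || return 1
    mkdir -p "$modsec_dir"
    cp "$crs_src/crs-setup.conf.example" "$modsec_dir/crs-setup.conf"
    rm -rf "$modsec_dir/rules"
    cp -R "$crs_src/rules" "$modsec_dir/rules"
}

# Step 3: write the security2 module config. The IncludeOptional glob loads
# crs-setup.conf and modsecurity.conf; the rules are included afterwards
# because they depend on variables that crs-setup.conf defines.
write_security2_conf() {
    conf=$1; modsec_dir=$2
    cat > "$conf" <<EOF
<IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity

    # Base configuration and CRS setup file
    IncludeOptional $modsec_dir/*.conf

    # CRS rules, loaded after crs-setup.conf
    Include $modsec_dir/rules/*.conf
</IfModule>
EOF
}

# Pre-restart check: the Include line is present and every file it needs exists.
crs_check() {
    conf=$1; modsec_dir=$2
    grep -qF "Include $modsec_dir/rules/*.conf" "$conf" || return 1
    [ -f "$modsec_dir/modsecurity.conf" ] || return 1
    [ -f "$modsec_dir/crs-setup.conf" ] || return 1
    ls "$modsec_dir"/rules/*.conf >/dev/null 2>&1
}

# Rehearse the whole sequence in a throwaway directory with a constructed
# stand-in for the git clone and for /etc/modsecurity. Returns crs_check's status.
demo_in_scratch() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/owasp-modsecurity-crs/rules" "$scratch/modsecurity"
    echo '# constructed sample crs-setup' > "$scratch/owasp-modsecurity-crs/crs-setup.conf.example"
    echo '# constructed sample rule file' > "$scratch/owasp-modsecurity-crs/rules/SAMPLE-900-RULES.conf"
    echo 'SecRuleEngine DetectionOnly' > "$scratch/modsecurity/modsecurity.conf-recommended"
    modsec_activate_recommended "$scratch/modsecurity" \
        && crs_install "$scratch/owasp-modsecurity-crs" "$scratch/modsecurity" \
        && write_security2_conf "$scratch/security2.conf" "$scratch/modsecurity" \
        && crs_check "$scratch/security2.conf" "$scratch/modsecurity"
    status=$?
    rm -rf "$scratch"
    return $status
}

if demo_in_scratch; then
    echo "scratch rehearsal: OK, ready to run against /etc/modsecurity"
else
    echo "scratch rehearsal: FAILED"
fi
```

Running crs_check before restarting Apache catches the two mistakes that otherwise only surface as a failed restart: a rules directory that never arrived in /etc/modsecurity, and a base configuration still named modsecurity.conf-recommended, which the *.conf glob silently ignores.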
ModSecurity Test
The OWASP CRS is a rule set that runs on the ModSecurity engine, so it can be extended with your own rules alongside it; the following test adds one custom rule and then exercises the CRS itself.
- Open the default Apache virtual host configuration and add the two ModSecurity directives shown below (SecRuleEngine and SecRule), using the default configuration as an example:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SecRuleEngine On
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
</VirtualHost>
- Restart Apache, then curl the index page to intentionally trigger the rule:
curl localhost/index.html?testparam=test
The response code should be 403, and the error log should contain a message showing that the defined ModSecurity rule fired. You can check with:
sudo tail -f /var/log/apache2/error.log
- Verify the OWASP CRS is in effect; this request should be blocked in the same way, which you can confirm from the response code and the error log as above:
curl localhost/index.html?exec=/bin/bash
Review the configuration files located in /etc/modsecurity/*.conf. Most of them are commented with definitions of the available options. The CRS uses anomaly scoring: each matching rule adds a score according to its severity, and the highest score (5) is the most severe.
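An added example, not part of the original guide, that pulls the ModSecurity events out of Apache's error.log so the two curl checks above can be confirmed from the log rather than by eye: it lists each event with its action, rule id, URI and message, and separates warnings (a CRS rule adding to the anomaly score) from actual denials. The function names are this example's own; the log lines embedded below are constructed in the format ModSecurity 2.x writes, using the guide's rule 1234 and the CRS blocking-evaluation rule.

```shell
#!/bin/sh
# Added example, not from the original guide: extract ModSecurity events from
# Apache's error.log. Function names are this example's own; the log lines
# below are constructed in the format ModSecurity 2.x writes.

# Print the value of one bracketed field, e.g. [id "1234"], from a log line.
#   $1 = log line, $2 = field name (id, msg, uri, severity, ...)
modsec_field() {
    printf '%s\n' "$1" | sed -n 's/.*\['"$2"' "\([^"]*\)"].*/\1/p'
}

# Read error.log on stdin; print one tab-separated record per ModSecurity
# event: action (denied|warning), rule id, request URI, rule message.
# Lines from other Apache modules are skipped.
modsec_summarize() {
    while IFS= read -r line; do
        case $line in
            *'ModSecurity: Access denied with code '*) action=denied ;;
            *'ModSecurity: Warning.'*) action=warning ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$action" "$(modsec_field "$line" id)" \
            "$(modsec_field "$line" uri)" "$(modsec_field "$line" msg)"
    done
}

# Rule ids that actually blocked a request (one per line), from error.log on stdin.
modsec_denied_ids() {
    modsec_summarize | awk -F '\t' '$1 == "denied" { print $2 }'
}

# For the live check: fetch the HTTP status code of a URL (expected 403 for
# the two test requests in the guide). Not used on the samples below.
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Constructed sample log: the guide's rule 1234 blocking ?testparam=test,
# then the CRS blocking ?exec=/bin/bash (a CRITICAL match scores 5, which
# meets the default inbound threshold of 5), plus an unrelated notice line.
SAMPLE_LOG='[Mon Jan 01 12:00:00.000000 2024] [:error] [pid 1001] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "12"] [id "1234"] [msg "Our test rule has triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "SAMPLE-1"]
[Mon Jan 01 12:00:01.000000 2024] [:error] [pid 1001] [client 127.0.0.1] ModSecurity: Warning. Pattern match "/bin/(?:ba)?sh" at ARGS:exec. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "200"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "CRITICAL"] [hostname "localhost"] [uri "/index.html"] [unique_id "SAMPLE-2"]
[Mon Jan 01 12:00:01.000000 2024] [:error] [pid 1001] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "localhost"] [uri "/index.html"] [unique_id "SAMPLE-3"]
[Mon Jan 01 12:00:02.000000 2024] [mpm_prefork:notice] [pid 1000] AH00163: Apache/2.4 (Ubuntu) configured -- resuming normal operations'

# On a live host:  sudo tail -n 200 /var/log/apache2/error.log | modsec_summarize
printf '%s\n' "$SAMPLE_LOG" | modsec_summarize
```

The distinction between the warning and the denial matters when reading CRS logs: individual CRS rules only raise the anomaly score, and the request is refused by the separate blocking-evaluation rule once the total reaches the threshold, so a warning line on its own does not mean the request was stopped.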