How to secure Apache with ModSecurity?

Ievaz

ModSecurity is an Apache plug-in module that works as a firewall. It works with rule sets, which enable you to modify and adjust the security of your server.

ModSecurity may also help you identify and respond to breaches by monitoring web traffic in real-time.

So in this guide, you will see how to install ModSecurity with Apache webserver on your VPS.

Installing ModSecurity:

First of all, you need to install Apache on your VPS. For that, you can use this guide.

1. ModSecurity can be installed by running the following command in your VPS via SSH:

sudo apt install libapache2-mod-security2 -y

2. when ModSecurity is installed, you need to enable the Apache headers module:

sudo a2enmod headers

3. Then you need to restart Apache service with this command:

sudo systemctl restart apache2

Now ModSecurity should be installed on your VPS.

Configuring ModSecurity:

Since ModSecurity is a firewall, it requires rules to function.

1. So you need to remove the ** .recommended** extension from the ModSecurity configuration file name:

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

2. With a text editor such as vim (or nano), open /etc/modsecurity/modsecurity.conf and change the value for SecRuleEngine to On.

3. Then restart Apache:

sudo systemctl restart apache2

Setting rules:

The next step in the process is to set up a rule set to actively prevent your web server from attacks. For this, we will implement the OWASP Core Rule Set.

The OWASP ModSecurity Core Rule Set (CRS) is a collection of threat detection rules that may be used with ModSecurity or other compatible web application firewalls. With a minimal of false warnings, the CRS tries to defend online applications from a wide range of attacks.

1. Firstly, you need to delete the current rule set that comes prepackaged with ModSecurity by running the following command:

sudo rm -rf /usr/share/modsecurity-crs

2. Then check if git is installed:

sudo apt install git

3. Now you need to clone the OWASP-CRS GitHub repository into the /usr/share/modsecurity-crs directory with command:

sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs

4. After that, rename the crs-setup.conf.example to crs-setup.conf:

sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

5. And rename the default request exclusion rule file:

sudo mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf

Now OWASP-CRS should be set up.

Enable ModSecurity in Apache:

1. Now use a text editor such as vim (or nano) and edit the /etc/apache2/mods-available/security2.conf file to include the OWASP-CRS files you have downloaded:

<IfModule security2_module>
SecDataDir /var/cache/modsecurity
Include /usr/share/modsecurity-crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
</IfModule>

2. In /etc/apache2/sites-enabled/000-default.conf file VirtualHost block, include the SecRuleEngine directive set to On.

Note 1: If you are running a website that uses SSL, add SecRuleEngine directive to that website’s configuration file as well.

3. Now restart again Apache:

sudo systemctl restart apache2

Testing ModSecurity:

You can test ModSecurity by performing a simple local file inclusion attack by running the following command:

curl http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash

In <SERVER-IP/DOMAIN> write your VPS IP address or your domain hosted on your server.

If ModSecurity has been configured correctly and is actively blocking attacks, you should get in the output this message:

You don't have permission to access this resource.