Use the ModSecurity Apache module on a cloud server with Ubuntu 16.04

ModSecurity is a free web application firewall (WAF) which is a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially-recommended OWASP Core Rule Set (CRS) which will protect a server against malware and hacking in the form of SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.

VPS Hosting
Fully virtualized servers with root access
  • Unlimited traffic
  • Fast SSD NVMe storage
  • Free Plesk Web Host Edition

Requirements

  • A Cloud Server running Linux (Ubuntu 16.04)
  • Apache installed and running.
Note

Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.

Install ModSecurity

Install the libapache2-modsecurity package:

sudo apt-get install libapache2-modsecurity

Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:

user@localhost:~# apachectl -M | grep security
security2_module (shared)

Create a directory for the ModSecurity rules:

sudo mkdir /etc/modsecurity

Create a file for ModSecurity rules and open the file for editing:

sudo nano /etc/modsecurity/mod_security.conf

Add the following to the file:

<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On 
    SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
    SecDataDir /tmp
</IfModule>

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart apache2

Install and configure the OWASP Core Rule Set (CRS)

The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.

First, install the git package:

sudo apt-get install git

Go to the /etc/apache2 directory:

cd /etc/apache2/

Download the OWASP installation files:

sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Move to the new OWASP directory:

cd owasp-modsecurity-crs

Create a copy of the example setup file and rename it:

sudo cp crs-setup.conf.example crs-setup.conf

Open the main Apache configuration file for editing:

sudo nano /etc/apache2/apache2.conf

Scroll down to the section which reads:

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Add the following two lines:

Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf

Save and exit the file. Then restart Apache for the changes to take effect:

systemctl restart apache2
Web Hosting
Fast, scalable hosting for any website
  • 99.9% uptime
  • PHP 8.3 with JIT compiler
  • SSL, DDoS protection, and backups

Verify that ModSecurity is installed and the OWASP CRS is loaded

You can test ModSecurity's OWASP CRS by visiting the URL:

http://example.com/?param="><script>alert(1);</script>

Where example.com is replaced with your server's domain name or IP address.

You will be denied access with a 403: Forbidden error. Furthermore, this error will be noted in the /var/log/apache2/error.log file, with an entry similar to:

[Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client 79.196.255.255] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "50.21.182.126:80"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "50.21.182.126"] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]

Update the OWASP Core Rule Set (CRS)

The OWASP CRS comes with a script you can run to update the rules with the latest version. To update OWASP:

sudo python /etc/apache2/owasp-modsecurity-crs/util/upgrade.py --crs

If you run it now to test the command, it will respond with:

crs:
From https://github.com/SpiderLabs/owasp-modsecurity-crs
 * branch            HEAD       -> FETCH_HEAD
Already up-to-date.

We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.

Was this article helpful?
We use cookies on our website to provide you with the best possible user experience. By continuing to use our website or services, you agree to their use. More Information.
Page top