ModSecurity is a free and open source web application that started out as an Apache module and grew to a fully-fledged web application firewall. It works by inspecting requests sent to the web server in real time against a predefined rule set, preventing typical web application attacks like XSS and SQL Injection.
ModSecurity can be installed by running the following command in your terminal:
sudo apt install libapache2-mod-security2 -y
After installing ModSecurity, enable the Apache 2 headers module by running the following command:
sudo a2enmod headers
Restart the apache2 service.
ModSecurity is a firewall and therefore requires rules to function. This section shows you how to implement the OWASP Core Rule Set. First, you must prepare the ModSecurity configuration file.
Copy the recommended configuration file to modsecurity.conf, which drops the -recommended suffix from the file name, with the following command:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
With a text editor such as vim, open /etc/modsecurity/modsecurity.conf and change the value for SecRuleEngine to On:
SecRuleEngine On
Also check that SecRequestBodyAccess is On.
Restart Apache to apply the changes.
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The CRS provides protection against many common attack categories, including SQL Injection, Cross Site Scripting, and Local File Inclusion.
First, delete the current rule set that comes prepackaged with ModSecurity by running the following command:
sudo rm -rf /usr/share/modsecurity-crs
Clone the OWASP-CRS GitHub repository into the /etc/apache2/modsecurity.d/ directory:
sudo git clone https://github.com/coreruleset/coreruleset /etc/apache2/modsecurity.d
Rename crs-setup.conf.example in the cloned directory to crs-setup.conf:
sudo mv /etc/apache2/modsecurity.d/crs-setup.conf.example /etc/apache2/modsecurity.d/crs-setup.conf
To begin using ModSecurity, enable it in the Apache configuration file by following the steps outlined below:
Using a text editor such as vim, edit the /etc/apache2/mods-available/security2.conf file to include the OWASP-CRS files you have downloaded:
Include /etc/apache2/modsecurity.d/crs-setup.conf
Include /etc/apache2/modsecurity.d/rules/*.conf
In the VirtualHost block of the /etc/apache2/sites-enabled/website.com.conf file, include the SecRuleEngine directive set to On:
SecRuleEngine On
Restart the apache2 service to apply the configuration.
Test ModSecurity by performing a simple local file inclusion attack by running the following command:
curl "http://website.com/index.php?exec=../../../etc/passwd"
If ModSecurity has been configured correctly and is actively blocking attacks, the following error is returned:
403 Forbidden
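If the request is not answered with 403, the engine may still be in DetectionOnly mode (matches are logged, not blocked) or an Include line may point at a path that does not exist. The script below is an added example, not part of the original guide: the function names are hypothetical, the sample configuration is constructed, and it assumes Include paths are absolute.

```shell
#!/bin/sh
# Added example: audit the settings this guide changes (hypothetical helper names).

# Print the effective (last uncommented) value of an Apache directive, lowercased.
effective_value() {  # usage: effective_value DIRECTIVE FILE
    awk -v d="$1" 'tolower($1) == tolower(d) { v = tolower($2) } END { print v }' "$2"
}

# Return 0 only if the engine blocks and request bodies are inspected.
audit_modsec_conf() {  # usage: audit_modsec_conf FILE
    rc=0
    engine=$(effective_value SecRuleEngine "$1")
    body=$(effective_value SecRequestBodyAccess "$1")
    case "$engine" in
        on) echo "OK   SecRuleEngine On: matching requests are blocked" ;;
        detectiononly) echo "WARN SecRuleEngine DetectionOnly: logged, not blocked"; rc=1 ;;
        *) echo "FAIL SecRuleEngine is '${engine:-unset}'"; rc=1 ;;
    esac
    if [ "$body" = on ]; then
        echo "OK   SecRequestBodyAccess On: request bodies are inspected"
    else
        echo "FAIL SecRequestBodyAccess is '${body:-unset}'"; rc=1
    fi
    return "$rc"
}

# List Include targets (not IncludeOptional) that match no file on disk.
# Assumption: paths are absolute and unquoted; globs such as rules/*.conf are expanded.
missing_includes() {  # usage: missing_includes FILE
    awk 'tolower($1) == "include" { print $2 }' "$1" | while read -r pattern; do
        found=0
        for f in $pattern; do
            if [ -e "$f" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$pattern"; fi
    done
}

# Constructed sample: engine left at DetectionOnly, with a commented-out On line.
sample=$(mktemp)
printf '%s\n' 'SecRuleEngine DetectionOnly' '#SecRuleEngine On' \
    'SecRequestBodyAccess On' > "$sample"
audit_modsec_conf "$sample" || echo "=> fix the file, then restart Apache"
rm -f "$sample"
```

On the server, call audit_modsec_conf with /etc/modsecurity/modsecurity.conf and missing_includes with /etc/apache2/mods-available/security2.conf; any path printed by missing_includes would stop Apache from starting.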