
Configure ModSecurity with Apache on Ubuntu Linux

jibinw

« on: June 23, 2018, 11:22:19 am »
In this article, I will explain how to install and configure mod_security on an Ubuntu 16.04 server.

System Requirements

  • A newly deployed Ubuntu 16.04 server.
  • A static IP address (192.168.1.10) configured on your server.

Update the System

First, update your system's packages to the latest stable versions. You can do this with the following commands:

Code:
apt-get update -y
apt-get upgrade -y

Install LAMP Server

Before starting, you will need a LAMP stack installed on your server. If it is not installed yet, you can install it with the following command:

Code:
# Ubuntu 16.04 ships PHP 7.0, so the unversioned php packages are used here; the php5-* packages are not in its repositories
apt-get install apache2 mysql-server php libapache2-mod-php php-mysql php-mcrypt

Once the installation is complete, start the Apache service and enable it to start at boot:

Code:
systemctl start apache2
systemctl enable apache2

Install mod_security

mod_security is available in the default Ubuntu 16.04 repository. You can install it with the following command:

Code:
apt-get install libapache2-modsecurity

Once the installation is complete, you can check that the module is loaded with the following command:

Code:
apachectl -M | grep security

If everything is fine, you should see the following output:

security2_module (shared)

Configure mod_security

By default, mod_security does not do anything because it needs rules to work. First, you will need to rename the example modsecurity.conf-recommended file located in the /etc/modsecurity directory. You can do this with the following command:

Code:
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Next, you will need to enable the mod_security rule engine. Open the configuration file:

Code:
nano /etc/modsecurity/modsecurity.conf

Find the SecRuleEngine line, which the recommended file sets to DetectionOnly (matches are logged but not blocked), and change it to:

Code:
SecRuleEngine On

Save the file and restart Apache for the changes to take effect.

Code:
systemctl restart apache2

By default, mod_security comes with a core rule set (CRS) of security rules, located in the /usr/share/modsecurity-crs directory. However, it is recommended to download the mod_security CRS from its GitHub repository.

First, remove the default CRS with the following command:

Code:
rm -rf /usr/share/modsecurity-crs

Next, download the latest version of the mod_security CRS with the following command:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

Next, rename the example setup file with the following commands:

Code:
cd /usr/share/modsecurity-crs
mv crs-setup.conf.example crs-setup.conf

Next, you will need to enable these rules to get them working with Apache.

You can do this by editing the /etc/apache2/mods-enabled/security2.conf file:

nano /etc/apache2/mods-enabled/security2.conf

Change the file as shown below:

<IfModule security2_module>
     SecDataDir /var/cache/modsecurity
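
The excerpt above stops after the SecDataDir line. As an added example (not part of the original post), a complete security2.conf that loads the cloned CRS could look like the following. It assumes the CRS v3 layout, with crs-setup.conf at the top of /usr/share/modsecurity-crs and the rule files under rules/, and it keeps the include of /etc/modsecurity/*.conf that the Ubuntu package ships.

```apache
<IfModule security2_module>
    # Persistent storage for ModSecurity collections (from the post)
    SecDataDir /var/cache/modsecurity

    # Assumption: stock include from the Ubuntu package. It loads
    # /etc/modsecurity/modsecurity.conf, where SecRuleEngine is set.
    IncludeOptional /etc/modsecurity/*.conf

    # Assumption: CRS v3 layout. The CRS expects its setup file to be
    # read before the rule files.
    # Include (not IncludeOptional) is used so that a missing setup file
    # or an empty rules directory fails the Apache config check instead
    # of leaving the server running with no rules loaded.
    Include /usr/share/modsecurity-crs/crs-setup.conf
    Include /usr/share/modsecurity-crs/rules/*.conf
</IfModule>
```

Running `apachectl configtest` before the restart shows whether every include resolved. If SecRuleEngine is still set to DetectionOnly, the same rules only log matches and the test request later in this post will not return 403.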

Save and close the file, then restart the Apache service.

Code:
systemctl restart apache2

Test mod_security

Once everything is configured properly, we will test mod_security by sending some malicious requests to the Apache web server to see whether the requests are blocked.

We will test mod_security against an SQL injection attack with the following command:

Code:
curl "http://192.168.1.10/?q='1 OR 1=1"

You should get a 403 Forbidden response, as shown in the following output:

Code:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.10 Port 80</address>
</body></html>