ModSecurity is an open-source web application firewall (WAF) module for the Apache HTTP Server (Apache) and other web servers. It provides an additional layer of security by monitoring and filtering HTTP traffic between a client and a web application. The ModSecurity module is designed to protect web applications from various types of attacks, including but not limited to:
Cross-Site Scripting (XSS) attacks: ModSecurity can inspect and filter HTTP requests and responses for malicious scripts or code that could be injected into web pages to exploit vulnerabilities.
SQL Injection attacks: ModSecurity can detect and block attempts to execute unauthorized SQL queries by analyzing and validating the contents of HTTP requests.
Remote File Inclusion (RFI) attacks: ModSecurity can prevent attackers from including remote files into web applications, which could lead to the execution of malicious code.
Local File Inclusion (LFI) attacks: ModSecurity can detect and block attempts to include local files through web application vulnerabilities, which could expose sensitive system files.
Cross-Site Request Forgery (CSRF) attacks: ModSecurity can enforce security measures to ensure that requests made to a web application are legitimate and originated from authorized sources.
ModSecurity uses a rule-based engine to analyze and evaluate HTTP requests and responses based on predefined rulesets. These rulesets define patterns and conditions that trigger specific actions, such as blocking, logging, or modifying requests. ModSecurity supports custom rule creation, allowing administrators to tailor the security policies to their specific needs. In this blog, you will learn how to install the ModSecurity Apache module.
Open a terminal or SSH into your Ubuntu 20.04 server and switch to the root user with the following command so you have the permissions needed for the later operations. Enter your password when prompted.
$ sudo -i
Next, update the package repositories to ensure you have the latest package information.
$ apt update -y
Download and install the ModSecurity Apache module using the following command, typing y and Enter when prompted.
$ apt install libapache2-mod-security2
Restart the Apache service.
$ systemctl restart apache2
Ensure the installed software version is at least 2.9.
$ apt-cache show libapache2-mod-security2
Copy the default ModSecurity configuration file to a new file, then edit it with your preferred editor. In this case, we use the nano editor.
$ cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
$ nano /etc/modsecurity/modsecurity.conf
Change the value of SecRuleEngine from DetectionOnly to On.
Then, save the changes by pressing Ctrl + X, followed by y and Enter. Next, restart the Apache service.
$ systemctl restart apache2
Download OWASP Core Rule Set
The OWASP Core Rule Set (CRS) is a set of rules designed to enhance the security of web applications by providing protection against various types of attacks. The OWASP CRS is an open-source project driven by the community. It is continuously updated and maintained by a team of security professionals and volunteers, ensuring that it stays up-to-date with emerging threats and vulnerabilities. By downloading the CRS, you can benefit from the collective knowledge and expertise of the security community.
Remember to regularly update the CRS ruleset to benefit from the latest security enhancements and improvements. To ensure you have the latest rules, download the latest Core Rule Set (CRS) from the Open Web Application Security Project (OWASP) at CoreRuleSet.org, replacing the GitHub URL below with the current release as needed.
$ wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.zip
Verify the checksum of the downloaded file against the message digest published alongside it, replacing FileName.zip with the actual file name (e.g. v3.3.0.zip) and ProvidedChecksum with the published digest. The command prints the computed SHA-1 followed by the published one so you can compare them.
$ sha1sum FileName.zip && echo ProvidedChecksum
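The command above prints both digests and leaves the comparison to the eye. The following script is an added example, not part of the original post, that performs the comparison itself and returns a non-zero status on mismatch, so it can gate the unzip step in an automated install. The file and digest it checks are constructed for the demonstration (the SHA-1 of the bytes "hello"); the function name verify_sha1 is my own.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded CRS archive
# against the SHA-1 digest published with the release and fail on mismatch,
# instead of printing both digests for a visual comparison.
# Usage: verify_sha1 <file> <expected-sha1-hex>

verify_sha1() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "verify_sha1: no such file: $file" >&2
        return 2
    fi
    # sha1sum prints "<hex>  <name>"; keep only the hex part
    actual=$(sha1sum "$file")
    actual=${actual%% *}
    # normalise case so a digest pasted in upper case still matches
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# Demonstration on a constructed file standing in for v3.3.0.zip. The digest
# is the well-known SHA-1 of the five bytes "hello", not a CRS digest.
demo=$(mktemp)
printf '%s' hello > "$demo"
verify_sha1 "$demo" aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
verify_sha1 "$demo" 0000000000000000000000000000000000000000 || echo "refusing to unzip a tampered archive"
rm -f "$demo"
```

In a real install you would call `verify_sha1 v3.3.0.zip <published digest> && unzip v3.3.0.zip`, so a mismatched or truncated download never reaches the unzip step.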
Then, unzip the file.
$ unzip FileName.zip
Next, move the CRS setup file from the new directory into your ModSecurity directory.
$ mv coreruleset-3.3.0/crs-setup.conf.example /etc/modsecurity/crs-setup.conf
You can also choose to move the rules directory from the new directory to your ModSecurity directory. This step is optional.
$ mv coreruleset-3.3.0/rules/ /etc/modsecurity/
After that, edit your Apache security2.conf file to ensure it will load the ModSecurity rules. As always, we use the nano editor.
$ nano /etc/apache2/mods-enabled/security2.conf
In the configuration file, make sure the following two lines are included. If not, add them into the file. When you finish the editing, save the file.
IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf
Restart the Apache service.
$ systemctl restart apache2
If you cannot restart Apache, go back to the Apache security2.conf file and comment out the following include by adding a # at the beginning of the line: # IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load
$ nano /etc/apache2/mods-enabled/security2.conf
Now, you should be able to restart the Apache service.
$ systemctl restart apache2
Now, we can create a test blocking rule and check if we will receive a 403 error and a ModSecurity log entry.
Edit your default Apache site configuration file. If you have not changed it, it should be /etc/apache2/sites-available/000-default.conf. In this example, we have changed the default file to /etc/apache2/sites-available/mytestsite.com.conf. Substitute your own configuration file name in the command below.
$ nano /etc/apache2/sites-available/000-default.conf
At the bottom of the file, just above the closing tag of the VirtualHost block, add the following custom ModSecurity rule. Feel free to change the id number and msg as desired.
SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:999,deny,status:403,msg:'Test Successful'"
Press Ctrl + X, then y and Enter to save the changes.
Restart the Apache service.
$ systemctl restart apache2
Open a browser and access your server's IP address or the domain hosted on that server with ?testparam=test appended (e.g. domain.com/?testparam=test). In our case, we use mytestsite.com/?testparam=test. As expected, we receive the 403 Forbidden error.
You can also confirm the block in the Apache error log, where ModSecurity writes its entries, by searching for the rule's message ("Test Successful") or its id number (999):
$ grep 'Test Successful' /var/log/apache2/error.log
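Grepping for the message text confirms the rule fired, but when reviewing real blocks you usually want the client address, the rule id and the URI pulled out of each entry. The script below is an added example, not part of the original post, that parses "Access denied" entries in the format mod_security2 writes to error.log. The three log lines it runs over are constructed for the demonstration (documentation-range addresses, made-up unique ids); the function names modsec_denials and modsec_count_id are my own.

```shell
#!/bin/sh
# Added example, not from the original post: parse ModSecurity denial entries
# out of the Apache error log and report the fields a responder wants (client,
# status, rule id, message, URI), rather than grepping for the message alone.
# Both functions read log text from standard input.

# One summary line per "Access denied" entry; other Apache log lines are dropped.
# Apache 2.4 prefixes "[client ip:port]" and ModSecurity adds "[client ip]"
# right before its own text, so the match is anchored on the latter.
modsec_denials() {
    grep 'ModSecurity: Access denied' \
    | sed -E 's/.*\[client ([^] ]+)] ModSecurity: Access denied with code ([0-9]+).*\[id "([^"]*)"] \[msg "([^"]*)"].*\[uri "([^"]*)"].*/client=\1 status=\2 id=\3 msg="\4" uri=\5/'
}

# Count denials raised by one rule id, e.g. the test rule 999 from this post.
modsec_count_id() {
    grep -c "ModSecurity: Access denied.*\[id \"$1\"]" || true
}

# Constructed sample of /var/log/apache2/error.log: two denials by rule 999
# from different clients and one unrelated Apache notice in between.
MODSEC_SAMPLE=$(cat <<'EOF'
[Mon Jun 05 10:12:01.123456 2023] [:error] [pid 2345:tid 140] [client 203.0.113.5:51234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "30"] [id "999"] [msg "Test Successful"] [hostname "mytestsite.com"] [uri "/"] [unique_id "ZH2AAQAAAAAAAAAAAAAAAA"]
[Mon Jun 05 10:12:09.654321 2023] [mpm_prefork:notice] [pid 2300] AH00163: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Mon Jun 05 10:13:44.000001 2023] [:error] [pid 2346:tid 141] [client 198.51.100.7:40000] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "30"] [id "999"] [msg "Test Successful"] [hostname "mytestsite.com"] [uri "/search"] [unique_id "ZH2AAgAAAAAAAAAAAAAAAA"]
EOF
)

# Demonstration: summarise the denials, then count how often rule 999 fired.
printf '%s\n' "$MODSEC_SAMPLE" | modsec_denials
printf 'denials by rule 999: %s\n' "$(printf '%s\n' "$MODSEC_SAMPLE" | modsec_count_id 999)"
```

Against the live log you would run `modsec_denials < /var/log/apache2/error.log`; piping the result through `sort | uniq -c` by client or by id is a quick way to see whether a CRS rule is blocking one abusive source or is tripping on legitimate traffic and needs tuning.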
Afterwards, you can delete this test rule from your configuration file.
Installing the ModSecurity Apache module is a valuable step in enhancing the security of your web server and protecting your web applications against common attacks. By following the installation steps outlined in this blog, you can easily integrate ModSecurity into your Apache server and leverage its powerful features to detect and prevent various types of web vulnerabilities. The ModSecurity module, with its extensive rule set, provides an additional layer of defense, giving you peace of mind and helping you meet security requirements. Please do remember to regularly update the rule set and fine-tune the configuration to ensure optimal protection without impacting legitimate traffic.