ModSecurity is an open-source web application firewall. It is available as a module for the Apache HTTP Server, and also for Microsoft IIS and the Nginx web server. It provides a rule configuration language (SecRules) for real-time monitoring, logging, and filtering of HTTP traffic. ModSecurity is probably most commonly used to add protection against common web vulnerabilities using the OWASP Core Rule Set (CRS).
Why Should We Use ModSecurity
There are a few things we must do on a server to increase security. First among them is disabling root login and enabling key-based (PEM) SSH login. Second is closing the unused open ports and enabling iptables (or UFW), third is installing fail2ban, fourth is adding some security headers, fifth is adding an SSL/TLS certificate, sixth is installing ModSecurity. Of course, there are more, such as installing ClamAV, performing security audits, hardening Apache and MariaDB, hardening PHP, installing vsftpd, taking nightly backups and so on. But usually, the first 6-7 points mentioned are almost mandatory to avoid getting hacked.
ModSecurity allows us to do many of the things we want to do to enhance the security of our server. Almost all dedicated and cloud server web hosts have guides on installing ModSecurity, and all of them point out the importance of not ignoring it. It enables:
- Security monitoring
- Access control
- Security assessment
- Fine tuned logging
- Overall security of the web applications running on the server
Most importantly, it is free and supported by developers and sysadmins throughout the globe. Even on a test server running Apache, we suggest installing at least Fail2Ban and ModSecurity.
How to Install ModSecurity
This is not a specific how-to guide, yet we are describing the basic steps:

```
apt install gnupg2 software-properties-common curl wget git unzip -y
# add-apt-repository ppa:ondrej/apache2 -y
# apt update -y
# apt install apache2 -y
sudo apt-get install libapache2-mod-security2 -y
a2enmod security2
sudo systemctl restart apache2
```
Open the /etc/apache2/mods-enabled/security2.conf file:

```
nano /etc/apache2/mods-enabled/security2.conf
```
Uncomment:

```
...
IncludeOptional /etc/modsecurity/*.conf
...
```
Next, move/rename this file:
```
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
```
Open the ModSecurity configuration file:

```
nano /etc/modsecurity/modsecurity.conf
```

Add these (the recommended file ships with SecRuleEngine set to DetectionOnly, so change that existing line rather than adding a second one):

```
SecRuleEngine On
SecAuditLogParts ABCEFHJKZ
```
Restart Apache:
```
systemctl restart apache2
```
Actually, for an Ubuntu server the above configuration is enough, since the ModSecurity Core Rule Set is already included by the repo version. I am not a security expert, but I guess that is enough for ordinary users. This will not create odd conflicts or stop Apache2 from restarting after a reboot. The rules can be found here:

```
/usr/share/modsecurity-crs
```
Advanced users may perform the extra steps below. The above setup is enough for hosting a WordPress blog.
Naturally, if you want to replace the repo-provided ModSecurity Core Rule Set with one manually downloaded from GitHub, you have to remove all the content from /usr/share/modsecurity-crs first. Otherwise, you'll face an error like this one announcing "ModSecurity: Found another rule with the same id":

```
AH00526: Syntax error on line 62 of /etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-901-INITIALIZATION.conf:
ModSecurity: Found another rule with the same id
```
If you are an advanced user, then delete the content of /usr/share/modsecurity-crs and proceed. Download the latest rule set from here:

```
https://github.com/coreruleset/coreruleset/releases
```
Something like this:
```
# example
wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
tar xvf v3.3.0.tar.gz
mkdir /etc/apache2/modsecurity-crs/
mv coreruleset-3.3.0/ /etc/apache2/modsecurity-crs
cd /etc/apache2/modsecurity-crs/coreruleset-3.3.0/
mv crs-setup.conf.example crs-setup.conf
nano /etc/apache2/mods-enabled/security2.conf
```
Add these lines:
```
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/crs-setup.conf
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/*.conf
```
Restart Apache:
```
apachectl configtest
systemctl restart apache2
```
Please remember that when the package gets updated by the Ubuntu repo, Apache2 may fail to restart after a reboot unless you manually check the configuration and files, because the repo's copy of the ModSecurity Core Rule Set will be downloaded again automatically and the rule ids will clash once more.
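A quick way to catch that clash before apachectl configtest fails (for example right after a package update has re-installed the repo rule set), as an added example that is not part of the original post: the script scans the rule directories for ids defined in more than one file. The sample rule files it writes are constructed for the demonstration, and the directory names are assumptions.

```sh
#!/bin/sh
# find_duplicate_rule_ids DIR...
# Prints "ID<TAB>file1 file2 ..." for every rule id present in more than one
# .conf file under the given directories; returns 1 if any, else 0.
find_duplicate_rule_ids() {
    find "$@" -type f -name '*.conf' 2>/dev/null | while IFS= read -r f; do
        # Skip comment lines, extract id:941100 / id:'941100' tokens, keep only
        # the digits, de-duplicate within the file and tag each id with its file.
        grep -v '^[[:space:]]*#' "$f" |
        grep -o "id:[^0-9A-Za-z]\{0,1\}[0-9]\{1,\}" |
        sed 's/[^0-9]//g' | sort -u |
        while IFS= read -r id; do printf '%s %s\n' "$id" "$f"; done
    done |
    awk '{ id = $1; file = substr($0, length(id) + 2)
           sep = (id in files) ? " " : ""
           files[id] = files[id] sep file; n[id]++ }
         END { dup = 0
               for (id in n) if (n[id] > 1) { printf "%s\t%s\n", id, files[id]; dup = 1 }
               exit dup }'
}

# make_demo_rules DIR: constructed sample rule files (not real CRS content) that
# reproduce the clash: the repo copy and the GitHub copy both define id 901001.
make_demo_rules() {
    mkdir -p "$1/repo/rules" "$1/github/rules"
    cat > "$1/repo/rules/REQUEST-901-INITIALIZATION.conf" <<'EOF'
# comment lines are ignored even when they mention id:999999
SecRule &TX:crs_setup_version "@eq 0" \
    "id:901001,\
    phase:1,\
    deny,\
    msg:'ModSecurity Core Rule Set is deployed without configuration!'"
EOF
    cat > "$1/github/rules/REQUEST-901-INITIALIZATION.conf" <<'EOF'
SecRule &TX:crs_setup_version "@eq 0" "id:901001,phase:1,deny"
SecAction "id:'901100',phase:1,pass,nolog"
EOF
}

demo="$(mktemp -d)"
make_demo_rules "$demo"
if find_duplicate_rule_ids "$demo/repo" "$demo/github"; then
    echo "no duplicate rule ids"
else
    echo "duplicates listed above: remove one copy before apachectl configtest"
fi
rm -rf "$demo"
```

On a real server, point it at /usr/share/modsecurity-crs and /etc/apache2/modsecurity-crs (or whichever directories your IncludeOptional lines reference).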
Go to /etc/logrotate.d/:

```
cd /etc/logrotate.d/
nano modsec
```
Add this if the file does not exist:
```
/var/log/apache2/modsec_audit.log {
    rotate 15
    daily
    missingok
    compress
    delaycompress
    notifempty
}
```
You can update the rules with this command (adjust the path to wherever your rule set is installed; the example below uses a different directory than the one set up above):

```
sudo python /etc/apache2/owasp-modsecurity-crs/util/upgrade.py --crs
```