Use the ModSecurity Apache module on a cloud server with Ubuntu 16.04

IONOS editorial team05/19/20214 mins

ModSecurity is a free web application firewall (WAF) which is a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially-recommended OWASP Core Rule Set (CRS) which will protect a server against malware and hacking in the form of SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.

VPS Hosting

Fully virtualized servers with root access

Unlimited traffic
Fast SSD NVMe storage
Free Plesk Web Host Edition

Requirements

A Cloud Server running Linux (Ubuntu 16.04)
Apache installed and running.

Note

Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.

Install ModSecurity

Install the libapache2-modsecurity package:

sudo apt-get install libapache2-modsecurity

Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:

user@localhost:~# apachectl -M | grep security
security2_module (shared)

Create a directory for the ModSecurity rules:

sudo mkdir /etc/modsecurity

Create a file for ModSecurity rules and open the file for editing:

sudo nano /etc/modsecurity/mod_security.conf

Add the following to the file:

<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On 
    SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
    SecDataDir /tmp
</IfModule>

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart apache2

Install and configure the OWASP Core Rule Set (CRS)

The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.

First, install the git package:

sudo apt-get install git

Go to the /etc/apache2 directory:

cd /etc/apache2/

Download the OWASP installation files:

sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Move to the new OWASP directory:

cd owasp-modsecurity-crs

Create a copy of the example setup file and rename it:

sudo cp crs-setup.conf.example crs-setup.conf

Open the main Apache configuration file for editing:

sudo nano /etc/apache2/apache2.conf

Scroll down to the section which reads:

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Add the following two lines:

Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf

Save and exit the file. Then restart Apache for the changes to take effect:

systemctl restart apache2

Web Hosting

Fast, scalable hosting for any website

99.9% uptime
PHP 8.3 with JIT compiler
SSL, DDoS protection, and backups

Verify that ModSecurity is installed and the OWASP CRS is loaded

You can test ModSecurity's OWASP CRS by visiting the URL:

http://example.com/?param="><script>alert(1);</script>

Where example.com is replaced with your server's domain name or IP address.

You will be denied access with a 403: Forbidden error. Furthermore, this error will be noted in the /var/log/apache2/error.log file, with an entry similar to:

[Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client 79.196.255.255] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "50.21.182.126:80"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "50.21.182.126"] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]

Update the OWASP Core Rule Set (CRS)

The OWASP CRS comes with a script you can run to update the rules with the latest version. To update OWASP:

sudo python /etc/apache2/owasp-modsecurity-crs/util/upgrade.py --crs

If you run it now to test the command, it will respond with:

crs:
From https://github.com/SpiderLabs/owasp-modsecurity-crs
 * branch            HEAD       -> FETCH_HEAD
Already up-to-date.

We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.

Was this article helpful?

Oleksiy Markshutterstock

How to Install and Configure Apache for WordPress

Learn How to install and configure apache for WordPress. With this guide we will show you how to install and setup Apache for a WordPress installation.

Wordpress
Tutorials
Apache

GaudiLabshutterstock

How to install Apache Tomcat on CentOS 7

Learn how to install and use Apache Tomcat on CentOS 7. Apache Tomcat is a Java Servlet container developed by Apache to which allows you to deploy Java servlets and JSPs. Apache Tomcat also functions as a web server, which is able to support small to medium-sized websites. This…

Tutorials
Apache

ra2 studioShutterstock

How to enable CGI scripts on Apache

Learn how to enable CGI scripts to run on the Apache web server. This tutorial includes step-by-step instructions for adding the necessary Apache configurations to allow CGI scripts to run, and how to set the correct permissions on the directory and CGI files.

Tutorials
Apache