Apache Web Server is a modular web server that offers flexibility, power, and high performance across different platforms and environments. Its modularity means that most key features are implemented as modules that can be enabled or disabled at compile time or even at run time, which lets a webmaster tailor the Apache configuration. ModSecurity is one of these Apache modules. After reading this article, you will understand how to configure ModSecurity for Apache on Ubuntu.
ModSecurity is an open-source web application firewall (WAF) that can work as a reverse proxy and is supported by the Apache, Nginx, and IIS web servers. Web application firewalls are used to create an external security layer that increases the level of protection by detecting and preventing attacks before they reach web applications.
As an Apache module, ModSecurity prevents the execution of dangerous web scripts and adds intrusion detection and prevention features to the web server. It is similar to an IDS that analyzes network traffic. It comes with a set of core rules that include rules for cross-site scripting, malicious user agents, SQL injection, Trojans, session-related attacks, and other exploits.
– HTTP protection: detection of violations of the HTTP protocol and of locally defined usage policy
– Protection against common web attacks: Identify common attacks against web applications
– Automatic detection: bots, crawlers, scanners, and other malicious activities
– Trojan protection: detection of Trojan access
– Hide Error Messages: Hide error messages sent by the server
Apache is free and open-source software that runs on 67% of all web servers in the world. It offers high speed, reliability, and security, and can be customized with plugins and modules to meet the needs of users in all environments. WordPress hosts use Apache as web server software. Apache was originally developed for Linux and Unix operating systems and was later adapted to work with other systems, including Windows and Mac. Across operating systems, using Apache differs in the directory paths and the installation steps.
– A Linux VPS plan that runs the Ubuntu OS
– A non-root user who can perform sudo tasks
First, update the Ubuntu package index by entering the following command:
sudo apt-get update
Now you can install Apache by executing the following command:
sudo apt-get install apache2
When prompted, press Y and then Enter. The ModSecurity module for Apache is available in the default Ubuntu repository, so you only need to execute the following command to install it:
sudo apt install libapache2-mod-security2
Enter the following command to enable ModSecurity:
sudo a2enmod security2
To make the changes take effect, just restart Apache with the following command:
sudo systemctl restart apache2
Now you should find the following line in the /etc/apache2/mods-enabled/security2.conf configuration file:
IncludeOptional /etc/modsecurity/*.conf
This directive makes Apache include all *.conf files in the /etc/modsecurity/ directory. For the recommended configuration to be loaded, you need to rename the modsecurity.conf-recommended file:
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then edit the renamed file with your preferred command-line text editor:
sudo nano /etc/modsecurity/modsecurity.conf
Now you need to find the following line:
SecRuleEngine DetectionOnly
This setting lets ModSecurity log HTTP transactions but take no action when an attack is detected. To make ModSecurity detect and block web attacks, change the line to:
SecRuleEngine On
The following line tells ModSecurity what information should be included in the audit log. You should find it:
SecAuditLogParts ABDEFHIJZ
The default setting should be changed as follows:
SecAuditLogParts ABCEFHJKZ
Finally, save and close the file. You should restart Apache to apply the changes by entering the following command:
sudo systemctl restart apache2
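An added example (not part of the original article) that checks the two settings edited above instead of relying on a visual check of the file. It assumes all files passed to it belong to one configuration context, so the last uncommented occurrence of a directive is the effective one; the function names are hypothetical. In ModSecurity 2.x, part K of SecAuditLogParts is the list of rules that matched.

```shell
# Added example: check the two modsecurity.conf settings changed in this tutorial.
# Usage on a real server: sh this_script.sh /etc/modsecurity/modsecurity.conf

# Print the value of the last uncommented occurrence of a directive.
# Assumption: all files passed share one configuration context, so the last
# occurrence is the effective one. Apache directive names are case-insensitive.
modsec_directive() {
    directive=$1; shift
    awk -v want="$directive" '
        tolower($1) == tolower(want) { gsub(/"/, "", $2); value = $2 }
        END { if (value != "") print value }
    ' "$@"
}

# Return 0 only when the engine blocks and the audit log lists matched rules.
modsec_audit() {
    engine=$(modsec_directive SecRuleEngine "$@")
    parts=$(modsec_directive SecAuditLogParts "$@")
    status=0
    case "$engine" in
        [Oo][Nn]) echo "OK    SecRuleEngine $engine: attacks are blocked" ;;
        "")       echo "WARN  SecRuleEngine is not set"; status=1 ;;
        *)        echo "WARN  SecRuleEngine $engine: attacks are not blocked"; status=1 ;;
    esac
    case "$parts" in
        *K*) echo "OK    SecAuditLogParts $parts: matched rules are logged (part K)" ;;
        *)   echo "WARN  SecAuditLogParts ${parts:-unset}: part K (matched rules) missing"
             status=1 ;;
    esac
    return "$status"
}

# Run the audit only when configuration files are given on the command line.
if [ "$#" -gt 0 ]; then
    modsec_audit "$@"
fi
```

A non-zero exit status means the server is still in DetectionOnly mode or the audit log will not show which rules fired.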
ModSecurity protects your web applications through rules that detect and block malicious agents. You can install an existing rule set to get started quickly. There are several free rule sets for ModSecurity. The OWASP Core Rule Set (CRS) is a standard set of rules used with ModSecurity.
The OWASP Core Rule Set is free, community-maintained, and the most widely used rule set, and it provides a default rule configuration for ModSecurity. It can be integrated with the Honeypot project and contains rules that help stop common attack vectors, including SQL injection (SQLi), cross-site scripting (XSS), and many others, as well as rules for detecting bots and identifying scanners. It has been tuned through wide exposure to have very few false positives.
When you install ModSecurity from the default Ubuntu repository, the modsecurity-crs package is also installed, which includes the OWASP Core Rule Set version 3.x. You can also download the CRS directly from GitHub (version 3.3.0 in this tutorial) by executing the following command:
wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz
Then you should extract the file with the following command:
tar xvf v3.3.0.tar.gz
Now you need to create a directory to store CRS files. To do this, enter the following command:
sudo mkdir /etc/apache2/modsecurity-crs/
Then move the extracted directory into that folder with the following command:
sudo mv coreruleset-3.3.0/ /etc/apache2/modsecurity-crs/
Navigate to that directory by entering the following command:
cd /etc/apache2/modsecurity-crs/coreruleset-3.3.0/
Then rename the crs-setup.conf.example file:
sudo mv crs-setup.conf.example crs-setup.conf
Now edit the ModSecurity module configuration file with the following command:
sudo nano /etc/apache2/mods-enabled/security2.conf
The following line loads the default CRS files. You should find it:
IncludeOptional /usr/share/modsecurity-crs/*.load
Now replace the above line with the following two lines:
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/crs-setup.conf
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/*.conf
Remember to save the file and close it. Then test the Apache configuration by executing the following command:
sudo apache2ctl -t
Finally, restart Apache with the following command:
sudo systemctl restart apache2
In the last step, you should test that ModSecurity can detect and block suspicious HTTP traffic. To do this you need to edit the default virtual host file with the following command:
sudo nano /etc/apache2/sites-available/000-default.conf
In this step, create a test rule that blocks a request when it carries a specific parameter. Append the following lines at the end of the file, just before the closing </VirtualHost> tag:
SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"
You can set the “id” and “msg” values to anything you like, as long as the id is unique among the loaded rules. Then restart the Apache web server to apply the changes to the host configuration file by executing the following command:
sudo systemctl restart apache2
Now visit your server's URL in a web browser with ?testparam=test appended at the end:
http://server-ip/?testparam=test
If you get a “403 Forbidden” error, access to the resource is blocked. To confirm that the client was blocked by the test rule, check the error log by entering the following command. Note that grep is case-sensitive, so the search string must match the msg value of the rule exactly:
cat /var/log/apache2/error.log | grep "Test Successful"
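An added example (not part of the original article) that goes beyond grepping for one message: it summarises every ModSecurity denial in an error log by rule id, so hits from the test rule and from CRS rules show up side by side. The sample log lines are constructed in the ModSecurity 2.x error-log layout, and the function names are hypothetical.

```shell
# Added example: summarise ModSecurity denials in an Apache error log by rule id.
# Usage on a real server: modsec_denials /var/log/apache2/error.log
# Output columns (tab-separated): rule id, hit count, msg, URI of the latest hit.

modsec_denials() {
    awk '
        # Return the value of a [tag "value"] pair on the current line, or "-".
        function field(tag,    start, rest) {
            start = index($0, "[" tag " \"")
            if (start == 0) return "-"
            rest = substr($0, start + length(tag) + 3)
            return substr(rest, 1, index(rest, "\"]") - 1)
        }
        /ModSecurity: Access denied/ {
            id = field("id")
            hits[id]++
            msg[id] = field("msg")
            uri[id] = field("uri")
        }
        END {
            for (id in hits)
                printf "%s\t%d\t%s\t%s\n", id, hits[id], msg[id], uri[id]
        }
    ' "$@" | sort -n
}

# Constructed sample lines (addresses are documentation ranges, not real clients).
sample_log() {
    cat <<'EOF'
[Mon Jan 06 10:00:00.000000 2025] [mpm_event:notice] [pid 1000] AH00489: Apache/2.4 configured -- resuming normal operations
[Mon Jan 06 10:00:01.000000 2025] [:error] [pid 1111] [client 203.0.113.5:40000] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "30"] [id "254"] [msg "Test Successful"] [hostname "192.0.2.10"] [uri "/"] [unique_id "constructed-1"]
[Mon Jan 06 10:00:05.000000 2025] [:error] [pid 1111] [client 203.0.113.7:40100] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "192.0.2.10"] [uri "/"] [unique_id "constructed-2"]
[Mon Jan 06 10:00:09.000000 2025] [:error] [pid 1112] [client 203.0.113.5:40002] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "30"] [id "254"] [msg "Test Successful"] [hostname "192.0.2.10"] [uri "/index.html"] [unique_id "constructed-3"]
EOF
}

# Demonstration on the constructed sample.
sample_log | modsec_denials
```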
ModSecurity is used to detect and block unwanted traffic. In this article, you learned how to configure ModSecurity for Apache on Ubuntu. By following our step-by-step tutorial, you can easily install and configure it on your Ubuntu system. We hope this educational article was useful for you. Share your comments with us through the form below.
ModSecurity is a vital piece of PCI DSS compliance and helps to shield your site against external threats.
If you installed ModSecurity, you can find it under your plugins.