Use the ModSecurity Apache module on a cloud server with Ubuntu 16.04
ModSecurity is a free web application firewall (WAF) that offers a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially recommended OWASP Core Rule Set (CRS), which helps protect a server against malware and hacking in the form of SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.
Requirements
- A Cloud Server running Linux (Ubuntu 16.04)
- Apache installed and running.
Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.
Install ModSecurity
Install the libapache2-modsecurity package:
sudo apt-get install libapache2-modsecurity
Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:
user@localhost:~# apachectl -M | grep security
security2_module (shared)
Create a directory for the ModSecurity rules, if it does not already exist:
sudo mkdir -p /etc/modsecurity
Create a file for ModSecurity rules and open the file for editing:
sudo nano /etc/modsecurity/mod_security.conf
Add the following to the file:
<IfModule mod_security2.c>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
SecDataDir /tmp
</IfModule>
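SecDataDir /tmp keeps the setup simple, but /tmp is world-writable; on a production server, point SecDataDir at a dedicated directory that only the Apache user can write to.
Save and exit the file. Then restart Apache for the changes to take effect: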
sudo systemctl restart apache2
Install and configure the OWASP Core Rule Set (CRS)
The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.
First, install the git package:
sudo apt-get install git
Go to the /etc/apache2 directory:
cd /etc/apache2/
Download the OWASP installation files:
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Move to the new OWASP directory:
cd owasp-modsecurity-crs
Create a copy of the example setup file and rename it:
sudo cp crs-setup.conf.example crs-setup.conf
Open the main Apache configuration file for editing:
sudo nano /etc/apache2/apache2.conf
Scroll down to the section which reads:
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Add the following two lines:
Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf
Save and exit the file. Then restart Apache for the changes to take effect:
sudo systemctl restart apache2
Verify that ModSecurity is installed and the OWASP CRS is loaded
You can test ModSecurity's OWASP CRS by visiting the URL:
http://example.com/?param="><script>alert(1);</script>
Where example.com is replaced with your server's domain name or IP address.
The request will be denied with a 403: Forbidden error. The event is also recorded in the /var/log/apache2/error.log file, with an entry similar to:
[Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client 79.196.255.255] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "50.21.182.126:80"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "50.21.182.126"] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]
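The entry above carries its rule metadata as [key "value"] pairs after the ModSecurity message. The following is an added example, not part of the original tutorial: it parses such lines and counts hits per rule id, which helps when reviewing what the CRS flagged or blocked. The function names are illustrative and the sample lines are constructed.

```python
import re
from collections import Counter

# Apache prefix fields, then the ModSecurity action (warning or denial with status).
PREFIX = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[[^\]]*\] \[pid [^\]]+\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: (?:Warning|Access denied with code (?P<status>\d+))')
# Metadata pairs such as [id "920350"]; a value may contain backslash-escaped quotes.
PAIR = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_entry(line):
    """Parse one ModSecurity error.log line into a dict; None for other lines."""
    m = PREFIX.match(line)
    if not m:
        return None
    entry = {"time": m["time"], "client": m["client"],
             "blocked": m["status"] is not None, "tags": []}
    for key, value in PAIR.findall(line[m.end():]):
        if key == "tag":
            entry["tags"].append(value)  # [tag ...] repeats, so keep every value
        else:
            entry[key] = value
    return entry

def summarize(lines):
    """Count hits per rule id and list the URIs of requests that were denied."""
    hits, denied = Counter(), []
    for entry in filter(None, map(parse_entry, lines)):
        hits[entry.get("id")] += 1
        if entry["blocked"]:
            denied.append(entry.get("uri"))
    return hits, denied

# Constructed sample lines modeled on the entry above (shortened, documentation IPs).
SAMPLE_LOG = [
    r'[Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client 203.0.113.7] '
    r'ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. '
    r'[file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] '
    r'[line "810"] [id "920350"] [msg "Host header is a numeric IP address"] '
    r'[severity "WARNING"] [tag "attack-protocol"] [tag "PCI/6.5.10"] [uri "/"]',
    r'[Tue Aug 01 21:30:02.000001 2017] [:error] [pid 59913] [client 203.0.113.7] '
    r'ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at '
    r'TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] '
    r'[severity "CRITICAL"] [tag "attack-generic"] [uri "/"]',
    '[Tue Aug 01 21:30:05.000001 2017] [mpm_event:notice] [pid 1] AH00489: Apache configured',
]
if __name__ == "__main__":
    hits, denied = summarize(SAMPLE_LOG)
    print(dict(hits), denied)
```

To use it on the server, pass the open log file to summarize(), for example summarize(open("/var/log/apache2/error.log")); lines that are not ModSecurity entries are skipped.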
Update the OWASP Core Rule Set (CRS)
The OWASP CRS comes with a script you can run to update the rules to the latest version. To update the CRS:
sudo python /etc/apache2/owasp-modsecurity-crs/util/upgrade.py --crs
If you run it now to test the command, it will respond with:
crs:
From https://github.com/SpiderLabs/owasp-modsecurity-crs
* branch HEAD -> FETCH_HEAD
Already up-to-date.
We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.