Last updated at Fri, 20 Apr 2018 15:03:37 GMT
Synopsis
The Apache web server is the most widely used web server in the world, so securing it is a crucial task for every system administrator. Many tools and techniques exist for hardening Apache; among them, mod_security is one of the most important Apache modules, providing intrusion detection and prevention for web servers. mod_security performs real-time web application monitoring, logging, and access control, and it protects the web server from many kinds of attacks, including XSS, bots, SQL injection, session capture and hijacking, Trojans, and more.
In this article, we will learn how to install and configure mod_security on an Ubuntu 16.04 server. We will also send a few test attack requests to verify that the module blocks them.
System Requirements
- Newly deployed Ubuntu 16.04 server.
- A static IP address 192.168.1.10 is configured on your server.
Update the System
First, you will need to update your system's packages to their latest stable versions. You can do this with the following commands:
apt-get update -y
apt-get upgrade -y
Install LAMP Server
Before starting, you will need a LAMP stack installed on your server. If it is not already installed, you can install it with the following command (Ubuntu 16.04 ships PHP 7.0; the php5 packages are not in its repositories):
apt-get install -y apache2 mysql-server php7.0 libapache2-mod-php7.0 php7.0-mysql php7.0-mcrypt
Once the installation is complete, start the Apache service and enable it to start at boot:
systemctl start apache2
systemctl enable apache2
Install mod_security
mod_security is available in the default Ubuntu 16.04 repositories, so you can simply install it with the following command:
apt-get install libapache2-modsecurity
Once the installation is complete, you can test it with the following command:
apachectl -M | grep security
If everything is fine, you should see the following output:
security2_module (shared)
Configure mod_security
By default, mod_security does not protect anything, because it needs rules to work and the shipped configuration only detects rather than blocks. First, you will need to rename the example file modsecurity.conf-recommended in the /etc/modsecurity directory. You can do this with the following command:
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Next, you will need to enable the mod_security rule engine. Open the configuration file:
nano /etc/modsecurity/modsecurity.conf
Find the SecRuleEngine line (the recommended file ships it set to DetectionOnly, which logs matches but does not block) and change it to:
SecRuleEngine On
Save the file and restart Apache for the changes to take effect.
systemctl restart apache2
By default, mod_security comes with a core rule set (CRS, the security rules) located in the /usr/share/modsecurity-crs directory, but it is recommended to download the current mod_security CRS from its GitHub repository instead.
First, remove the default CRS with the following command:
rm -rf /usr/share/modsecurity-crs
Next, download the latest version of mod_security CRS with the following command:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
Next, rename the example setup file with the following command:
cd /usr/share/modsecurity-crs
mv crs-setup.conf.example crs-setup.conf
Next, you will need to enable these rules so that Apache loads them. You can do this by editing the /etc/apache2/mods-enabled/security2.conf file:
nano /etc/apache2/mods-enabled/security2.conf
Change the file so that it reads as shown below. The order matters: crs-setup.conf (picked up by the first modsecurity-crs include) must be loaded before the rules directory, because the rules depend on variables it defines.
<IfModule security2_module>
    SecDataDir /var/cache/modsecurity
    IncludeOptional /etc/modsecurity/*.conf
    IncludeOptional /usr/share/modsecurity-crs/*.conf
    IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
</IfModule>
Save and close the file, then restart the Apache service (running apachectl configtest first reports any syntax error in the new includes):
systemctl restart apache2
Test mod_security
Once everything is configured properly, we will test mod_security by sending some malicious requests to the Apache web server and checking whether they are blocked.
First, we will test how mod_security protects the Apache web server from an XSS attack.
On a remote machine, run the following command to send an XSS test request:
curl 'http://192.168.1.10/?q="><script>alert(1)</script>'
You should see a 403 Forbidden response like the following:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.10 Port 80</address>
</body></html>
Next, we will test mod_security against a SQL injection attack with the following command (the space in the payload is percent-encoded so that the HTTP request line stays well-formed):
curl "http://192.168.1.10/?q='1%20OR%201=1"
You should get a 403 Forbidden response as shown in the following output:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /
on this server.<br />
</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 192.168.1.10 Port 80</address>
</body></html>
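As an added example (not part of the original article), the following Python script automates the two checks above and also confirms that a benign request still gets through, which the article's tests do not cover; a WAF that blocks everything passes the attack tests but breaks the site. It assumes the server address 192.168.1.10 from the article; the fetch parameter is an assumption of this script so the probe logic can be exercised without a live server.

```python
"""Probe a mod_security-protected Apache host: attack payloads should return
403 Forbidden, while a harmless query should not be blocked.
Added example; the host 192.168.1.10 is the one configured in the article."""
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "http://192.168.1.10/"

# Constructed probes: (name, value of the q parameter, should the CRS block it?)
PROBES = [
    ("benign", "hello world", False),
    ("xss", '"><script>alert(1)</script>', True),
    ("sqli", "'1 OR 1=1", True),
]


def build_url(base, value):
    """Percent-encode the payload so quotes and spaces survive the request line."""
    return base + "?" + urllib.parse.urlencode({"q": value})


def fetch_status(url, timeout=5):
    """Return the HTTP status code for url; urllib raises on 403, so catch it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probes(base=BASE_URL, fetch=fetch_status):
    """Return {name: (status, ok)}; ok means the WAF behaved as expected:
    403 for attack payloads, anything but 403 for the benign request."""
    results = {}
    for name, value, should_block in PROBES:
        status = fetch(build_url(base, value))
        blocked = status == 403
        results[name] = (status, blocked == should_block)
    return results


if __name__ == "__main__":
    for name, (status, ok) in run_probes().items():
        print(f"{name:8s} HTTP {status}  {'OK' if ok else 'UNEXPECTED'}")
```

Run it from the remote machine after the Apache restart; an UNEXPECTED line on the benign probe points at a rule producing false positives in your crs-setup.conf paranoia settings.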