We can install and configure ModSecurity on Ubuntu 20.04/19.10. ModSecurity is also known as a WAF (Web Application Firewall); it protects your application and web server from attackers. Let's see how to install ModSecurity on Ubuntu.
ModSecurity is an open-source, cross-platform web application firewall developed by Trustwave's SpiderLabs. It has a robust event-based programming language that protects against several kinds of attacks on web applications and allows HTTP traffic monitoring, logging, and real-time analysis.
How To Install and Configure ModSecurity On Ubuntu 20.04
You should have Apache installed on the Ubuntu machine. We can install Apache on Ubuntu using the sudo apt install apache2 command.
Once it's installed, we need to start and enable the Apache service using the below command.
sudo systemctl start apache2 && sudo systemctl enable apache2
Create an index.html file inside the /var/www/html folder with the below command (the redirect has to run as root, hence tee).
echo "testing website" | sudo tee /var/www/html/index.html
Test that the website is running with the below command. You should receive the "testing website" message.
sudo curl 192.168.185.146
Install the ModSecurity On Ubuntu:
You will have to install the ModSecurity package on the Ubuntu machine using the below command.
apt-get install libapache2-mod-security2
Restart the Apache service. We can check whether the module is loaded and enabled using the below command.
root@ubuntu:/etc/apache2# apachectl -M | grep security
 security2_module (shared)
Configuration of ModSecurity:
We have to start configuring ModSecurity. The configuration lives at /etc/modsecurity/; go to that folder and take a backup of the original file before making any changes.
cd /etc/modsecurity/
cp modsecurity.conf-recommended modsecurity.conf
Then we need to edit the file modsecurity.conf and change the value of SecRuleEngine from DetectionOnly to On, then save the file and restart the Apache service.
sed -i -e 's/DetectionOnly$/On/i' /etc/modsecurity/modsecurity.conf
Now Apache is actively running ModSecurity, but no rules are active yet.
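The following is an added example, not code from the original post: two small shell functions that read the active SecRuleEngine directive from a ModSecurity config file and switch it from DetectionOnly to On, returning a non-zero status if the file did not end up in On mode. A constructed sample file is included so the check can be exercised before touching the real /etc/modsecurity/modsecurity.conf; the function names and the path argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and switch the
# ModSecurity rule-engine mode in a config file such as
# /etc/modsecurity/modsecurity.conf. Function names are this example's own.
set -u

# Print the value of the active (non-comment) SecRuleEngine directive in file $1.
# Prints "unset" when the file has no active directive at all.
rule_engine_mode() {
    mode=$(sed -n 's/^[[:space:]]*SecRuleEngine[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$mode" ]; then
        echo unset
    else
        echo "$mode"
    fi
}

# Rewrite an active "SecRuleEngine DetectionOnly" line in $1 to "SecRuleEngine On".
# Commented-out lines are left alone. Returns 0 only if the file is in On mode
# afterwards, so it can guard an "apache2ctl -t && systemctl restart apache2".
enable_rule_engine() {
    sed -i 's/^\([[:space:]]*SecRuleEngine[[:space:]]\{1,\}\)DetectionOnly[[:space:]]*$/\1On/' "$1"
    [ "$(rule_engine_mode "$1")" = "On" ]
}

# Constructed sample config mirroring the shape of modsecurity.conf-recommended,
# so the functions can be tried without editing anything under /etc.
make_sample_conf() {
    cat > "$1" <<'EOF'
# -- Rule engine initialization ---------------------------------------
# Enable ModSecurity, attaching it to every transaction.
# SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
}

# Usage when run as a script: pass the real config path as the first argument,
# e.g. sh check_secengine.sh /etc/modsecurity/modsecurity.conf
if [ $# -gt 0 ]; then
    echo "SecRuleEngine mode in $1: $(rule_engine_mode "$1")"
fi
```

The point of the exit status on enable_rule_engine is that a DetectionOnly engine silently logs instead of blocking; chaining the restart behind this check avoids restarting Apache while believing the WAF is enforcing when it is not.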
How To Enable Core rule Set and Base Rules on Mod Security:
The libapache2-mod-security2 package comes with a companion package (modsecurity-crs). This package contains the Core Rule Set, or CRS, which is a set of rules that handle the most common malicious attacks from the internet, such as:
- SQL Injections (SQLi)
- Remote Code Execution (RCE)
- Cross-Site Scripting (XSS)
You can find the CRS rules at /usr/share/modsecurity-crs/, and we need to enable them in the modsecurity.conf file.
It is always recommended to download the latest set of rules from GitHub using the commands below.
cd /usr/share
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv /usr/share/owasp-modsecurity-crs/ /usr/share/modsecurity-crs/
cd /usr/share/modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf
To make these settings work, we need to enable them with the lines below.
Add these two lines to the file. This will include all the files which are inside the security module.
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
Save the file using :wq! and check the Apache config before restarting the Apache service.
sudo apache2ctl -t
sudo systemctl restart apache2
Check the status of the Apache service with the sudo systemctl status apache2 command.
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-19 10:45:54 PDT; 46s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 6708 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 6731 (apache2)
      Tasks: 55 (limit: 3282)
     Memory: 27.8M
     CGroup: /system.slice/apache2.service
             ├─6731 /usr/sbin/apache2 -k start
             ├─6732 /usr/sbin/apache2 -k start
             └─6733 /usr/sbin/apache2 -k start
Test The Mod Security Configuration:
We can also test the ModSecurity configuration with a malicious request; you should get the "Forbidden" message. Hit the URL in the browser or hit it on the server with the curl command.
You can test an XSS attack against the remote machine using the below command. Don't forget to replace the IP address with your public IP or domain name. You will get the same result, "Forbidden".
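A "Forbidden" page in the browser only shows that something blocked the request; the confirmation that it was ModSecurity, and which CRS rule fired, is in the Apache error log. The following is an added example, not code from the original post: a shell function that extracts the client IP, rule id, URI and rule message of every request ModSecurity denied, skipping lines that were only warnings (what you see while SecRuleEngine is still DetectionOnly). The log lines are constructed samples in the format mod_security2 writes to /var/log/apache2/error.log; the client address, line numbers and unique ids are made up, while the rule ids and file name are the CRS XSS rules (941100, 941110).

```shell
#!/bin/sh
# Added example (not from the original post): list the requests ModSecurity
# blocked, read from the Apache error log. Sample log lines are constructed.
set -u

# Print one line per blocked request in log file $1:
#   <client ip> <rule id> <uri> <rule message>
# Only "Access denied" lines count; "Warning" lines from DetectionOnly mode
# or non-blocking rules are skipped.
blocked_requests() {
    grep 'ModSecurity: Access denied' "$1" |
    sed -n 's/.*\[client \([0-9.]*\):[0-9]*\].*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*\[uri "\([^"]*\)"\].*/\1 \2 \4 \3/p'
}

# Number of blocked requests in log file $1.
blocked_count() {
    blocked_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one normal startup line, one rule that only warned
# (engine still in DetectionOnly), and one request that was actually denied.
make_sample_log() {
    cat > "$1" <<'EOF'
[Wed Aug 19 10:45:54.120345 2020] [mpm_prefork:notice] [pid 6731] AH00163: Apache/2.4.41 (Ubuntu) configured -- resuming normal operations
[Wed Aug 19 10:48:02.771120 2020] [:error] [pid 6732] [client 192.168.185.1:55110] [client 192.168.185.1] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:q. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "70"] [id "941110"] [msg "XSS Filter - Category 1: Script Tag Vector"] [severity "CRITICAL"] [hostname "192.168.185.146"] [uri "/index.html"] [unique_id "XzxtEgABCDEF0001"]
[Wed Aug 19 10:50:12.482311 2020] [:error] [pid 6732] [client 192.168.185.1:55120] [client 192.168.185.1] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "55"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "192.168.185.146"] [uri "/index.html"] [unique_id "XzxvFAABCDEF0002"]
EOF
}

# Usage when run as a script: pass the log path, e.g.
#   sh blocked.sh /var/log/apache2/error.log
if [ $# -gt 0 ]; then
    echo "blocked requests in $1: $(blocked_count "$1")"
    blocked_requests "$1"
fi
```

Running this after the curl test from the section above should show exactly one new line for your test client; if the count stays at zero but the log carries "ModSecurity: Warning" entries, the engine is still in DetectionOnly and the earlier sed step did not take effect.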