How To Install and Configure ModSecurity On Ubuntu 20.04

We can install and configure ModSecurity on Ubuntu 20.04/19.10. ModSecurity is a WAF (Web Application Firewall), which protects your application and web server from attackers. Let's see how to install ModSecurity on Ubuntu.

ModSecurity is an open-source, cross-platform web application firewall developed by Trustwave's SpiderLabs. It has a robust event-based programming language that protects against a range of attacks on web applications and allows for HTTP traffic monitoring, logging, and real-time analysis.

You should have Apache installed on the Ubuntu machine. We can install Apache on Ubuntu using the sudo apt install apache2 command.

Once it's installed, we need to start and enable the Apache service using the command below.

sudo systemctl start apache2 && sudo systemctl enable apache2

Create an index.html file inside the /var/www/html folder with the command below.

echo "testing website" | sudo tee /var/www/html/index.html

Test that the website is running with the command below. You should receive the “testing website” message.

sudo curl 192.168.185.146

Install the ModSecurity On Ubuntu:

Install the ModSecurity package on the Ubuntu machine using the command below.

sudo apt-get install libapache2-mod-security2

Restart the Apache service. We can check whether the module is loaded and enabled using the command below.

root@ubuntu:/etc/apache2# apachectl -M | grep security
security2_module (shared)

Configuration of ModSecurity:

Next, we configure ModSecurity. Its configuration is located at /etc/modsecurity/. Go to that folder and make a copy of the original file before making any changes.

cd /etc/modsecurity/
cp modsecurity.conf-recommended modsecurity.conf

Then, edit the file modsecurity.conf and change the value of SecRuleEngine from DetectionOnly to On. Save the file and restart the Apache service.

SecRuleEngine On

Or

sed -i -e 's/DetectionOnly$/On/i' /etc/modsecurity/modsecurity.conf

Apache is now running with ModSecurity active, but no rules are loaded yet.

How To Enable Core Rule Set and Base Rules on Mod Security:

The libapache2-mod-security2 package comes with a companion package (modsecurity-crs). This package contains the Core Rule Set (CRS), a set of rules that handle the most common malicious attacks from the internet, such as:

  • SQL Injections (SQLi)
  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS) 

You can find the CRS rules at /usr/share/modsecurity-crs/, and we need to enable them in the Apache ModSecurity configuration.

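It is always recommended to download the rule set from GitHub using the commands below. Clone inside /usr/share/ and move the packaged directory aside first, so that the mv places the clone at /usr/share/modsecurity-crs/ instead of inside the existing directory.

cd /usr/share/
mv modsecurity-crs modsecurity-crs.packaged
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv /usr/share/owasp-modsecurity-crs/ /usr/share/modsecurity-crs/
cd /usr/share/modsecurity-crs/
cp crs-setup.conf.example crs-setup.conf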

For these settings to take effect, we need to enable them in the following file.

vim /etc/apache2/mods-enabled/security2.conf

Add these two lines to the file. They include the CRS setup file and all the rule files.

IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf

Save the file using :wq! and check the Apache configuration before restarting the Apache service.

sudo apache2ctl -t
sudo systemctl restart apache2

Check the status of the Apache service with the sudo systemctl status apache2 command.

● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-08-19 10:45:54 PDT; 46s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 6708 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 6731 (apache2)
Tasks: 55 (limit: 3282)
Memory: 27.8M
CGroup: /system.slice/apache2.service
├─6731 /usr/sbin/apache2 -k start
├─6732 /usr/sbin/apache2 -k start
└─6733 /usr/sbin/apache2 -k start
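
A running service does not prove the edits took effect, so the checks below (an added example, not part of the original guide) read modsecurity.conf and security2.conf and report whether the engine is really set to On and whether both CRS include lines are present and well-formed. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide); function names are hypothetical.

# Print the value of the last uncommented SecRuleEngine line in file $1.
# Tolerates trailing blanks and CR line endings, which stop the sed pattern
# 'DetectionOnly$' from matching and leave the engine in DetectionOnly.
modsec_engine_mode() {
    awk '
        { sub(/\r$/, "") }
        /^[ \t]*#/ { next }
        tolower($1) == "secruleengine" { mode = $2 }
        END { if (mode == "") exit 1; print mode }
    ' "$1"
}

# Succeed only when the engine blocks requests (On), not DetectionOnly or Off.
modsec_is_blocking() {
    mode=$(modsec_engine_mode "$1") || return 1
    [ "$(printf '%s' "$mode" | tr '[:upper:]' '[:lower:]')" = "on" ]
}

# Check security2.conf ($1) for both CRS include globs under directory $2.
# Returns 1 if a glob is missing, 2 if an IncludeOptional line has an odd
# number of double quotes (a copy/paste typo), 0 otherwise.
crs_includes_ok() {
    conf=$1
    crs=${2:-/usr/share/modsecurity-crs}
    pre='^[[:space:]]*IncludeOptional[[:space:]]+"?'
    post='"?[[:space:]]*$'
    grep -Eq "${pre}${crs}/\\*\\.conf${post}" "$conf" || return 1
    grep -Eq "${pre}${crs}/rules/\\*\\.conf${post}" "$conf" || return 1
    awk 'tolower($1) == "includeoptional" && gsub(/"/, "&") % 2 { bad = 2 }
         END { exit bad + 0 }' "$conf"
}

# Constructed sample: a trailing blank defeats the sed edit, and the second
# include line carries a stray opening quote.
demo=$(mktemp -d)
printf 'SecRuleEngine DetectionOnly \n' > "$demo/modsecurity.conf"
sed -i -e 's/DetectionOnly$/On/i' "$demo/modsecurity.conf"
printf 'IncludeOptional /usr/share/modsecurity-crs/*.conf\n' > "$demo/security2.conf"
printf 'IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf\n' >> "$demo/security2.conf"
modsec_is_blocking "$demo/modsecurity.conf" ||
    echo "engine mode is $(modsec_engine_mode "$demo/modsecurity.conf"), not On"
crs_includes_ok "$demo/security2.conf" || echo "include check failed: status $?"
rm -rf "$demo"
```

On a real host, point the functions at /etc/modsecurity/modsecurity.conf and /etc/apache2/mods-enabled/security2.conf.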

Test The Mod Security Configuration:

We can test the ModSecurity configuration with a malicious-looking request, and you should get the “Forbidden” message. Open the URL in the browser or request it on the server with the curl command.

curl "http://192.168.185.146/index.html?exec=/bin/bash"

You can test an XSS attack against the remote machine using the URL below. Don't forget to replace the IP address with your public IP or domain name. You will get the same “Forbidden” result.

http://192.168.185.146/?q="><script>alert(1)</script>

That’s it.

I'm the founder of Curious Viral. I hope this blog will provide you complete information about Linux Technology & I would like to share my technical knowledge with you which I have learned during this period.
