ModSecurity is a free Web Application Firewall (WAF) that works with Apache, Nginx and IIS. It has a flexible rule engine that supports both simple and complex operations, and it is normally deployed together with the OWASP ModSecurity Core Rule Set (CRS).
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
The Core Rule Set provides protection against many common attack categories, including:
- SQL Injection (SQLi)
- Cross Site Scripting (XSS)
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)
- Remote Code Execution (RCE)
- PHP Code Injection
- HTTP Protocol Violations
- HTTPoxy
- Session Fixation
- Scanner Detection
- Metadata/Error Leakages
- Project Honey Pot Blacklist
- GeoIP Country Blocking
This tutorial shows how to install and configure ModSecurity for Apache2 and how to install the OWASP ModSecurity Core Rule Set.
Install and configure Apache2 ModSecurity on Ubuntu Server
1. Installing ModSecurity
– Method 1: ModSecurity is available in the Debian/Ubuntu repositories:
Install the dependencies:
# sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev
Install the module and reload Apache:
# sudo apt-get install libapache2-mod-security2
# sudo /etc/init.d/apache2 force-reload
– Method 2: Download the source code and build it:
# git clone https://github.com/SpiderLabs/ModSecurity
Stop the Apache server:
# sudo service apache2 stop
Install the Apache apxs tool:
# sudo apt-get install apache2-threaded-dev
Install libxml2-dev:
# sudo apt-get install libxml2-dev
Install libcurl4-gnutls-dev:
# sudo apt-get install libcurl4-gnutls-dev
cd into the directory:
# cd ModSecurity
Run the autogen.sh script:
# ./autogen.sh
Run the configure script:
# ./configure
Run make:
# make
Run make install:
# make install
Copy the new mod_security2.so file into the Apache modules directory:
# cp /usr/local/modsecurity/lib/mod_security2.so /usr/lib/apache2/modules/
2. Configuring ModSecurity
The default modsecurity configuration file sets the rule engine to DetectionOnly, which logs requests that match rules but blocks nothing. Change this by editing the modsecurity.conf file:
– Find this line “SecRuleEngine DetectionOnly” and change it to: SecRuleEngine On
The SecResponseBodyAccess directive configures whether response bodies are buffered (i.e. read by ModSecurity). This is only necessary if data leakage detection and protection is required; otherwise, leaving it On uses up droplet resources and increases the log file size.
– Find this line SecResponseBodyAccess On and change it to: SecResponseBodyAccess Off
– Now we’ll limit the maximum amount of data that can be posted to your web application. Two directives configure this:
– Set the maximum POST data size: SecRequestBodyLimit 13107200 (this is 12.5MB). If a client sends more than 12.5MB the server responds with a 413 Request Entity Too Large error. If your web application has no file uploads this value can be greatly reduced.
– SecRequestBodyNoFilesLimit is similar to SecRequestBodyLimit, but applies to POST data that contains no file uploads: SecRequestBodyNoFilesLimit 131072 (this is 128KB).
– SecRequestBodyInMemoryLimit affects server performance: it specifies how much request body (POSTed) data is kept in memory (RAM); anything beyond that is written to disk (much like swapping). Since droplets use SSDs this is not much of an issue, but it can be set to a higher value if you have RAM to spare. SecRequestBodyInMemoryLimit 131072 is the value (128KB) specified in the configuration file.
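As an added check (example code, not part of this tutorial or of ModSecurity itself), the following Python script parses a modsecurity.conf and reports which of the directives discussed above still hold a value other than the one this tutorial recommends; the sample configuration embedded in it is constructed to look like the stock file before the edits.

```python
"""Audit a modsecurity.conf for the settings this tutorial changes.

Added example, not part of the original tutorial or of ModSecurity.
Comment lines are ignored and, as in ModSecurity, a later occurrence of
a directive overrides an earlier one.
"""
import re

# Values expected after following the tutorial (limits are in bytes).
EXPECTED = {
    "SecRuleEngine": "On",
    "SecResponseBodyAccess": "Off",
    "SecRequestBodyLimit": "13107200",        # 12.5MB
    "SecRequestBodyNoFilesLimit": "131072",   # 128KB
    "SecRequestBodyInMemoryLimit": "131072",  # 128KB
}

DIRECTIVE_RE = re.compile(r"^\s*(Sec[A-Za-z]+)\s+(\S+)")


def parse_directives(conf_text):
    """Return {directive: value} for the last occurrence of each directive."""
    found = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def audit(conf_text):
    """Return (directive, actual, expected) for every expected directive
    whose value differs; a missing directive is reported with actual=None."""
    found = parse_directives(conf_text)
    return [(d, found.get(d), v) for d, v in EXPECTED.items() if found.get(d) != v]


# Constructed sample resembling the stock file before the tutorial's edits.
SAMPLE_DEFAULT_CONF = """\
# -- Rule engine initialization ------------------------------------------
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess On
"""

if __name__ == "__main__":
    for directive, actual, expected in audit(SAMPLE_DEFAULT_CONF):
        print(f"{directive}: is {actual!r}, tutorial expects {expected!r}")
```

Point it at the real file with `audit(open("/etc/modsecurity/modsecurity.conf").read())` after editing to confirm nothing was missed.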
3. Installing the OWASP Core Rule Set
– Clone the repository into the modsecurity.d folder using:
# git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
– Rename crs-setup.conf.example, rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example to remove the ‘.example’ extension:
# mv crs-setup.conf.example crs-setup.conf
# mv rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
# mv rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf
– Add the following lines to your /etc/apache2/apache2.conf file (this assumes you’ve cloned CRS into /mdsecurity/owasp-modsecurity-crs). You can alternatively place them in any config file included by Apache:
<IfModule security2_module>
Include /mdsecurity/owasp-modsecurity-crs/crs-setup.conf
Include /mdsecurity/owasp-modsecurity-crs/rules/*.conf
</IfModule>