• Joel

How to install ModSecurity for Apache

Updated: Jun 2, 2020


ModSecurity, or ModSec for short, is a web application firewall for the Apache web server. So if you're hosting a website using Apache, it is highly recommended that you use a web application firewall to secure your website and data from malicious attacks. If you already host a website using Apache, you only have to browse through the Apache access logs to become aware of the stark reality, of how often your website is under attack by bots and hackers.

ModSec works by using an arsenal of rule sets to prevent common and sophisticated attacks, such as SQL injections, remote code execution and cross site scripting, to name just a few.

This tutorial assumes that you already have Apache2 installed, along with some form of web application (such as Nextcloud, Wordpress, OpenVPN etc.) running.

It also assumes that you have some basic knowledge of the Linux OS, and therefore can comfortably connect to your Apache2 server and run basic commands, in order to navigate through the file system. You will also need the mod_headers extension enabled.

Let's get started...


Installing ModSec

First we need to update the APT package repository cache with the following command:

$ sudo apt update

Now, to install ModSec and its dependencies, run:

$ sudo apt install libapache2-mod-security2

Configuring ModSec configuration file

After installation is complete, you will need to copy and rename the ModSec configuration file. First browse to the modsecurity directory:

$ cd /etc/modsecurity

Now to copy and rename the config file:

$ sudo cp modsecurity.conf-recommended modsecurity.conf

By default ModSec is set to process and monitor requests only, saving requests to a log file. In addition temporary files are stored in the /tmp/ directory, which is pruged after reboot, so to ensure persistent storage of these temporary files, we'll need to change the location of these too. To change both of these options, edit the modsecurity.conf file by running the following:

$ sudo nano modsecurity.conf

Now set the following parameters to the following. Save the file by pressing <Ctrl> + x followed by Y and then press <Enter>:

SecRuleEngine On
SecTmpDir /var/cache/modsecurity
SecDataDir /var/cache/modsecurity

Download OWASP ModSec rules

If you have GIT already installed, you can skip installing it. To install GIT run:

$ sudo apt install git

Now download a copy of the OWASP CRS. (These are the rules that secure your secure your web application):

$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

This will have created a subdirectory called owasp-modsecurity-crs in your current location, change to that directory now:

$ cd owasp-modsecurity-crs

Move the CRS setup file into the /etc/modescurity directory:

$ sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf

Now move the rules directory into the /etc/modescurity directory:

$ sudo mv rules/ /etc/modsecurity

Some users report an error at this point. This is because the rules directory already exists in some cases. If you experience the same error, run the following commands:

$ sudo mkdir /etc/modsecurity/rules
$ cd rules
$ sudo cp *.* /etc/modsecurity/rules

Configure Apache to read from the correct directories

Run the following to edit the security2.conf file:

$ sudo nano /etc/apache2/mods-enabled/security2.conf

Ensure that the following entries are included. Save the file by pressing <Ctrl> + x followed by Y and then press <Enter>:

IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf
IncludeOptional /usr/share/modsecurity-crs/*.load

Enable Apache services

You will need to enable the headers and modsecurity modules to ensure Apache loads ModSec on startup:

$ sudo a2enmod headers
$ sudo a2enmod security2

Now restart the Apache service:

$ sudo systemctl restart apache2

Testing it works

We can run a simple Bash script to test whether this triggers one of the ModSec rules. Run the following:

$ sudo curl localhost/index.html?exec=/bin/bash

Disregard the output of this command, but view the Apache error log by running the folowing:

$ sudo nano /var/log/apache2/error.log

At the bottom of the log file you should see an entry similar to the below:


Some users report that when restarting Apache, at the Enable Apache services section, Apache doesn't start. In these cases I've found a loop within the owasp-crs.load file. To edit the file run the following:

$ sudo nano /usr/share/modsecurity/owasp-crs.load

Ensure that this file doesn't contain the below entries. If they exist remove, or comment them out, by preceding the lines with a single #. Save the file by pressing <Ctrl> + x followed by Y and then press <Enter>

Include /etc/modsecurity/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf

Now try restarting Apache:

$ sudo systemctl restart apache2

63 views0 comments

Recent Posts

See All