How To Setup & Configure ModSecurity On Apache (Debian, Ubuntu, CentOS)

Uploaded by

ahmadpaiz hamim

How to Set up & Configure ModSecurity on Apache
March 11, 2019 APACHE SERVER SECURITY


Introduction

ModSecurity is a plug-in module for Apache that works like a firewall. It functions through rule sets, which allow
you to customize and configure your server security.

ModSecurity can also monitor web traffic in real time and help you detect and respond to intrusions. It can be
used with Apache, Nginx, and IIS and is compatible with Debian, Ubuntu, and CentOS.

This tutorial explains how to install and configure ModSecurity on Apache web servers.

Prerequisites

The LAMP stack (Linux, Apache, MySQL, PHP) installed and configured
Access to a user account with sudo or root privileges
A package manager (APT or YUM), included by default
A command line/terminal window (Ctrl-Alt-T, Ctrl-Alt-F1)
A text editor, like nano

Step 1: Update Software Repositories


Open a terminal window, and enter the following:

On Debian / Ubuntu

sudo apt update -y

On CentOS

sudo yum update -y

Step 2: Installing ModSecurity On Apache


Install ModSecurity on Debian
1. In a terminal window, enter the following:

sudo apt install libapache2-modsecurity

If prompted, press y and hit Enter to allow the process to complete.

2. Restart the Apache service:

sudo systemctl restart apache2

There will be no output if Apache was restarted successfully.

3. Check the software version (it should be 2.8.0 or later):

apt-cache show libapache2-modsecurity

Note: Ubuntu has a slightly different syntax for the ModSecurity package.

Install ModSecurity on Ubuntu 18.04


1. In a terminal window, enter:

sudo apt install libapache2-mod-security2

If prompted, press y and hit Enter to allow the process to complete.

2. Restart the Apache service:

sudo systemctl restart apache2

There will be no output if Apache was restarted successfully.

3. Check the software version (should be 2.8.0 or later):

apt-cache show libapache2-mod-security2

Install ModSecurity on CentOS 7


1. Enter the following into a terminal window:

sudo yum install mod_security

If prompted, press y and hit Enter to allow the process to complete.

2. Restart the Apache service:

sudo systemctl restart httpd.service

3. Check the software version (should be 2.8.0 or later):

yum info mod_security

Step 3: Configure ModSecurity


Upon installation, ModSecurity is set to log events according to default rules. You’ll need to edit the
configuration file to adjust the rules to detect and block traffic.

The default configuration file is /etc/modsecurity/modsecurity.conf-recommended.

1. Copy and rename the file:

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

2. Next, change the ModSecurity detection mode. First, move into the /etc/modsecurity folder:

cd /etc/modsecurity

3. Open the configuration file in a text editor (we will be using nano):

sudo nano modsecurity.conf

Near the top, you should see an entry labeled:

SecRuleEngine DetectionOnly

Change this to read as follows:

SecRuleEngine On

4. Use CTRL+X to exit, then press y then Enter to save the changes.

5. Navigate away from the /etc/modsecurity folder:

cd

6. Restart Apache:

On Debian/Ubuntu

sudo systemctl restart apache2

On CentOS

sudo systemctl restart httpd.service

This will turn on ModSecurity using the basic default rules. In some versions of Linux, this includes the OWASP
Core Rule Set. However, this might differ from the latest version maintained by the developers.

Step 4: Download Latest OWASP ModSecurity Rules

The latest Core Rule Set (CRS) for ModSecurity is maintained on GitHub.

1. Install Git if it’s not already included on your system.

Install Git on Debian/Ubuntu:

sudo apt install git

Install Git on CentOS:

sudo yum install git

2. Download a copy of the CRS:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

This places a copy of the directory as a subdirectory of your current working location.

3. Move into the new directory:

cd owasp-modsecurity-crs

4. Move the crs-setup file:

sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf

5. Then move the rules/ directory:

sudo mv rules/ /etc/modsecurity

If you encounter an error trying to move this directory, enter:

sudo mkdir /etc/modsecurity/rules


cd rules
sudo cp *.* /etc/modsecurity/rules

6. Next, check your security2.conf file to verify it’s set to load the ModSecurity rules:

sudo nano /etc/apache2/mods-enabled/security2.conf

Verify you have the following lines included and uncommented:

IncludeOptional /etc/modsecurity/*.conf
Include /etc/modsecurity/rules/*.conf

If they are not there, add them. Do not duplicate them, or you risk disabling your Apache service.

7. Restart the Apache service:

On Debian/Ubuntu

sudo systemctl restart apache2

On CentOS

sudo systemctl restart httpd.service
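
The checks from Step 3 (engine mode) and from step 6 above (each include line present once, uncommented) can be scripted and run before the restart. This is an added example, not part of the original tutorial; the function names are made up here, and the two file paths are passed as arguments so the script can be tried on copies.

```shell
#!/bin/sh
# Added example: preflight check for the files edited in Steps 3 and 4.

# Print the active (uncommented) SecRuleEngine value. Commented lines are
# skipped because their first field is "#" or "#SecRuleEngine"; if the
# directive appears more than once, the last value is printed.
rule_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 } END { print mode }' "$1"
}

# Count uncommented Include / IncludeOptional lines that load the given path.
count_include() {
    awk -v target="$2" '
        ($1 == "Include" || $1 == "IncludeOptional") && $2 == target { n++ }
        END { print n + 0 }' "$1"
}

# Return 0 only if each expected include line appears exactly once.
check_includes() {
    conf=$1
    status=0
    for target in '/etc/modsecurity/*.conf' '/etc/modsecurity/rules/*.conf'; do
        n=$(count_include "$conf" "$target")
        if [ "$n" -eq 0 ]; then
            echo "missing:   $target"
            status=1
        elif [ "$n" -gt 1 ]; then
            echo "duplicate: $target ($n times)"
            status=1
        fi
    done
    return $status
}

# Usage: sh preflight.sh <modsecurity.conf> <security2.conf>
if [ "$#" -eq 2 ]; then
    echo "SecRuleEngine: $(rule_engine_mode "$1")"
    check_includes "$2" && echo "includes: OK"
fi
```

A non-zero exit from `check_includes` means a line is missing or repeated; `sudo apachectl configtest` additionally catches syntax errors before the restart.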

Step 5: Test Apache Configuration


1. Open the default Apache configuration file:

sudo nano /etc/apache2/sites-available/000-default.conf

2. Locate the </VirtualHost> tag at the bottom and add the following lines:

SecRuleEngine On
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'phoenixNAP test rule was triggered'"

You can change the msg to whatever you prefer.

Save and quit the file (CTRL+X > y > Enter).

3. Restart the Apache service:

On Debian/Ubuntu

sudo systemctl restart apache2

On CentOS

sudo systemctl restart httpd.service

4. Then, enter the following command:

curl "localhost/index.html?testparam=test"

The system responds by attempting to display the default webpage. Instead of the content, it generates error
codes and messages inside the tags:

5. You can confirm that ModSecurity worked by looking for code 403 in the Apache error log with the
command:

sudo tail -f /var/log/apache2/error.log

One of the entries towards the bottom should be the ModSecurity error code:

Test ModSecurity and OWASP CRS With Bash Script


Another method you can use to test ModSecurity is to use a Bash script.

1. Enter the following command in the terminal:

curl "localhost/index.html?exec=/bin/bash"

The output shows the same error messages as the last time.

2. View the Apache error.log file again and you will find that the rule kicked in:

sudo tail -f /var/log/apache2/error.log

The output displays the OWASP-related ModSecurity error message.

Step 6: Create ModSecurity Rules


Below is a test example of how you can use ModSecurity to block specific keywords on a PHP form.

1. Create a PHP file inside the html directory with the command:

sudo nano /var/www/html/test.php

2. Enter the following code into the file:

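<html>
<body>
<?php
// Show the submitted text, HTML-escaped so it is not rendered as markup.
if (isset($_POST['data'])) {
    echo htmlspecialchars($_POST['data'], ENT_QUOTES, 'UTF-8');
} else {
?>
<form method="post" action="">
Enter text here:<textarea name="data"></textarea>
<input type="submit"/>
</form>
<?php
}
?>
</body>
</html>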

Save the file and exit.

3. Next, create a new ModSecurity custom rules file:

sudo nano /etc/modsecurity/modsecurity_custom_rules.conf

Add the following lines:

SecRule REQUEST_FILENAME "test.php" "id:'400001',chain,deny,log,msg:'Spam detected'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_BODY "@rx (?i:(enlarge|Nigerian|gold))"

Of course, change the keywords in the last line to anything you want.

Save the file and exit.

4. Reload the Apache service:

On Debian/Ubuntu

sudo systemctl restart apache2

On CentOS

sudo systemctl restart httpd.service

5. Launch the form in a web browser

localhost/test.php

6. Type one of the keywords from the rule into the form. In this example: enlarge, Nigerian, or gold.

You should receive a 403 Forbidden error message.

You can also check the /var/log/apache2/error.log file to verify ModSecurity’s action.

Note: We don’t need to add this custom_rules file to the security2.conf file, because we
specified a wildcard (IncludeOptional /etc/modsecurity/*.conf). If we had specified an
individual .conf file, we would need to add this custom_rules file to the security2.conf file.
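
The error.log checks in Steps 5 and 6 can be done with a small filter instead of reading `tail -f` output by eye. This is an added example, not part of the original tutorial; the function names are made up here, and the sample entries are constructed in the ModSecurity 2.x error-log layout using the rule ids from this page (1234 and 400001).

```shell
#!/bin/sh
# Added example: summarise ModSecurity 2.x denials found in an Apache error log.

# Constructed sample entries (not real traffic).
sample_log() {
cat <<'EOF'
[Mon Mar 11 10:15:01.000001 2019] [:error] [pid 2101] [client 127.0.0.1:40112] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "31"] [id "1234"] [msg "phoenixNAP test rule was triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "CONSTRUCTED-0001"]
[Mon Mar 11 10:15:07.000002 2019] [mpm_prefork:notice] [pid 2100] AH00163: Apache/2.4 configured -- resuming normal operations
[Mon Mar 11 10:16:30.000003 2019] [:error] [pid 2102] [client 127.0.0.1:40120] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(enlarge|Nigerian|gold))" at REQUEST_BODY. [file "/etc/modsecurity/modsecurity_custom_rules.conf"] [line "1"] [id "400001"] [msg "Spam detected"] [hostname "localhost"] [uri "/test.php"] [unique_id "CONSTRUCTED-0002"]
[Mon Mar 11 10:17:02.000004 2019] [:error] [pid 2103] [client 127.0.0.1:40131] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(enlarge|Nigerian|gold))" at REQUEST_BODY. [file "/etc/modsecurity/modsecurity_custom_rules.conf"] [line "1"] [id "400001"] [msg "Spam detected"] [hostname "localhost"] [uri "/test.php"] [unique_id "CONSTRUCTED-0003"]
EOF
}

# Print one tab-separated line per denial: rule id, status code, URI, message.
modsec_denials() {
    awk '
        # Return the value of a [name "value"] tag, or "-" if it is absent.
        function tag(line, name,    re, s) {
            re = "\\[" name " \"[^\"]*\"\\]"
            if (!match(line, re)) return "-"
            s = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", s)
            sub(/"\]$/, "", s)
            return s
        }
        /ModSecurity: Access denied with code [0-9]+/ {
            match($0, /with code [0-9]+/)
            code = substr($0, RSTART + 10, RLENGTH - 10)
            print tag($0, "id") "\t" code "\t" tag($0, "uri") "\t" tag($0, "msg")
        }' "$1"
}

# Print "<rule id>=<number of denials>" for each rule that blocked a request.
denials_per_rule() {
    modsec_denials "$1" | cut -f1 | sort | uniq -c | awk '{ print $2 "=" $1 }'
}

# Usage: sudo sh denials.sh /var/log/apache2/error.log
if [ "$#" -ge 1 ]; then
    denials_per_rule "$1"
fi
```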

Conclusion

You should now have a solid understanding of how to install, set up, and configure ModSecurity on Apache.
Make sure you installed the LAMP stack properly before following the steps in this guide.


Goran Jevtic
Goran combines his leadership skills and passion for research, writing, and technology as a
Technical Writing Team Lead at phoenixNAP. Working with multiple departments and on various
projects, he has developed an extraordinary understanding of cloud and virtualization
technology trends and best practices.
