ModSecurity is a free and open-source web application firewall module supported by various web servers, such as Apache, Nginx, and IIS. It is a signature-based firewall capable of blocking several types of attacks, including cross-site scripting (XSS), brute force attacks, and known code injection attacks. It provides different rule sets that allow you to customize and configure your server security. It can also monitor web traffic in real time and help you detect and respond to intrusions.

In this tutorial, I will explain how to set up ModSecurity with Apache on Ubuntu 22.04.

Requirements

  • A server running Ubuntu 22.04.
  • A root password is configured on your server.

Install Apache Web Server

Before starting, you will need to install the latest version of the Apache web server package on your server. First, install all the required dependencies using the following command:

apt install gnupg2 software-properties-common curl wget git unzip -y

Once all the dependencies are installed, add the Apache repository with the following command:

add-apt-repository ppa:ondrej/apache2 -y

Next, update the repository cache and install the Apache package with the following command:

apt update -y

apt install apache2 -y

Once Apache is installed, you can proceed to the next step.

Install ModSecurity

Next, run the following command to install the ModSecurity Apache module:

apt install libapache2-mod-security2 -y

Once the package is installed, enable the ModSecurity module with the following command:

a2enmod security2

Next, restart the Apache service to apply the changes:

systemctl restart apache2

You can also check the Apache status using the following command:

systemctl status apache2

You will get the following output:

● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-10-18 10:49:42 UTC; 4s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 74445 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
   Main PID: 74449 (apache2)
      Tasks: 55 (limit: 2242)
     Memory: 29.7M
        CPU: 229ms
     CGroup: /system.slice/apache2.service
             ├─74449 /usr/sbin/apache2 -k start
             ├─74450 /usr/sbin/apache2 -k start
             └─74451 /usr/sbin/apache2 -k start

Oct 18 10:49:42 ubuntu2204 systemd[1]: Starting The Apache HTTP Server...

Configure ModSecurity

Next, edit the ModSecurity configuration file:

nano /etc/apache2/mods-enabled/security2.conf

Uncomment the following line:

IncludeOptional /etc/modsecurity/*.conf

Save and close the file then rename the ModSecurity configuration file:

mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Next, edit the ModSecurity configuration file:

nano /etc/modsecurity/modsecurity.conf

Find the following two directives and change them so they read as shown (in the recommended configuration SecRuleEngine is set to DetectionOnly, which only logs and never blocks):

SecRuleEngine On
SecAuditLogParts ABCEFHJKZ

Save and close the file then restart the Apache service to apply the changes:

systemctl restart apache2

Install the OWASP Core Rule Set

ModSecurity itself ships with no attack signatures, only the engine configuration above. To protect your web application from malicious attacks, you will need to download and install the OWASP Core Rule Set (CRS) on your server.

First, download the latest rule set with the following command:

wget https://github.com/coreruleset/coreruleset/archive/v3.3.0.tar.gz

Once the download is completed, extract the downloaded file using the following command:

tar xvf v3.3.0.tar.gz

Next, create a directory for the rules and move the extracted rules inside that directory:

mkdir /etc/apache2/modsecurity-crs/

mv coreruleset-3.3.0/ /etc/apache2/modsecurity-crs

Next, navigate to your OWASP rules directory and rename the configuration file:

cd /etc/apache2/modsecurity-crs/coreruleset-3.3.0/

mv crs-setup.conf.example crs-setup.conf

Next, edit the ModSecurity configuration file and define the path of your OWASP rule sets:

nano /etc/apache2/mods-enabled/security2.conf

Add the following lines:

IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/crs-setup.conf
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.0/rules/*.conf

Save and close the file, then check the Apache configuration for syntax errors with the following command:

apache2ctl -t

If everything is fine, you will get the following output:

Syntax OK

Finally, restart the Apache service to apply the configuration:

systemctl restart apache2

Verify ModSecurity

At this point, the Apache web server is configured with ModSecurity. Now, it’s time to test whether it works or not.

Open your command-line interface and run the following command:

curl http://localhost/index.html?exec=/bin/bash

You should get the 403 Forbidden error:

403 Forbidden

Forbidden
You don't have permission to access this resource.
Apache/2.4.52 (Ubuntu) Server at localhost Port 80

You can also test ModSecurity using the following command:

curl localhost?doc=/bin/ls

You will get the following output:

403 Forbidden

Forbidden
You don't have permission to access this resource.
Apache/2.4.52 (Ubuntu) Server at localhost Port 80

You can also check the ModSecurity audit log for more information about why a request was blocked:

tail /var/log/apache2/modsec_audit.log

You will get the following output:

SecRule "TX:INBOUND_ANOMALY_SCORE" "@ge %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980130,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score Exceeded (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.0"

SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,ver:OWASP_CRS/3.3.0,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score= %{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score= %{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score= %{tx.outbound_anomaly_score_pl4}"

SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,ver:OWASP_CRS/3.3.0,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"

--c2d93508-Z--
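The audit log is written in ModSecurity's serial format, one block of lettered parts (A: transaction metadata, B: request, F: response headers, H: rule messages, K: matched rules, Z: terminator) per transaction, which is hard to scan by hand. The following added example (not part of this tutorial) uses awk to collapse such a log into one line per transaction with the client IP, status, request line and the id:msg of each rule that fired; the embedded log is a constructed sample modelled on the two test requests above (932160, 930120 and 949110 are CRS 3.3 rule ids, but the lines themselves are illustrative, not copied from a real server).

```shell
# Added example: summarise a ModSecurity serial-format audit log, one line per
# transaction: client IP (part A), response status (part F), request line
# (part B) and id:msg of every "Message:" line in part H.
modsec_summary() {
    awk '
        /^--[0-9A-Za-z]+-[A-Z]--$/ {                 # boundary line: --<txid>-<part>--
            part = substr($0, length($0) - 2, 1)
            if (part == "A") { ip = ""; req = ""; st = ""; rules = "" }
            if (part == "Z") printf "%s %s \"%s\"%s\n", ip, st, req, rules
            next
        }
        part == "A" && NF >= 4               { ip = $4 }   # 4th field: client IP (timestamp has a space)
        part == "B" && req == "" && NF       { req = $0 }  # first non-empty line: request line
        part == "F" && st == "" && /^HTTP\// { st = $2 }   # status code from the status line
        part == "H" && /^Message: / {
            id = ""; msg = ""
            if (match($0, /\[id "[0-9]+"\]/))  id  = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            if (id != "") rules = rules " | " id ":" msg
        }
    ' "$1"
}

# Constructed sample: the two blocked test requests from this tutorial, as
# ModSecurity would record them (parts A, B, F, H, Z; values are illustrative).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
--c2d93508-A--
[18/Oct/2022:10:52:01 +0000] SAMPLE-TX-ID-1 127.0.0.1 40122 127.0.0.1 80
--c2d93508-B--
GET /index.html?exec=/bin/bash HTTP/1.1
--c2d93508-F--
HTTP/1.1 403 Forbidden
--c2d93508-H--
Message: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--c2d93508-Z--
--f17a0b22-A--
[18/Oct/2022:10:53:10 +0000] SAMPLE-TX-ID-2 127.0.0.1 40130 127.0.0.1 80
--f17a0b22-B--
GET /?doc=/bin/ls HTTP/1.1
--f17a0b22-F--
HTTP/1.1 403 Forbidden
--f17a0b22-H--
Message: Warning. Matched "Operator `PmFromFile' with parameter `lfi-os-files.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [id "930120"] [msg "OS File Access Attempt"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--f17a0b22-Z--
EOF

modsec_summary "$SAMPLE_LOG"
```

On a real server run it as `modsec_summary /var/log/apache2/modsec_audit.log`; the rule ids it prints are what you would reference in a rule exclusion if a legitimate request is being blocked.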

Configure Logrotate

If you are using ModSecurity on a high-traffic website, the audit log can grow very large very quickly. In this case, you should configure log rotation for the ModSecurity audit log. Create a logrotate configuration file with the following command:

nano /etc/logrotate.d/modsec

Add the following lines:

/var/log/apache2/modsec_audit.log
{
        rotate 31
        daily
        missingok
        compress
        delaycompress
        notifempty
}

Save and close the file when you are done. The above configuration rotates the audit log every day, keeps 31 rotated copies, and compresses them (the most recent rotated copy is left uncompressed until the next rotation).

Conclusion

In this post, we explained how to set up ModSecurity with Apache on Ubuntu 22.04. We also downloaded and configured the OWASP Core Rule Set with ModSecurity. Your website is now protected against many common types of web attacks. Feel free to ask me if you have any questions.