What is ModSecurity?
ModSecurity is a free and open source web application that started as an Apache module and grew to become a complete web application firewall. It works by inspecting requests sent to the web server in real time against a set of predefined rules, preventing typical attacks on web applications such as XSS and SQL Injection.
Prerequisites and requirements
To install and configure ModSecurity, you must have a Linux server with the following services running:
For instructions, see our guide on How to Install Apache Web Server on Ubuntu 18.04 LTS. Installation instructions for several other Linux distributions are also accessible from this guide.
Installing ModSecurity
ModSecurity can be installed by running the following command in your terminal:
sudo apt install libapache2-mod-security2 -y
You can also compile ModSecurity manually by cloning the official ModSecurity GitHub repository.
After installing ModSecurity, enable the Apache 2 headers module by running the following command:
sudo a2enmod headers
After installing ModSecurity and enabling the headers module, restart the apache2 service by running the following command:
sudo systemctl restart apache2
You should now have ModSecurity installed. The next steps involve enabling and configuring ModSecurity and OWASP-CRS.
ModSecurity is a firewall and therefore requires rules to function. This section shows how to implement the OWASP core rule set. First of all, you need to prepare the ModSecurity configuration file.
Remove the -recommended suffix from the name of the ModSecurity configuration file by copying it with the following command:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Using a text editor such as vim, open /etc/modsecurity/modsecurity.conf and change the value of SecRuleEngine to On.
Restart Apache to apply changes:
sudo systemctl restart apache2
ModSecurity should now be configured to run. The next step in the process is to set up a set of rules to actively prevent your web server from being attacked.
OWASP ModSecurity Core Rule Set
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or supported web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. CRS provides protection against many common attack categories, such as SQL injection, cross-site scripting, and local file inclusion.
To configure the OWASP-CRS, follow the procedures below.
First, delete the current rule set that comes prepackaged with ModSecurity by running the following command:
sudo rm -rf /usr/share/modsecurity-crs
Make sure git is installed:
sudo apt install git
Clone the OWASP-CRS GitHub repository in the /usr/share/modsecurity-crs directory:
sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs
Rename crs-setup.conf.example to crs-setup.conf:
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
Rename the default request exclusion rule file:
sudo mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /
You should now have the OWASP-CRS configuration ready to be used in your Apache configuration.
ModSecurity in Apache 2
To start using ModSecurity, enable it in the Apache configuration file by following the steps below:
Using a text editor such as vim, edit the /etc/apache2/mods-available/security2.conf file to include the OWASP-CRS files you downloaded.
In the file /etc/apache2/sites-enabled/000-default.conf VirtualHost block, include the SecRuleEngine directive set to On.
If you are running a website that uses SSL, also add the SecRuleEngine directive to the configuration file for that website. See our guide on SSL certificates with Apache on Debian and Ubuntu for more information.
Restart the apache2 service to apply the settings:
sudo systemctl restart apache2
ModSecurity should now be configured and running to protect your web server from attacks. You can now perform a quick test to verify that ModSecurity is running.
ModSecurity Test
Test ModSecurity by performing a simple local file inclusion attack by running the following command:
curl "http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash"
If ModSecurity has been configured correctly and is actively blocking attacks, the following error is returned:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.25 (Debian) Server at 220.127.116.11 Port 80</address>
</body></html>
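To confirm the configuration produced by the steps in this guide, the following added script (not part of the original guide) reports the effective SecRuleEngine value, checks that security2.conf includes the CRS files, and sends the test request shown above. The Include line layout it looks for and the script name audit.sh are assumptions.

```bash
#!/usr/bin/env bash
# Added example: audits the files this guide edits. Paths come from the guide;
# the Include layout matched in crs_included is an assumption.

# Print the last SecRuleEngine value in a config file, lowercased ("unset" if none).
rule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : tolower(mode)) }' "$1"
}

# Succeed only if the file includes both crs-setup.conf and the CRS rules directory.
crs_included() {
    local conf=$1 crs_dir=${2:-/usr/share/modsecurity-crs}
    local inc='^[[:space:]]*Include(Optional)?[[:space:]]+"?'
    grep -Eq "${inc}${crs_dir}/crs-setup\.conf" "$conf" &&
        grep -Eq "${inc}${crs_dir}/rules/" "$conf"
}

# Interpret the HTTP status returned for the guide's test request.
classify_status() {
    case $1 in
        403) echo blocking ;;
        000) echo unreachable ;;      # curl reports 000 when no response arrived
        *)   echo not-blocking ;;
    esac
}

# Check both config files, then send the guide's test request to host $1.
audit() {
    local mode code
    mode=$(rule_engine_mode /etc/modsecurity/modsecurity.conf)
    echo "modsecurity.conf SecRuleEngine: $mode"
    [ "$mode" = on ] || echo "WARN: engine is not On, so matching requests are not blocked"
    crs_included /etc/apache2/mods-available/security2.conf ||
        echo "WARN: security2.conf does not include the CRS files"
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$1/index.php?exec=/bin/bash")
    echo "test request: HTTP $code ($(classify_status "$code"))"
}

# Runs only when a host is given, e.g.: bash audit.sh 192.0.2.10
if [ $# -ge 1 ]; then audit "$1"; fi
```

A 403 can also come from ordinary Apache access rules, so treat the "blocking" result as confirmation only when the two configuration checks also pass.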