How to Setup ModSecurity for Apache on Ubuntu 18.04

ModSecurity, also known as Modsec, is a robust open-source web application firewall for the Apache web server. A firewall is a utility that protects a network or a software application from abuse and unauthorized access by filtering requests.

Modsec adds security features at the HTTP (Hypertext Transfer Protocol) layer. Since it is free to use, it has been widely adopted for monitoring, logging and filtering requests on Apache web servers.

The utility has been a success in fighting common vulnerabilities using the OWASP ModSecurity Core Rule Set.

In this guide, we will take you through the steps of setting up and securing your Apache web server with ModSecurity on an Ubuntu 18.04 VPS.

Prerequisite

  • A VPS plan running Ubuntu 18.04 server
  • A non-root user that can perform sudo tasks

Step 1: Installing Apache Web server

First, install Apache if it is not already installed on your Ubuntu 18.04 server. Start by updating the Ubuntu package index.

$ sudo apt-get update

Then, install Apache:

$ sudo apt-get install apache2

Press Y and hit Enter when prompted to confirm the installation.

If Apache is already installed, you should see the message below instead:

apache2 is already the newest version

Step 2: Installing ModSecurity

Once you have installed Apache, the next step is installing ModSecurity. Run the command below:

$ sudo apt-get install libapache2-mod-security2

Restart Apache:

$ sudo service apache2 restart

You can check if the module is enabled by running the command below:

$ sudo apachectl -M | grep security

You should get the output below:

security2_module (shared)

Step 3: Configuring ModSecurity

The ModSecurity engine needs rules to work. The rules decide how communication is handled on the web server. Depending on the configuration, ModSecurity can pass, drop or redirect a request, execute a script, or return a status code during a session.

There is a default configuration file /etc/modsecurity/modsecurity.conf-recommended which you should copy to /etc/modsecurity/modsecurity.conf to enable and configure ModSecurity. To do this, run the command below:

$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Then, edit the file that you have copied using the nano editor:

$ sudo nano /etc/modsecurity/modsecurity.conf

Change the value of SecRuleEngine from DetectionOnly to On, so that the line reads:

SecRuleEngine On

Press CTRL + X, then Y and Enter to save the file.

Restart Apache for the changes to take effect.

$ sudo systemctl restart apache2

ModSecurity ships with a default rule set located in the /usr/share/modsecurity-crs directory. However, it is always recommended to download the rule set from GitHub.

Before you do this, rename the default rules directory:

$ sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bk

Then, download the new rule set from GitHub using the command below:

$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

Copy the sample configuration file from the downloaded rules using the command below:

$ sudo cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf

To get these rules working on Apache, edit the /etc/apache2/mods-enabled/security2.conf file using the nano editor:

$ sudo nano /etc/apache2/mods-enabled/security2.conf

Add the following two lines at the end of the file:

IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf

Save the file by pressing CTRL + X, then Y and Enter.

Restart Apache:

$ sudo systemctl restart apache2
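
Before testing, it helps to confirm that both files edited in Step 3 ended up as intended. The script below is an added example, not part of the original guide: it reports the SecRuleEngine mode and checks for the two CRS include lines. The function names are hypothetical, and it assumes the last uncommented SecRuleEngine line in the file is the one that takes effect.

```shell
#!/bin/sh
# Added example (not from the original guide): confirm that ModSecurity is in
# blocking mode and that the CRS include lines from Step 3 are active.

# effective_engine_mode FILE -> prints on, off, detectiononly, another token, or "unset".
# Assumption: the last uncommented SecRuleEngine line in FILE is the effective one;
# overrides in other included files or virtual hosts are not followed.
effective_engine_mode() {
    awk '
        $1 ~ /^#/ { next }                                     # commented-out directive
        tolower($1) == "secruleengine" { mode = tolower($2) }  # case-insensitive match
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# crs_includes_present FILE -> exit 0 only if both include lines are present and uncommented.
crs_includes_present() {
    base='^[[:space:]]*IncludeOptional[[:space:]]+"?/usr/share/modsecurity-crs'
    grep -Eq "$base"'/\*\.conf"?[[:space:]]*$' "$1" &&
    grep -Eq "$base"'/rules/\*\.conf"?[[:space:]]*$' "$1"
}

# check_blocking MODSEC_CONF SECURITY2_CONF -> prints findings; returns 0 only if
# the engine is On and both CRS includes are present.
check_blocking() {
    mode=$(effective_engine_mode "$1")
    status=0
    case "$mode" in
        on) echo "OK: SecRuleEngine is On (blocking)" ;;
        *)  echo "WARN: SecRuleEngine is '$mode'; matching requests are not blocked"
            status=1 ;;
    esac
    if crs_includes_present "$2"; then
        echo "OK: CRS include lines found in $2"
    else
        echo "WARN: CRS include lines missing or commented out in $2"
        status=1
    fi
    return "$status"
}

# Run against the paths used in this guide when they exist (or pass two paths).
conf=${1:-/etc/modsecurity/modsecurity.conf}
sec2=${2:-/etc/apache2/mods-enabled/security2.conf}
if [ -r "$conf" ] && [ -r "$sec2" ]; then check_blocking "$conf" "$sec2"; fi
```

A WARN for the engine mode means ModSecurity is at most logging matches, so the request in Step 4 will not return a Forbidden page.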

Step 4: Testing ModSecurity

You can now send a request that looks like an attack from a browser and see whether the ModSecurity rules are triggered. Enter the URL below in a browser. Remember to replace the IP address with the public IP address of your server or its domain name.

http://127.0.0.1/index.html?exec=/bin/bash

You should get a forbidden error message:

Forbidden
You don't have permission to access / on this server.
Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80

Conclusion

That’s it. Your Apache web server is now protected from malicious attackers. Please note that ModSecurity protects against many known attacks, including SQL injection. The module is a great addition to your arsenal when it comes to hardening your web server against hackers.
