ModSecurity, also known as Modsec, is a robust open-source firewall application for the Apache web server. A firewall is a utility that protects a network or a software application from abuse and unauthorized access by filtering requests.
Modsec offers security features to HTTP (Hypertext Transfer Protocol). Since it is free to use, it has been widely adopted for monitoring, logging and filtering requests on Apache web servers.
The utility has been a success in fighting common vulnerabilities using the OWASP ModSecurity Core Rule Set.
In this guide, we will take you through the steps of setting up and securing your Apache web server with ModSecurity on an Ubuntu 18.04 VPS.
Prerequisite
- A VPS plan running Ubuntu 18.04 server
- A non-root user that can perform sudo tasks
Step 1: Installing Apache Web server
First, you need to install Apache if it is not installed on your Ubuntu 18.04 server. First update the Ubuntu package index.
$ sudo apt-get update
Then, install Apache:
$ sudo apt-get install apache2
Press Y and hit Enter when prompted to confirm the installation.
If Apache is already installed, you should see the message below:
apache2 is already the newest version
Step 2: Installing ModSecurity
Once you have installed Apache, the next step is installing ModSecurity. Run the command below:
$ sudo apt-get install libapache2-mod-security2
Restart Apache
$ sudo service apache2 restart
You can check if the module is enabled by running the command below:
$ sudo apachectl -M | grep security
You should get the below output:
security2_module (shared)
Step 3: Configuring ModSecurity
The ModSecurity engine needs rules to work. The rules decide how communication is handled on the web server. Depending on the configuration, ModSecurity can pass, drop, redirect, execute a script or even display a status code during a session.
There is a default configuration file /etc/modsecurity/modsecurity.conf-recommended which you should copy to /etc/modsecurity/modsecurity.conf to enable and configure ModSecurity. To do this, run the command below:
$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then, edit the file that you have copied using the nano editor:
$ sudo nano /etc/modsecurity/modsecurity.conf
Change the value of SecRuleEngine from DetectionOnly to On, so that the line reads:
SecRuleEngine On
Press CTRL + X, then Y and Enter to save the file.
Restart Apache for the changes to take effect.
$ sudo systemctl restart apache2
ModSecurity has a default rule set located in the /usr/share/modsecurity-crs directory. However, it is always recommended to download the rule set from GitHub.
Before you do this, rename the default rules directory:
$ sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bk
Then, download the new rule set from GitHub using the command below:
$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
Copy the sample configuration file from the downloaded rules using the command below:
$ sudo cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
To get these rules working on Apache, you should edit the /etc/apache2/mods-enabled/security2.conf file using the nano editor:
$ sudo nano /etc/apache2/mods-enabled/security2.conf
Add the following two lines at the end:
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
Save the file by pressing CTRL + X, then Y and Enter.
Restart Apache:
$ sudo systemctl restart apache2
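An added check for the two files edited in this step (not part of the original guide): the functions below read the configuration at the paths used above and report whether the engine will actually block requests and whether both rule-set include lines are active. The function names are illustrative, and both paths can be overridden as arguments.

```shell
# Added example: audit the two files edited in Step 3 (paths from this guide).

# Print the effective SecRuleEngine value (last uncommented directive wins),
# or "unset" if the directive is missing.
modsec_engine_mode() {
    awk '
        /^[ \t]*#/ { next }                           # skip comments
        tolower($1) == "secruleengine" { mode = $2 }  # later lines override
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Succeed only if both CRS include lines from this guide are active.
crs_includes_ok() {
    for pattern in '/usr/share/modsecurity-crs/*.conf' \
                   '/usr/share/modsecurity-crs/rules/*.conf'; do
        awk -v want="$pattern" '
            /^[ \t]*#/ { next }
            tolower($1) == "includeoptional" {
                path = $2; gsub(/"/, "", path)        # tolerate quoting
                if (path == want) found = 1
            }
            END { exit (found ? 0 : 1) }
        ' "$1" || return 1
    done
}

# Report whether ModSecurity will actually block, not just log.
audit_modsec() {
    conf=${1:-/etc/modsecurity/modsecurity.conf}
    inc=${2:-/etc/apache2/mods-enabled/security2.conf}
    mode=$(modsec_engine_mode "$conf")
    case $(printf '%s' "$mode" | tr 'A-Z' 'a-z') in
        on) ;;
        detectiononly) echo "FAIL: DetectionOnly logs but does not block"; return 1 ;;
        *) echo "FAIL: SecRuleEngine is '$mode'"; return 1 ;;
    esac
    crs_includes_ok "$inc" || { echo "FAIL: CRS includes missing in $inc"; return 1; }
    echo "OK: engine On and CRS rules included"
}
```

After sourcing the file, run audit_modsec with no arguments to check the default paths from this guide.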
Step 4: Testing ModSecurity
You can now send a malicious-looking request from a browser and see whether the ModSecurity rules are triggered. Enter the URL below in a browser. Remember to replace the IP address with the public IP address or domain name of your server.
http://127.0.0.1/index.html?exec=/bin/bash
You should get a forbidden error message:
Forbidden
You don’t have permission to access / on this server.
Apache/2.4.29 (Ubuntu) Server at 127.0.0.1 Port 80
Conclusion
That’s it. Your Apache web server is now protected from malicious attackers. Please note that ModSecurity protects against many known attacks, including SQL injection. The module is a great addition to your arsenal when it comes to hardening your web server against hackers.