ModSecurity is one of the best web application firewalls; it can stop most common web attacks before they even reach your web application. If your website is vulnerable to an XSS attack and ModSecurity is installed on your server, it can prevent that attack from reaching your web application. That does not mean you should stop securing your web application itself, but it is another layer of security in front of it. In this article we will see how to install ModSecurity on the Apache web server.
We will compile it manually from source, so that we have all the options available to modify and make good use of ModSecurity.
Note: This article applies to Ubuntu, but installation is similar on CentOS as well.
How does mod_security work?
ModSecurity works by parsing each request made to the web server and then checking it against the rules (we will see how to set rules later); if a rule matches, the action specified by that rule is taken. For example:
If a web request contains the string <script>, and you have a rule against this string that serves a 503 Service Unavailable page, then that page is served as the response to the request, so the request never reaches your web application.
Step 1: Install Apache Web Server
Since this article is not about Apache installation, I've just listed the commands below that you can use to install Apache (the httpd, APR and APR-util tarballs must already be downloaded):
# install prerequisites (on Ubuntu the equivalent packages are libpcre3-dev and build-essential)
yum install pcre-devel -y
yum install gcc
# unpack the sources
tar zxf httpd-2.4.23.tar.gz
tar zxf apr-1.5.2.tar.gz
tar zxf apr-util-1.5.4.tar.gz
# httpd builds the bundled APR copies from srclib/apr and srclib/apr-util
mv apr-1.5.2 httpd-2.4.23/srclib/apr
mv apr-util-1.5.4 httpd-2.4.23/srclib/apr-util
# build and install apache
cd httpd-2.4.23
./configure --prefix=/usr/local/apache --enable-so --with-included-apr
make
sudo make install
# Start apache using
/usr/local/apache/bin/httpd -k start
Once Apache is installed, you can view the default 'It works' page at http://localhost (if you have installed it on your own machine); otherwise replace localhost with the IP of the machine you installed it on.
Step 2: Get and Install ModSecurity
You need to download the ModSecurity source code and build it. To unpack the source, run:
# get source code
tar xzf modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
Configure and compile ModSecurity against the Apache you just installed, pointing it at that installation's apxs and APR config scripts:
./configure --with-apxs=/usr/local/apache/bin/apxs --with-apr=/usr/local/apache/bin/apr-1-config --with-apu=/usr/local/apache/bin/apu-1-config
make
sudo make install
Now you need to add the following two lines to your httpd.conf file so that Apache loads the ModSecurity module (mod_unique_id is required by ModSecurity, which uses it for its per-request transaction ids).
httpd.conf is located at: /usr/local/apache/conf
- LoadModule security2_module modules/mod_security2.so
- LoadModule unique_id_module modules/mod_unique_id.so
Also include the ModSecurity configuration files, which we will use later to define ModSecurity settings and add rules.
Then create two empty files under /usr/local/apache (main.conf and rule.conf, which the following steps fill in):
At this stage we've completed the installation part of ModSecurity; now it's time to configure it and make use of our web application firewall.
Step 3: Configure ModSecurity
Just like Apache directives, ModSecurity has its own directives. One of the most important is SecRuleEngine, which takes one of three values:
- DetectionOnly: only detect and log attacks, so that we can analyze the logs later.
- Off: turn ModSecurity off.
- On: in this mode ModSecurity not only logs the attack but also stops it from reaching your web application.
You might think that we only need the On value, but sometimes a web application may not behave normally with ModSecurity On (legitimate requests can trip a rule), so in that case we have to switch to DetectionOnly and review the logs to make sure everything is on the right track before turning blocking back on.
So in your main.conf file enter the following line:
Step 3.1: Configurations inside main.conf
First we have to define some parameters inside main.conf so that ModSecurity works properly and we can later add rules.
Directives that deal with the request body
- SecRequestBodyAccess On – lets ModSecurity inspect the body of HTTP requests (needed to see POST parameters).
- SecRequestBodyLimit 1510720 – maximum request body size, in bytes.
- SecRequestBodyNoFilesLimit 151072 – maximum request body size excluding uploaded files.
- SecRequestBodyInMemoryLimit 231072 – how much of the request body is buffered in RAM before it spills to disk.
Directives that deal with folder locations
Inside your Apache installation folder, you need to create three folders (tmpdata, data and uploads, as used below) for ModSecurity's filesystem needs.
Then use the following directives to point ModSecurity at these folders for storing its data:
- SecTmpDir /usr/local/apache/tmpdata
- SecDataDir /usr/local/apache/data
- SecUploadDir /usr/local/apache/uploads
- SecUploadKeepFiles Off
- SecUploadFileMode 0600
- SecUploadFileLimit 32
Debug and Audit Log Directives
These are among the most important parts of the ModSecurity configuration, because without these logs ModSecurity is of little use: the debug log tells you which rule fired, and the audit log records the full transaction. With SecAuditEngine RelevantOnly and SecAuditLogRelevantStatus ^5, only transactions answered with a 5xx status are written to audit.log, which matches the 503 returned by the test rule in step 4.
- SecDebugLog /usr/local/apache/logs/debug.log
- SecAuditEngine RelevantOnly
- SecAuditLogRelevantStatus ^5
- SecAuditLogParts ABDEFHIJKZ
- SecAuditLogType Serial
- SecAuditLog /usr/local/apache/logs/audit.log
This is how your main.conf finally looks like:
Restart Apache to make sure everything is correct:
/usr/local/apache/bin/httpd -k stop
/usr/local/apache/bin/httpd -k start
Step 4: Insert your first Rule
If everything has worked so far, you are ready to insert your first rule into rule.conf and see whether it logs the attack.
Open your rule.conf file and add the following line:
SecRule ARGS script "phase:2,log,deny,id:'1234',status:503"
Restart your apache and visit : http://localhost/?test=script
After visiting this URL, you can open audit.log and debug.log to see whether this attack has been logged.
In our rule we said that if the string 'script' is found in any request argument (ARGS), the request must be logged and denied with a 503. Then in our URL we set the test parameter to script, which matches the rule and adds the following entry to our debug.log:
[25/Sep/2016:21:09:37 +0500] [localhost/sid#b8cb38][rid#7f0484002970][/] Warning. Pattern match "script" at ARGS:test. [file "/usr/local/apache/rules.conf"] [line "1"] [id "1234"]
That means ModSecurity is working and already detecting attack vectors. Since the entry in audit.log is very long, I am not pasting it here, but you can open and look at it. The audit.log entry gives you complete information about the malicious HTTP request, including the matched rules (part K of SecAuditLogParts).
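To make use of these logs beyond reading them by hand, here is a small parser for debug.log entries of the format shown above, written as an added example for this article (it is not part of ModSecurity or the article's own setup). It assumes the ModSecurity 2.x debug.log layout: a bracketed timestamp, server/sid, request id and URI, then a free-text message followed by [key "value"] pairs such as [file ...] [line ...] [id ...]. The first sample line is the one from the article; the other two are constructed in the same format to show a blocked request (SecRuleEngine On reports "Access denied with code 503", whereas DetectionOnly reports "Warning.") and a trace line that is not a rule match. The audit_relevant helper mimics how SecAuditEngine RelevantOnly applies the SecAuditLogRelevantStatus regex to the response status, which shows why a rule denying with 403 would not appear in audit.log under the ^5 setting from step 3.

```python
import re
from collections import Counter

# ModSecurity 2.x debug.log lines: the first is the entry shown in the article,
# the other two are constructed for this example in the same format.
SAMPLE_DEBUG_LOG = """\
[25/Sep/2016:21:09:37 +0500] [localhost/sid#b8cb38][rid#7f0484002970][/] Warning. Pattern match "script" at ARGS:test. [file "/usr/local/apache/rules.conf"] [line "1"] [id "1234"]
[25/Sep/2016:21:10:02 +0500] [localhost/sid#b8cb38][rid#7f0484002a10][/login] Access denied with code 503 (phase 2). Pattern match "script" at ARGS:user. [file "/usr/local/apache/rules.conf"] [line "1"] [id "1234"]
[25/Sep/2016:21:10:30 +0500] [localhost/sid#b8cb38][rid#7f0484002b20][/] Request body (Content-Length): 0
"""

# Fixed leading fields: timestamp, server/sid, request id, request URI, then free text.
_HEAD = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\]\[(?P<rid>[^\]]+)\]\[(?P<uri>[^\]]*)\] (?P<body>.*)$'
)
# Trailing [key "value"] pairs such as [file "..."] [line "1"] [id "1234"].
_KV = re.compile(r'\[(?P<key>\w+) "(?P<val>[^"]*)"\]')


def parse_debug_line(line):
    """Split one debug.log line into its fixed fields, message and [key "value"] details.

    Returns None for lines that do not start with the bracketed header.
    """
    m = _HEAD.match(line.rstrip("\n"))
    if m is None:
        return None
    body = m.group("body")
    details = {kv.group("key"): kv.group("val") for kv in _KV.finditer(body)}
    # The human-readable message is everything before the first [key "value"] pair.
    first_kv = _KV.search(body)
    message = body[: first_kv.start()].strip() if first_kv else body.strip()
    record = {
        "timestamp": m.group("ts"),
        "request_id": m.group("rid"),
        "uri": m.group("uri"),
        "message": message,
        # "Access denied ..." only appears when SecRuleEngine is On and a deny action ran.
        "denied": message.startswith("Access denied"),
    }
    for key in ("file", "line", "id"):
        if key in details:
            record[key] = details[key]
    return record


def summarize_rule_hits(log_text):
    """Count matches per rule id and how many of those matches were actually blocked."""
    hits = Counter()
    blocked = Counter()
    for line in log_text.splitlines():
        rec = parse_debug_line(line)
        if rec is None or "id" not in rec:
            continue  # not a rule match (e.g. a body-processing trace line)
        hits[rec["id"]] += 1
        if rec["denied"]:
            blocked[rec["id"]] += 1
    return {rid: {"matched": n, "blocked": blocked[rid]} for rid, n in hits.items()}


def audit_relevant(status, relevant_status_regex=r"^5"):
    """Mimic SecAuditEngine RelevantOnly: a transaction is written to audit.log
    only if its response status matches the SecAuditLogRelevantStatus regex."""
    return re.match(relevant_status_regex, str(status)) is not None


if __name__ == "__main__":
    for rule_id, counts in summarize_rule_hits(SAMPLE_DEBUG_LOG).items():
        print(f"rule {rule_id}: matched {counts['matched']}, blocked {counts['blocked']}")
    print("503 audited:", audit_relevant(503), "| 403 audited:", audit_relevant(403))
```

Run it against a real /usr/local/apache/logs/debug.log by passing the file's contents to summarize_rule_hits; a rule that shows many matches but zero blocks is the signature of DetectionOnly mode, which is what you want to see while tuning rules before switching SecRuleEngine to On.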
Step 5: Download Rules
As you can see, ModSecurity works with rules, so without rules it is of no use. If you don't know how to write good rules, you can download rule sets already written by experts in this field. Some URLs to download rules are:
If you need my help setting up ModSecurity you can reach me at my twitter @ranausmannasir, or you can also order hosting from 9xvps and let them set up ModSecurity for you.