How to Configure ModSecurity in Apache
Introduction
ModSecurity is a web firewall application for an Apache web server. In addition to providing logging capabilities, ModSecurity can monitor HTTP traffic in real time to detect attacks. ModSecurity also operates as an intrusion detection tool that allows you to respond to suspicious events taking place on your web systems.
Install ModSecurity
You need Apache installed on your Microhost cloud before you install ModSecurity. The LAMP stack is used in this guide; see LAMP guidelines for installation.
Debian
sudo apt install libapache2-modsecurity
Restart Apache:
/etc/init.d/apache2 restart
Check the ModSecurity version is 2.8.0 or later:
apt-cache show libapache2-modsecurity
[ht_message mstyle="alert" title="NOTE" " show_icon="true" id="" class=""style="" ]When you list all mods using apachectl -M, ModSecurity is listed under the name security2_module.[/ht_message]
Ubuntu
sudo apt-get install libapache2-mod-security2
Restart Apache:
/etc/init.d/apache2 restart
Check the version of ModSecurity is 2.8.0 or higher:
apt-cache show libapache2-mod-security2
CentOS
yum install mod_security
Restart Apache by entering the below command:
/etc/init.d/httpd restart
Check the version of ModSecurity is 2.8.0 or higher:
yum info mod_security
OWASP ModSecurity Core Rule Set
The following steps are for distributions based on Debian. The paths and commands for RHEL will differ slightly.
1. Move and update the default ModSecurity file name:
mv /etc/modsecurity/modsecurity.conf-recommended modsecurity.conf
2. If needed, install git:
sudo apt install git
3. OWASP ModSecurity CRS can be downloaded from Github:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
4. Navigate into the directory you are downloading. Switch to crs-setup.conf.example, and rename crs-setup.conf. Then pass the rules/ likewise.
cd owasp-modsecurity-crs mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf mv rules/ /etc/modsecurity/
5. The config file should match the above path as specified in the IncludeOptional directive. Add a further Guideline that refers to the collection of rules:
Default Debian dir for modsecurity's persistent data SecDataDir /var/cache/modsecurity
Include all the *.conf files in /etc/modsecurity.
Keeping your local configuration in that directory
will allow for an easy upgrade of THIS file and
make your life easier
IncludeOptional /etc/modsecurity/.conf Include /etc/modsecurity/rules/.conf
6. Restart Apache to give effect to changes:
/etc/init.d/apache2 restart
ModSecurity Test
OWASP CRS builds on top of ModSecurity in order to extend existing rules.
1. Navigate to the default Apache configuration and use the default configuration as an example to add two additional directives:
ServerAdmin webmaster@localhost DocumentRoot /var/www/html
SecRuleEngine On SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
2. Restart Apache and then curl the index page to intentionally trigger the alarms:
curl localhost/index.html?testparam=test
The response code is set to be 403. A message that shows the given ModSecurity rule worked should be in the logs. Use : sudo tail -f /var/log/apache2/error.log
ModSecurity: Access denied with code 403 (phase 2). String match “test” at ARGS:testparam. [file “/etc/apache2/sites-enabled/000-default.conf”] [line “24”] [id “1234”] [msg “Our test rule has triggered”] [hostname “localhost”] [uri “/index.html”] [unique_id “WfnEd38AAAEAAEnQyBAAAAAB”]
3. Verify the OWASP CRS is valid:
curl localhost/index.html?exec=/bin/bash
Check the error logs again: attempted execution of an arbitrary bash script has been captured by statute.
ModSecurity: Warning. Matched phrase “bin/bash” at ARGS:. [file “/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf”] [line “448”] [id “932160”] [rev “1”] [msg “Remote Command Execution: Unix Shell Code Found”] [data “Matched Data: bin/bash found within ARGS:: exec/bin/bash”] [severity “CRITICAL”] [ver “OWASP_CRS/3.0.0”] [maturity “1”] [accuracy “8”] [tag “application-multi”] [tag “language-shell”] [tag “platform-unix”] [tag “attack-rce”] [tag “OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION”] [tag “WASCTC/WASC-31”] [tag “OWASP_TOP_10/A1”] [tag “PCI/6.5.2”] [hostname “localhost”] [uri “/index.html”] [unique_id “WfnVf38AAAEAAEqya3YAAAAC”]
Thankyou..