How to Configure ModSecurity in Apache


ModSecurity is a web application firewall for the Apache web server. In addition to providing logging capabilities, ModSecurity can monitor HTTP traffic in real time to detect attacks. It also operates as an intrusion detection tool, allowing you to respond to suspicious events taking place on your web systems.

Install ModSecurity

You need Apache installed on your Microhost cloud before you install ModSecurity. The LAMP stack is used in this guide; see LAMP guidelines for installation.


[command]sudo apt install libapache2-modsecurity[/command]

Restart Apache:

[command]/etc/init.d/apache2 restart[/command]

Check the ModSecurity version is 2.8.0 or later:

[command]apt-cache show libapache2-modsecurity[/command]


When you list all modules using apachectl -M, ModSecurity appears under the name security2_module.


[command]sudo apt-get install libapache2-mod-security2[/command]

Restart Apache:

[command]/etc/init.d/apache2 restart[/command]

Check the version of ModSecurity is 2.8.0 or higher:

[command]apt-cache show libapache2-mod-security2[/command]


[command]yum install mod_security[/command]

Restart Apache:

[command]/etc/init.d/httpd restart[/command]

Check the version of ModSecurity is 2.8.0 or higher:

[command]yum info mod_security[/command]

OWASP ModSecurity Core Rule Set

The following steps are for distributions based on Debian. The paths and commands for RHEL will differ slightly.

1. Rename the default ModSecurity configuration file:

[command]mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf[/command]

2. If needed, install git:

[command]sudo apt install git[/command]

3. Download the OWASP ModSecurity CRS from GitHub:

[command]git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git[/command]

4. Navigate into the downloaded directory. Move crs-setup.conf.example to /etc/modsecurity/ and rename it crs-setup.conf, then move the rules/ directory there as well.

[command]cd owasp-modsecurity-crs
mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
mv rules/ /etc/modsecurity/[/command]

5. The configuration files should be in the path specified by the IncludeOptional directive. Add another Include directive that points to the rule set:

[filecode file="/etc/apache2/mods-available/security2.conf"]
<IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity

    # Include all the *.conf files in /etc/modsecurity.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    IncludeOptional /etc/modsecurity/*.conf
    Include /etc/modsecurity/rules/*.conf
</IfModule>
[/filecode]

6. Restart Apache to give effect to changes:

[command]/etc/init.d/apache2 restart[/command]
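The layout that steps 1 to 5 are meant to produce can be checked before relying on the restart. This is an added example, not part of the original guide; the function names `check_crs_layout` and `demo_layout` and the `--check` argument are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: check the layout that steps 1-5 are meant to produce.
# Prints one line per problem and returns 0 only when none are found.
check_crs_layout() {
    dir=${1:-/etc/modsecurity}
    conf=${2:-/etc/apache2/mods-available/security2.conf}
    problems=0

    # Steps 1 and 4: both files must sit directly in the included directory.
    for f in modsecurity.conf crs-setup.conf; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f"; problems=$((problems + 1)); }
    done

    # Step 4: rules/ must hold at least one .conf file.
    if ! ls "$dir"/rules/*.conf >/dev/null 2>&1; then
        echo "missing: no rule files in $dir/rules/"
        problems=$((problems + 1))
    fi

    # Step 5: ignoring comments, both Include lines must be present, with the
    # rules after $dir/*.conf (the order used in security2.conf in step 5).
    active=$(grep -v '^[[:space:]]*#' "$conf" 2>/dev/null || true)
    opt=$(printf '%s\n' "$active" | grep -n -F "IncludeOptional $dir/*.conf" | head -n 1 | cut -d: -f1)
    inc=$(printf '%s\n' "$active" | grep -n -F "Include $dir/rules/*.conf" | head -n 1 | cut -d: -f1)
    if [ -z "$opt" ] || [ -z "$inc" ]; then
        echo "missing: Include/IncludeOptional line in $conf"
        problems=$((problems + 1))
    elif [ "$inc" -lt "$opt" ]; then
        echo "order: rules are included before $dir/*.conf"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed demo tree in which modsecurity.conf never reached the directory.
demo_layout() {
    t=$(mktemp -d)
    mkdir -p "$t/modsecurity/rules"
    touch "$t/modsecurity/crs-setup.conf" "$t/modsecurity/rules/REQUEST-901.conf"
    printf 'IncludeOptional %s/*.conf\nInclude %s/rules/*.conf\n' \
        "$t/modsecurity" "$t/modsecurity" > "$t/security2.conf"
    rc=0
    check_crs_layout "$t/modsecurity" "$t/security2.conf" || rc=$?
    rm -rf "$t"
    return "$rc"
}

# Run against the real paths only when asked to.
if [ "${1:-}" = "--check" ]; then check_crs_layout; fi
```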

ModSecurity Test

OWASP CRS builds on top of ModSecurity in order to extend existing rules.

1. Open the default Apache virtual host configuration and add two directives, using the following as an example:

[filecode file="/etc/apache2/sites-available/000-default.conf"]
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Enable the rule engine and add a test rule that denies any request
    # whose testparam argument contains "test"
    SecRuleEngine On
    SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
</VirtualHost>
[/filecode]


2. Restart Apache and then curl the index page to intentionally trigger the alarms:

[command]curl localhost/index.html?testparam=test[/command]

The response code should be 403. The logs should contain a message showing that the defined ModSecurity rule worked. To check, run:

[command]sudo tail -f /var/log/apache2/error.log[/command]

[console] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "24"] [id "1234"] [msg "Our test rule has triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "WfnEd38AAAEAAEnQyBAAAAAB"] [/console]

3. Verify that the OWASP CRS is in effect:

[command]curl localhost/index.html?exec=/bin/bash[/command]

Check the error logs again: the rule has caught the attempted execution of an arbitrary bash script.

[console] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:: exec/bin/bash"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "localhost"] [uri "/index.html"] [unique_id "WfnVf38AAAEAAEqya3YAAAAC"] [/console]
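Reading these entries by eye gets tedious once more rules fire, so the two log lines above can be condensed to one row per entry. This is an added example, not part of the original guide; the function names `modsec_field`, `modsec_summary` and `sample_log` are hypothetical, and the sample lines are constructed from the entries shown on this page with a simplified prefix.

```shell
#!/bin/sh
# Added example: condense ModSecurity error-log entries to one row each.

# Print the value of the [name "value"] field in a log line (empty if absent).
# $1 = field name, $2 = log line. "[id" does not match "[unique_id".
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# Read log lines on stdin; print "ACTION<TAB>id<TAB>uri<TAB>msg" per entry.
# DENY = "Access denied" entries, WARN = "Warning" entries; other lines are skipped.
modsec_summary() {
    while IFS= read -r line; do
        case "$line" in
            *"ModSecurity: Access denied"*) action=DENY ;;
            *"ModSecurity: Warning"*)       action=WARN ;;
            *) continue ;;
        esac
        printf '%s\t%s\t%s\t%s\n' "$action" \
            "$(modsec_field id "$line")" \
            "$(modsec_field uri "$line")" \
            "$(modsec_field msg "$line")"
    done
}

# Constructed sample: the two entries shown on this page (shortened), plus an
# unrelated Apache line that must be skipped.
sample_log() {
    cat <<'EOF'
[error] ModSecurity: Access denied with code 403 (phase 2). String match "test" at ARGS:testparam. [file "/etc/apache2/sites-enabled/000-default.conf"] [line "24"] [id "1234"] [msg "Our test rule has triggered"] [hostname "localhost"] [uri "/index.html"] [unique_id "WfnEd38AAAEAAEnQyBAAAAAB"]
[notice] AH00094: Command line: '/usr/sbin/apache2'
[error] ModSecurity: Warning. Matched phrase "bin/bash" at ARGS:. [file "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "448"] [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "CRITICAL"] [hostname "localhost"] [uri "/index.html"] [unique_id "WfnVf38AAAEAAEqya3YAAAAC"]
EOF
}

sample_log | modsec_summary
```

A WARN row means the rule matched and was logged; only a DENY row shows that ModSecurity itself rejected the request. To use it on a live server, pipe the error log into `modsec_summary` instead of `sample_log`.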

