Use the ModSecurity Apache Module on a Cloud Server with Ubuntu 16.04

Leave your reply

Introduction

ModSecurity is a free web application firewall (WAF) which is a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially-recommended OWASP Core Rule Set (CRS) which will protect a server against malware and hacking in the form of SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.

Note: For any Cloud Server with Plesk, Apache modules should always be added and managed through the Plesk interface. See our article Use the ModSecurity Apache Module on a Cloud Server with Plesk for step-by-step instructions.

Requirements

  • A Cloud Server running Linux (Ubuntu 16.04)
  • Apache installed and running.

Note: Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.

Install ModSecurity

Install the libapache2-modsecurity package:

sudo apt-get install libapache2-modsecurity

Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:

user@localhost:~# apachectl -M | grep security
security2_module (shared)

Create a directory for the ModSecurity rules:

sudo mkdir /etc/modsecurity

Create a file for ModSecurity rules and open the file for editing:

sudo nano /etc/modsecurity/mod_security.conf

Add the following to the file:

<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On 
    SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
    SecDataDir /tmp
</IfModule>

Save and exit the file. Then restart Apache for the changes to take effect:

sudo systemctl restart apache2

Install and Configure the OWASP Core Rule Set (CRS)

The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.

First, install the git package:

sudo apt-get install git

Go to the /etc/apache2 directory:

cd /etc/apache2/

Download the OWASP installation files:

 sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Move to the new OWASP directory:

cd owasp-modsecurity-crs

Create a copy of the example setup file and rename it:

sudo cp crs-setup.conf.example crs-setup.conf

Open the main Apache configuration file for editing:

sudo nano /etc/apache2/apache2.conf

Scroll down to the section which reads:

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf

Add the following two lines:

Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf

Save and exit the file. Then restart Apache for the changes to take effect:

systemctl restart apache2

Verify that ModSecurity is Installed and the OWASP CRS is Loaded

You can test ModSecurity's OWASP CRS by visiting the URL:

http://example.com/?param="><script>alert(1);</script>

Where example.com is replaced with your server's domain name or IP address.

You will be denied access with a 403: Forbidden error. Furthermore, this error will be noted in the /var/log/apache2/error.log file, with an entry similar to:

[Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client 79.196.255.255] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "50.21.182.126:80"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "50.21.182.126"] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]

Update the OWASP Core Rule Set (CRS)

The OWASP CRS comes with a script you can run to update the rules with the latest version. To update OWASP:

sudo python /etc/apache2/owasp-modsecurity-crs/util/upgrade.py --crs

If you run it now to test the command, it will respond with:

crs:
From https://github.com/SpiderLabs/owasp-modsecurity-crs
 * branch            HEAD       -> FETCH_HEAD
Already up-to-date.

We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.