Use the ModSecurity Apache Module on a Cloud Server with Ubuntu 16.04

ModSecurity is a free web application firewall (WAF) which is a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially-recommended OWASP Core Rule Set (CRS) which will protect a server against malware and hacking in the form of SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.

    vServer (VPS) from IONOS

    Low-cost, powerful VPS hosting for running your custom applications, with a personal assistant and 24/7 support.

    100 % SSD storage
    Ready in 55 sec.
    SSL certificate

    Requirements

    • A Cloud Server running Linux (Ubuntu 16.04)
    • Apache installed and running.
    Note

    Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.

    Install ModSecurity

    Install the libapache2-modsecurity package:

    sudo apt-get install libapache2-modsecurity

    Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:

    user@localhost:~# apachectl -M | grep security
    security2_module (shared)

    Create a directory for the ModSecurity rules:

    sudo mkdir /etc/modsecurity

    Create a file for ModSecurity rules and open the file for editing:

    sudo nano /etc/modsecurity/mod_security.conf

    Add the following to the file:

    <IfModule mod_security2.c>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess On 
        SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream 
        SecDataDir /tmp
    </IfModule>

    Save and exit the file. Then restart Apache for the changes to take effect:

    sudo systemctl restart apache2

    Install and Configure the OWASP Core Rule Set (CRS)

    The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.

    First, install the git package:

    sudo apt-get install git

    Go to the /etc/apache2 directory:

    cd /etc/apache2/

    Download the OWASP installation files:

    sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

    Move to the new OWASP directory:

    cd owasp-modsecurity-crs

    Create a copy of the example setup file and rename it:

    sudo cp crs-setup.conf.example crs-setup.conf

    Open the main Apache configuration file for editing:

    sudo nano /etc/apache2/apache2.conf

    Scroll down to the section which reads:

    # Include module configuration:
    IncludeOptional mods-enabled/*.load
    IncludeOptional mods-enabled/*.conf

    Add the following two lines:

    Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
    Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf

    Save and exit the file. Then restart Apache for the changes to take effect:

    systemctl restart apache2

    Web hosting with a personal consultant

    Fast and scalable, including a free domain for the first year and email address, trust web hosting from IONOS!

    Domain
    Wildcard SSL
    24/7 support

    Verify that ModSecurity is Installed and the OWASP CRS is Loaded

    You can test ModSecurity's OWASP CRS by visiting the URL:

    http://example.com/?param="><script>alert(1);</script>

    Where example.com is replaced with your server's domain name or IP address.

    You will be denied access with a 403: Forbidden error. Furthermore, this error will be noted in the /var/log/apache2/error.log file, with an entry similar to:

    [Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client 79.196.255.255] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "50.21.182.126:80"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "50.21.182.126"] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]

    Update the OWASP Core Rule Set (CRS)

    The OWASP CRS comes with a script you can run to update the rules with the latest version. To update OWASP:

    sudo python /etc/apache2/owasp-modsecurity-crs/util/upgrade.py --crs

    If you run it now to test the command, it will respond with:

    crs:
    From https://github.com/SpiderLabs/owasp-modsecurity-crs
     * branch            HEAD       -> FETCH_HEAD
    Already up-to-date.

    We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.


    Wait! We’ve got something for you!
    Have a look at our great prices for different domain extensions.


    Enter the web address of your choice in the search bar to check its availability.
    .org
    $1/1st year
    then $20/year
    .com
    $1/1st year
    then $15/year
    .info
    $1/1st year
    then $20/year
    .me
    $1/1st year
    then $20/year