Use the ModSecurity Apache module on a cloud server with Ubuntu 16.04

ModSecurity is a free web application firewall (WAF) that offers a simple, powerful way to protect a server against web-based malware and hacking attempts. Learn how to install ModSecurity and the officially recommended OWASP Core Rule Set (CRS), which protects a server against SQL injection, session hijacking, cross-site scripting, Trojans, and many other forms of web-based exploits.

    Requirements

    • A Cloud Server running Linux (Ubuntu 16.04)
    • Apache installed and running.
    Note

    Apache is installed and running on a Standard installation by default. If your server was created with a Minimal installation, you will need to install and configure Apache before you proceed.

    Install ModSecurity

    Install the libapache2-modsecurity package:

    sudo apt-get install libapache2-modsecurity

    Use apachectl -M | grep security to verify that the package has been installed. The server will respond with:

    user@localhost:~# apachectl -M | grep security
    security2_module (shared)

    Create a directory for the ModSecurity rules. The -p option keeps the command from failing if the directory already exists:

    sudo mkdir -p /etc/modsecurity

    Create a file for ModSecurity rules and open the file for editing:

    sudo nano /etc/modsecurity/mod_security.conf

    Add the following to the file:

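    <IfModule mod_security2.c>
        # Enforce the rules (block matching requests) rather than only logging them
        SecRuleEngine On
        # Inspect request and response bodies, not just headers
        SecRequestBodyAccess On
        SecResponseBodyAccess On
        # Response content types whose bodies are inspected
        SecResponseBodyMimeType text/plain text/html text/xml application/octet-stream
        # Directory for persistent data; /tmp is world-writable, so a dedicated
        # directory writable only by the Apache user is the safer choice
        SecDataDir /tmp
    </IfModule>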

    Save and exit the file. Then restart Apache for the changes to take effect:

    sudo systemctl restart apache2

    Install and configure the OWASP Core Rule Set (CRS)

    The OWASP Core Rule Set (CRS) extends the functionality of ModSecurity by providing a set of security rules to protect your server.

    First, install the git package:

    sudo apt-get install git

    Go to the /etc/apache2 directory:

    cd /etc/apache2/

    Download the OWASP installation files:

    sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

    Move to the new OWASP directory:

    cd owasp-modsecurity-crs

    Create a copy of the example setup file and rename it:

    sudo cp crs-setup.conf.example crs-setup.conf

    Open the main Apache configuration file for editing:

    sudo nano /etc/apache2/apache2.conf

    Scroll down to the section which reads:

    # Include module configuration:
    IncludeOptional mods-enabled/*.load
    IncludeOptional mods-enabled/*.conf

    Add the following two lines:

    Include /etc/apache2/owasp-modsecurity-crs/crs-setup.conf
    Include /etc/apache2/owasp-modsecurity-crs/rules/*.conf

    Save and exit the file. Then restart Apache for the changes to take effect:

    sudo systemctl restart apache2

    Verify that ModSecurity is installed and the OWASP CRS is loaded

    You can test ModSecurity's OWASP CRS by visiting the URL:

    http://example.com/?param="><script>alert(1);</script>

    Where example.com is replaced with your server's domain name or IP address.

    You will be denied access with a 403: Forbidden error. Furthermore, this error will be noted in the /var/log/apache2/error.log file, with an entry similar to:

    [Tue Aug 01 21:28:41.118995 2017] [:error] [pid 59913] [client 79.196.255.255] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/apache2/owasp-modsecurity-crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "810"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "50.21.182.126:80"] [severity "WARNING"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "50.21.182.126"] [uri "/phpmanager/"] [unique_id "WYDyiX8AAAEAAOoJ5qMAAAAA"]
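
An added example, not part of the original tutorial: a small Python parser for error.log entries in the format shown above, grouping them by unique_id so the rules that fired for one request can be read together with whether that request was denied. The sample entries are constructed and abbreviated; rule 941100 and the "Access denied" entry from rule 949110 assume the CRS 3 default anomaly-scoring setup, and parse_line and group_by_request are names chosen here.

```python
import re
from collections import defaultdict

# Leading part of an Apache 2.4 error.log entry written by ModSecurity.
HEAD = re.compile(r'^\[(?P<time>[^\]]+)\] \[[^\]]*\] \[pid [^\]]+\] '
                  r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<action>[^.]+)\.')
# Trailing [key "value"] fields; a value may contain backslash-escaped quotes.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def parse_line(line):
    """Return a dict for a ModSecurity entry, or None for any other log line."""
    head = HEAD.match(line)
    if head is None:
        return None
    event = {"time": head["time"], "client": head["client"],
             "action": head["action"], "tags": []}
    for key, value in FIELD.findall(line):
        if key == "tag":
            event["tags"].append(value)  # [tag "..."] repeats, keep every one
        else:
            event[key] = value
    return event

def group_by_request(lines):
    """Correlate entries by unique_id: which rules fired, and was it denied?"""
    requests = defaultdict(lambda: {"client": None, "uri": None,
                                    "rules": [], "denied": False})
    for line in lines:
        event = parse_line(line)
        if event is None or "unique_id" not in event:
            continue
        req = requests[event["unique_id"]]
        req["client"], req["uri"] = event["client"], event.get("uri")
        req["rules"].append(event.get("id"))
        req["denied"] |= event["action"].startswith("Access denied")
    return dict(requests)

# Constructed, abbreviated sample entries (documentation IPs, made-up unique_id values).
SAMPLE = [
    r'[Tue Aug 01 21:30:02.000001 2017] [:error] [pid 59913] [client 203.0.113.7] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [hostname "example.com"] [uri "/"] [unique_id "CONSTRUCTED-REQ-1"]',
    r'[Tue Aug 01 21:30:02.000002 2017] [:error] [pid 59913] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "example.com"] [uri "/"] [unique_id "CONSTRUCTED-REQ-1"]',
    r'[Tue Aug 01 21:31:10.000003 2017] [:error] [pid 59913] [client 203.0.113.9] ModSecurity: Warning. Pattern match "^[\\\\d.:]+$" at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"] [data "192.0.2.10:80"] [severity "WARNING"] [tag "attack-protocol"] [hostname "192.0.2.10"] [uri "/phpmanager/"] [unique_id "CONSTRUCTED-REQ-2"]',
    r'[Tue Aug 01 21:31:11.000004 2017] [mpm_prefork:notice] [pid 1234] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations',
]

if __name__ == "__main__":
    for uid, req in group_by_request(SAMPLE).items():
        print(uid, req["client"], req["uri"], req["rules"],
              "DENIED" if req["denied"] else "logged only")
```

To run it against the live log, pass an open handle on /var/log/apache2/error.log to group_by_request in place of SAMPLE.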

    Update the OWASP Core Rule Set (CRS)

    The OWASP CRS comes with a script you can run to update the rules with the latest version. To update OWASP:

    sudo python /etc/apache2/owasp-modsecurity-crs/util/upgrade.py --crs

    If you run it now to test the command, it will respond with:

    crs:
    From https://github.com/SpiderLabs/owasp-modsecurity-crs
     * branch            HEAD       -> FETCH_HEAD
    Already up-to-date.

    We recommend that you periodically run this script to update the OWASP CRS for the latest security patches.

