How to Make Use of ModSecurity in Apache

  • 0:37 apt-get install libapache2-modsecurity -y
  • 0:48 apachectl -M | grep --color security
  • 1:06 mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
  • 1:10 vim /etc/modsecurity/modsecurity.conf
  • 1:35 systemctl restart apache2
  • 2:01 vim /etc/apache2/mods-enabled/security2.conf
  • 2:32 systemctl restart apache2

ModSecurity in Apache

ModSecurity is a free Apache module used to protect your web server from various attacks such as SQL injection, cross-site scripting, session hijacking, brute force and many other exploits. It also allows you to monitor traffic in real time.

Installation

You can install ModSecurity using the following command:

linuxhelp ~ # apt-get install libapache2-modsecurity -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-security2
Recommended packages:
  modsecurity-crs
The following NEW packages will be installed:
  libapache2-mod-security2 libapache2-modsecurity
0 upgraded, 2 newly installed, 0 to remove and 402 not upgraded.
Need to get 316 kB of archives.
After this operation, 1,263 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libapache2-mod-security2 amd64 2.9.0-1 [314 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial/universe amd64 libapache2-modsecurity all 2.9.0-1 [2,006 B]
Fetched 316 kB in 1s (215 kB/s)              
Selecting previously unselected package libapache2-mod-security2.
(Reading database ... 220633 files and directories currently installed.)
Preparing to unpack .../libapache2-mod-security2_2.9.0-1_amd64.deb ...
Unpacking libapache2-mod-security2 (2.9.0-1) ...
Selecting previously unselected package libapache2-modsecurity.
Preparing to unpack .../libapache2-modsecurity_2.9.0-1_all.deb ...
Unpacking libapache2-modsecurity (2.9.0-1) ...
Setting up libapache2-mod-security2 (2.9.0-1) ...
apache2_invoke: Enable module security2
Setting up libapache2-modsecurity (2.9.0-1) ...

To check whether the mod_security module is loaded, use the following command. You should see a module named security2_module (shared), which indicates that the module was loaded.

linuxhelp ~ # apachectl -M | grep --color security
AH00557: apache2: apr_sockaddr_info_get() failed for linuxhelp
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
 security2_module (shared)

To enable the mod_security rules, you need to rename and edit the recommended ModSecurity configuration file and set the SecRuleEngine option to On. To do this, run the following commands:

linuxhelp ~ # mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
linuxhelp ~ # vim /etc/modsecurity/modsecurity.conf 
Add/edit the following line:
SecRuleEngine On

Now restart Apache for the changes to take effect.

linuxhelp ~ # systemctl restart apache2
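An added example, not part of the original tutorial: modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, which logs but does not block, so it is worth confirming which mode the file actually sets after editing. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Print the SecRuleEngine mode a ModSecurity config file sets.
# Commented-out lines never match; if the directive appears more than once,
# the last uncommented occurrence in the file is reported.
modsec_engine_mode() {
    awk '
        $1 == "SecRuleEngine" { mode = $2 }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Rewrite every uncommented SecRuleEngine line to "On", keeping a .bak copy.
modsec_enable_blocking() {
    cp -p "$1" "$1.bak" &&
    sed -E 's/^([[:space:]]*SecRuleEngine[[:space:]]+).*/\1On/' "$1.bak" > "$1"
}

# Constructed sample: a stand-in for /etc/modsecurity/modsecurity.conf.
demo_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
    echo "$f"
}

conf=$(demo_conf)
echo "before: $(modsec_engine_mode "$conf")"
modsec_enable_blocking "$conf"
echo "after:  $(modsec_engine_mode "$conf")"
rm -f "$conf" "$conf.bak"
```

On a real server, point modsec_engine_mode at /etc/modsecurity/modsecurity.conf before restarting Apache.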

ModSecurity comes with many security rules (called the Core Rule Set), located in the “/usr/share/modsecurity-crs” directory. You now need to enable these rules so that they work with Apache.

linuxhelp ~ # vim /etc/apache2/mods-enabled/security2.conf 
Add/edit the following lines:
        IncludeOptional "/usr/share/modsecurity-crs/*.conf"
        IncludeOptional "/usr/share/modsecurity-crs/base_rules/*.conf"

Save the file and restart the Apache service.

linuxhelp ~ # systemctl restart apache2
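An added example, not part of the original tutorial: IncludeOptional is silently ignored when its wildcard matches no file, and the apt output above lists modsecurity-crs only as a recommended package, so Apache can restart cleanly with the engine on and no rules loaded. The check below counts the files each pattern matches; the function names, the prefix argument and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# For each IncludeOptional line in an Apache config, print
# "<number of matching files> <pattern>"; return 1 if any pattern matches nothing.
# $2 is an optional path prefix so the demo can run against a temporary tree.
check_includes() {
    inc_conf=$1 inc_prefix=${2:-} inc_rc=0
    inc_patterns=$(sed -n -E \
        's/^[[:space:]]*IncludeOptional[[:space:]]+"?([^"]+)"?[[:space:]]*$/\1/p' \
        "$inc_conf")
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        n=0
        # $pat is left unquoted on purpose so the shell expands the wildcard
        # (paths containing spaces are not handled).
        for f in "$inc_prefix"$pat; do
            if [ -e "$f" ]; then n=$((n + 1)); fi
        done
        echo "$n $pat"
        [ "$n" -gt 0 ] || inc_rc=1
    done <<EOF
$inc_patterns
EOF
    return $inc_rc
}

# Constructed sample: one rule file under base_rules, none at the top level.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/share/modsecurity-crs/base_rules"
    : > "$d/usr/share/modsecurity-crs/base_rules/constructed_rule.conf"
    cat > "$d/security2.conf" <<'EOF'
        IncludeOptional "/usr/share/modsecurity-crs/*.conf"
        IncludeOptional "/usr/share/modsecurity-crs/base_rules/*.conf"
EOF
    echo "$d"
}

tree=$(demo_tree)
check_includes "$tree/security2.conf" "$tree" ||
    echo "at least one IncludeOptional pattern loads no rule files"
rm -rf "$tree"
```

On a real server, run check_includes /etc/apache2/mods-enabled/security2.conf with no prefix; a count of 0 means that line contributes no rules.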

With this, the method to make use of ModSecurity in Apache comes to an end.

Tags:
jacob
Author: 


Frequently asked questions ( 5 )

Q

What is meant by ModSecurity?

A

ModSecurity is an open source Web Application Firewall (WAF). It can be installed as a module inside the Apache, Nginx or IIS web servers.

Q

What is the difference between ModSecurity and CRS?

A

ModSecurity is a firewall engine which can inspect traffic on your web server. It can log and block requests. However, an engine does nothing without a certain policy. The CRS delivers a policy where requests to your web applications are inspected for various attacks, and malicious traffic is blocked.

Q

What is a Virtual Patch and why should I care?

A

Fixing identified vulnerabilities in web applications always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time.

Q

What attacks do the Core Rules protect against?

A

In order to provide generic web applications protection, the Core Rules use the following techniques:

  • HTTP protection - detecting violations of the HTTP protocol and a locally defined usage policy.
  • Common Web Attacks Protection - detecting common web application security attacks.
  • Automation detection - detecting bots, crawlers, scanners, and other surface malicious activity.

Q

What's new in ModSecurity and why should I upgrade if I am already using ModSecurity 1.x?

A

In order to use the OWASP ModSecurity Core Rules, you must use the 2.x version of ModSecurity as it takes advantage of specific features not available in previous versions.
