ModSecurity is an open-source web application firewall (WAF) that runs as a module inside Apache 2, Nginx or IIS. It is released under the Apache License 2.0. ModSecurity inspects HTTP requests and responses in real time and can log or block traffic that matches its rules, most of which are written as regular expressions. On its own, ModSecurity ships with very few rules; the protection comes from the rule sets you load into it.
The Open Web Application Security Project (OWASP) Core Rule Set (CRS) is a set of generic attack detection rules that provide a base level of protection for any web application. The rule set is free and open source and is currently sponsored by Trustwave SpiderLabs. It covers the following areas:
HTTP Protection – detects violations of the HTTP protocol and of a locally defined usage policy.
Real-time Blacklist Lookups – uses third-party IP reputation lists.
HTTP Denial of Service Protection – defends against HTTP flooding and slow HTTP DoS attacks.
Common Web Attacks Protection – detects common web application attacks such as injection and cross-site scripting.
Automation Detection – detects bots, crawlers, scanners and other automated malicious activity.
Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
Tracking Sensitive Data – tracks credit card numbers in responses and blocks their leakage.
Trojan Protection – detects access to Trojan horses and backdoors.
Identification of Application Defects – alerts on application misconfigurations.
Error Detection and Hiding – disguises error messages sent by the server.
This guide shows you how to install ModSecurity and the OWASP Core Rule Set on CentOS 6 running Apache 2.
First, you need to ensure that your system is up to date.
yum -y update
If you have not installed Apache 2 yet, install it now.
yum -y install httpd
ModSecurity is compiled against Apache, so it needs the Apache development headers (httpd-devel), a compiler and build tools, and the libxml2, PCRE and libcurl libraries with their headers. Depending on your server configuration, some or all of these packages may already be installed; yum installs the ones you are missing and reports the ones already present.
yum -y install httpd-devel git gcc make libxml2 pcre-devel libxml2-devel curl-devel
Change to a working directory and download the source code from the ModSecurity website. The version used in this guide is 2.8.0; check the website for the latest stable release.
cd /opt/
wget https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
Extract the archive and change into its directory.
tar xzfv modsecurity-2.8.0.tar.gz
cd modsecurity-2.8.0
Configure and compile the source. The build uses apxs from httpd-devel, so make install places mod_security2.so in Apache's modules directory.
./configure
make
make install
Copy the recommended ModSecurity configuration and the Unicode mapping file from the source tree into Apache's conf.d directory. The recommended configuration is what puts ModSecurity into detection-only mode, as discussed below.
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
cp unicode.mapping /etc/httpd/conf.d/
Configure Apache to load the module. There are two ways to do this: append the directive with echo,
echo LoadModule security2_module modules/mod_security2.so >> /etc/httpd/conf/httpd.conf
or use a text editor such as nano:
nano /etc/httpd/conf/httpd.conf
At the bottom of the file, on a line of its own, add:
LoadModule security2_module modules/mod_security2.so
ModSecurity 2.x also requires mod_unique_id. The CentOS 6 httpd.conf loads it by default, so make sure that LoadModule line has not been removed. You can now start Apache and configure it to start at boot.
service httpd start
chkconfig httpd on
If Apache was already installed before you started this guide, you just need to restart it.
service httpd restart
Now download the OWASP Core Rule Set into the Apache configuration directory.
cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git modsecurity-crs
The directory name given to git clone matters, because the Include lines below refer to modsecurity-crs. The file and directory names used in this guide match the CRS 2.2.x series that the repository's master branch carried at the time of writing; later CRS releases use a different layout, so check out a 2.2.x tag if you want to follow the steps exactly. Now configure the rule set from the example setup file shipped with it.
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Next, add the rule set to the Apache configuration. Again, there are two ways to do this. Include paths are relative to ServerRoot (/etc/httpd), and Apache expands the wildcard itself, so quote the second line to stop the shell from expanding it first.
echo 'Include modsecurity-crs/modsecurity_crs_10_config.conf' >> /etc/httpd/conf/httpd.conf
echo 'Include modsecurity-crs/base_rules/*.conf' >> /etc/httpd/conf/httpd.conf
or with a text editor:
nano /etc/httpd/conf/httpd.conf
At the bottom of the file, on separate lines, add:
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
Now restart Apache.
service httpd restart
Finally, delete the build tree and the downloaded archive. These are plain files, not packages, so remove them with rm rather than yum erase:
rm -rf /opt/modsecurity-2.8.0 /opt/modsecurity-2.8.0.tar.gz
By default, the recommended configuration sets SecRuleEngine to DetectionOnly: ModSecurity logs every rule match to the Apache error log but takes no blocking action. Keep it that way on a new installation and watch the events generated by normal traffic. After reviewing the log, decide whether any rules need to be tuned or disabled (see below) before switching to blocking mode.
To view the Apache error log:
cat /var/log/httpd/error_log
Each ModSecurity entry in the Apache error log begins with what the engine did and in which phase (for example "ModSecurity: Warning." in detection-only mode, or "ModSecurity: Access denied with code 403 (phase 2)." when a request is blocked), followed by a series of bracketed elements that explain why the event was triggered. The ones you will need are:
[file "..."] – the rule file containing the rule that triggered the event.
[line "..."] – the line in that file on which the rule starts.
[id "..."] – the numeric ID of the rule; this is the value you use to disable a rule (see below).
[rev "..."] – the revision of the rule.
[msg "..."] – the rule's description, and [data "..."] – the data that matched; both are useful for debugging.
[severity "..."] – the logging severity of the event.
[tag "..."] – the attack category the rule belongs to.
Note that some elements may be absent depending on the rule and the configuration of your server.
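Reading these elements by eye is tedious once the log grows, so here is an added example (mine, not part of the original guide or of ModSecurity) of a small POSIX shell script that extracts the bracketed elements from ModSecurity entries, summarises which rules fire most often while you are still in detection-only mode, and lists the rule IDs that actually denied a request, which is what you need later when a block has to be traced to a rule. The log lines it parses are constructed for the example in the ModSecurity 2.x format; the rule IDs, paths and client addresses in them are illustrative, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): pull the bracketed elements out
# of ModSecurity 2.x entries in the Apache error log and summarise them.
# The log lines embedded below are constructed for this example in the format
# ModSecurity 2.x writes; they were not captured from a real server.

# modsec_field LINE KEY: print the value of [KEY "..."] in LINE, or nothing
# if the element is absent (elements vary with the rule and configuration).
modsec_field() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_summary FILE: one line per distinct rule, "count id severity msg",
# most frequent first. This is the view to review while in DetectionOnly mode.
modsec_summary() {
    grep 'ModSecurity:' "$1" | while IFS= read -r line; do
        printf '%s\t%s\t%s\n' \
            "$(modsec_field "$line" id)" \
            "$(modsec_field "$line" severity)" \
            "$(modsec_field "$line" msg)"
    done | sort | uniq -c | sort -rn
}

# modsec_denied_ids FILE: ids of the rules that actually blocked a request
# ("Access denied" entries). In DetectionOnly mode every entry is a
# "Warning." and this prints nothing.
modsec_denied_ids() {
    grep 'ModSecurity: Access denied' "$1" | while IFS= read -r line; do
        modsec_field "$line" id
    done | sort -u
}

# Constructed sample log: a non-ModSecurity line, two hits on the same SQLi
# rule, one low-severity rule without a [data] element, and one block by the
# CRS anomaly-scoring rule.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
[Sun Jun 01 12:00:00 2014] [notice] caught SIGTERM, shutting down
[Sun Jun 01 12:00:01 2014] [error] [client 203.0.113.5] ModSecurity: Warning. Pattern match "..." at ARGS:id. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: -- found within ARGS:id: 1 -- "] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "U4sAAAAAAAEAAB2ZAA4AAAAA"]
[Sun Jun 01 12:00:02 2014] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "..." at ARGS:q. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [data "Matched Data: -- found within ARGS:q: test -- "] [severity "CRITICAL"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname "www.example.com"] [uri "/search"] [unique_id "U4sAAAAAAAEAAB2ZAA4AAAAB"]
[Sun Jun 01 12:00:03 2014] [error] [client 198.51.100.7] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "1"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [hostname "www.example.com"] [uri "/"] [unique_id "U4sAAAAAAAEAAB2ZAA4AAAAC"]
[Sun Jun 01 12:00:04 2014] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "..." at TX:anomaly_score. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=5, XSS=0): Last Matched Message: SQL Comment Sequence Detected."] [data "Last Matched Data: --"] [severity "CRITICAL"] [tag "OWASP_CRS/ANOMALY/EXCEEDED"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "U4sAAAAAAAEAAB2ZAA4AAAAD"]
EOF

echo "== rule hits (count id severity msg) =="
modsec_summary "$sample_log"
echo "== rules that blocked a request =="
modsec_denied_ids "$sample_log"
```

On a real server, point modsec_summary and modsec_denied_ids at /var/log/httpd/error_log. A rule that tops the summary on ordinary traffic is a candidate for tuning or for SecRuleRemoveById; a rule that appears in the denied list is the one to look at first when a legitimate request was blocked.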
To change ModSecurity to protection mode, open the conf file in a text editor:
nano /etc/httpd/conf.d/modsecurity.conf
and change:
SecRuleEngine DetectionOnly
to:
SecRuleEngine On
then restart Apache for the change to take effect. If legitimate requests are blocked once ModSecurity is enforcing, you need to identify the rule responsible in the Apache error log. The tail command lets you watch the log in real time:
tail -f /var/log/httpd/error_log
Repeat the action that caused the block while watching the log.
Modifying a ruleset is beyond the scope of this tutorial.
To disable a specific rule, take the rule ID from the id element of the log entry (for example, [id "200000"]) and disable it in the Apache configuration file. SecRuleRemoveById only affects rules that have already been loaded, so it must come after the Include lines for the rule set; appending it to the bottom of httpd.conf satisfies this.
nano /etc/httpd/conf/httpd.conf
Add the following at the bottom of the file, substituting the rule ID:
<IfModule mod_security2.c>
SecRuleRemoveById 200000
</IfModule>
If you find that ModSecurity blocks almost every action on your website(s), the Core Rule Set is probably running in Self-Contained mode, in which the first rule that matches denies the request outright. Switch to Collaborative Detection mode, where each matching rule only adds to an anomaly score and the request is blocked only when that score exceeds the configured threshold. The mode is selected by the SecDefaultAction directive in the CRS setup file, which documents both options; you can review the anomaly score thresholds in the same file.
nano /etc/httpd/modsecurity-crs/modsecurity_crs_10_config.conf
Change the SecDefaultAction line from "phase:1,deny,log" (Self-Contained) to "phase:2,pass,log" (Collaborative Detection), then restart Apache.
You can also configure ModSecurity to let your own IP address through the web application firewall (WAF) entirely, without logging. Since ModSecurity 2.7 every rule must carry an id: action, and the actions must be quoted as a single argument, otherwise Apache refuses to start. The IDs 10001 and 10002 below are placeholders in the 1–99,999 range that ModSecurity reserves for local rules, and xxx.xxx.xxx.xxx stands for your address. Place the rule before the CRS Include lines so that it is evaluated before any CRS rule in phase 1:
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" "id:10001,phase:1,nolog,allow,ctl:ruleEngine=Off"
Or, to keep logging what the rules would have done with your requests while never blocking them, switch the engine to detection-only for that transaction instead of allowing it outright (allow skips the remaining phases, so nothing would be logged):
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" "id:10002,phase:1,nolog,pass,ctl:ruleEngine=DetectionOnly"
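As an added example (not part of the original guide or of ModSecurity), the following POSIX shell script checks a configuration for the two mistakes just discussed before you restart httpd: a SecRuleRemoveById placed before the CRS Include lines, which removes nothing, and a SecRule without an id: action, which stops Apache from starting. It also reports the effective SecRuleEngine value, so you can confirm whether you are still in detection-only mode. The two configuration files it writes are constructed for the example and contain those mistakes on purpose; the function names and temporary paths are the example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): lint the ModSecurity-related
# directives of an Apache configuration before restarting httpd. The two
# configuration files written below are constructed for this example and
# contain deliberate mistakes; the paths and layout mirror this guide.

# join_continuations FILE: print FILE with backslash-continued lines joined,
# so that a SecRule split across several lines is inspected as one line.
join_continuations() {
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
        { print buf $0; buf = "" }
        END { if (buf != "") print buf }
    ' "$1"
}

# rule_engine_mode FILE...: the effective SecRuleEngine value across the
# given files (the last occurrence wins), or "unset" if none is found.
rule_engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$@"
}

# misplaced_removals FILE: SecRuleRemoveById lines that appear before the last
# CRS Include. ModSecurity only removes rules that are already loaded, so
# these directives have no effect. Output: "<line number>: <directive>".
misplaced_removals() {
    awk '
        $1 == "Include" && $2 ~ /modsecurity-crs\// { last_inc = NR }
        $1 == "SecRuleRemoveById"                   { removal[NR] = $0 }
        END { for (n in removal) if (n + 0 < last_inc) print n ": " removal[n] }
    ' "$1"
}

# rules_without_id FILE: SecRule/SecAction directives without an id: action.
# ModSecurity 2.7 and later refuse to start without one.
rules_without_id() {
    join_continuations "$1" |
        awk '($1 == "SecRule" || $1 == "SecAction") && $0 !~ /[",[:space:]]id:/'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed stand-in for /etc/httpd/conf.d/modsecurity.conf
cat > "$work/modsecurity.conf" <<'EOF'
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF

# Constructed stand-in for the tail of /etc/httpd/conf/httpd.conf. Line 6
# disables a rule before the CRS is included; line 11 lacks an id: action.
cat > "$work/httpd.conf" <<'EOF'
# constructed example, not a real server configuration
ServerRoot "/etc/httpd"
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
Include conf.d/*.conf
SecRuleRemoveById 981231
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
<IfModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" phase:1,nolog,allow,ctl:ruleEngine=Off
    SecRule REMOTE_ADDR "@ipMatch 203.0.113.10" \
        "id:10001,phase:1,nolog,allow,ctl:ruleEngine=Off"
</IfModule>
EOF

echo "SecRuleEngine: $(rule_engine_mode "$work/httpd.conf" "$work/modsecurity.conf")"
echo "SecRuleRemoveById before the CRS is loaded (no effect):"
misplaced_removals "$work/httpd.conf"
echo "Rules without an id: action (httpd will refuse to start):"
rules_without_id "$work/httpd.conf"
```

On a real server, point the functions at /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/modsecurity.conf and then run httpd -t before service httpd restart. The missing id is a configuration error that httpd -t reports as well; the ordering mistake is not a syntax error, so httpd -t accepts it and only the lint will tell you that the removal is doing nothing.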