How to Install ModSecurity for Apache2 on Ubuntu 18.04

Requirements

To get started, This guide shows you step process on how to install ModSecurity for Apache2 on Ubuntu 18.04 within Amazon EC2 instance.

Step 1. Install Apache2 Web Server

SSH remote into your Ubuntu server using your favorite terminal console. Below, you need to install an Apache2 web server for you to enable the Modsecurity module and configuring the security rules set.

sudo add-apt-repository ppa:ondrej/apache2
sudo apt update
sudo apt-get install apache2 -y

See: Learn how to install Apache2 Web Server on EC2 Ubuntu 18.04

We assume that you have already installed Apache2 Web Server in your Ubuntu server.

Step 2. Install Modsecurity

To install modsecurity on EC2 Ubuntu instance, run the command:

sudo apt-get install libapache2-mod-security2

After installation completes, restart the Apache2 service.

sudo service apache2 restart

Now verify the modsecurity module if properly installed on your environment, run the command:

sudo apachectl -M | grep security

The output should be the same as below:

security2_module (shared)

Step 3. Configure Modsecurity

After installing Modsecurity, there is a default configuration file that you need to enable and configure. Run the command:

sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Modify the file that you have copied using the vim editor.

sudo vim /etc/modsecurity/modsecurity.conf

Find for SecRuleEngine DetectionOnly and replace with SecRuleEngine On.

# SecRuleEngine DetectionOnly
SecRuleEngine On

Save and close the file.

Restart the Apache2 service to effect the changes.

sudo service apache2 restart

Step 4. Setup Rules for Modsecurity

ModSecurity has default rules set located at /usr/share/modsecurity-crs directory. Well, do not recognize these rules as we need to download the recommended latest version from Coreruleset.org

Create a new folder under the Apache directory, use the command:

sudo mkdir /etc/apache2/modsecurity.d

Now, download the Modsecurity core rule set from Github using:

sudo git clone https://github.com/coreruleset/coreruleset.git /etc/apache2/modsecurity.d/owasp-modsecurity-crs

After downloads completed, open the modsecurity folder under apache2 directory.

cd /etc/apache2/modsecurity.d/owasp-modsecurity-crs

Next, copy the sample configuration file from the downloaded rules set, type command:

sudo cp crs-setup.conf.example crs-setup.conf

Edit the Apache2 configuration file using:

sudo vim /etc/apache2/apache2.conf

Add the lines below:

<IfModule security2_module>
Include modsecurity.d/owasp-modsecurity-crs/crs-setup.conf
Include modsecurity.d/owasp-modsecurity-crs/rules/*.conf
</IfModule>

Save and close the file.

Next, open the file at /etc/apache2/mods-available/security2.conf and comment the line:

# IncludeOptional /usr/share/modsecurity-crs/owasp-crs.load

Save and close the file.

Next, verify your Apache2 configuration using:

sudo apache2ctl configtest

If all goes well, begin to restart your Apache2 service.

sudo service apache2 restart

Make sure to check your website to see if it’s still running properly.

Step 5. Testing Modsecurity

You can now try to execute a malicious URL in a browser or terminal console and see if the ModSecurity rules are triggered.

Browser

https://linuxbeast.com/index.html?exec=/bin/bash

After running the URL on the browser, you should get a Forbidden error message like this:

browser forbidden modsecurity

Terminal Console

curl -I https://linuxbeast.com/index.html?exec=/bin/bash

After running command in the terminal console, this would be the forbidden error message looks like:

terminal forbidden modsecurity

To learn more about Modsecurity:

See: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)

Extra Tips

If you want to excludes directories or removing rules set from match URI, use the guides below:

Execution error – PCRE limits exceeded (Error)

Solutions: Increase the limits

SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000

Modify this file:

sudo vim /etc/modsecurity/modsecurity.conf

See: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/656#issuecomment-262780221

MULTIPART_UNMATCHED_BOUNDARY (Error)

Solution: Modify SecRule

From:

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

To:

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200004',phase:2,t:none,nolog,allow,msg:'Multipart parser detected a possible unmatched boundary.'"

Disable/Enable ModSecurity Per Directory

<Directory /usr/share/phpmyadmin>
     SecRuleEngine Off
</Directory>
<Directory /var/www/wordpress>
     SecRuleEngine On
</Directory>

Removing Rules Set from WordPress match URI

<VirtualHost *:80>
<LocationMatch “/wp-admin”>
SecRuleRemoveById 950109 950901 950117 958030 960024 970903 973300 973301 973304 973332 973333 973338 981143 981172 981173 981245 950007 950120 981231
</LocationMatch>
<LocationMatch “/wp-admin/nav-menus.php”>
SecRuleRemoveById 960335
</LocationMatch>
<LocationMatch “/wp-login.php”>
SecRuleRemoveById 950007 950109 950117 950120 950901 981143 981172 981173 970901 970903
</LocationMatch>
<LocationMatch “/wp-content”>
SecRuleRemoveById 950007 950120 958231 970903 981172
</LocationMatch>
<LocationMatch “(/wp-admin/options.php|/wp-admin/theme-editor.php|/wp-content/plugins/)”>
SecRuleRemoveById 950005 950006 950907 958009 959006 959070 960008 960011 960904 973334 973335 973344 973347 981231 981317
SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
SecRuleRemoveById phpids-21 # Detects very basic XSS probings
SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
</LocationMatch>
<LocationMatch “/wp-admin/options-general.php”>
SecRuleRemoveById 960335
</LocationMatch>
<LocationMatch “/wp-includes”>
SecRuleRemoveById 950006 950007 950120 959006 960010 960012 970903 981172
SecRuleRemoveById phpids-17 # Detects JavaScript object properties and methods
SecRuleRemoveById phpids-20 # Detects JavaScript language constructs
SecRuleRemoveById phpids-21 # Detects very basic XSS probings
SecRuleRemoveById phpids-30 # Detects common XSS concatenation patterns 1/2
SecRuleRemoveById phpids-61 # Detects url injections and RFE attempts
</LocationMatch>
<LocationMatch “/wp-admin/post.php|/wp-admin/edit.php”>
SecRuleRemoveById 980140 950001 950007 950120 958977 959070 959072 959073 960335 970901 973306 973316 973334 973335 973343 973344 973347 981231 981243 981244 981246 981249 981257 981318 970903 981172 981256
</LocationMatch>
<LocationMatch “/wp-admin/admin-ajax.php”>
SecRuleRemoveById 950911 970901 973306 973316 973334 973335 973344 973347 981231 981257 981318 970903 950007 950120 981172 981242 981244 2100081
</LocationMatch>
<LocationMatch “/wp-admin/async-upload.php|/wp-admin/media-new.php”>
SecRuleRemoveById 200004
</LocationMatch>
<LocationMatch “/favicon.ico”>
SecRuleRemoveById 950007 950120 981172 981243 970903
</LocationMatch>
<LocationMatch “/feed”>
SecRuleRemoveById 970901
</LocationMatch>
<LocationMatch “/xmlrpc.php”>
SecRuleRemoveById 950001 959070 959071 959073 973302 973332 973333 973334 973335 973344 973347 981244 981248 981249 981256 981317 981320
</LocationMatch>
</VirtualHost>
Posted on: July 12, 2023, by :  | 52 views
https://serang.ut.ac.id/css/css/slot88/ https://tinjut.bagkeu.dikdasmen.kemdikbud.go.id/slot-maxwin/ https://dpm.polinema.ac.id/slot-gacor/ https://akademik.ft.unm.ac.id/slot-dana/ https://ppdb.probolinggokab.go.id/slot-5000/ https://bkad.sulselprov.go.id/assets/ https://ojs.balidwipa.ac.id/docs/slot-gacor/ http://korpri.pekalongankab.go.id/api/slot-gacor/ https://elang.umpp.ac.id/foto/farmasi/-/asset/ http://rsud-kelet.jatengprov.go.id/wp-content/-/asset/ https://kusdhianto-fe.staff.ugm.ac.id/slot88/ http://ppdb.probolinggokab.go.id/judi-bola/ https://bapenda.labuhanbatukab.go.id/racikan-sbobet/ http://rsud-kelet.jatengprov.go.id/wp-content/-/data/ https://agenda.riau.go.id/-/judi-bola/ https://balapan.padang.go.id/sbobet88/ http://jdih.wakatobikab.go.id/sbobet88/ http://kph.menlhk.go.id/sbobet88/ https://bkad.sulselprov.go.id/data/ https://dpm.polinema.ac.id/slot-gacor/ https://dinkes.jemberkab.go.id/storage/attachments/