Atlantic.Net Blog

Securing Your Apache Web Server with Mod Security

Hitesh Jethva
by Atlantic.Net (76posts) under VPS Hosting
0 Comments

ModSecurity, also known as Modsec, is a free and open-source web application firewall for Apache webserver. ModSecurity is an Apache module that helps you to protect your web server from different types of attacks including SQL injection, XSS, trojans, bots, session capture/hijacking, and many more. ModSecurity provides powerful rule sets with real-time web monitoring, logging, and access control.

In this tutorial, we will show you how to install and configure Mod Security with Apache on Ubuntu 18.04.

Prerequisites

  • A fresh Ubuntu 18.04 VPS on the Atlantic.Net Cloud Platform.
  • A static IP address configured on your server.

Step 1 – Create an Atlantic.Net Cloud Server

First, log in to your Atlantic.Net Cloud Server.  Create a new server, choosing Ubuntu 18.04 as the operating system with at least 2GB RAM. Connect to your Cloud Server via SSH and log in using the credentials highlighted at the top of the page.

Once you are logged into your Ubuntu 18.04 server, run the following command to update your base system with the latest available packages.

apt-get update -y

Step 2 – Install LAMP Stack

First, you will need to install LAMP Stack on your server. You can install it by running the following command:

apt-get install apache2 mariadb-server php7.2-mysql php7.2 libapache2-mod-php7.2 unzip git -y

After installing LAMP, start the Apache service and enable it to start after system reboot with the following command:

systemctl start apache2
systemctl enable apache2

At this point, the Apache web server is installed and running on your server.

Step 3 – Install ModSecurity

By default, ModSecurity is available in the Ubuntu 18.04 default repository. You can install it using the following command:

apt-get install libapache2-mod-security2 -y

Once the installation has been completed, restart the Apache service to apply the changes.

systemctl restart apache2

Next, you can also check whether the module has been loaded or not by running the following command:

apachectl -M | grep security

You should get the following output:

security2_module (shared)

Step 4 – Configure ModSecurity

There are no security rules configured by default, so you will need to enable it first. To do so, rename the ModSecurity default configuration file /etc/modsecurity/modsecurity.conf-recommended to /etc/modsecurity/modsecurity.conf.

cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Next, edit the file using your preferred text editor:

nano /etc/modsecurity/modsecurity.conf

Find the following line:

SecRuleEngine DetectionOnly

Replace it with the following:

SecRuleEngine On

Save and close the file when you are finished. Then, restart the Apache service for the changes to take effect.

systemctl restart apache2

Step 5 – Download and Configure ModSecurity Core Rule

ModSecurity’s default set of rules is available inside /usr/share/modsecurity-crs directory, but it is recommended to download a new rule set from the GitHub.

First, remove the old rules with the following command:

rm -rf /usr/share/modsecurity-crs

Next, download the latest rule set with the following command:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

Next, you will need to enable this rule set in apache configuration. You can enable it by editing the file /etc/apache2/mods-enabled/security2.conf:

nano /etc/apache2/mods-enabled/security2.conf

Add the following lines above the line “</IfModule>”

     IncludeOptional "/usr/share/modsecurity-crs/*.conf
     IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf

Save and close the file. Then, restart the Apache service and enable the Apache header module to implement the changes.

a2enmod headers
systemctl restart apache2

At this point, ModSecurity is configured to work with Apache webserver.

Step 6 – Test ModSecurity

After configuring ModSecurity, you can try to execute malicious scripts on a web browser and check whether ModSecurity rules will be triggered.

Open your web browser and type the URL http://your-server-ip/index.html?exec=/bin/bash. You should get a forbidden error message in the following page:

To test ModSecurity’s rules for protecting against a simulated XSS attack, access the URL http://your-server-ip/?q=”><script>alert(1)</script> from your web browser. You should see the following screen:

To test ModSecurity’s rules against Nessus scans, use a curl command with Nessus scanners to send HTTP requests to the Apache server as shown below:

curl -i http://your-server-ip -A Nessus

You should get a 403 Forbidden response because ModSecurity has identified the User Agent as a Nessus scan:

HTTP/1.1 403 Forbidden
Date: Sat, 21 Dec 2019 04:17:24 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 278
Content-Type: text/html; charset=iso-8859-1

Step 7 – Exclude a Specific Domain from ModSecurity

In some cases, you need to exclude a specific domain from ModSecurity protection. To disable ModSecurity for a specific domain, open the Apache virtual host configuration file for a specific domain:

nano /etc/apache2/site-enabled/your-domain.conf

Add the following lines inside the <VirtualHost>…</VirtualHost> block:

<IfModule security2_module>
    SecRuleEngine Off
</IfModule>

Save and close the file. Then, restart the Apache service to apply the changes.

systemctl restart apache2

Conclusion

We have reviewed how to install and configure ModSecurity to protect your Apache webserver from malicious attacks. For more information, visit the ModSecurity documentation at ModSecurity.

Get A Free To Use Cloud VPS

Free Tier Includes:
G2.1GB Cloud VPS Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year


Looking for a Hosting Solution?

We Provide Cloud, Dedicated, & Colocation.

  • Seven Global Data Center Locations.
  • Flexible Private, Public, & Hybrid Hosting.
  • 24x7x365 Security, Support, & Monitoring.
Contact Us Now! Med Tech Award FTC
SOC Audit HIPAA Audit HITECH Audit

Recent Posts

Get started with 12 months of free cloud VPS hosting

Free Tier includes:
G2.1GB Cloud VPS Server Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year


New York, NY

100 Delawanna Ave, Suite 1

Clifton, NJ 07014

United States

San Francisco, CA

2820 Northwestern Pkwy,

Santa Clara, CA 95051

United States

Dallas, TX

2323 Bryan Street,

Dallas, Texas 75201

United States

Ashburn, VA

1807 Michael Faraday Ct,

Reston, VA 20190

United States

Orlando, FL

440 W Kennedy Blvd, Suite 3

Orlando, FL 32810

United States

Toronto, Canada

20 Pullman Ct, Scarborough,

Ontario M1X 1E4

Canada

London, UK

14 Liverpool Road, Slough,

Berkshire SL1 4QZ

United Kingdom

Resources