ModSecurity (commonly written mod_security, or "modsec" for short) is a powerful WAF (Web Application Firewall) that integrates directly into Apache's module system. Because of this direct integration, the security module can intercept traffic at the earliest stage of a request. Detecting an attack that early lets it block malicious requests before they are passed to the web applications hosted on the Apache server, adding an extra layer of defence against the common threats a server faces. This article walks through installing mod_security together with the CRS (Core Rule Set) on an Ubuntu 16.04 LTS server running Apache 2.4.
Prerequisites
Ensure your system environment includes the following:
• Ubuntu 16.04 LTS Server.
• Baseline Apache 2.4 pre-installed.
• Pre-configured Network & Internet Connection.
• Root user shell access (console or SSH).
Additionally, you should be familiar with the following system administration concepts:
• Basic navigation of the Linux command line shell.
• How to modify files in your chosen system editor (vim, nano, emacs, etc.).
Pre-Flight Checks
Many Apache-based OS images ship mod_security as a standard module, so it may already be installed on the target system. Before continuing, confirm that you are running Apache 2.4 and check whether mod_security is already installed. You can do this by running the two commands below:
Check Apache’s Version
sudo apache2ctl -v
Example Output:
Server version: Apache/2.4.18 (Ubuntu)
Server built:   2018-06-07T19:43:03
Check if the Security Module is Active
apache2ctl -M | grep security
– If this command produces no output, mod_security is not installed; proceed to the Installation Section.
– If the output contains security2_module, mod_security is already installed; proceed to the Configuration Section.
Installation Section
Installation is quick and painless with the apt package manager on any Debian-based system (such as Ubuntu). Give apt the correct package name, libapache2-modsecurity, and confirm the installation.
Use Apt to Install the libapache2-modsecurity Plugin
sudo apt install libapache2-modsecurity -y
Example Output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libapache2-mod-security2 libyajl2 modsecurity-crs
Suggested packages:
  lua geoip-database-contrib ruby
The following NEW packages will be installed:
  libapache2-mod-security2 libapache2-modsecurity libyajl2 modsecurity-crs
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 545 kB of archives.
After this operation, 3,960 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libyajl2 amd64 2.1.0-2 [19.6 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 libapache2-mod-security2 amd64 2.9.0-1 [314 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 libapache2-modsecurity all 2.9.0-1 [2,006 B]
Get:4 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 modsecurity-crs all 2.2.9-1 [210 kB]
Fetched 545 kB in 0s (1,659 kB/s)
Selecting previously unselected package libyajl2:amd64.
(Reading database ... 92965 files and directories currently installed.)
Preparing to unpack .../libyajl2_2.1.0-2_amd64.deb ...
Unpacking libyajl2:amd64 (2.1.0-2) ...
Selecting previously unselected package libapache2-mod-security2.
Preparing to unpack .../libapache2-mod-security2_2.9.0-1_amd64.deb ...
Unpacking libapache2-mod-security2 (2.9.0-1) ...
Selecting previously unselected package libapache2-modsecurity.
Preparing to unpack .../libapache2-modsecurity_2.9.0-1_all.deb ...
Unpacking libapache2-modsecurity (2.9.0-1) ...
Selecting previously unselected package modsecurity-crs.
Preparing to unpack .../modsecurity-crs_2.2.9-1_all.deb ...
Unpacking modsecurity-crs (2.2.9-1) ...
Setting up libyajl2:amd64 (2.1.0-2) ...
Setting up libapache2-mod-security2 (2.9.0-1) ...
apache2_invoke: Enable module security2
Setting up libapache2-modsecurity (2.9.0-1) ...
Setting up modsecurity-crs (2.2.9-1) ...
Processing triggers for libc-bin (2.23-0ubuntu11) ...
After installation, you need to confirm if the security module is being loaded by Apache:
Check if the Security Module is Active
apache2ctl -M | grep security
Example Output:
security2_module (shared)
Configuration Section
Now that the base module is installed, you need to configure and enable it. This takes a few steps:
Step 1) Use the below command to copy the recommended config over as the live config
sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}
Step 2) With the below command, modify the live config and change "SecRuleEngine DetectionOnly" to "SecRuleEngine On" (DetectionOnly only logs rule matches; On actually blocks them)
sudo sed -i -e 's/DetectionOnly$/On/i' /etc/modsecurity/modsecurity.conf
Step 3) Check Apache’s config syntax & restart Apache if all is fine
sudo apache2ctl -t && sudo apache2ctl restart
Example output:
Syntax OK
Apache is now running with mod_security loaded, but no rules are in place for it yet. The next section shows how to configure these rules.
Enable Core Rule Set & Base Rules
The security module is only as good as the rules governing it. To get started, the libapache2-modsecurity package comes with a companion package, modsecurity-crs. This package contains the Core Rule Set (CRS), a basic set of rules that handles some of the most common malicious activity on the Internet today. The CRS protects against many dangerous types of traffic, including but not limited to:
• SQL Injections (SQLi)
• Remote Code Execution (RCE)
• Cross Site Scripting (XSS)
• And many other common malicious behaviors
The installation of CRS is done along with the security module. Follow the below steps to enable CRS & its Base Rules.
Step 1) Using your preferred editor include the below lines to modsecurity.conf
# ModSecurity Core Rule Set (CRS)
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf
Step 2) In the activated_rules directory, create a symlink for all *.conf files in the base_rules directory
CSRD=/usr/share/modsecurity-crs; for e in $CSRD/base_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done
Step 3) Confirm symlinks are in the activated_rules directory (this is optional)
sudo ls /usr/share/modsecurity-crs/activated_rules/*.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_23_request_limits.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_35_bad_robots.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_42_tight_security.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_45_trojans.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_47_common_exceptions.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_50_outbound.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_59_outbound_blocking.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf
Step 4) Verify Apache’s config syntax & restart Apache if all is fine:
sudo apache2ctl -t && sudo apache2ctl restart
Example output:
Syntax OK
The server is now configured and actively using the base_rules from the CRS. The CRS package provides additional rules, which are discussed in more detail in the next section.
Verify the syntax and restart Apache any time changes are made to one or more mod_security rules.
Enable Additional Rules [Optional]
Many additional rules are included in the Core Rule Set. They are divided into three distinct categories: experimental_rules, optional_rules, and slr_rules. Each category's rules live in a directory of the same name. To activate them, follow the same process used to enable the base_rules.
In the activated_rules directory, create a symlink to each desired rule file. The commands below let you enable a whole category quickly if required.
Use judgement when enabling additional rules beyond the base_rules set. Among the additional rules, experimental_rules in particular may produce false positives that block legitimate traffic. The commands below are given to ease the process and are not an endorsement of enabling every rule indiscriminately.
experimental_rules
CSRD=/usr/share/modsecurity-crs; for e in $CSRD/experimental_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done
optional_rules
CSRD=/usr/share/modsecurity-crs; for e in $CSRD/optional_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done
slr_rules
CSRD=/usr/share/modsecurity-crs; for e in $CSRD/slr_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done
Disable Rules
To disable a rule, delete the symlink in the activated_rules directory that corresponds to the rule in question. After deleting it, restart Apache to make the change active.
Example: Delete the application_defects rule then restart Apache.
sudo rm -rf /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_55_application_defects.conf
sudo apache2ctl restart
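The enable/disable steps above (copying the config, flipping SecRuleEngine, symlinking rule categories, removing a symlink) are easy to get subtly wrong when repeated by hand, so here is an added example, not code from the original article, that wraps them in idempotent POSIX sh functions. It assumes the same package paths as the article (overridable via CSRD) and adds a check for dangling symlinks, which point at rules that will never load.

```shell
#!/bin/sh
# Added example (not from the original article): helper functions for the
# symlink-based CRS enable/disable workflow. CSRD defaults to the package
# path used in the article; override it to test against another directory.
CSRD="${CSRD:-/usr/share/modsecurity-crs}"

# Report the live SecRuleEngine mode (On, Off or DetectionOnly) from a
# modsecurity.conf file, ignoring commented-out lines; the last one wins.
secrule_mode() {
    awk 'toupper($1) == "SECRULEENGINE" { mode = $2 } END { print mode }' "$1"
}

# Enable all *.conf rules of one CRS category (base_rules, optional_rules,
# experimental_rules, slr_rules). Idempotent: existing links are skipped.
# Prints the number of links created.
crs_enable() {
    created=0
    for rule in "$CSRD/$1"/*.conf; do
        [ -f "$rule" ] || continue            # glob matched nothing
        link="$CSRD/activated_rules/$(basename "$rule")"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$rule" "$link"
            created=$((created + 1))
        fi
    done
    echo "$created"
}

# Disable one rule by removing only its symlink in activated_rules; the
# rule file itself stays in place. rm -f is enough: a symlink is not a dir.
crs_disable() {
    link="$CSRD/activated_rules/$1"
    if [ -L "$link" ]; then rm -f "$link"; fi
}

# A dangling link in activated_rules points at a rule that will never load,
# so check for them before restarting. Returns 1 if any are found.
crs_check() {
    bad=0
    for link in "$CSRD/activated_rules"/*.conf; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then echo "dangling: $link" >&2; bad=1; fi
    done
    return $bad
}

# Typical use on the server (as root):
#   crs_enable base_rules && crs_check && apache2ctl -t && apache2ctl restart
```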
That’s it! You have now learned to install and configure mod_security on Ubuntu 16.04 server.