ModSecurity is a web application layer firewall designed to work with IIS, Apache2 and Nginx. It is free, open-source software released under the Apache license 2.0. ModSecurity helps to secure your web server by monitoring and analyzing your website traffic. It does this in real-time to detect and block attacks from most known exploits using regular expressions. On its own, ModSecurity gives limited protection and relies on rulesets to maximize protection.
The Open Web Application Security Project (OWASP) Core Rule Set (CRS) is a set of generic attack detection rules that provide a base level of protection for any web application. The ruleset is free, open-source, and currently sponsored by Spider Labs.
OWASP CRS provides:
- HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy.
- Real-time Blacklist Lookups – utilizes 3rd Party IP reputation.
- HTTP Denial of Service Protection – defense against HTTP flooding and slow HTTP DoS attacks.
- Common Web Attacks Protection – detecting common web application security attacks.
- Automation Detection – Detecting bots, crawlers, scanners and other surface malicious activity.
- Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
- Tracking Sensitive Data – Tracks credit card usage and blocks leakages.
- Trojan Protection – Detects trojan horses.
- Identification of Application Defects – alerts on application mis-configurations.
- Error Detection and Hiding – Disguising error messages sent by the server.
Installation
This guide shows you how to install ModSecurity and OWASP ruleset on CentOS 6 running Apache 2.
First, you need to ensure that your system is up to date.
yum -y update
If you have not installed Apache 2, then install it now.
yum -y install httpd
You now need to install some dependencies for ModSecurity to work. Depending on your server configuration, some or all of these packages may already be installed. Yum will install the packages you do not have and inform you if any of the packages are already installed.
yum -y install httpd-devel git gcc make libxml2 pcre-devel libxml2-devel curl-devel
Change directory and download the source code from the ModSecuity website. The current stable version is 2.8.
cd /opt/
wget https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
Extract the package and change to its directory.
tar xzfv modsecurity-2.8.0.tar.gz
cd modsecurity-2.8.0
Configure and compile the source code.
./configure
make
make install
Copy the default ModSecurity configuration and unicode mapping file to the Apache directory.
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
cp unicode.mapping /etc/httpd/conf.d/
Configure Apache to use ModSecurity. There are 2 ways that you can do this.
echo LoadModule security2_module modules/mod_security2.so >> /etc/httpd/conf/httpd.conf
or use a text editor like nano:
nano /etc/httpd/conf/httpd.conf
At the bottom of that file, on a separate line add this:
LoadModule security2_module modules/mod_security2.so
You can now start Apache and configure it to start at boot.
service httpd start
chkconfig httpd on
If you had Apache installed prior to using this guide, then you just need to restart it.
service httpd restart
You can now download the OWASP core rule set.
cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Now configure the OWASP ruleset.
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Next, you need to add the ruleset to the Apache configuration. Again we can do this in two ways.
echo Include modsecurity-crs/modsecurity_crs_10_config.conf >> /etc/httpd/conf/httpd.conf
echo Include modsecurity-crs/base_rules/*.conf >> /etc/httpd/conf/httpd.conf
or with a text editor:
nano /etc/httpd/conf/httpd.conf
At the bottom of the file on separate lines add this:
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
Now restart Apache.
service httpd restart
Finally, delete the installation files.
yum erase /opt/modsecurity-2.8.0
yum erase /opt/modsecurity-2.8.0.tar.gz
Using ModSecurity
By default, ModSecurity runs in detection-only mode, which means it will log all rule breaks but will take no action. This is recommended for new installations so you can watch the events generated in the Apache error log. After reviewing the log, you can decide if any modification to the ruleset or disabling the rule (see below) should be made before moving to protection mode.
To view the Apache error log:
cat /var/log/httpd/error_log
The ModSecurity line in the Apache error log is broken into nine elements. Each element provides information about why the event was triggered.
- The first part tells what rule file triggered this event.
- The second part tells what line in the rule file the rule starts on.
- The third element tells you what rule was triggered.
- The fourth element tells you the revision of the rule.
- The fifth element contains special data for debugging purposes.
- The sixth element defines the logging severity of this event severity.
- The seventh section describes what action occurred and in what phase it occurred.
Note that some elements may be absent depending on the configuration of your server.
To change ModSecurity to protection mode, open the conf file in a text editor:
nano /etc/httpd/conf.d/modsecurity.conf
and change:
SecRuleEngine DetectionOnly
to:
SecRuleEngine On
If you encounter any blocks when ModSecurity is running, then you need to identify the rule in the HTTP error log. The “tail” command allows you to watch the logs in real-time:
tail -f /var/log/httpd/error_log
Repeat the action which caused the block whilst watching the log.
Modifying a Ruleset/Disabling a Rule ID
Modifying a ruleset is beyond the scope of this tutorial.
To disable a specific rule, you identify the rule id which is in the third element (for example [id=200000]) and then disable it in the Apache configuration file:
nano /etc/httpd/conf/httpd.conf
by adding the following to the bottom of the file with the rule id:
<IfModule mod_security2.c>
SecRuleRemoveById 200000
</IfModule>
If you find ModSecurity is blocking all actions on your website(s), then “Core Rule Set” is probably in “Self-Contained” mode. You need to change this to “Collaborative Detection”, which detects and blocks anomalies only. At the same time, you can look at the “Self-Contained” options and change them if you wish to do so.
nano /etc/httpd/modsecurity-crs/modsecurity_crs_10_config.conf
Change “detection” to “Self-Contained”.
You can also configure ModSecurity to allow your IP through the web application firewall (WAF) without logging:
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" phase:1,nolog,allow,ctl:ruleEngine=Off
or with logging:
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly