ModSecurity and OWASP on CentOS 6 and Apache 2

Published December 6, 2019, updated December 27, 2019, by aklwebhost

ModSecurity is a web application layer firewall designed to work with IIS, Apache 2 and Nginx. It is free, open-source software released under the Apache License 2.0. ModSecurity helps to secure your web server by monitoring and analyzing your website traffic in real time, using regular-expression rules to detect and block requests that match most known exploits. On its own, ModSecurity gives limited protection; it relies on rulesets to maximize protection.

The Open Web Application Security Project (OWASP) Core Rule Set (CRS) is a set of generic attack detection rules that provide a base level of protection for any web application. The ruleset is free, open-source, and currently sponsored by SpiderLabs.

OWASP CRS provides:

  • HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy.
  • Real-time Blacklist Lookups – utilizes 3rd Party IP reputation.
  • HTTP Denial of Service Protection – defense against HTTP flooding and slow HTTP DoS attacks.
  • Common Web Attacks Protection – detecting common web application security attacks.
  • Automation Detection – Detecting bots, crawlers, scanners and other surface-level malicious activity.
  • Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
  • Tracking Sensitive Data – Tracks credit card usage and blocks leakages.
  • Trojan Protection – Detects trojan horses.
  • Identification of Application Defects – alerts on application misconfigurations.
  • Error Detection and Hiding – Disguising error messages sent by the server.

Installation

This guide shows you how to install ModSecurity and the OWASP ruleset on CentOS 6 running Apache 2.

First, you need to ensure that your system is up to date.

 yum -y update

If you have not installed Apache 2, then install it now.

 yum -y install httpd

You now need to install some dependencies for ModSecurity to work. Depending on your server configuration, some or all of these packages may already be installed. Yum will install the packages you do not have and inform you if any of the packages are already installed.

 yum -y install httpd-devel git gcc make libxml2 pcre-devel libxml2-devel curl-devel

Change directory and download the source code from the ModSecurity website. The current stable version is 2.8.

 cd /opt/
 wget https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz

Extract the package and change to its directory.

 tar xzfv modsecurity-2.8.0.tar.gz
 cd modsecurity-2.8.0

Configure and compile the source code.

 ./configure
 make
 make install

Copy the default ModSecurity configuration and unicode mapping file to the Apache directory.

 cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
 cp unicode.mapping /etc/httpd/conf.d/

Configure Apache to use ModSecurity. There are two ways that you can do this. Either append the LoadModule line to httpd.conf:

 echo LoadModule security2_module modules/mod_security2.so >> /etc/httpd/conf/httpd.conf

or use a text editor like nano:

 nano /etc/httpd/conf/httpd.conf

At the bottom of that file, on a separate line add this:

 LoadModule security2_module modules/mod_security2.so

You can now start Apache and configure it to start at boot.

 service httpd start
 chkconfig httpd on

If you had Apache installed prior to using this guide, then you just need to restart it.

 service httpd restart

You can now download the OWASP core rule set.

 cd /etc/httpd
 git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

Now configure the OWASP ruleset.

 cd modsecurity-crs
 cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

Next, you need to add the ruleset to the Apache configuration. Again we can do this in two ways.

 echo Include modsecurity-crs/modsecurity_crs_10_config.conf >> /etc/httpd/conf/httpd.conf
 echo Include modsecurity-crs/base_rules/*.conf >> /etc/httpd/conf/httpd.conf

or with a text editor:

 nano /etc/httpd/conf/httpd.conf

At the bottom of the file on separate lines add this:

 Include modsecurity-crs/modsecurity_crs_10_config.conf
 Include modsecurity-crs/base_rules/*.conf

Now restart Apache.

 service httpd restart

Finally, delete the installation files.

 rm -rf /opt/modsecurity-2.8.0
 rm -f /opt/modsecurity-2.8.0.tar.gz
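The `echo ... >> httpd.conf` steps above append a line every time they are run, so repeating them (or re-running the guide as a script) stacks duplicate LoadModule and Include lines in httpd.conf. The following is an added example, not part of the original article, that appends each directive only if an identical line is not already present. The path in HTTPD_CONF is the CentOS 6 default used in this guide; the function names and the script-name guard at the end are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): add the three httpd.conf
# directives from the guide without ever duplicating them.
# HTTPD_CONF defaults to the CentOS 6 path used above; override it to test
# against a scratch file.
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"

# ensure_line FILE LINE: append LINE to FILE unless an identical line already
# exists (-x whole line, -F fixed string, so '*' in the Include is literal).
ensure_line() {
    file="$1"
    line="$2"
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# count_line FILE LINE: number of exact copies of LINE in FILE (0 if none).
count_line() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# enable_modsecurity [FILE]: the LoadModule and the two CRS Include lines
# the article adds to httpd.conf, applied idempotently.
enable_modsecurity() {
    f="${1:-$HTTPD_CONF}"
    ensure_line "$f" "LoadModule security2_module modules/mod_security2.so"
    ensure_line "$f" "Include modsecurity-crs/modsecurity_crs_10_config.conf"
    ensure_line "$f" "Include modsecurity-crs/base_rules/*.conf"
}

# When saved and run as enable_modsecurity.sh (hypothetical name), apply the
# directives to the real httpd.conf and check the syntax before restarting.
if [ "${0##*/}" = "enable_modsecurity.sh" ]; then
    enable_modsecurity "$HTTPD_CONF" && apachectl -t
fi
```

Running `apachectl -t` after the edit and before `service httpd restart` catches a typo in the directives while the old configuration is still serving; a restart with a broken httpd.conf takes the site down.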

Using ModSecurity

By default, ModSecurity runs in detection-only mode, which means it logs every rule match but takes no action. This is recommended for new installations so you can watch the events generated in the Apache error log. After reviewing the log, you can decide whether the ruleset needs modifying or a rule needs disabling (see below) before moving to protection mode.

To view the Apache error log:

 cat /var/log/httpd/error_log

The ModSecurity line in the Apache error log is broken into nine elements. Each element provides information about why the event was triggered.

  • The first part tells what rule file triggered this event.
  • The second part tells what line in the rule file the rule starts on.
  • The third element tells you what rule was triggered.
  • The fourth element tells you the revision of the rule.
  • The fifth element contains special data for debugging purposes.
  • The sixth element gives the logging severity of this event.
  • The seventh element describes what action occurred and in what phase it occurred.

Note that some elements may be absent depending on the configuration of your server.

To change ModSecurity to protection mode, open the conf file in a text editor:

 nano /etc/httpd/conf.d/modsecurity.conf

and change:

 SecRuleEngine DetectionOnly

to:

 SecRuleEngine On

If you encounter any blocks when ModSecurity is running, then you need to identify the rule in the Apache error log. The “tail” command allows you to watch the log in real time:

 tail -f /var/log/httpd/error_log

Repeat the action which caused the block whilst watching the log.

Modifying a Ruleset/Disabling a Rule ID

Modifying a ruleset is beyond the scope of this tutorial.

To disable a specific rule, you identify the rule id which is in the third element (for example [id=200000]) and then disable it in the Apache configuration file:

 nano /etc/httpd/conf/httpd.conf

by adding the following to the bottom of the file with the rule id:

 <IfModule mod_security2.c>
 SecRuleRemoveById 200000
 </IfModule>
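Reading the bracketed elements of a ModSecurity log line by eye works for one event, but after enabling SecRuleEngine On you usually want to know which rule ids fire most and which events actually denied a request. The block below is an added example, not code from the original article or from the ModSecurity project: it extracts the `[key "value"]` elements described above from error_log lines, counts rule ids, lists the denied requests, and prints the SecRuleRemoveById block from this section for the ids you decide to disable. The log lines in SAMPLE_LOG are constructed in the ModSecurity 2.x format (the ids, file names and client addresses are sample values), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): triage ModSecurity events
# in the Apache error log and generate a rule exclusion block.

# Constructed sample of error_log lines (not real events). Two are rule
# matches, one is the anomaly-score rule denying the request, and the last
# is an ordinary Apache notice that must be ignored.
SAMPLE_LOG='[Fri Dec 06 10:00:00 2019] [error] [client 198.51.100.7] ModSecurity: Warning. Rule matched at ARGS:q. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]
[Fri Dec 06 10:00:01 2019] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_49_inbound_blocking.conf"] [line "26"] [id "981176"] [rev "2"] [msg "Inbound Anomaly Score Exceeded"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]
[Fri Dec 06 10:02:13 2019] [error] [client 203.0.113.9] ModSecurity: Warning. Rule matched at ARGS:q. [file "/etc/httpd/modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "981231"] [rev "2"] [msg "SQL Comment Sequence Detected."] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]
[Fri Dec 06 10:03:00 2019] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations'

# modsec_field KEY: read log lines on stdin and print the value of the
# [KEY "..."] element of every ModSecurity line that carries it.
modsec_field() {
    key="$1"
    grep 'ModSecurity:' | sed -n "s/.*\[$key \"\([^\"]*\)\"\].*/\1/p"
}

# modsec_top_ids: "count id" per rule id over stdin, most frequent first.
modsec_top_ids() {
    modsec_field id | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# modsec_blocks: "id uri" for events that actually denied a request; these
# are the ones to investigate once SecRuleEngine is On.
modsec_blocks() {
    grep 'ModSecurity: Access denied' | while IFS= read -r line; do
        id=$(printf '%s\n' "$line" | modsec_field id)
        uri=$(printf '%s\n' "$line" | modsec_field uri)
        printf '%s %s\n' "$id" "$uri"
    done
}

# modsec_exclusion ID...: the httpd.conf block from this section, with one
# SecRuleRemoveById per id, ready to append to the configuration file.
modsec_exclusion() {
    printf '<IfModule mod_security2.c>\n'
    for id in "$@"; do
        printf '    SecRuleRemoveById %s\n' "$id"
    done
    printf '</IfModule>\n'
}

# Demonstration on the constructed sample; replace the printf with
# "cat /var/log/httpd/error_log" on a real server.
printf '%s\n' "$SAMPLE_LOG" | modsec_top_ids
printf '%s\n' "$SAMPLE_LOG" | modsec_blocks
modsec_exclusion 981231
```

Disabling the rule that produced the "Access denied" line (the anomaly-score rule) would switch off blocking for every request, so the id worth excluding is the one that contributed the score on a legitimate request, and `modsec_field msg` on the same lines shows what that rule was checking for.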

If you find ModSecurity is blocking all actions on your website(s), then “Core Rule Set” is probably in “Self-Contained” mode. You need to change this to “Collaborative Detection”, which detects and blocks anomalies only. At the same time, you can look at the “Self-Contained” options and change them if you wish to do so.

 nano /etc/httpd/modsecurity-crs/modsecurity_crs_10_config.conf

Change the mode from “Self-Contained” to “Collaborative Detection”.

You can also configure ModSecurity to allow your IP through the web application firewall (WAF) without logging:

 SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" phase:1,nolog,allow,ctl:ruleEngine=Off

or with logging:

 SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly
© 2022 AKLWEB HOST LLC, All Rights Reserved.