ModSecurity is a web application layer firewall designed to work with IIS, Apache2 and Nginx. It is free, open-source software released under the Apache license 2.0. ModSecurity helps to secure your web server by monitoring and analyzing your website traffic. It does this in real time to detect and block attacks from most known exploits using regular expressions. On its own, ModSecurity gives limited protection and relies on rulesets to maximize protection.

The Open Web Application Security Project (OWASP) Core Rule Set (CRS) is a set of generic attack detection rules that provide a base level of protection for any web application. The ruleset is free, open-source, and currently sponsored by Spider Labs.

OWASP CRS provides:

This guide shows you how to install ModSecurity and the OWASP ruleset on CentOS 6 running Apache 2.

### Installation

First, you need to ensure that your system is up to date.

```
yum -y update
```

If you have not installed Apache 2, then install it now.

```
yum -y install httpd
```

You now need to install some dependencies for ModSecurity to work. Depending on your server configuration, some or all of these packages may already be installed. Yum will install the packages you do not have and inform you if any of the packages are already installed.

```
yum -y install httpd-devel git gcc make libxml2 pcre-devel libxml2-devel curl-devel
```

Change directory and download the source code from the ModSecurity website. The current stable version is 2.8.

```
cd /opt/
wget https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
```

Extract the package and change to its directory.

```
tar xzfv modsecurity-2.8.0.tar.gz
cd modsecurity-2.8.0
```

Configure and compile the source code.

```
./configure
make
make install
```

Copy the default ModSecurity configuration and unicode mapping file to the Apache directory.

```
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
cp unicode.mapping /etc/httpd/conf.d/
```

Configure Apache to use ModSecurity. There are two ways that you can do this. Either append the LoadModule line to httpd.conf directly:

```
echo LoadModule security2_module modules/mod_security2.so >> /etc/httpd/conf/httpd.conf
```

or use a text editor like nano:

```
nano /etc/httpd/conf/httpd.conf
```

At the bottom of that file, on a separate line, add this:

```
LoadModule security2_module modules/mod_security2.so
```

You can now start Apache and configure it to start at boot.

```
service httpd start
chkconfig httpd on
```

If you had Apache installed prior to using this guide, then you just need to restart it.

```
service httpd restart
```

You can now download the OWASP core rule set. The clone is placed in a directory named modsecurity-crs, which is the name the Include lines below refer to.

```
cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git modsecurity-crs
```

Now configure the OWASP ruleset. (The file and directory names used here are those of the CRS 2.2.x layout; later CRS 3.x releases rename the setup file and the rules directory.)

```
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
```

Next, you need to add the ruleset to the Apache configuration. Again we can do this in two ways. The paths are relative to the Apache ServerRoot, /etc/httpd. Either append the Include lines (the second one is quoted so the shell does not expand the wildcard):

```
echo 'Include modsecurity-crs/modsecurity_crs_10_config.conf' >> /etc/httpd/conf/httpd.conf
echo 'Include modsecurity-crs/base_rules/*.conf' >> /etc/httpd/conf/httpd.conf
```

or with a text editor:

```
nano /etc/httpd/conf/httpd.conf
```

At the bottom of the file, on separate lines, add this:

```
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
```

Now restart Apache.

```
service httpd restart
```

Finally, delete the installation files. They were downloaded and unpacked by hand, not installed as a package, so they are removed with rm rather than yum.

```
rm -rf /opt/modsecurity-2.8.0 /opt/modsecurity-2.8.0.tar.gz
```

### Using ModSecurity

By default, ModSecurity runs in detection-only mode, which means it will log all rule breaks but will take no action. This is recommended for new installations so you can watch the events generated in the Apache error log. After reviewing the log, you can decide if any modification to the ruleset or disabling of a rule (see below) should be made before moving to protection mode.

To view the Apache error log:

```
cat /var/log/httpd/error_log
```

The ModSecurity line in the Apache error log is broken into nine elements. Each element provides information about why the event was triggered. Note that some elements may be absent depending on the configuration of your server.

To change ModSecurity to protection mode, open the conf file in a text editor:

```
nano /etc/httpd/conf.d/modsecurity.conf
```

and change:

```
SecRuleEngine DetectionOnly
```

to:

```
SecRuleEngine On
```

If you encounter any blocks when ModSecurity is running, then you need to identify the rule in the Apache error log. The tail command allows you to watch the log in real time:

```
tail -f /var/log/httpd/error_log
```

Repeat the action which caused the block whilst watching the log.

### Modifying a Ruleset/Disabling a Rule ID

Modifying a ruleset is beyond the scope of this tutorial.

To disable a specific rule, you identify the rule id, which is in the third element (for example, the element showing rule id 200000), and then disable it in the Apache configuration file:

```
nano /etc/httpd/conf/httpd.conf
```

by adding the following to the bottom of the file with the rule id. It must appear after the Include lines that load the ruleset, which placing it at the bottom of the file guarantees:

```
<IfModule mod_security2.c>
SecRuleRemoveById 200000
</IfModule>
```

If you find ModSecurity is blocking all actions on your website(s), then the Core Rule Set is probably in “Self-Contained” mode. You need to change this to “Collaborative Detection”, which detects and blocks anomalies only. At the same time, you can look at the “Self-Contained” options and change them if you wish to do so.

```
nano /etc/httpd/modsecurity-crs/modsecurity_crs_10_config.conf
```

Locate the section of that file that covers the “Self-Contained” and “Collaborative Detection” modes and switch from the former to the latter.

You can also configure ModSecurity to allow your IP through the web application firewall (WAF) without logging. Replace xxx.xxx.xxx.xxx with your address; ModSecurity 2.7 and later refuse to start unless every rule carries an id, so an arbitrary unused id is included:

```
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" "id:10001,phase:1,nolog,allow,ctl:ruleEngine=Off"
```

or with logging:

```
SecRule REMOTE_ADDR "@ipMatch xxx.xxx.xxx.xxx" "id:10002,phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly"
```
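The review step described above (reading the bracketed elements of each ModSecurity line in the Apache error_log, finding the rule id, and deciding which rules to disable) as an added example that is not part of the original guide: a small Python parser run over constructed sample lines. It counts how often each rule id fired, separates detection-only warnings from actual denials, and emits the SecRuleRemoveById fragment the guide uses. The sample lines, rule ids, messages, file names and hostnames are constructed for the example and are not from a real CRS installation.

```python
import re
from collections import Counter

# Constructed sample lines in the shape ModSecurity 2.x writes to the Apache
# error_log. Rule ids, messages, file names, hosts and unique ids are made up.
SAMPLE_ERROR_LOG = """\
[Sun Jan 01 10:00:00 2017] [error] [client 192.0.2.10] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/etc/httpd/modsecurity-crs/base_rules/example_41.conf"] [line "12"] [id "200000"] [msg "Example SQL keyword rule"] [severity "CRITICAL"] [tag "EXAMPLE/ATTACK"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAA"]
[Sun Jan 01 10:00:01 2017] [error] [client 192.0.2.10] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/httpd/modsecurity-crs/base_rules/example_49.conf"] [line "26"] [id "200001"] [msg "Inbound Anomaly Score Exceeded"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "AAAAAAAAAAAAAAAAAAAAAA"]
[Sun Jan 01 10:05:00 2017] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select)" at ARGS:q. [file "/etc/httpd/modsecurity-crs/base_rules/example_41.conf"] [line "12"] [id "200000"] [msg "Example SQL keyword rule"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "BBBBBBBBBBBBBBBBBBBBBB"]
[Sun Jan 01 10:06:00 2017] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
"""

# [key "value"] elements; a value may contain backslash-escaped quotes.
ELEMENT_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
ACTION_RE = re.compile(r'ModSecurity: (Warning|Access denied[^.]*)\.')


def parse_line(line):
    """Split one ModSecurity error_log line into its elements.

    Returns None for lines that are not ModSecurity events.
    """
    if "ModSecurity:" not in line:
        return None
    event = {"client": None, "action": None, "tags": []}
    m = CLIENT_RE.search(line)
    if m:
        event["client"] = m.group(1)
    m = ACTION_RE.search(line)
    if m:
        event["action"] = m.group(1)
    for key, value in ELEMENT_RE.findall(line):
        if key == "tag":           # a rule may carry several tag elements
            event["tags"].append(value)
        else:                      # file, line, id, msg, data, severity, ...
            event[key] = value
    return event


def parse_log(text):
    """All ModSecurity events in an error_log excerpt, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def hits_by_rule(events):
    """Counter mapping (rule id, msg) to the number of times the rule fired."""
    return Counter((e.get("id"), e.get("msg")) for e in events if "id" in e)


def blocked_events(events):
    """Events where ModSecurity denied the request (SecRuleEngine On)."""
    return [e for e in events
            if e["action"] and e["action"].startswith("Access denied")]


def remove_by_id_snippet(rule_ids):
    """The httpd.conf fragment the guide uses to switch off rules by id."""
    lines = ["<IfModule mod_security2.c>"]
    lines += ["SecRuleRemoveById %s" % rid for rid in sorted(rule_ids)]
    lines.append("</IfModule>")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(SAMPLE_ERROR_LOG)
    for (rid, msg), n in hits_by_rule(events).most_common():
        print("%4d  id=%s  %s" % (n, rid, msg))
    for e in blocked_events(events):
        print("blocked: client=%s uri=%s id=%s" % (e["client"], e["uri"], e["id"]))
    # After reviewing the counts, generate the fragment for the rule(s) to disable.
    print(remove_by_id_snippet(["200000"]))
```

Run it against a real log with `parse_log(open("/var/log/httpd/error_log").read())`. Counting by id before disabling anything shows whether a rule fires on many legitimate requests (a candidate for SecRuleRemoveById or tuning) or only on a handful of clients (which is the behaviour you want to keep); the anomaly-score rule in the sample is the one that actually denies in Collaborative Detection mode, so removing the individual keyword rule, not the scoring rule, is the usual fix.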