Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: preg_match(): Unknown modifier '-' in /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php on line 783

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794

Warning: Cannot modify header information - headers already sent by (output started at /home/akl1986/public_html/support/wp-content/plugins/redux-framework/redux-core/inc/extensions/metaboxes/class-redux-extension-metaboxes.php:783) in /home/akl1986/public_html/support/wp-includes/rest-api/class-wp-rest-server.php on line 1794
{"id":2560,"date":"2019-12-06T14:24:48","date_gmt":"2019-12-06T14:24:48","guid":{"rendered":"https:\/\/support.aklwebhost.com\/?post_type=manual_kb&p=2560"},"modified":"2019-12-27T07:13:21","modified_gmt":"2019-12-27T07:13:21","slug":"modsecurity-and-owasp-on-centos-6-and-apache-2","status":"publish","type":"manual_kb","link":"https:\/\/support.aklwebhost.com\/knowledgebase\/modsecurity-and-owasp-on-centos-6-and-apache-2\/","title":{"rendered":"ModSecurity and OWASP on CentOS 6 and Apache 2"},"content":{"rendered":"

ModSecurity is a web application layer firewall designed<\/strong>\u00a0to work with\u00a0IIS<\/strong>,\u00a0Apache2 and Nginx<\/strong>. It is free,\u00a0open-source software released under the Apache license 2.0<\/strong>. ModSecurity helps to secure your web server by\u00a0monitoring and analyzing<\/strong>\u00a0your website traffic. It does this in real-time to detect and block attacks from most known exploits using regular expressions. On its own, ModSecurity gives limited protection and relies on rulesets to maximize protection.<\/p>\n

The\u00a0Open Web Application Security Project (OWASP)<\/strong>\u00a0Core Rule Set (CRS)<\/strong>\u00a0is a set of generic attack detection rules that provide a base level of\u00a0protection for any web application<\/strong>. The ruleset is free, open-source, and currently sponsored by Spider Labs.<\/p>\n

OWASP CRS provides:<\/strong><\/p>\n

\n
HTTP Protection<\/strong>\u00a0– detecting violations of the HTTP protocol and a locally defined usage policy.<\/li>\n
Real-time Blacklist Lookups<\/strong>\u00a0– utilizes 3rd Party IP reputation.<\/li>\n
HTTP Denial of Service Protection<\/strong>\u00a0– defense against HTTP flooding and slow HTTP DoS attacks.<\/li>\n
Common Web Attacks Protection<\/strong>\u00a0– detecting common web application security attacks.<\/li>\n
Automation Detection<\/strong>\u00a0– Detecting bots, crawlers, scanners and other surface malicious activity.<\/li>\n
Integration with AV Scanning for File Uploads<\/strong>\u00a0– detects malicious files uploaded through the web application.<\/li>\n
Tracking Sensitive Data<\/strong>\u00a0– Tracks credit card usage and blocks leakages.<\/li>\n
Trojan Protection<\/strong>\u00a0– Detects trojan horses.<\/li>\n
Identification of Application Defects<\/strong>\u00a0– alerts on application mis-configurations.<\/li>\n
Error Detection and Hiding<\/strong>\u00a0– Disguising error messages sent by the server.<\/li>\n<\/ul>\n
\n
Installation<\/strong><\/h3>\n
This guide shows you how to\u00a0install ModSecurity and OWASP ruleset on CentOS 6 running Apache 2.<\/strong><\/p>\n
First, you need to ensure that your system is up to date.<\/strong><\/p>\n
yum -y update\r\n<\/code><\/pre>\nIf you have not installed Apache 2, then install it now.<\/strong><\/p>\n yum -y install httpd\r\n<\/code><\/pre>\nYou now need to\u00a0install some dependencies for ModSecurity to work<\/strong>. Depending on your server configuration, some or all of\u00a0these packages may already be installed<\/strong>. Yum will install the packages you do not have and inform you if any of the\u00a0packages are already installed.<\/strong><\/p>\n yum -y install httpd-devel git gcc make libxml2 pcre-devel libxml2-devel curl-devel\r\n<\/code><\/pre>\nChange directory and download the source code from the ModSecuity website. The current stable version is 2.8.<\/strong><\/p>\n cd \/opt\/\r\n wget https:\/\/www.modsecurity.org\/tarball\/2.8.0\/modsecurity-2.8.0.tar.gz\r\n<\/code><\/pre>\nExtract the package and change to its directory.<\/strong><\/p>\n tar xzfv modsecurity-2.8.0.tar.gz \r\n cd modsecurity-2.8.0\r\n<\/code><\/pre>\nConfigure and compile the source code.<\/strong><\/p>\n .\/configure\r\n make\r\n make install\r\n<\/code><\/pre>\nCopy the default ModSecurity configuration and unicode mapping file to the Apache directory.<\/strong><\/p>\n cp modsecurity.conf-recommended \/etc\/httpd\/conf.d\/modsecurity.conf\r\n cp unicode.mapping \/etc\/httpd\/conf.d\/\r\n<\/code><\/pre>\nConfigure Apache to use ModSecurity. There are 2 ways that you can do this.<\/strong><\/p>\n echo LoadModule security2_module modules\/mod_security2.so >> \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nor use a text editor like nano:<\/strong><\/p>\n nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nAt the bottom of that file, on a separate line add this:<\/strong><\/p>\n LoadModule security2_module modules\/mod_security2.so\r\n<\/code><\/pre>\nYou can now start Apache and configure it to start at boot.<\/strong><\/p>\n service httpd start\r\n chkconfig httpd on\r\n<\/code><\/pre>\nIf you had Apache installed prior to using this guide, then you just need to restart it.<\/strong><\/p>\n service httpd restart\r\n<\/code><\/pre>\nYou can now download the OWASP core rule set.<\/strong><\/p>\n cd \/etc\/httpd\r\n git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git\r\n<\/code><\/pre>\nNow configure the OWASP ruleset.<\/strong><\/p>\n cd modsecurity-crs\r\n cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf\r\n<\/code><\/pre>\nNext, you need to add the ruleset to the Apache configuration. Again we can do this in two ways.<\/strong><\/p>\n echo Include modsecurity-crs\/modsecurity_crs_10_config.conf >> \/etc\/httpd\/conf\/httpd.conf\r\n echo Include modsecurity-crs\/base_rules\/*.conf >> \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nor with a text editor:<\/strong><\/p>\n nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nAt the bottom of the file on separate lines add this:<\/strong><\/p>\n Include modsecurity-crs\/modsecurity_crs_10_config.conf\r\n Include modsecurity-crs\/base_rules\/*.conf\r\n<\/code><\/pre>\nNow restart Apache.<\/strong><\/p>\n service httpd restart\r\n<\/code><\/pre>\nFinally, delete the installation files.<\/strong><\/p>\n yum erase \/opt\/modsecurity-2.8.0\r\n yum erase \/opt\/modsecurity-2.8.0.tar.gz\r\n<\/code><\/pre>\nUsing ModSecurity<\/strong><\/h3>\nBy default,\u00a0ModSecurity runs in detection-only mode<\/strong>, which means it will log\u00a0all rule breaks<\/strong>\u00a0but will take no action.\u00a0This is recommended for new installations<\/strong>\u00a0so you can watch the events generated in the Apache error log. After reviewing the log,\u00a0you can decide if any modification<\/strong>\u00a0to the ruleset or disabling the rule (see below) should be made before moving to protection mode.<\/p>\n To view the Apache error log:<\/strong><\/p>\n cat \/var\/log\/httpd\/error_log\r\n<\/code><\/pre>\nThe\u00a0ModSecurity line<\/strong>\u00a0in the\u00a0Apache error log<\/strong>\u00a0is broken into nine elements. Each element provides information about why the event was triggered.<\/p>\n \nThe first part tells what rule file triggered this event.<\/li>\n The second part tells what line in the rule file the rule starts on.<\/li>\n The third element tells you what rule was triggered.<\/li>\n The fourth element tells you the revision of the rule.<\/li>\n The fifth element contains special data for debugging purposes.<\/li>\n The sixth element defines the logging severity of this event severity.<\/li>\n The seventh section describes what action occurred and in what phase it occurred.<\/li>\n<\/ul>\nNote that some elements may be absent depending on the configuration of your server.<\/strong><\/p>\n To change ModSecurity to protection mode, open the conf file in a text editor:<\/strong><\/p>\n nano \/etc\/httpd\/conf.d\/modsecurity.conf\r\n<\/code><\/pre>\nand change:<\/strong><\/p>\n SecRuleEngine DetectionOnly\r\n<\/code><\/pre>\nto:<\/strong><\/p>\n SecRuleEngine On\r\n<\/code><\/pre>\nIf you encounter any\u00a0blocks when ModSecurity<\/strong>\u00a0is running, then you need to identify the rule in the\u00a0HTTP error log.<\/strong>\u00a0The\u00a0“tail”<\/strong>\u00a0command allows you to watch the logs in real-time:<\/p>\n tail -f \/var\/log\/httpd\/error_log\r\n<\/code><\/pre>\nRepeat the action which caused the block whilst watching the log.<\/p>\n Modifying a Ruleset\/Disabling a Rule ID<\/strong><\/h3>\nModifying a ruleset is beyond the scope of this tutorial.<\/strong><\/p>\n To\u00a0disable a specific rule<\/strong>, you identify the rule id which is in the third element\u00a0(for example [id=200000])<\/strong>\u00a0and then disable it in the Apache configuration file:<\/p>\n nano \/etc\/httpd\/conf\/httpd.conf\r\n<\/code><\/pre>\nby adding the following to the bottom of the file with the rule id:<\/strong><\/p>\n <IfModule mod_security2.c>\r\nSecRuleRemoveById 200000\r\n<\/IfModule>\r\n<\/code><\/pre>\nIf you\u00a0find ModSecurity is blocking<\/strong>\u00a0all actions on your website(s), then\u00a0“Core Rule Set”<\/strong>\u00a0is probably in\u00a0“Self-Contained”<\/strong>\u00a0mode. You need to change this to\u00a0“Collaborative Detection”<\/strong>, which detects and blocks anomalies only. At the same time, you can look at the\u00a0“Self-Contained”<\/strong>\u00a0options and change them if you wish to do so.<\/p>\n nano \/etc\/httpd\/modsecurity-crs\/modsecurity_crs_10_config.conf\r\n<\/code><\/pre>\nChange “detection” to “Self-Contained”.<\/strong><\/p>\n You can also configure ModSecurity to allow your IP through the web application firewall (WAF) without logging:<\/strong><\/p>\n SecRule REMOTE_ADDR \"@ipMatch xxx.xxx.xxx.xxx\" phase:1,nolog,allow,ctl:ruleEngine=Off\r\n<\/code><\/pre>\nor with logging:<\/strong><\/p>\n SecRule REMOTE_ADDR \"@ipMatch xxx.xxx.xxx.xxx\" phase:1,nolog,allow,ctl:ruleEngine=DetectionOnly<\/code><\/pre>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","manualknowledgebasecat":[109,231,242],"manual_kb_tag":[350],"_links":{"self":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2560"}],"collection":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb"}],"about":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/types\/manual_kb"}],"author":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/comments?post=2560"}],"version-history":[{"count":1,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2560\/revisions"}],"predecessor-version":[{"id":2561,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb\/2560\/revisions\/2561"}],"wp:attachment":[{"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/media?parent=2560"}],"wp:term":[{"taxonomy":"manualknowledgebasecat","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manualknowledgebasecat?post=2560"},{"taxonomy":"manual_kb_tag","embeddable":true,"href":"https:\/\/support.aklwebhost.com\/wp-json\/wp\/v2\/manual_kb_tag?post=2560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}