ModSecurity
ModSecurity is a web application firewall. I'll say up front that caution must be exercised with ModSecurity. Many of the OWASP rules interfere with scripts and break websites. Unless you use it sparingly and judiciously, you're better off without it. (The Fail2Ban hacker script I presented earlier can block a lot of bad actors without interfering with your website.)
Here is how to go about implementing ModSecurity for a Linux site running Apache.
Install the software:
Restart Apache:
Make new copies of the .conf file and the mapping file with usable names:
Pull up the ModSecurity configuration file for edit:
Make the following changes to the ModSecurity config file (the first change is to turn ModSecurity to
Enable the ModSecurity
Perform an Apache config test to make everything is OK:
Restart Apache:
Download the OWASP Core Rule Set to your home directory:
Unzip the file:
Look through the rules folder for those rules that interest you:
You don't want to use all the rules. They will break your website.
If you see a rule that you want to try, copy it to /etc/modsecurity:
The ModSecurity
The module contains this line of code that shows the folder(s) containing the active rules:
The security2 module is saying that .conf rules in the /etc/modsecurity folder will be implemented. Active rules can be in any folder, as long as security2.conf module states the path. If rules reside in another directory that is not listed by security2, such as your home directory, these rules will not be implemented.
In my case, I'm only using the DOS Protection rule. I doubt that I use any more.
In case you want to know if ModSecurity is working, various sites have provided the following test. Go to your SSL config file. In my case:
Enter the following code before the VirtualHost close out line:
Perform an Apache config test to make everything is OK:
Restart Apache:
Go to your web browser and enter your site name with the following Get variable: In my case, webtracker.one/?testparam=test. If ModSecurity is working, you will receive a 403 error.
You can go back and delete the lines of code that you added to your SSL config file.
Here is how to go about implementing ModSecurity for a Linux site running Apache.
Install the software:
sudo apt install libapache2-mod-security2
Restart Apache:
sudo systemctl restart apache2
Make new copies of the .conf file and the mapping file with usable names:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo cp /etc/modsecurity/unicode.mapping.dpkg-dist/ etc/modsecurity/unicode.mapping
sudo cp /etc/modsecurity/unicode.mapping.dpkg-dist/ etc/modsecurity/unicode.mapping
Pull up the ModSecurity configuration file for edit:
sudo nano /etc/modsecurity/modsecurity.conf
Make the following changes to the ModSecurity config file (the first change is to turn ModSecurity to
onand the second change is to improve performance):
SecRuleEngine DetectionOnly to
SecRuleEngine on
SecResponseBodyAccess on to
SecResponseBodyAccess off
SecRuleEngine on
SecResponseBodyAccess on to
SecResponseBodyAccess off
Enable the ModSecurity
security2module for the Apache web server:
sudo a2enmod security2
Perform an Apache config test to make everything is OK:
sudo apache2ctl -t
Restart Apache:
sudo systemctl restart apache2
Download the OWASP Core Rule Set to your home directory:
wget https://github.com/coreruleset/coreruleset/archive/v3.3.2.zip
Unzip the file:
unzip FileName.zip
Look through the rules folder for those rules that interest you:
/home/your_name/coreruleset-3.3.0/rules
You don't want to use all the rules. They will break your website.
If you see a rule that you want to try, copy it to /etc/modsecurity:
cp /home/your_name/coreruleset-3.3.0/rules/REQUEST-912-DOS-PROTECTION.conf /etc/modsecurity/REQUEST-912-DOS-PROTECTION.conf
The ModSecurity
security2module tells the system which rules to implement:
/etc/apache2/mods-enabled/security2.conf
The module contains this line of code that shows the folder(s) containing the active rules:
IncludeOptional /etc/modsecurity/*.conf
The security2 module is saying that .conf rules in the /etc/modsecurity folder will be implemented. Active rules can be in any folder, as long as security2.conf module states the path. If rules reside in another directory that is not listed by security2, such as your home directory, these rules will not be implemented.
In my case, I'm only using the DOS Protection rule. I doubt that I use any more.
In case you want to know if ModSecurity is working, various sites have provided the following test. Go to your SSL config file. In my case:
/etc/apache2/sites-available/webtracker.one-le-ssl.conf
Enter the following code before the VirtualHost close out line:
SecRuleEngine On
SecRule ARGS:testparam '@contains test' 'id:999,deny,status:403,msg:'Test Successful''
SecRule ARGS:testparam '@contains test' 'id:999,deny,status:403,msg:'Test Successful''
Perform an Apache config test to make everything is OK:
sudo apache2ctl -t
Restart Apache:
sudo systemctl restart apache2
Go to your web browser and enter your site name with the following Get variable: In my case, webtracker.one/?testparam=test. If ModSecurity is working, you will receive a 403 error.
You can go back and delete the lines of code that you added to your SSL config file.
* posted by Robert on Sun, Jul 17, 2022
ModSecurity
Reply 1:
ModSecurity generates Apache audit log entries at the following location:
The logs record a series of events. Each event begins with an audit log header that shows the following information:
Here is an example:
The mackerel.toolbar.netcraft.com originating at port 41180 from IP address 52.30.171.229 is connecting to my site at port 443.
The information following the audit log header varies per event. In the case of Netcraft, they generated an HTTP/1.1 400 Bad Request error.
Looking through the logs, I see several entries that were generated by myself due to coding errors. For instance, I saw this message:
/var/log/apache2/modsec_audit.log
The logs record a series of events. Each event begins with an audit log header that shows the following information:
- Timestamp
- Unique transaction ID
- Source IP address
- Source port
- Destination IP address
- Destination port
Here is an example:
[20/Jul/2022:00:01:53.467058 -
-0400] Ytd-MfeOX4by2mlMs4VPngAAAAY 52.30.171.229 41180 104.236.122.237 443
The mackerel.toolbar.netcraft.com originating at port 41180 from IP address 52.30.171.229 is connecting to my site at port 443.
The information following the audit log header varies per event. In the case of Netcraft, they generated an HTTP/1.1 400 Bad Request error.
Looking through the logs, I see several entries that were generated by myself due to coding errors. For instance, I saw this message:
Apache-Error: [file
'./sapi/apache2handler/sapi_apache2.c'] [line 353] [level 3] PHP Parse error: syntax error, unexpected
token '<', expecting end of file in /var/www/webtracker.one/test.php on line 14
* posted by Robert on Wed, Jul 20, 2022
ModSecurity
Reply 2:
As a quick note, ModSecurity blocked me from importing SQL files into the MySQL database. So I turned it
off. As simple as this -
That was the end of my experiment with ModSecurity.
sudo a2dismod security2.
That was the end of my experiment with ModSecurity.
* posted by Robert on Tue, Jul 26, 2022