This post documents how to add ModSecurity protection to Apache on Ubuntu. It has been tested on Ubuntu 11.04 but might work on earlier or later releases with few modifications.
Installation of base packages
ModSecurity is an open source Web Application Firewall (WAF). It offers an array of request filtering and other security features to the Apache HTTP Server.
Fortunately, ModSecurity is already part of the Ubuntu package repositories. Therefore, installing the necessary stuff is rather straightforward:
apt-get install libapache2-mod-security mod-security-common
a2enmod mod-security
/etc/init.d/apache2 force-reload
Activation of the core rule set
The mod-security-common package contains the core rule set (crs), which will not be configured automatically. In order to activate the crs, /etc/apache2/conf.d/mod-security.conf has to be created with the following content:
Include /usr/share/doc/mod-security-common/examples/rules/*conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/*conf
Now the web server has to be restarted by the following line:
service apache2 restart
Testing the setup
In order to prove the setup is working, a test file called test.php with the following content can be used:
It's supposed to be placed in the root of your web server, so that it can be accessed by http://yourserver.tld/test.php. To run the actual test, the following address will do:
http://yourserver.tld/test.php?secret_file=/etc/passwd
If the content of /etc/passwd is displayed, ModSecurity is not working. A working installation will show a "403 Forbidden" error message.
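A repeatable version of the check above, as an added example that is not part of the original post: it confirms that every Include glob in mod-security.conf matches at least one rule file and classifies the answer to the test request. The script name check_modsec.sh and the function names are made up for this example, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: sh check_modsec.sh CONF_FILE TEST_URL

# Print "<matches> <glob>" for every Include line in CONF_FILE.
# Fails if any glob matches no file, i.e. no rules are loaded from it.
# The body is a subshell "( )" so its variables stay local.
check_includes() (
    rc=0
    while read -r directive glob rest || [ -n "$directive" ]; do
        [ "$directive" = "Include" ] || continue
        count=0
        for f in $glob; do            # unquoted on purpose: expand the glob
            if [ -f "$f" ]; then count=$((count + 1)); fi
        done
        printf '%s %s\n' "$count" "$glob"
        [ "$count" -gt 0 ] || rc=1
    done < "$1"
    exit "$rc"
)

# Interpret the answer to the test request.
# $1 = HTTP status, $2 = file with the response body.
waf_verdict() {
    case $1 in
        403) echo "blocked"; return 0 ;;
        200) if grep -q 'root:[^:]*:0:0:' "$2"; then
                 echo "leaked"; return 1   # passwd content came back
             fi ;;
    esac
    # e.g. 404: test.php is not in place, so nothing was proven
    echo "inconclusive"; return 2
}

main() {
    check_includes "$1" || echo "warning: an Include glob matches no file" >&2
    body=$(mktemp)
    code=$(curl -s -o "$body" -w '%{http_code}' "$2")
    waf_verdict "$code" "$body"; rc=$?
    rm -f "$body"
    return "$rc"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Only "blocked" confirms the setup; "inconclusive" means the request never reached a page that would have shown the file, so the test has to be repeated once test.php is reachable.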
Thanks,
These instructions worked perfectly. I am running Debian, apache2/modsecurity and had been having problems getting crs to start.
Many Thanks,
BikerMike
Thanks for this! Have it running now. Any chances you can simulate another attack? Like SQL injection and see those in log files or so?
Thanks for the write-up.
Small update / correction: the apt-get command refers to an unavailable package repository. It should be:
apt-get install libapache2-mod-security2 mod-security2-common