ModSecurity is an opensource web application firewall. It is an Apache module that helps to provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing hardware infrastructure. The main engine of this application use regular expressions and set of rules to detect and block common web exploits.
High percentage of all web attacks happens in web application level, for example if you install a opensource application (like Phpnuke,phpbb, joomla &...) anytime soon might hackers find new vulnerability in that specific CMS and if you don't update your CMS on time your site might become victim of these hackers.By using Mod_Security it's possible to detect and block most of these common security attacks.
I had many problems as a beginner to install mod_security so after reading a lot of articles and documents and successfully implemented the mod_security decided to make this step by step tutorial for beginners.
All steps in this article are tested on a fresh install of Ubuntu desktop 12.04 and worked successfully.
_____________________________________________________________________
In this tutorial I'm going to teach you how to install mod_security on Apache web server and do a basic configuration to start it up and finally test it.
Requirements:
Ubuntu Desktop/Server ver: 12.04 or higher.
We assumed you don't have Apache installed. if you have Apache installed and configured skip to step 2.
1.Installing Apache,PHP
Press ctrl+alt+T to launch terminal and type in and run below commands:
sudo apt-get update
sudo apt-get install apache2
sudo apt-get install php5
sudo /etc/init.d/apache2 restart
now for testing, simply open the Firefox and type in http://localhost/ or http://127.0.0.1 .If you successfully installed the Apache you have to see a page similar to below:
2.Installing Mod Security on Apache
These commands will install dependencies:sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
If you are using 64 bit Ubuntu run this command:
sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
This command will install mod security:
sudo apt-get install libapache-mod-security
3.Configuring ModSecurity Rules
In this section we just configure some basic default rules. For more information you can visit ModSecurity rule refrence.sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
now for configuring the modsecurity run the following command.
sudo gedit /etc/modsecurity/modsecurity.conf
Now find SecRuleEngine by searching in the file and change SecRuleEngine to On .
SecRuleEngine On
4.Install the latest OWASP Rule Set.
cd /tmp
sudo wget https://github.com/root25/MODSEC/raw/master/modsecurity-crs_2.2.5.tar.gz
sudo tar -zxvf modsecurity-crs_2.2.5.tar.gz
sudo cp -R modsecurity-crs_2.2.5/* /etc/modsecurity/
sudo rm modsecurity-crs_2.2.5.tar.gz
sudo rm -R modsecurity-crs_2.2.5
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
Now we have to create symbolic links between base rules and activated rules directory.
cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done
now we have to add this to apache mods:
sudo gedit /etc/apache2/mods-available/mod-security.conf
Add the following line before </IfModule> and save the file :
Include "/etc/modsecurity/activated_rules/*.conf"
Enable the headers module:
sudo a2enmod headers
Now restart the Apache to configuration take place :
5.Final Stages
Test if ModSecurity successfully enabled:
sudo a2enmod mod-security
Now restart the Apache to configuration take place :
sudo /etc/init.d/apache2 restart
6.Testing
For testing the Mod Security , simply open the firefox and enter http://localhost/?id=23' or '1'='1 in the address bar and press enter. This is a very basic SQL Injection attack , if you successfully configured your mod security you have to see this page "403 Forbidden". In the same time mod_Security also logged all details of this attack in the log file.
7.Checking the Log
For checking the mod_security log do the following steps:
cd /var/log/apache2/
sudo gedit modsec_audit.log
And this is a video of implementation of mod_security & reverse proxy project that i did.
Its also include the visualization of log of mod_security that i imported into MySQL and then draw some graphs from that data.
http://www.youtube.com/watch?v=o3-KDD7TSrA
My post about the same project but the reverse proxy configuration part:
http://www.root25.com/2012/12/how-to-impelement-reverse-proxy-with-modsecurity.html
My post about Light-MSLA (Mod Security Log Auditor) Project:
http://www.root25.com/2013/02/mod-security-log-auditor-application-in-PHP-free-analyse-draw-chart-from-modsecurity-log.html
Copyright Notice: This article is brought to you by root25.com . Feel free to use this article but please provide root25.com & Amir Sadeghian(i@root25.com) in your references list.Thank You.
sudo gedit modsec_audit.log
Its also include the visualization of log of mod_security that i imported into MySQL and then draw some graphs from that data.
http://www.youtube.com/watch?v=o3-KDD7TSrA
My post about the same project but the reverse proxy configuration part:
http://www.root25.com/2012/12/how-to-impelement-reverse-proxy-with-modsecurity.html
My post about Light-MSLA (Mod Security Log Auditor) Project:
http://www.root25.com/2013/02/mod-security-log-auditor-application-in-PHP-free-analyse-draw-chart-from-modsecurity-log.html
Copyright Notice: This article is brought to you by root25.com . Feel free to use this article but please provide root25.com & Amir Sadeghian(i@root25.com) in your references list.Thank You.
Thanks for the tutorial, haven't tried it yet but I'm really liking the way you've laid this page out, makes the commands simple to copy and paste :). Thanks.
ReplyDeleteYou're welcome , I hope you try and can use it successfully :)
Deletehttps://www.securitycamera-ny.com/ I like your post. It is good to see you verbalize from the heart and clarity on this important subject can be easily observed... security camera installation
ReplyDeleteWow, What a Excellent post. I really found this to much informatics. It is what i was searching for.I would like to suggest you that please keep sharing such type of info.Thanks Serious Security Melbourne
ReplyDeleteI like your post. It is good to see you verbalize from the heart and clarity on this important subject can be easily observed... Hikvision
ReplyDeleteI think that thanks for the valuabe information and insights you have so provided here. CCTV camera
ReplyDeleteI’m going to read this. I’ll be sure to come back. thanks for sharing. and also This article gives the light in which we can observe the reality. this is very nice one and gives indepth information. thanks for this nice article... DS-2CD2165G0
ReplyDeleteThis is a great inspiring article.I am pretty much pleased with your good work.You put really very helpful information. Keep it up. Keep blogging. Looking to reading your next post. CCTV Installers Melbourne
ReplyDeleteThis particular papers fabulous, and My spouse and i enjoy each of the perform that you have placed into this. I’m sure that you will be making a really useful place. I has been additionally pleased. Good perform! Melbourne CCTV systems
ReplyDelete