ModSecurity is an open-source web application firewall. It is an Apache module that helps protect web applications from a range of attacks and allows HTTP traffic monitoring and real-time analysis with no changes to the existing hardware infrastructure. Its main engine uses regular expressions and a set of rules to detect and block common web exploits.
A high percentage of all web attacks happen at the web application level. For example, if you install an open-source application (such as PHP-Nuke, phpBB or Joomla), attackers may find a new vulnerability in that specific CMS at any time, and if you don't update your CMS in time your site might become a victim. With mod_security it is possible to detect and block most of these common attacks.
I had many problems installing mod_security as a beginner, so after reading a lot of articles and documents and successfully implementing mod_security, I decided to make this step-by-step tutorial for beginners.
All steps in this article are tested on a fresh install of Ubuntu desktop 12.04 and worked successfully.
_____________________________________________________________________
In this tutorial I'm going to teach you how to install mod_security on Apache web server and do a basic configuration to start it up and finally test it.
Requirements:
Ubuntu Desktop/Server ver: 12.04 or higher.
We assume you don't have Apache installed. If you have Apache installed and configured, skip to step 2.
1. Installing Apache, PHP
Press Ctrl+Alt+T to launch a terminal, then run the commands below:
sudo apt-get update
sudo apt-get install apache2
sudo apt-get install php5
sudo /etc/init.d/apache2 restart
Now, for testing, simply open Firefox and go to http://localhost/ or http://127.0.0.1. If Apache was installed successfully, you should see the Apache default page.
2. Installing Mod Security on Apache
These commands will install the dependencies:
sudo apt-get install libxml2 libxml2-dev libxml2-utils
sudo apt-get install libaprutil1 libaprutil1-dev
If you are using 64-bit Ubuntu, run this command:
sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
This command will install mod security:
sudo apt-get install libapache-mod-security
3. Configuring ModSecurity Rules
In this section we configure only some basic default rules. For more information you can visit the ModSecurity rule reference.
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Now, to configure ModSecurity, run the following command:
sudo gedit /etc/modsecurity/modsecurity.conf
Now search the file for SecRuleEngine and change its value to On:
SecRuleEngine On
4. Install the latest OWASP Rule Set
cd /tmp
sudo wget https://github.com/root25/MODSEC/raw/master/modsecurity-crs_2.2.5.tar.gz
sudo tar -zxvf modsecurity-crs_2.2.5.tar.gz
sudo cp -R modsecurity-crs_2.2.5/* /etc/modsecurity/
sudo rm modsecurity-crs_2.2.5.tar.gz
sudo rm -R modsecurity-crs_2.2.5
sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf
Now we have to create symbolic links in the activated rules directory that point to the base rules and the optional rules.
cd /etc/modsecurity/base_rules
for f in * ; do sudo ln -s "/etc/modsecurity/base_rules/$f" "/etc/modsecurity/activated_rules/$f" ; done
cd /etc/modsecurity/optional_rules
for f in * ; do sudo ln -s "/etc/modsecurity/optional_rules/$f" "/etc/modsecurity/activated_rules/$f" ; done
Now we have to add this to the Apache mods:
sudo gedit /etc/apache2/mods-available/mod-security.conf
Add the following line before </IfModule> and save the file:
Include "/etc/modsecurity/activated_rules/*.conf"
Enable the headers module:
sudo a2enmod headers
Now restart Apache for the configuration to take effect:
5. Final Stages
Test whether ModSecurity was enabled successfully:
sudo a2enmod mod-security
Now restart Apache for the configuration to take effect:
sudo /etc/init.d/apache2 restart
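A quick check of the result of steps 3 to 5, as an added example that is not part of the original article: it reports whether SecRuleEngine is On, whether the Include line is present, and whether any link in activated_rules points at a missing file. The function names are made up for this example; the paths in the usage comment are the ones used in this tutorial.

```shell
#!/bin/sh
# Added example: sanity check for the layout built in steps 3 to 5.
# usage: check_modsec /etc/modsecurity/modsecurity.conf \
#            /etc/apache2/mods-available/mod-security.conf \
#            /etc/modsecurity/activated_rules

# Print the value of the last uncommented SecRuleEngine directive in a file.
engine_mode() {
    awk '$1 == "SecRuleEngine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Succeed if the Apache module config includes activated_rules/*.conf.
has_rules_include() {
    grep -Eq '^[[:space:]]*Include[[:space:]]+"?[^"]*activated_rules/\*\.conf' "$1"
}

# Print every symlink in the directory whose target does not exist.
dangling_links() {
    for link in "$1"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then echo "$link"; fi
    done
}

# Report each problem on stdout; return 0 only if all three checks pass.
check_modsec() {
    rc=0
    mode=$(engine_mode "$1")
    if [ "$mode" != "On" ]; then
        echo "SecRuleEngine is $mode: matching requests are not blocked"; rc=1
    fi
    if ! has_rules_include "$2"; then
        echo "no Include for activated_rules/*.conf in $2"; rc=1
    fi
    broken=$(dangling_links "$3")
    if [ -n "$broken" ]; then
        echo "dangling rule links:"; echo "$broken"; rc=1
    fi
    return "$rc"
}
```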
6. Testing
To test ModSecurity, simply open Firefox, enter http://localhost/?id=23' or '1'='1 in the address bar and press Enter. This is a very basic SQL injection attack; if ModSecurity is configured correctly, you should see a "403 Forbidden" page. At the same time, ModSecurity logs all details of this attack in the log file.
7. Checking the Log
To check the mod_security log, do the following:
cd /var/log/apache2/
sudo gedit modsec_audit.log
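The audit log is written as entries split into sections by boundary lines (A: connection, B: request headers, F: response headers, H: rule messages, Z: end of entry). The script below is an added example, not part of the original article, that turns each entry into one line; it assumes the serial ModSecurity 2.x log format, and the function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a ModSecurity 2.x serial audit log, one line per
# entry: client IP|HTTP status|matched rule ids|request line.
# usage: summarize_audit /var/log/apache2/modsec_audit.log   (or read stdin)
summarize_audit() {
    awk '
    /^--[0-9a-zA-Z]+-[A-Z]--$/ {            # boundary line such as --1a2b3c4d-A--
        sec = substr($0, length($0) - 2, 1); first = 1
        if (sec == "A") ip = status = ids = req = ""
        if (sec == "Z") printf "%s|%s|%s|%s\n", ip, status, ids, req
        next
    }
    first && sec == "A" { ip = $4 }         # [date zone] unique-id client-ip ...
    first && sec == "B" { req = $0 }        # request line
    first && sec == "F" { status = $2 }     # response status line
    { first = 0 }
    sec == "H" && /^Message: / {            # one Message line per rule match
        rest = $0
        while (match(rest, /\[id "[0-9]+"\]/)) {
            id = substr(rest, RSTART + 5, RLENGTH - 7)
            ids = (ids == "" ? id : ids "," id)
            rest = substr(rest, RSTART + RLENGTH)
        }
    }' "$@"
}

# Number of entries that were answered with 403.
count_blocked() {
    summarize_audit "$@" | awk -F"|" '$2 == "403"' | wc -l | tr -d " "
}

# Constructed sample entry (not from a real server); rule id and msg are made up.
sample_log() {
    cat <<'EOF'
--1a2b3c4d-A--
[12/Dec/2012:10:15:32 +0000] SAMPLEuniqueID0000000001 127.0.0.1 51234 127.0.0.1 80
--1a2b3c4d-B--
GET /?id=23%27%20or%20%271%27=%271 HTTP/1.1
Host: localhost

--1a2b3c4d-F--
HTTP/1.1 403 Forbidden

--1a2b3c4d-H--
Message: Access denied with code 403 (phase 2). [id "999001"] [msg "constructed sample rule"]
Action: Intercepted (phase 2)

--1a2b3c4d-Z--
EOF
}

sample_log | summarize_audit   # demo run on the sample entry
```

The log file is normally readable only by root, so run the function against the real log from a root shell or on a copy of the file.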
And this is a video of the implementation of the mod_security & reverse proxy project that I did.
It also includes a visualization of the mod_security log, which I imported into MySQL and then drew some graphs from.
http://www.youtube.com/watch?v=o3-KDD7TSrA
My post about the same project but the reverse proxy configuration part:
http://www.root25.com/2012/12/how-to-impelement-reverse-proxy-with-modsecurity.html
My post about Light-MSLA (Mod Security Log Auditor) Project:
http://www.root25.com/2013/02/mod-security-log-auditor-application-in-PHP-free-analyse-draw-chart-from-modsecurity-log.html
Copyright Notice: This article is brought to you by root25.com. Feel free to use this article, but please include root25.com & Amir Sadeghian (i@root25.com) in your references list. Thank you.