How To Install Mod_Security On Apache(Ubuntu 12.10) Step By Step Tutorial For Beginners

ModSecurity is an opensource web application firewall. It is an Apache module that helps to provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing hardware infrastructure. The main engine of this application use regular expressions and set of rules to detect and block common web exploits.
High percentage of all web attacks happens in web application level, for example if you install a opensource application (like Phpnuke,phpbb, joomla &...) anytime soon might hackers find new vulnerability in that specific CMS and if you don't update your CMS on time your site might become victim of these hackers.By using Mod_Security it's possible to detect and block most of these common security attacks.

I had many problems as a beginner to install mod_security so after reading a lot of articles and documents and successfully implemented the mod_security decided to make this step by step tutorial for beginners.

All steps in this article are tested on a fresh install of Ubuntu desktop 12.04 and worked successfully.

_____________________________________________________________________

In this tutorial I'm going to teach you how to install mod_security on Apache web server and do a basic configuration to start it up and finally test it.

Requirements:
Ubuntu Desktop/Server ver: 12.04 or higher.

We assumed you don't have Apache installed. if you have Apache installed and configured skip to step 2.

1.Installing Apache,PHP

Press ctrl+alt+T to launch terminal and type in and run below commands:

sudo apt-get update

sudo apt-get install apache2

sudo apt-get install php5

sudo /etc/init.d/apache2 restart

now for testing, simply open the Firefox and type in http://localhost/ or http://127.0.0.1 .If you successfully installed the Apache you have to see a page similar to below:

2.Installing Mod Security on Apache

These commands will install dependencies:

sudo apt-get install libxml2 libxml2-dev libxml2-utils

sudo apt-get install libaprutil1 libaprutil1-dev

If you are using 64 bit Ubuntu run this command:
sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2

This command will install mod security:
sudo apt-get install libapache-mod-security

3.Configuring ModSecurity Rules

In this section we just configure some basic default rules. For more information you can visit ModSecurity rule refrence.
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

now for configuring the modsecurity run the following command.
sudo gedit /etc/modsecurity/modsecurity.conf
Now find  SecRuleEngine  by searching in the file and change SecRuleEngine to On .
SecRuleEngine On

4.Install the latest OWASP Rule Set.

cd /tmp

sudo wget https://github.com/root25/MODSEC/raw/master/modsecurity-crs_2.2.5.tar.gz

sudo tar -zxvf modsecurity-crs_2.2.5.tar.gz

sudo cp -R modsecurity-crs_2.2.5/* /etc/modsecurity/

sudo rm modsecurity-crs_2.2.5.tar.gz

sudo rm -R modsecurity-crs_2.2.5

sudo mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example  /etc/modsecurity/modsecurity_crs_10_setup.conf

Now we have to create symbolic links between base rules and activated rules directory. 

cd /etc/modsecurity/base_rules

for f in * ; do sudo ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done

cd /etc/modsecurity/optional_rules

for f in * ; do sudo ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done 

now we have to add this to apache mods:

sudo gedit /etc/apache2/mods-available/mod-security.conf

Add the following line before </IfModule> and save the file :

Include "/etc/modsecurity/activated_rules/*.conf"

Enable the headers module:

sudo a2enmod headers

5.Final Stages

Test if ModSecurity successfully enabled:

sudo a2enmod mod-security

Now restart the Apache to configuration take place :

sudo /etc/init.d/apache2 restart

6.Testing

For testing the Mod Security , simply open the firefox and enter http://localhost/?id=23' or '1'='1 in the address bar and press enter. This is a very basic SQL Injection attack , if you successfully configured your mod security you have to see this page "403 Forbidden". In the same time mod_Security also logged all details of this attack in the log file.

7.Checking the Log

For checking the mod_security log do the following steps:

cd /var/log/apache2/

sudo gedit modsec_audit.log

And this is a video of implementation of mod_security & reverse proxy project that i did.
Its also include the visualization of log of mod_security that i imported into MySQL and then draw some graphs from that data.

http://www.youtube.com/watch?v=o3-KDD7TSrA

My post about the same project but the reverse proxy configuration part:
http://www.root25.com/2012/12/how-to-impelement-reverse-proxy-with-modsecurity.html

My post about Light-MSLA (Mod Security Log Auditor) Project:
http://www.root25.com/2013/02/mod-security-log-auditor-application-in-PHP-free-analyse-draw-chart-from-modsecurity-log.html



Copyright Notice: This article is brought to you by root25.com . Feel free to use this article but please provide root25.com & Amir Sadeghian(i@root25.com) in your references list.Thank You.