How To Set Up ModSecurity with Apache on Ubuntu 24.04 LTS
In today’s digital landscape, securing web applications is of utmost importance. One powerful tool that helps protect your website from common vulnerabilities like SQL injection and cross-site scripting (XSS) attacks is ModSecurity. As a robust Web Application Firewall (WAF), ModSecurity integrates seamlessly with the Apache web server, providing an additional layer of security. In this comprehensive guide, we’ll walk you through the process of setting up ModSecurity with Apache on Ubuntu 24.04 LTS, ensuring your web applications are well-protected.
Prerequisites
Before we dive into the installation and configuration process, ensure that you have the following prerequisites in place:
- A server running Ubuntu 24.04 LTS
- Basic knowledge of Linux command-line operations
- SSH access to the server with sudo privileges
Step 1: Update and Upgrade the System
To begin, it’s crucial to ensure your Ubuntu server is up to date with the latest security patches and software updates. Open your terminal and run the following commands:
sudo apt update
sudo apt upgrade -y
These commands will refresh the package list and upgrade any outdated packages to their latest versions, providing a stable and secure foundation for your server.
Step 2: Install Apache Web Server
Next, we’ll install the Apache web server, which will host your web applications. If you haven’t already installed Apache, you can do so by running the following command:
sudo apt install apache2 -y
Once the installation is complete, you can verify that Apache is running by accessing your server’s IP address or domain name in a web browser. You should see the default Apache landing page, indicating a successful installation.
Step 3: Install ModSecurity Module
With Apache installed, it’s time to integrate the ModSecurity module. ModSecurity is an open-source WAF that helps protect your web applications from various attacks. To install ModSecurity, run the following command:
sudo apt install libapache2-mod-security2 -y
After the installation is complete, enable the ModSecurity module and restart Apache to apply the changes:
sudo a2enmod security2
sudo systemctl restart apache2
ModSecurity is now installed and ready to be configured to suit your specific security needs.
Step 4: Configure ModSecurity
To configure ModSecurity, we’ll start by copying the recommended configuration file:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Open the configuration file using a text editor like nano:
sudo nano /etc/modsecurity/modsecurity.conf
Locate the line that says SecRuleEngine DetectionOnly and change it to SecRuleEngine On. This enables ModSecurity’s blocking mode, allowing it to actively prevent malicious requests.
Save the changes and exit the text editor. Then, restart Apache to apply the new configuration:
sudo systemctl restart apache2
Step 5: Install OWASP Core Rule Set (CRS)
To enhance ModSecurity’s effectiveness, we’ll install the OWASP Core Rule Set (CRS). The CRS is a collection of pre-configured security rules that protect against common web application vulnerabilities. Download the latest CRS version using the following commands:
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.2.zip
unzip v3.3.2.zip
Move the CRS files to the appropriate directory and configure ModSecurity to use them:
mv coreruleset-3.3.2/crs-setup.conf.example /etc/modsecurity/crs-setup.conf
Include the CRS in your Apache configuration by editing the security2.conf file:
sudo nano /etc/apache2/mods-available/security2.conf
Add the following lines at the end of the file:
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional /etc/modsecurity/rules/*.conf
Save the changes and restart Apache:
sudo systemctl restart apache2
Your ModSecurity installation is now equipped with a robust set of security rules from the OWASP CRS.
Step 6: Fine-Tune ModSecurity Rules
While the default ModSecurity configuration provides a solid foundation, you may need to customize the rules based on your specific application requirements. For example, you might want to allow certain types of traffic or disable specific rules that generate false positives.
To customize the rules, you can create a new configuration file in the /etc/modsecurity/ directory and include it in the security2.conf file. For instance, to allow traffic from a trusted IP address, create a file named whitelist.conf:
sudo nano /etc/modsecurity/whitelist.conf
Add the following rule to the file, replacing TRUSTED_IP with the actual IP address:
SecRule REMOTE_ADDR "@ipMatch TRUSTED_IP" "id:1000,phase:1,nolog,allow,ctl:ruleEngine=Off"
Save the file and restart Apache for the changes to take effect.
Step 7: Testing ModSecurity Configuration
To ensure ModSecurity is correctly blocking malicious requests, you can perform some tests using sample HTTP requests. For example, you can use the curl command to send a request containing a common SQL injection payload:
curl -i -X GET "http://your-server-ip/?id=1' OR '1'='1"
If ModSecurity is properly configured, it should block the request and return a 403 Forbidden status code.
Step 8: Monitor ModSecurity Logs
Regularly monitoring ModSecurity logs is essential for gaining valuable security insights and identifying potential threats. To enable logging, open the ModSecurity configuration file:
sudo nano /etc/modsecurity/modsecurity.conf
Locate the following lines and uncomment them:
SecAuditEngine On
SecAuditLog /var/log/modsec_audit.log
Save the changes and restart Apache. ModSecurity will now log its activities to the specified file. Make sure to review the logs periodically to stay informed about any suspicious activities or blocked requests.
Congratulations! You have successfully installed ModSecurity with Apache. Thanks for using this tutorial for installing ModSecurity with Apache on Ubuntu 24.04 LTS system. For additional help or useful information, we recommend you check the official ModSecurity website.
