Easily Install ModSecurity with Apache on Rocky Linux 8

In this guide, we are going to learn how to install ModSecurity with Apache on Rocky Linux 8. This guide focusses on installing the LibMosecurity, also known as ModSecurity version 3. ModSecurity is an open source, cross platform web application firewall (WAF) engine which provides protection against a wide range of web application attacks.

Installing ModSecurity with Apache on Rocky Linux 8

Run System Update

Begin by updating your system packages.

dnf update

Install Required Build Tools and Dependencies

LibModsecurity are going to be compiled from the source and thus a number of build tools and dependencies are required.

Run the commands below to install them.

dnf config-manager --set-enabled powertools

Install additional repositories.

dnf install epel-release -y

dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y

dnf config-manager --set-enabled remi

Install the required dependencies.

dnf install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config git wget openssl openssl-devel vim GeoIP-devel doxygen yajl-devel libmaxminddb libmaxminddb-devel GeoIP-devel lmdb lmdb-devel ssdeep-devel lua-devel perl-File-Path -y

Download Modsecurity Source Code

Create a temporary directory to store the source tarballs.

mkdir ~/modsec

You can choose to use /opt instead.

Navigate to ModSecurity releases page and download ModSecurity source code. You can simply use wget to pull it.

cd ~/modsec

wget -P ~/modsec https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.5/modsecurity-v3.0.5.tar.gz

Extract the ModSecurity source code.

cd ~/modsec

tar xzf modsecurity-v3.0.5.tar.gz

Compile and Install Modsecurity on Rocky Linux

Navigate to the LibModsecurity source directory, configure, compile and install it

cd modsecurity-v3.0.5

Configure LibModsecurity to adapt it to your system and check if any required dependency is missing.

./build.sh

You can safely ignore the fatal: * messages.

./configure --with-maxmind=no

Fix any dependency issue just in case there is any before you can proceed to compile and install LibModsecurity with Apache on CentOS

Compile and install ModSecurity on Rocky Linux 8.

make

make install

Install ModSecurity-Apache Connector on Rocky Linux 8

Once the installation of LibModsecurity is done, proceed to install the ModSecurity-apache connector which provides a communication channel between Apache and libModsecurity. 

Clone the git repository for the ModSecurity Apache connector.

cd ~
git clone https://github.com/SpiderLabs/ModSecurity-apache

Navigate to ModSecurity-apache directory and run the following commands to compile and install it.

cd ModSecurity-apache

./autogen.sh

./configure --with-libmodsecurity=/usr/local/modsecurity/

make

make install

Configure Apache with Modsecurity on Rocky Linux 8

Next, configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.

echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf

Create ModSecurity configuration directory under /etc/httpd/conf.d

mkdir /etc/httpd/conf.d/modsecurity.d

Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.

cp ~/modsec/modsecurity-v3.0.5/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Also copy the unicode.mapping file from ModSecurity source directory to Apache Modsecurity configuration directory.

sudo cp ~/modsec/modsecurity-v3.0.5/unicode.mapping /etc/httpd/conf.d/modsecurity.d/

Activate ModSecurity by changing the value of SecRuleEngine to On.

sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Change the default log directory for Modsecurity

sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Configure ModSecurity rules by creating a file where you can define the rules to include.

cat > /etc/httpd/conf.d/modsecurity.d/rules.conf << 'EOL'
Include "/etc/httpd/conf.d/modsecurity.d/modsecurity.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/*.conf"
EOL

Since we have included the OWASP Rules, proceed to install them.

Install OWASP ModSecurity Core Rule Set (CRS)

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.

Clone the CRS from GitHub repository to /etc/apache2/modsecurity.d/ as shown below;

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/httpd/conf.d/modsecurity.d/owasp-crs

Next, rename crs-setup.conf.example to crs-setup.conf.

cp /etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf{.example,}

Activate ModSecurity 3 on Rocky Linux 8

After all that, activate the modsecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache’s default site configuration file.

Note that you have to enable ModSecurity per directory context.

vim /etc/httpd/conf/httpd.conf

See our below the changes made on the default web root directory on the default Apache configuration;

...
>Directory "/var/www/html"<
    modsecurity on
    modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
>/Directory<
...

The lines;

 modsecurity on
 modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf

Turns on Modsecurity and specifies the location of the Modsecurity rules respectively.

Check Apache for configuration errors and restart it.

httpd -t

Syntax OK

systemctl restart httpd

Testing Modsecurity

Next, test the effectiveness of Modsecurity with OWASP rules, for example, using the command injection. Run the command below;

curl localhost/index.html?exec=/bin/bash

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>

If you see, 403 Forbidden then it means you have nailed it.

You can as well check Modsecurity logs;

tail /var/log/httpd/modsec_audit.log

---AzdMfmgc---B--
GET /index.html?exec=/bin/bash HTTP/1.1
Host: localhost
User-Agent: curl/7.61.1
Accept: */*

---AzdMfmgc---D--

---AzdMfmgc---F--
HTTP/1.1 403

---AzdMfmgc---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] 
[tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "rocky8.kifarunix-demo.com"] [uri "/index.html"] [unique_id "1629389313"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] 
[data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "rocky8.kifarunix-demo.com"] [uri "/index.html"] [unique_id "1629389313"] [ref ""]

---AzdMfmgc---I--

---AzdMfmgc---J--

---AzdMfmgc---Z--

You will also find such logs on Apache error log files;

tail /var/log/httpd/error_log

...
[Thu Aug 19 19:08:33.445040 2021] [:error] [pid 1658:tid 140385787549440] [client ::1:58424] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] 
[line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] 
[tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "rocky8.kifarunix-demo.com"] [uri "/index.html"] [unique_id "1629389313"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
...

Well, there you go. ModSecurity 3 or LibModSeceurity is now installed, activated and protecting your site against web attacks.

Feel free to set up more rules as you wish and protect your web application.

Other Tutorials

Protect WordPress Against Brute force Attacks Using Fail2ban

Restrict Access to WordPress Login Page to Specific IPs with libModSecurity

Configure LDAP Based HTTP Basic Authentication