Install LibModsecurity with Apache on Fedora 30/29/CentOS 7


In this guide, we are going to learn how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. ModSecurity is an open source web application firewall (WAF) that provides a robust event-based rule language for protecting web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include, etc.

Install LibModsecurity with Apache on Fedora 30/29/CentOS 7

Update your system. The YUM package manager is used throughout this guide since it works on both CentOS and Fedora.

yum update

If you are building a web application, ensure that you have a LAMP stack. You can see how to install LAMP stack by following the links below;

Install LAMP Stack on Fedora 30

Install LAMP (Linux, Apache, MySQL, PHP) Stack on Fedora 28/29

Install Required Build Tools and Dependencies

Since we are going to install LibModsecurity from source, a number of build tools and development libraries are required. Run the command below to install them.

yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config

Download LibModsecurity Source Code

Run the command below to clone the v3/master branch of the LibModsecurity GitHub repository.

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

Compile and Install LibModsecurity

Once you have cloned the ModSecurity repository, navigate to the source directory, configure, compile and install ModSecurity 3.

cd ModSecurity

Download the libInjection code, which ships as part of the ModSecurity source tree in the form of a git submodule.

git submodule init
git submodule update

Next, run the configure script to adapt ModSecurity to your system and to detect any missing dependencies.

./build.sh
./configure

Ignore the message fatal: No names found, cannot describe anything. It is printed because git describe finds no tags in a shallow (--depth 1) clone and it is harmless.

Once the configuration completes with no error, proceed to compile and install ModSecurity. Fix any dependency errors reported by configure before you proceed.

make
make install

Install ModSecurity-Apache Connector

The ModSecurity-apache connector provides the communication channel between Apache and LibModsecurity. Now that LibModsecurity is installed, follow the steps below to install the ModSecurity Apache connector.

Clone the git repository for the ModSecurity Apache connector.

cd ~
git clone https://github.com/SpiderLabs/ModSecurity-apache

Navigate to ModSecurity-apache directory and run the following commands to compile and install it.

cd ModSecurity-apache
./autogen.sh
./configure --with-libmodsecurity=/usr/local/modsecurity/
make
sudo make install

Configure Apache with LibModsecurity

To begin with, configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.

echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf

Next, create ModSecurity configuration directory under /etc/httpd/conf.d

sudo mkdir /etc/httpd/conf.d/modsecurity.d

Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.

sudo cp ~/ModSecurity/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Also copy the unicode.mapping file from ModSecurity source directory to Apache Modsecurity configuration directory.

sudo cp ~/ModSecurity/unicode.mapping /etc/httpd/conf.d/modsecurity.d/

Turn on ModSecurity by changing the value of SecRuleEngine from DetectionOnly to On. Note that DetectionOnly only logs matches without blocking, so until this change is made no request is actually denied.

sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Change the default audit log location for ModSecurity to the Apache log directory.

sudo sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Next, you need to configure ModSecurity rules. Therefore, create a file where you can define the rules to include.

sudo vim /etc/httpd/conf.d/modsecurity.d/rules.conf
Include "/etc/httpd/conf.d/modsecurity.d/modsecurity.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/*.conf"

Since we have included the OWASP Rules, proceed to install them.

Install OWASP ModSecurity Core Rule Set (CRS)

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. It aims at protecting web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

Clone the CRS from the GitHub repository into /etc/httpd/conf.d/modsecurity.d/owasp-crs as shown below;

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/httpd/conf.d/modsecurity.d/owasp-crs

Next, copy crs-setup.conf.example to crs-setup.conf so that the CRS setup file included in rules.conf above exists.

sudo cp /etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf{.example,}

Activate ModSecurity

After all that, activate ModSecurity in the default site configuration file or in any virtual host configuration file. In this guide, we are using Apache's default site configuration file.

Note that you have to enable ModSecurity per directory context.

vim /etc/httpd/conf/httpd.conf

The changes made to the default web root directory block in the default Apache configuration are shown below;

...
<Directory "/var/www/html">
    modsecurity on
    modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
...

The lines;

 modsecurity on
 modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf

turn on ModSecurity for that directory and specify the location of the ModSecurity rules file.

Check Apache for configuration errors and restart it.

httpd -t
Syntax OK
systemctl restart httpd
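
Beyond httpd -t, which only checks Apache syntax, a few quick checks confirm that the pieces configured above actually fit together. The script below is an added example and is not part of the original guide; the function names are hypothetical, the default paths are the ones used in this guide, and each function also accepts a path argument so it can be run against any copy of the files.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity checks for the
# ModSecurity configuration written above. Defaults are the guide's paths.

# Returns 0 if httpd.conf contains the LoadModule line for mod_security3.
check_module_loaded() {
    conf="${1:-/etc/httpd/conf/httpd.conf}"
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+security3_module[[:space:]]' "$conf"
}

# Returns 0 only if SecRuleEngine is On (DetectionOnly would log but never block).
check_rule_engine_on() {
    conf="${1:-/etc/httpd/conf.d/modsecurity.d/modsecurity.conf}"
    grep -Eq '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$conf"
}

# Prints the audit log path set by SecAuditLog (empty if the directive is absent).
get_audit_log_path() {
    conf="${1:-/etc/httpd/conf.d/modsecurity.d/modsecurity.conf}"
    awk '$1 == "SecAuditLog" { print $2; exit }' "$conf"
}

# Returns 0 if every Include in rules.conf resolves to at least one file;
# a glob such as rules/*.conf must match something, otherwise the CRS is not loaded.
check_includes_exist() {
    rules="${1:-/etc/httpd/conf.d/modsecurity.d/rules.conf}"
    [ -r "$rules" ] || return 1
    # Strip the quotes around each Include argument, then expand it as a glob.
    awk '$1 == "Include" { gsub(/"/, "", $2); print $2 }' "$rules" | {
        status=0
        while read -r pattern; do
            found=0
            for f in $pattern; do
                [ -e "$f" ] && found=1
            done
            if [ "$found" -eq 0 ]; then
                echo "missing: $pattern" >&2
                status=1
            fi
        done
        exit "$status"
    }
}

# Runs all checks against the default locations and reports each result.
run_all_checks() {
    check_module_loaded  && echo "mod_security3 is loaded"  || echo "mod_security3 is NOT loaded"
    check_rule_engine_on && echo "SecRuleEngine is On"      || echo "SecRuleEngine is NOT On"
    check_includes_exist && echo "all rule includes resolve" || echo "some rule includes are missing"
    echo "audit log: $(get_audit_log_path)"
}

# Run with --run to check the live system: sh modsec-check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_all_checks
fi
```

The include check is the one most worth keeping: a typo in the owasp-crs path silently leaves Apache running with the base modsecurity.conf only, and httpd -t does not catch it.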

Testing Modsecurity

Next, test that ModSecurity with the OWASP rules is effective, for example with a request that the CRS classifies as command injection. Run the command below;

curl localhost/index.html?exec=/bin/bash
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>

If you see 403 Forbidden, then ModSecurity is blocking the request as intended.

You can also check the ModSecurity audit log;

tail /var/log/httpd/modsec_audit.log
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]
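
Each request produces several messages like the ones above, and a quick way to see what the WAF is doing is to group them by rule id, by request and by URI. The helpers below are an added example, not part of the original guide or of the ModSecurity project; the function names are hypothetical and the sample log lines written by write_sample_log are constructed to mimic the format shown above (three requests, two of them denied).

```shell
#!/bin/sh
# Added example (not from the original guide): helpers for triaging the
# one-line "ModSecurity: ..." messages shown above by their bracketed fields.

# Prints the value of one bracketed field (e.g. id, msg, uri) from stdin lines.
# Usage: printf '%s\n' "$line" | field_value id
field_value() {
    sed -n "s/.*\[$1 \"\([^\"]*\)\"\].*/\1/p"
}

# Prints how many requests were actually denied (not just warned about).
count_denials() {
    grep -c 'ModSecurity: Access denied' "$1" || true
}

# Prints "count id|msg" per distinct rule, most frequent first.
rules_hit_summary() {
    grep 'ModSecurity: ' "$1" |
    sed -n 's/.*\[id "\([^"]*\)"\].*\[msg "\([^"]*\)"\].*/\1|\2/p' |
    sort | uniq -c | sort -rn
}

# Prints the rule ids that fired for one request, space-separated, in log order.
rule_ids_for_request() {
    grep "\[unique_id \"$2\"\]" "$1" | field_value id | tr '\n' ' ' | sed 's/ $//'
}

# Prints "count uri" for every URI that was denied, most frequent first.
denied_uris() {
    grep 'ModSecurity: Access denied' "$1" | field_value uri | sort | uniq -c | sort -rn
}

# Writes a constructed sample log (not real traffic) to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "sample-0001"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "sample-0001"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [severity "0"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "sample-0001"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:cmd' (Value: `/bin/sh' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"] [hostname "cent7.example.com"] [uri "/search"] [unique_id "sample-0002"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [hostname "cent7.example.com"] [uri "/search"] [unique_id "sample-0002"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [severity "0"] [hostname "cent7.example.com"] [uri "/search"] [unique_id "sample-0002"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:q' (Value: `bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"] [hostname "cent7.example.com"] [uri "/docs"] [unique_id "sample-0003"]
EOF
}

# Run with --demo to summarise the constructed sample; pass a real log path otherwise.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "denied requests: $(count_denials "$tmp")"
    rules_hit_summary "$tmp"
    denied_uris "$tmp"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    echo "denied requests: $(count_denials "$1")"
    rules_hit_summary "$1"
    denied_uris "$1"
fi
```

Grouping by unique_id is what makes the output above readable: the 932160 warning, the 949110 denial and the 980130 correlation entry are three messages about one request, and only the 949110 line tells you a client was actually blocked.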

Well, there you go and that is it on our guide on how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. Feel free to set up more rules as you wish and protect your web application.
