Install LibModsecurity with Apache on Fedora 30/29/CentOS 7

0
554

In this guide, we are going to learn how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. Modsecurity, is an open source web application firewall (WAF) which provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include e.tc.

Install LibModsecurity with Apache on Fedora 30/29/CentOS 7

Update your system. YUM packages manager is used in this for package management since YUM can be used in both CentOS and Fedora.

yum update

If you are building a web application, ensure that you have a LAMP stack. You can see how to install LAMP stack by following the links below;

Install LAMP Stack on Fedora 30

Install LAMP (Linux, Apache, MySQL, PHP) Stack on Fedora 28/29

Install Required Build Tools and Dependencies

Since we are going to install LibModsecurity from the source, a number of build tools dependencies are required. Run the command below to install them.

yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config

Download LibModsecurity Source Code

To install LibModSecurity with Apache on Fedora 30/29/CentOS 7, you need to download the source code for compilation.

Therefore, create a temporary directory to store the LibModSecurity source tarball.

mkdir ~/modsec

You can choose to use /opt instead.

Navigate to ModSecurity releases page and download ModSecurity source code. You can simply use wget to pull it.

cd ~/modsec
wget -P ~/modsec https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz

Extract the ModSecurity source code.

cd ~/modsec
tar xzf modsecurity-v3.0.4.tar.gz

Compile and Install LibModsecurity on Fedora 30/29/CentOS 7

Navigate to the LibModsecurity source directory, configure, compile and install it

cd modsecurity-v3.0.4

Configure LibModsecurity to adapt it to your system and check if any required dependency is missing.

./build.sh

You can safely ignore the fatal: No names found, cannot describe anything messages.

./configure

Fix any dependency issue just in case there is any before you can proceed to compile and install LibModsecurity with Apache on CentOS

Compile and install LibModSecurity.

make
make install

Install ModSecurity-Apache Connector

The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. Now that libmodsecurity is installed, follow through the following steps to install Modsecurity Apache connector.

Clone the git repository for the ModSecurity Apache connector.

cd ~
git clone https://github.com/SpiderLabs/ModSecurity-apache

Navigate to ModSecurity-apache directory and run the following commands to compile and install it.

cd ModSecurity-apache
./autogen.sh
./configure --with-libmodsecurity=/usr/local/modsecurity/
make
sudo make install

Configure Apache with LibModsecurity

To begin with, configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.

echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf

Next, create ModSecurity configuration directory under /etc/httpd/conf.d

sudo mkdir /etc/httpd/conf.d/modsecurity.d

Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.

sudo cp ~/ModSecurity/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Also copy the unicode.mapping file from ModSecurity source directory to Apache Modsecurity configuration directory.

sudo cp ~/ModSecurity/unicode.mapping /etc/httpd/conf.d/modsecurity.d/

Turn on ModSecurity by changing the value of SecRuleEngine to On.

sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Change the default log directory for Modsecurity

sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Next, you need to configure ModSecurity rules. Therefore, create a file where you can define the rules to include.

sudo vim /etc/httpd/conf.d/modsecurity.d/rules.conf
Include "/etc/httpd/conf.d/modsecurity.d/modsecurity.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/*.conf"

Since we have included the OWASP Rules, proceed to install them.

Install OWASP ModSecurity Core Rule Set (CRS)

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.

Clone the CRS from GitHub repository to /etc/httpd/conf.d/modsecurity.d/ as shown below;

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/httpd/conf.d/modsecurity.d/owasp-crs

Next, rename crs-setup.conf.example to crs-setup.conf.

sudo cp /etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf{.example,}

Activate ModSecurity

After all that, activate the modsecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache’s default site configuration file.

Note that you have to enable ModSecurity per directory context.

vim /etc/httpd/conf/httpd.conf

See our below the changes made on the default web root directory on the default Apache configuration;

...
<Directory "/var/www/html">
    modsecurity on
    modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
...

The lines;

 modsecurity on
 modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf

Turns on Modsecurity and specifies the location of the Modsecurity rules.

Check Apache for configuration errors and restart it.

httpd -t
Syntax OK
systemctl restart httpd

Testing Modsecurity

Next, test the effectiveness of Modsecurity with OWASP rules, for example, using the command injection. Run the command below;

curl localhost/index.html?exec=/bin/bash
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>

If you see, 403 Forbidden then it means you have nailed it.

You can as well check Modsecurity logs;

tail /var/log/httpd/modsec_audit.log
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]

Well, there you go and that is it on our guide on how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. Feel free to set up more rules as you wish and protect your web application.

Reference:

ModSecurity Wiki

ModSecurity-apache connector

Related Guides

Configure LibModsecurity with Nginx on CentOS 8

Install LibModsecurity with Apache on Ubuntu 18.04

LEAVE A REPLY

Please enter your comment!
Please enter your name here