In this guide, we are going to learn how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. Modsecurity, is an open source web application firewall (WAF) which provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include e.tc.
Install LibModsecurity with Apache on Fedora 30/29/CentOS 7
Update your system. YUM packages manager is used in this for package management since YUM can be used in both CentOS and Fedora.
yum updateIf you are building a web application, ensure that you have a LAMP stack. You can see how to install LAMP stack by following the links below;
Install LAMP Stack on Fedora 30
Install LAMP (Linux, Apache, MySQL, PHP) Stack on Fedora 28/29
Install Required Build Tools and Dependencies
Since we are going to install LibModsecurity from the source, a number of build tools dependencies are required. Run the command below to install them.
yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-configDownload LibModsecurity Source Code
To install LibModSecurity with Apache on Fedora 30/29/CentOS 7, you need to download the source code for compilation.
Therefore, create a temporary directory to store the LibModSecurity source tarball.
mkdir ~/modsecYou can choose to use /opt instead.
Navigate to ModSecurity releases page and download ModSecurity source code. You can simply use wget to pull it.
cd ~/modsecwget -P ~/modsec https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gzExtract the ModSecurity source code.
cd ~/modsectar xzf modsecurity-v3.0.4.tar.gzCompile and Install LibModsecurity on Fedora 30/29/CentOS 7
Navigate to the LibModsecurity source directory, configure, compile and install it
cd modsecurity-v3.0.4Configure LibModsecurity to adapt it to your system and check if any required dependency is missing.
./build.shYou can safely ignore the fatal: No names found, cannot describe anything messages.
./configureFix any dependency issue just in case there is any before you can proceed to compile and install LibModsecurity with Apache on CentOS
Compile and install LibModSecurity.
makemake installInstall ModSecurity-Apache Connector
The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. Now that libmodsecurity is installed, follow through the following steps to install Modsecurity Apache connector.
Clone the git repository for the ModSecurity Apache connector.
cd ~
git clone https://github.com/SpiderLabs/ModSecurity-apacheNavigate to ModSecurity-apache directory and run the following commands to compile and install it.
cd ModSecurity-apache
./autogen.sh
./configure --with-libmodsecurity=/usr/local/modsecurity/
make
sudo make installConfigure Apache with LibModsecurity
To begin with, configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.
echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.confNext, create ModSecurity configuration directory under /etc/httpd/conf.d
sudo mkdir /etc/httpd/conf.d/modsecurity.dCopy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.
sudo cp ~/ModSecurity/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.d/modsecurity.confAlso copy the unicode.mapping file from ModSecurity source directory to Apache Modsecurity configuration directory.
sudo cp ~/ModSecurity/unicode.mapping /etc/httpd/conf.d/modsecurity.d/Turn on ModSecurity by changing the value of SecRuleEngine to On.
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.confChange the default log directory for Modsecurity
sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.confNext, you need to configure ModSecurity rules. Therefore, create a file where you can define the rules to include.
sudo vim /etc/httpd/conf.d/modsecurity.d/rules.confInclude "/etc/httpd/conf.d/modsecurity.d/modsecurity.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/*.conf"Since we have included the OWASP Rules, proceed to install them.
Install OWASP ModSecurity Core Rule Set (CRS)
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.
Clone the CRS from GitHub repository to /etc/httpd/conf.d/modsecurity.d/ as shown below;
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/httpd/conf.d/modsecurity.d/owasp-crsNext, rename crs-setup.conf.example to crs-setup.conf.
sudo cp /etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf{.example,}Activate ModSecurity
After all that, activate the modsecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache’s default site configuration file.
Note that you have to enable ModSecurity per directory context.
vim /etc/httpd/conf/httpd.confSee our below the changes made on the default web root directory on the default Apache configuration;
...
<Directory "/var/www/html">
modsecurity on
modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
...The lines;
modsecurity on
modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.confTurns on Modsecurity and specifies the location of the Modsecurity rules.
Check Apache for configuration errors and restart it.
httpd -t
Syntax OKsystemctl restart httpdTesting Modsecurity
Next, test the effectiveness of Modsecurity with OWASP rules, for example, using the command injection. Run the command below;
curl localhost/index.html?exec=/bin/bash<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>If you see, 403 Forbidden then it means you have nailed it.
You can as well check Modsecurity logs;
tail /var/log/httpd/modsec_audit.logModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref "o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "cent7.example.com"] [uri "/index.html"] [unique_id "156978926276.295922"] [ref ""]Well, there you go and that is it on our guide on how to install LibModsecurity with Apache on Fedora 30/29/CentOS 7. Feel free to set up more rules as you wish and protect your web application.
Reference:
