Install LibModsecurity with Apache on Ubuntu 18.04

0
428

Welcome to our guide on how to install LibModsecurity with Apache on Ubuntu 18.04. Libmodsecurity (Modsecurity v3), is an open source, cross platform web application firewall (WAF) developed by Trustwave’s SpiderLabs. It is a complete rewrite of ModSecurity v2 and it provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include e.tc. It also allows for HTTP traffic monitoring, logging and real-time analysis.

Install LibModsecurity with Apache on Ubuntu 18.04

Prerequisites

Run System Update

Resynchronize your system packages to their latest versions.

apt update
apt upgrade

Install LAMP Stack

Before you can install and configure LibModsecurity with Apache on Ubuntu 18.04, you need to have LAMP Stack installed and running your server. Follow the link below to setup LAMP stack on Ubuntu 18.04.

How to install LAMP Stack on Ubuntu 18.04

Install Required Build Tools and Dependencies

To install Libmodsecurity or Modsecurity v3 on Ubuntu 18.04, we are going to build it from source. Hence, you need to install some required build tools and dependencies for a successful build.

sudo apt install g++ flex bison curl apache2-dev doxygen libyajl-dev ssdeep liblua5.2-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev git

Compile and Install LibModsecurity on Ubuntu 18.04

Once your system is setup, you can proceed to install Modsecurity v3. To install the latest stable version of LibModsecurity, you need to compile it from the source.

However, if you would like to install Modsecurity v2.9, it is available on Ubuntu repositories and can just be installed by running the command below;

sudo apt install libapache2-mod-security2

To install LibModsecurity, you need to clone its latest GitHub repository by running the command;

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity

LibModsecurity also requires libInjection code. As such, navigate to cloned source code directory and download the libInjection by running the commands;

cd ModSecurity/
git submodule init
git submodule update

Next, configure LibModsecurity to adapt it to your system.

./build.sh
./configure

Ignore the error, fatal: No names found, cannot describe anything.

Compile LibModsec by running the make command.

make

Once the compilation is done, install the libModSecurity by running the command;

sudo make install

Install ModSecurity-Apache Connector

The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. Now that libmodsecurity is installed, follow through the following steps to install Modsecurity Apache connector.

Clone the git repository for the ModSecurity Apache connector.

cd ~
git clone https://github.com/SpiderLabs/ModSecurity-apache

Navigate to ModSecurity-apache directory and run the following commands to compile and install it.

cd ModSecurity-apache
./autogen.sh
./configure --with-libmodsecurity=/usr/local/modsecurity/
make
sudo make install

Configure Apache with LibModsecurity

Load the Apache ModSecurity Connector Module

Configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.

echo "LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so" | sudo tee -a /etc/apache2/apache2.conf

Configure ModSecurity

Create ModSecurity configuration directory under /etc/apache2

sudo mkdir /etc/apache2/modsecurity.d

Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.

sudo cp ~/ModSecurity/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf

Also copy the unicode.mapping file from ModSecurity source directory to Apache Modsecurity configuration directory.

sudo cp ~/ModSecurity/unicode.mapping /etc/apache2/modsecurity.d/

Turn on ModSecurity by changing the value of SecRuleEngine to On.

sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/apache2/modsecurity.d/modsecurity.conf

Next, you need to configure ModSecurity rules. Therefore, create a file where you can define the rules to include, say, /etc/apache2/modsecurity.d/modsec_rules.conf.

sudo vim /etc/apache2/modsecurity.d/modsec_rules.conf
Include "/etc/apache2/modsecurity.d/modsecurity.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf"

Since we have included the OWASP Rules, proceed to install them.

Install OWASP ModSecurity Core Rule Set (CRS)

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.

Clone the CRS from GitHub repository to /etc/apache2/modsecurity.d/ as shown below;

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/apache2/modsecurity.d/owasp-crs

Next, rename crs-setup.conf.example to crs-setup.conf.

sudo cp /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf{.example,}

Activate ModSecurity

After all that, activate the modsecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache’s default site configuration file.

vim /etc/apache2/sites-available/000-default.conf

See our sample default site virtual host configuration with no comments;

<VirtualHost *:80>
	modsecurity on
	modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf 
	ServerAdmin [email protected]
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The lines;

	modsecurity on
	modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf 

Turns on Modsecurity and specifies the location of the Modsecurity rules.

Check Apache for configuration errors and restart it.

apachectl configtest
Syntax OK
systemctl restart apache2

Testing Modsecurity

Next, test the effectiveness of Modsecurity, for example, command injection. Run the command below;

curl localhost?doc=/bin/ls
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at localhost Port 80</address>
</body></html>

Check Modsecurity logs;

tail /var/log/modsec_audit.log
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "488"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "web-01.kifarunix-demo.com"] [uri "/"] [unique_id "156976184572.128853"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "79"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "web-01.kifarunix-demo.com"] [uri "/"] [unique_id "156976184572.128853"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "web-01.kifarunix-demo.com"] [uri "/"] [unique_id "156976184572.128853"] [ref ""]

As a result, this confirms that the Modsecurity is functioning as expected and that is just about it on our guide on how to install LibModsecurity with Apache on Ubuntu 18.04.

Reference:

ModSecurity-apache

ModSecurity

Related Guides

Configure LibModsecurity with Nginx on CentOS 8

Install LibModsecurity with Apache on Fedora 30/29/CentOS 7

LEAVE A REPLY

Please enter your comment!
Please enter your name here