Installing ModSecurity on Ubuntu also requires enabling the Core Rule Set so that the module can handle malicious activity.
As part of our Server Management Services here at Ibmi Media, we regularly help our Customers to perform ModSecurity related tasks.
In this context, we shall look into the steps to install and configure ModSecurity on Ubuntu 16.04.
Why ModSecurity matters on Ubuntu
ModSecurity, a powerful Web Application Firewall, integrates directly into Apache's module system, which lets it intercept traffic at the earliest stage of a request.
Early detection is crucial for blocking malicious requests, as it stops them before they reach the web applications hosted on the Apache server.
Now we shall proceed with the steps to install ModSecurity on Ubuntu.
How to install ModSecurity on Ubuntu?
Before we proceed to install mod_security, we need to make sure that we are running Apache 2.4 and that mod_security is not already installed on the system. We can cross-check this with the commands below:
Check Apache’s Version
$ sudo apache2ctl -v
Check if the Security Module is Active
$ apache2ctl -M | grep security
This command returns nothing if mod_security is not installed, and returns a line containing security2_module (the mod_security module) if it is installed.
After the pre-checks, we can proceed with the installation. We use the apt package manager to install the libapache2-modsecurity package.
$ sudo apt install libapache2-modsecurity -y
After installation, we can run the same command as earlier to confirm that the mod_security module is active.
How to configure mod_security on Ubuntu?
Now that the base module is installed, we need to configure and enable it. This involves a series of steps.
The first step is to copy the recommended config over as the live config. The default configuration file /etc/modsecurity/modsecurity.conf-recommended must be copied to /etc/modsecurity/modsecurity.conf to enable and configure ModSecurity.
To do this, execute the command:
$ sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then edit the live config and change "SecRuleEngine DetectionOnly" to "SecRuleEngine On" with any available text editor. (DetectionOnly only logs matching requests; On actually blocks them.)
The third step is to check Apache's config syntax and restart Apache if it is OK:
$ sudo apache2ctl -t && sudo apache2ctl restart
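The SecRuleEngine switch above is a one-line edit, but it is easy to get wrong with a bare sed (matching the commented example line, or a typo such as "SecRuleEngine Oon" that makes Apache refuse to start). The helper below, an added example and not part of the original post, reads and sets the active SecRuleEngine directive in a config file given as a parameter (the post's live config is /etc/modsecurity/modsecurity.conf), rejects anything other than On, Off or DetectionOnly, and leaves commented lines untouched. The function and file names are this example's own.

```sh
#!/bin/sh
# Added example: read and switch the active SecRuleEngine directive in a
# ModSecurity config. The config path is a parameter so it can be tried on a
# copy first; the live file from the post is /etc/modsecurity/modsecurity.conf.

# Print the value of the last uncommented SecRuleEngine line, or "unset".
secrule_engine_mode() {
    conf="$1"
    mode=$(grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$conf" \
           | tail -n 1 | awk '{print $2}')
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'unset\n'; fi
}

# Set SecRuleEngine to On, Off or DetectionOnly; refuse any other value so a
# typo never reaches Apache. Only the active directive is rewritten; commented
# example lines ("# SecRuleEngine On") are left as they are.
set_secrule_engine() {
    conf="$1"; mode="$2"
    case "$mode" in
        On|Off|DetectionOnly) ;;
        *) echo "invalid SecRuleEngine mode: $mode" >&2; return 2 ;;
    esac
    if grep -qE '^[[:space:]]*SecRuleEngine[[:space:]]+' "$conf"; then
        sed -i -E "s/^([[:space:]]*SecRuleEngine[[:space:]]+)[A-Za-z]+/\1$mode/" "$conf"
    else
        printf 'SecRuleEngine %s\n' "$mode" >> "$conf"
    fi
}

# The post's third step: only restart when the syntax check passes.
restart_apache_if_ok() {
    sudo apache2ctl -t && sudo apache2ctl restart
}

# Typical use on the live config (requires root):
#   set_secrule_engine /etc/modsecurity/modsecurity.conf On && restart_apache_if_ok
```

In practice it pays to leave the engine in DetectionOnly for a while after enabling the rules, review what the audit log configured by SecAuditLog reports, and only then switch to On, so that false positives are found before they start blocking real users.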
How to enable the Core Rule Set and base rules?
A good security module requires an equally good rule set. The libapache2-modsecurity package has a companion package, modsecurity-crs, which contains the Core Rule Set (CRS). The CRS handles the most common classes of malicious activity, such as:
i. SQL Injections (SQLi)
ii. Remote Code Execution (RCE)
iii. Cross Site Scripting (XSS)
Let us now go through the steps to enable the CRS and its base rules.
First, add the following lines to modsecurity.conf with any available editor:
# ModSecurity Core Rule Set (CRS)
Next, create a symlink in the activated_rules directory for every *.conf file in the base_rules directory:
CSRD=/usr/share/modsecurity-crs; for e in $CSRD/base_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done
We can now confirm that the symlinks are present in the activated_rules directory with the command below:
$ sudo ls /usr/share/modsecurity-crs/activated_rules/*.conf
Finally, check Apache's config syntax and restart Apache if it is OK, as we did earlier.
Although the server is now actively using the base_rules from the CRS, the CRS package provides additional rule sets as well.
Each time one or more mod_security rules are changed, verify the syntax and restart Apache.
The Core Rule Set includes many additional rules, for instance experimental_rules, optional_rules, and slr_rules. Each category's rules are located in a directory of the same name.
Activating these rules follows the same process as enabling the base_rules: create a symlink to the desired rule file in the activated_rules directory.
The additional rules, especially experimental_rules, are more likely to produce false positives and block legitimate traffic, so watch the logs in DetectionOnly mode before enforcing them.
To disable a rule, delete the symlink in the activated_rules directory that points to the rule in question (the rule file itself stays in its category directory). After deleting it, restart Apache to make the change active.
For instance, to disable the application_defects rule, use the command below and then restart Apache:
$ sudo rm -rf /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_55_application_defects.conf
$ sudo apache2ctl restart
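The symlink loop, the activated_rules listing and the rule removal above are the whole management interface for a CRS 2.x install, so it is worth wrapping them in a few idempotent functions. The script below is an added example and not part of the original post: it takes the CRS directory as a parameter (the real path in the post is /usr/share/modsecurity-crs) so it can be exercised on a scratch tree, adds the Include stanza to a config only once, skips symlinks that already exist (a plain ln -s loop fails with "File exists" when re-run), and removes only the symlink, never the rule file. The two Include lines are an assumption based on the top-level setup file plus activated_rules layout the post describes; the function names and the sample rule files in the usage notes are constructed for this example.

```sh
#!/bin/sh
# Added example: manage OWASP CRS 2.x rule activation via symlinks.
# CRS_DIR is passed in; on the post's Ubuntu 16.04 install it is
# /usr/share/modsecurity-crs. Run with sudo against the real tree.

# Append the CRS Include stanza to a ModSecurity config if not already there.
# The two Include lines are assumed for the 2.x layout (setup file at the top
# level, active rules linked into activated_rules).
crs_ensure_includes() {
    conf="$1"; crs="$2"
    if ! grep -qF "$crs/activated_rules/" "$conf"; then
        {
            printf '# ModSecurity Core Rule Set (CRS)\n'
            printf 'Include %s/*.conf\n' "$crs"
            printf 'Include %s/activated_rules/*.conf\n' "$crs"
        } >> "$conf"
    fi
}

# Link every *.conf of one category (base_rules, optional_rules, slr_rules,
# experimental_rules) into activated_rules. Existing links are skipped, so
# re-running is safe. Prints the number of links created.
crs_activate() {
    crs="$1"; category="$2"; n=0
    for rule in "$crs/$category"/*.conf; do
        [ -e "$rule" ] || continue          # unmatched glob: nothing to do
        target="$crs/activated_rules/$(basename "$rule")"
        if [ ! -e "$target" ]; then
            ln -s "$rule" "$target"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Remove the symlink for one rule file by name; the rule itself is kept in
# its category directory so it can be re-enabled later.
crs_deactivate() {
    crs="$1"; rule="$2"
    target="$crs/activated_rules/$rule"
    if [ -L "$target" ]; then
        rm "$target"
    else
        echo "not active: $rule" >&2
        return 1
    fi
}

# List the names of currently active rule files, one per line.
crs_list_active() {
    for f in "$1"/activated_rules/*.conf; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Typical use on the live tree (then run apache2ctl -t and restart Apache):
#   crs_ensure_includes /etc/modsecurity/modsecurity.conf /usr/share/modsecurity-crs
#   crs_activate /usr/share/modsecurity-crs base_rules
#   crs_deactivate /usr/share/modsecurity-crs modsecurity_crs_55_application_defects.conf
```

Because every change only touches symlinks, the state of the firewall is fully visible with crs_list_active, and rolling back a noisy rule is a matter of removing one link and restarting Apache, exactly as the post does by hand.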