{"id":10092,"date":"2021-08-19T19:27:53","date_gmt":"2021-08-19T16:27:53","guid":{"rendered":"https:\/\/kifarunix.com\/?p=10092"},"modified":"2024-03-18T18:50:23","modified_gmt":"2024-03-18T15:50:23","slug":"easily-install-modsecurity-with-apache-on-rocky-linux-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/easily-install-modsecurity-with-apache-on-rocky-linux-8\/","title":{"rendered":"Easily Install ModSecurity with Apache on Rocky Linux 8"},"content":{"rendered":"\n

In this guide, we are going to learn how to install ModSecurity with Apache on Rocky Linux 8. This guide focusses on installing the LibMosecurity<\/a>, also known as ModSecurity version 3. ModSecurity is an open source, cross platform web application firewall (WAF) engine which provides protection against a wide range of web application attacks.<\/p>\n\n\n\n

Installing ModSecurity with Apache on Rocky Linux 8<\/h2>\n\n\n\n

Run System Update<\/h3>\n\n\n\n

Begin by updating your system packages.<\/p>\n\n\n\n

dnf update<\/code><\/pre>\n\n\n\n
Install Required Build Tools and Dependencies<\/h3>\n\n\n\n
LibModsecurity are going to be compiled from the source and thus a number of build tools and dependencies are required.<\/p>\n\n\n\n
Run the commands below to install them.<\/p>\n\n\n\n
dnf config-manager --set-enabled powertools<\/code><\/pre>\n\n\n\n
Install additional repositories.<\/p>\n\n\n\n
dnf install epel-release -y<\/code><\/pre>\n\n\n\n
dnf install https:\/\/rpms.remirepo.net\/enterprise\/remi-release-8.rpm -y<\/code><\/pre>\n\n\n\n
dnf config-manager --set-enabled remi<\/code><\/pre>\n\n\n\n
Install the required dependencies.<\/p>\n\n\n\n
dnf install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config git wget openssl openssl-devel vim GeoIP-devel doxygen yajl-devel libmaxminddb libmaxminddb-devel GeoIP-devel lmdb lmdb-devel ssdeep-devel lua-devel perl-File-Path -y<\/code><\/pre>\n\n\n\n
Download Modsecurity Source Code<\/h3>\n\n\n\n
Create a temporary directory to store the source tarballs.<\/p>\n\n\n\n
mkdir ~\/modsec<\/code><\/pre>\n\n\n\n
You can choose to use \/opt<\/code> instead.<\/p>\n\n\n\n
Navigate to ModSecurity releases page<\/a> and download ModSecurity source code. You can simply use wget to pull it.<\/p>\n\n\n\n
cd ~\/modsec<\/code><\/pre>\n\n\n\n
wget -P ~\/modsec https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v3.0.5\/modsecurity-v3.0.5.tar.gz<\/code><\/pre>\n\n\n\n
Extract the ModSecurity source code.<\/p>\n\n\n\n
cd ~\/modsec<\/code><\/pre>\n\n\n\n
tar xzf modsecurity-v3.0.5.tar.gz<\/code><\/pre>\n\n\n\n
Compile and Install Modsecurity on Rocky Linux<\/h3>\n\n\n\n
Navigate to the LibModsecurity source directory, configure, compile and install it<\/p>\n\n\n\n
cd modsecurity-v3.0.5<\/code><\/pre>\n\n\n\n
Configure LibModsecurity to adapt it to your system and check if any required dependency is missing.<\/p>\n\n\n\n
.\/build.sh<\/code><\/pre>\n\n\n\n
You can safely ignore the fatal: *<\/strong> messages.<\/p>\n\n\n\n
.\/configure --with-maxmind=no<\/code><\/pre>\n\n\n\n
Fix any dependency issue just in case there is any before you can proceed to compile and install LibModsecurity with Apache on CentOS<\/p>\n\n\n\n
Compile and install ModSecurity on Rocky Linux 8.<\/p>\n\n\n\n
make<\/code><\/pre>\n\n\n\n
make install<\/code><\/pre>\n\n\n\n
Install ModSecurity-Apache Connector on Rocky Linux 8<\/h3>\n\n\n\n
Once the installation of LibModsecurity is done, proceed to install the ModSecurity-apache connector which provides a communication channel between Apache and libModsecurity. <\/p>\n\n\n\n
Clone the git repository for the ModSecurity Apache connector.<\/p>\n\n\n\n
cd ~\ngit clone https:\/\/github.com\/SpiderLabs\/ModSecurity-apache<\/code><\/pre>\n\n\n\n
Navigate to ModSecurity-apache directory and run the following commands to compile and install it.<\/p>\n\n\n\n
cd ModSecurity-apache<\/code><\/pre>\n\n\n\n
.\/autogen.sh<\/code><\/pre>\n\n\n\n
.\/configure --with-libmodsecurity=\/usr\/local\/modsecurity\/<\/code><\/pre>\n\n\n\n
make<\/code><\/pre>\n\n\n\n
make install<\/code><\/pre>\n\n\n\n
Configure Apache with Modsecurity on Rocky Linux 8<\/h2>\n\n\n\n
Next, configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.<\/p>\n\n\n\n
echo \"LoadModule security3_module <\/code>\/usr\/lib64\/httpd\/modules\/mod_security3.so\" | sudo tee -a \/etc\/httpd\/conf\/httpd.conf<\/code><\/pre>\n\n\n\n
Create ModSecurity configuration directory under \/etc\/httpd\/conf.d<\/code><\/p>\n\n\n\n
mkdir \/etc\/httpd\/conf.d\/modsecurity.d<\/code><\/pre>\n\n\n\n
Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.<\/p>\n\n\n\n
cp ~\/modsec\/modsecurity-v3.0.5\/modsecurity.conf-recommended \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Also copy the unicode.mapping<\/code> file from ModSecurity source directory to Apache Modsecurity configuration directory.<\/p>\n\n\n\n
sudo cp ~\/modsec\/modsecurity-v3.0.5\/unicode.mapping \/etc\/httpd\/conf.d\/modsecurity.d\/<\/code><\/pre>\n\n\n\n
Activate ModSecurity by changing the value of SecRuleEngine<\/code> to On<\/code>.<\/p>\n\n\n\n
sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Change the default log directory for Modsecurity<\/p>\n\n\n\n
sed -i 's#\/var\/log\/modsec_audit.log#\/var\/log\/httpd\/modsec_audit.log#' \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Configure ModSecurity rules by creating a file where you can define the rules to include.<\/p>\n\n\n\n
cat > \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf << 'EOL'\nInclude \"\/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/*.conf\"\nEOL<\/code><\/pre>\n\n\n\n
Since we have included the OWASP Rules, proceed to install them.<\/p>\n\n\n\n
Install OWASP ModSecurity Core Rule Set (CRS)<\/h3>\n\n\n\n
The OWASP ModSecurity Core Rule Set (CRS)<\/strong> is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.<\/p>\n\n\n\n
Clone the CRS from GitHub repository<\/a> to \/etc\/apache2\/modsecurity.d\/<\/code> as shown below;<\/p>\n\n\n\n
git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs<\/code><\/pre>\n\n\n\n
Next, rename crs-setup.conf.example<\/code> to crs-setup.conf<\/code>.<\/p>\n\n\n\n
cp \/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/crs-setup.conf{.example,}<\/code><\/pre>\n\n\n\n
Activate ModSecurity 3 on Rocky Linux 8<\/h3>\n\n\n\n
After all that, activate the modsecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache\u2019s default site configuration file.<\/p>\n\n\n\n
Note that you have to enable ModSecurity per directory context.<\/p>\n\n\n\n
vim \/etc\/httpd\/conf\/httpd.conf<\/code><\/pre>\n\n\n\n
See our below the changes made on the default web root directory on the default Apache configuration;<\/p>\n\n\n\n
...\n>Directory \"\/var\/www\/html\"<\n    modsecurity on\n    modsecurity_rules_file \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf<\/strong>\n    Options Indexes FollowSymLinks\n    AllowOverride None\n    Require all granted\n>\/Directory<\n...\n<\/code><\/pre>\n\n\n\n
The lines;<\/p>\n\n\n\n
 modsecurity on\n modsecurity_rules_file \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf<\/strong><\/code><\/pre>\n\n\n\n
Turns on Modsecurity and specifies the location of the Modsecurity rules respectively.<\/p>\n\n\n\n
Check Apache for configuration errors and restart it.<\/p>\n\n\n\n
httpd -t<\/code><\/pre>\n\n\n\n
Syntax OK<\/code><\/pre>\n\n\n\n
systemctl restart httpd<\/code><\/pre>\n\n\n\n
Testing Modsecurity<\/h3>\n\n\n\n
Next, test the effectiveness of Modsecurity with OWASP rules, for example, using the command injection. Run the command below;<\/p>\n\n\n\n
curl localhost\/index.html?exec=\/bin\/bash<\/code><\/pre>\n\n\n\n
<!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n<html><head>\n<title>403 Forbidden<\/title>\n<\/head><body>\n<h1>Forbidden<\/h1>\n<p>You don't have permission to access \/index.html\non this server.<\/p>\n<\/body><\/html><\/code><\/pre>\n\n\n\n
If you see, 403 Forbidden<\/code><\/strong> then it means you have nailed it.<\/p>\n\n\n\n
You can as well check Modsecurity logs;<\/p>\n\n\n\n
tail \/var\/log\/httpd\/modsec_audit.log<\/code><\/pre>\n\n\n\n
---AzdMfmgc---B--\nGET \/index.html?exec=\/bin\/bash HTTP\/1.1\nHost: localhost\nUser-Agent: curl\/7.61.1\nAccept: *\/*\n\n---AzdMfmgc---D--\n\n---AzdMfmgc---F--\nHTTP\/1.1 403\n\n---AzdMfmgc---H--\nModSecurity: Warning. Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `\/bin\/bash' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/bash found within ARGS:exec: \/bin\/bash\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] \n[tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"rocky8.kifarunix-demo.com\"] [uri \"\/index.html\"] [unique_id \"1629389313\"] [ref \"o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\nModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"80\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] \n[data \"\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"rocky8.kifarunix-demo.com\"] [uri \"\/index.html\"] [unique_id \"1629389313\"] [ref \"\"]<\/strong>\n\n---AzdMfmgc---I--\n\n---AzdMfmgc---J--\n\n---AzdMfmgc---Z--\n<\/code><\/pre>\n\n\n\n
You will also find such logs on Apache error log files;<\/p>\n\n\n\n
tail \/var\/log\/httpd\/error_log<\/code><\/pre>\n\n\n\n
...\n[Thu Aug 19 19:08:33.445040 2021] [:error] [pid 1658:tid 140385787549440] [client ::1:58424] ModSecurity: Warning. Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `\/bin\/bash' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] \n[line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/bash found within ARGS:exec: \/bin\/bash\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] \n[tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"rocky8.kifarunix-demo.com\"] [uri \"\/index.html\"] [unique_id \"1629389313\"] [ref \"o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\n...\n\n<\/code><\/pre>\n\n\n\n
Well, there you go. ModSecurity 3 or LibModSeceurity is now installed, activated and protecting your site against web attacks.<\/p>\n\n\n\n
Feel free to set up more rules as you wish and protect your web application.<\/p>\n\n\n\n
Other Tutorials<\/h2>\n\n\n\n
Protect WordPress Against Brute force Attacks Using Fail2ban<\/a><\/p>\n\n\n\n
Restrict Access to WordPress Login Page to Specific IPs with libModSecurity<\/a><\/p>\n\n\n\n
Configure LDAP Based HTTP Basic Authentication<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, we are going to learn how to install ModSecurity with Apache on Rocky Linux 8. This guide focusses on installing the LibMosecurity, also known<\/p>\n","protected":false},"author":3,"featured_media":10111,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,254,121,1207,304,253],"tags":[3971,3968,1140,3970,3969,3972],"class_list":["post-10092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-apache","category-howtos","category-modsecurity","category-nginx","category-web-servers","tag-apache-modsecurity","tag-install-modsecurity-on-rocky-linux","tag-libmodsecurity","tag-modsecurity-3-with-apache","tag-setup-modsecurity-with-apache","tag-web-application-modsecurity","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10092"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=10092"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10092\/revisions"}],"predecessor-version":[{"id":21689,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10092\/revisions\/21689"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10111"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=10092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=10092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=10092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}