{"id":12439,"date":"2022-04-30T23:49:59","date_gmt":"2022-04-30T20:49:59","guid":{"rendered":"https:\/\/kifarunix.com\/?p=12439"},"modified":"2024-03-09T11:17:52","modified_gmt":"2024-03-09T08:17:52","slug":"install-modsecurity-with-apache-on-ubuntu-22-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-modsecurity-with-apache-on-ubuntu-22-04\/","title":{"rendered":"Install ModSecurity with Apache on Ubuntu 22.04"},"content":{"rendered":"\n<p>Welcome to our guide on how to install ModSecurity with Apache on Ubuntu 22.04. <a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">Modsecurity<\/a> is an open source, cross platform web application firewall (WAF) developed by Trustwave&#8217;s SpiderLabs. It provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include, etc. It also allows for HTTP traffic monitoring, logging and real-time analysis.<\/p>\n\n\n\n<p>There are two versions of ModSecurity: 
Modsecurity 2.x and libmodsecurity (Modsecurity 3.x), which is a complete rewrite of Modsecurity 2.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#install-mod-security-with-apache-on-ubuntu-22-04\">Install ModSecurity with Apache on Ubuntu 22.04<\/a><ul><li><a href=\"#install-apache-web-server-on-ubuntu-22-04\">Install Apache Web Server on Ubuntu 22.04<\/a><\/li><li><a href=\"#install-modsecurity-2-x-on-ubuntu-22-04\">Install Modsecurity 2.x on Ubuntu 22.04<\/a><\/li><li><a href=\"#install-modsecurity-3-x-on-ubuntu-22-04\">Install Modsecurity 3.x on Ubuntu 22.04<\/a><\/li><li><a href=\"#configure-apache-with-mod-security\">Configure Apache with ModSecurity<\/a><ul><li><a href=\"#configure-modsecurity-2-x\">Configure Modsecurity 2.x<\/a><\/li><li><a href=\"#configure-modsecurity-3-x\">Configure Modsecurity 3.x<\/a><\/li><\/ul><\/li><li><a href=\"#activate-mod-security-apache-protection-on-ubuntu\">Activate ModSecurity Apache Protection on Ubuntu<\/a><ul><li><a href=\"#activate-modsecurity-2-x-on-ubuntu\">Activate Modsecurity 2.x on Ubuntu<\/a><\/li><li><a href=\"#activate-modsecurity-3-x-on-ubuntu\">Activate Modsecurity 3.x on Ubuntu<\/a><\/li><\/ul><\/li><li><a href=\"#testing-modsecurity\">Testing Modsecurity<\/a><\/li><li><a href=\"#reference\">Reference:<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-mod-security-with-apache-on-ubuntu-22-04\">Install ModSecurity with Apache on Ubuntu 22.04<\/h2>\n\n\n\n<p>To begin with, re-synchronize your system package index files from their sources.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-apache-web-server-on-ubuntu-22-04\">Install Apache Web Server on Ubuntu 22.04<\/h3>\n\n\n\n<p>ModSecurity runs on top of a web server. In this guide, we are using Apache. 
If not already installed, you can install Apache by following the guide below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-lamp-stack-on-ubuntu-22-04\/\">Install LAMP Stack on Ubuntu 22.04<\/a><\/p>\n\n\n\n<p>You can now choose to install Modsecurity 2 or install Modsecurity 3.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#modsec-2\">Install Modsecurity 2.x on Ubuntu 22.04<\/a><\/li>\n\n\n\n<li><a href=\"#modsec-3\">Install Modsecurity 3.x on Ubuntu 22.04<\/a><\/li>\n<\/ul>\n\n\n\n<p>The two work fine. However, I would choose Modsecurity 2.x due to some issues whereby, with Modsecurity 3.x, when you enable blocking of detected attacks, the logs are only written to modsec_audit.log file and not to Apache error.log. The choice is yours on which one to install, however.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-modsecurity-2-x-on-ubuntu-22-04\">Install Modsecurity 2.x on Ubuntu 22.04<\/h3>\n\n\n\n<p>If you want to install ModSecurity 2 (2.9.5 to be specific), you can run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install libapache2-mod-security2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-modsecurity-3-x-on-ubuntu-22-04\">Install Modsecurity 3.x on Ubuntu 22.04<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Required Build Tools and Dependencies<\/li>\n<\/ul>\n\n\n\n<p>To install Libmodsecurity or Modsecurity 3 (3.0.6 to be specific) on Ubuntu 22.04, we are going to build it from source. 
Hence, you need to install some required build tools and dependencies for a successful build.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install g++ flex bison curl apache2-dev doxygen \\\nlibyajl-dev ssdeep liblua5.2-dev libgeoip-dev libtool \\\ndh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev \\\nlibxml2-dev git -y<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compile and Install ModSecurity on Ubuntu 22.04<\/li>\n<\/ul>\n\n\n\n<p>Once your system is set up, you can proceed to install Modsecurity v3 on Ubuntu 22.04.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Download ModSecurity Source Code<\/li>\n<\/ul>\n\n\n\n<p>To install the latest stable version of <strong>ModSecurity<\/strong>, you need to compile it from the source.<\/p>\n\n\n\n<p>Therefore, navigate to&nbsp;<a class=\"rank-math-link\" href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/\" target=\"_blank\" rel=\"noreferrer noopener\">ModSecurity releases page<\/a>&nbsp;and download ModSecurity 3 source code. 
You can simply use wget to pull it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>wget https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v3.0.6\/modsecurity-v3.0.6.tar.gz<\/code><\/pre>\n\n\n\n<p>Extract the ModSecurity source code.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tar xzf modsecurity-v3.0.6.tar.gz<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compile and Install ModSecurity 3 on Ubuntu 22.04<\/li>\n<\/ul>\n\n\n\n<p>Navigate to the ModSecurity source directory, configure, compile and install it<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd modsecurity-v3.0.6<\/code><\/pre>\n\n\n\n<p>Configure ModSecurity to adapt it to your system and check if any required dependency is missing.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/build.sh<\/code><\/pre>\n\n\n\n<p>You can safely ignore the&nbsp;<code><strong>fatal: not a git repository (or any of the parent directories): .git<\/strong><\/code> error and the obsolete warning messages.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/configure<\/code><\/pre>\n\n\n\n<p>Be sure to fix any dependency issue, if any, before you can proceed to compile and install ModSecurity.<\/p>\n\n\n\n<p>If the configure script above completes with no error, proceed to compile and install LibModSecurity on Ubuntu 22.04.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>make<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>make install<\/code><\/pre>\n\n\n\n<p>LibModSecurity aka ModSecurity v3 has now been installed on Ubuntu 22.04<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install ModSecurity-Apache Connector<\/li>\n<\/ul>\n\n\n\n<p>The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. 
Now that libmodsecurity is installed, follow through the following steps to install Modsecurity Apache connector.<\/p>\n\n\n\n<p>Clone the git repository for the ModSecurity Apache connector.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~\ngit clone https:\/\/github.com\/SpiderLabs\/ModSecurity-apache<\/code><\/pre>\n\n\n\n<p>Navigate to ModSecurity-apache directory and run the following commands to compile and install it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cd ModSecurity-apache<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/autogen.sh<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>.\/configure --with-libmodsecurity=\/usr\/local\/modsecurity\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>make\nmake install<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-apache-with-mod-security\">Configure Apache with ModSecurity<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#configure-modsec-2\">Configure Modsecurity 2.x<\/a><\/li>\n\n\n\n<li><a href=\"#configure-modsec-3\">Configure Modsecurity 3.x<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-modsecurity-2-x\">Configure Modsecurity 2.x<\/h4>\n\n\n\n<p>Rename sample configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/modsecurity\/modsecurity.conf{-recommended,}<\/code><\/pre>\n\n\n\n<p>Download OWASP ModSecurity Core Rule Set (CRS) into \/etc\/modsecurity\/crs\/ directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp -r owasp-modsecurity-crs\/rules \/etc\/modsecurity\/crs\/<\/code><\/pre>\n\n\n\n<p>Configure Apache to load Modsecurity rules;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/apache2\/mods-available\/security2.conf{,.old}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > 
\/etc\/apache2\/mods-available\/security2.conf &lt;&lt; 'EOL'\n&lt;IfModule security2_module>\n        SecDataDir \/var\/cache\/modsecurity\n        Include \/etc\/modsecurity\/modsecurity.conf\n        Include \/etc\/modsecurity\/crs\/crs-setup.conf\n        Include \/etc\/modsecurity\/crs\/rules\/*.conf\n&lt;\/IfModule>\nEOL\n<\/code><\/pre>\n\n\n\n<p>Enable Modsecurity OWASP rules blocking;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/modsecurity\/crs\/crs-setup.conf<\/code><\/pre>\n\n\n\n<p>Comment the lines below by adding # at the beginning of a line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SecDefaultAction \"phase:1,log,auditlog,pass\"\nSecDefaultAction \"phase:2,log,auditlog,pass\"<\/code><\/pre>\n\n\n\n<p>Such that they look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#SecDefaultAction \"phase:1,log,auditlog,pass\"\n#SecDefaultAction \"phase:2,log,auditlog,pass\"<\/code><\/pre>\n\n\n\n<p>And then uncomment the lines below by removing the # at the beginning of the line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"\n# SecDefaultAction \"phase:2,log,auditlog,deny,status:403\"<\/code><\/pre>\n\n\n\n<p>Such that they look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"\nSecDefaultAction \"phase:2,log,auditlog,deny,status:403\"<\/code><\/pre>\n\n\n\n<p>Save the changes and exit the file.<\/p>\n\n\n\n<p>Turn on Modsecurity Engine;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/modsecurity\/modsecurity.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-modsecurity-3-x\">Configure Modsecurity 3.x<\/h4>\n\n\n\n<p>Configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"LoadModule security3_module 
\/usr\/lib\/apache2\/modules\/mod_security3.so\" | sudo tee -a \/etc\/apache2\/apache2.conf<\/code><\/pre>\n\n\n\n<p>Create ModSecurity configuration directory under <code>\/etc\/apache2<\/code><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo mkdir \/etc\/apache2\/modsecurity.d<\/code><\/pre>\n\n\n\n<p>Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo cp ~\/modsecurity-v3.0.6\/modsecurity.conf-recommended \/etc\/apache2\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n<p>Also copy the <code>unicode.mapping<\/code> file from ModSecurity source directory to Apache Modsecurity configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo cp ~\/modsecurity-v3.0.6\/unicode.mapping \/etc\/apache2\/modsecurity.d\/<\/code><\/pre>\n\n\n\n<p>Turn on ModSecurity by changing the value of <code>SecRuleEngine<\/code> to <code>On<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/apache2\/modsecurity.d\/modsecurity.conf<\/pre>\n\n\n\n<p>Next, you need to configure ModSecurity rules.<\/p>\n\n\n\n<p>Therefore, create a file where you can define the rules to include, say, <code>\/etc\/apache2\/modsecurity.d\/modsec_rules.conf<\/code>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &gt; \/etc\/apache2\/modsecurity.d\/modsec_rules.conf &lt;&lt; 'EOL'\nInclude \"\/etc\/apache2\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/*.conf\"\nEOL\n<\/code><\/pre>\n\n\n\n<p>Since we have included the OWASP Rules as part of ModSecurity 3 rules, proceed to install them.<\/p>\n\n\n\n<p>The <strong>OWASP ModSecurity Core Rule Set (CRS)<\/strong> is a set of generic attack detection rules for use with 
ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.<\/p>\n\n\n\n<p>Clone the CRS from <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs\/\" target=\"_blank\">GitHub repository<\/a> to <code>\/etc\/apache2\/modsecurity.d\/<\/code> as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/etc\/apache2\/modsecurity.d\/owasp-crs<\/code><\/pre>\n\n\n\n<p>Next, rename <code>crs-setup.conf.example<\/code> to <code>crs-setup.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo cp \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf{.example,}<\/code><\/pre>\n\n\n\n<p>Similarly, enable Modsecurity OWASP rules blocking by editing the \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf file above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n<strong>#SecDefaultAction \"phase:1,log,auditlog,pass\"\n#SecDefaultAction \"phase:2,log,auditlog,pass\"<\/strong>\n\n...\n#\n<strong>SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"\nSecDefaultAction \"phase:2,log,auditlog,deny,status:403\"<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p><strong>NOTE<\/strong> that this change causes ModSecurity 3 to log to the modsec_audit.log file ONLY and not to Apache error.log.<\/p>\n\n\n\n<p>For ModSecurity 2, the attack logs are written to Apache error log. This makes it easy to process these logs with other external security monitoring tools.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"activate-mod-security-apache-protection-on-ubuntu\">Activate ModSecurity Apache Protection on Ubuntu<\/h3>\n\n\n\n<p>After all that, activate Modsecurity on the default site configuration file or on any virtual host configuration file. 
In this guide, we are using Apache&#8217;s default site configuration file.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#activate-modsec-2\">Activate Modsecurity 2.x on Ubuntu<\/a><\/li>\n\n\n\n<li><a href=\"#activate-modsec-3\">Activate Modsecurity 3.x on Ubuntu<\/a><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"activate-modsecurity-2-x-on-ubuntu\">Activate Modsecurity 2.x on Ubuntu<\/h4>\n\n\n\n<p>If you are running Modsecurity 2.x, all you need to do at this point is to restart Apache web server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apachectl -t<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart apache2<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"activate-modsecurity-3-x-on-ubuntu\">Activate Modsecurity 3.x on Ubuntu<\/h4>\n\n\n\n<p>If you are running Modsecurity 3.x, activate it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/etc\/apache2\/sites-available\/000-default.conf{,.old}<\/code><\/pre>\n\n\n\n<p>See our sample default site virtual host configuration with no comments;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/apache2\/sites-available\/000-default.conf &lt;&lt; 'EOL'\n&lt;VirtualHost *:80&gt;\n\tmodsecurity on\n\tmodsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf \n\tServerAdmin webmaster@localhost\n\tDocumentRoot \/var\/www\/html\n\tErrorLog ${APACHE_LOG_DIR}\/error.log\n\tCustomLog ${APACHE_LOG_DIR}\/access.log combined\n&lt;\/VirtualHost&gt;\nEOL\n<\/code><\/pre>\n\n\n\n<p>The lines;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\tmodsecurity on\n\tmodsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf <\/code><\/pre>\n\n\n\n<p>Turns on Modsecurity and specifies the location of the Modsecurity rules.<\/p>\n\n\n\n<p>Check Apache for configuration errors and restart it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apachectl -t<\/code><\/pre>\n\n\n\n<p>If there is no error, you should 
get the output, <strong>Syntax OK<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart apache2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-modsecurity\">Testing Modsecurity<\/h3>\n\n\n\n<p>Next, test the effectiveness of Modsecurity against, for example, command injection. Run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl 'localhost?doc=\/bin\/ls'<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>&lt;!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\"&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;403 Forbidden&lt;\/title&gt;\n&lt;\/head&gt;&lt;body&gt;\n&lt;h1&gt;Forbidden&lt;\/h1&gt;\n&lt;p&gt;You don't have permission to access this resource.&lt;\/p&gt;\n&lt;hr&gt;\n&lt;address&gt;Apache\/2.4.52 (Ubuntu) Server at localhost Port 80&lt;\/address&gt;\n&lt;\/body&gt;&lt;\/html&gt;\n<\/code><\/pre>\n\n\n\n<p>Check Modsecurity logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail \/var\/log\/modsec_audit.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\n\n---GMiW89KJ---H--\n<strong>ModSecurity: Access denied with code 403 (phase 2)<\/strong>. 
Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) &#91;file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] &#91;line \"496\"] &#91;id \"932160\"] &#91;rev \"\"] &#91;msg \"<strong>Remote Command Execution: Unix Shell Code Found\"]<\/strong> &#91;data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] &#91;severity \"2\"] &#91;ver \"OWASP_CRS\/3.2.0\"] &#91;maturity \"0\"] &#91;accuracy \"0\"] &#91;tag \"application-multi\"] &#91;tag \"language-shell\"] &#91;tag \"platform-unix\"] &#91;tag \"attack-rce\"] &#91;tag \"paranoia-level\/1\"] &#91;tag \"OWASP_CRS\"] &#91;tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] &#91;tag \"WASCTC\/WASC-31\"] &#91;tag \"OWASP_TOP_10\/A1\"] &#91;tag \"PCI\/6.5.2\"] &#91;hostname \"127.0.1.1\"] &#91;uri \"\/\"] &#91;unique_id \"1651339080\"] &#91;ref \"o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\n\n---GMiW89KJ---I--\n\n---GMiW89KJ---J--\n\n---GMiW89KJ---Z--\n...<\/code><\/pre>\n\n\n\n<p>Similarly, install Nikto on Ubuntu and use it to scan the server to test the modsecurity rules;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-use-nikto-web-scanner-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Use Nikto Web Scanner on Ubuntu<\/a><\/p>\n\n\n\n<p>Access the site from browser and test command injection attack, <code><strong>http:\/\/domain.name\/?exec=\/bin\/bash<\/strong><\/code>.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection.png\" class=\"td-modal-image\"><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1019\" height=\"247\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection.png\" alt=\"Install ModSecurity with Apache on Ubuntu 22.04\" class=\"wp-image-8042\" title=\"\" 
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection.png?v=1614281958 1019w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-768x186.png?v=1614281958 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-150x36.png?v=1614281958 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-300x73.png?v=1614281958 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-696x169.png?v=1614281958 696w\" sizes=\"(max-width: 1019px) 100vw, 1019px\" \/><\/figure><\/div><\/a><\/div>\n\n\n\n<p>Tailing the Apache error logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/apache2\/error.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Sat Apr 30 23:43:10.888508 2022] &#91;:error] &#91;pid 4504:tid 140113703069248] &#91;client 127.0.0.1:57030] &#91;client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase \"bin\/ls\" at ARGS:doc. 
&#91;file \"\/etc\/modsecurity\/crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] &#91;line \"518\"] &#91;id \"932160\"] &#91;msg \"Remote Command Execution: Unix Shell Code Found\"] &#91;data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] &#91;severity \"CRITICAL\"] &#91;ver \"OWASP_CRS\/3.2.0\"] &#91;tag \"application-multi\"] &#91;tag \"language-shell\"] &#91;tag \"platform-unix\"] &#91;tag \"attack-rce\"] &#91;tag \"paranoia-level\/1\"] &#91;tag \"OWASP_CRS\"] &#91;tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] &#91;tag \"WASCTC\/WASC-31\"] &#91;tag \"OWASP_TOP_10\/A1\"] &#91;tag \"PCI\/6.5.2\"] &#91;hostname \"localhost\"] &#91;uri \"\/\"] &#91;unique_id \"Ym2fXltd6Nody7X50nHgVQAAAAc\"]<\/code><\/pre>\n\n\n\n<p>As a result, this confirms that the Modsecurity is functioning as expected.<\/p>\n\n\n\n<p>That is just about it on our guide on how to install ModSecurity with Apache.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reference\">Reference:<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity-apache\" target=\"_blank\">ModSecurity-apache<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noopener\">ModSecurity<\/a><\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-modsecurity-3-with-apache-in-a-docker-container\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ModSecurity 3 with Apache in a Docker Container<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/intercept-malicious-file-upload-with-modsecurity-and-clamav\/\" target=\"_blank\" rel=\"noreferrer noopener\">Intercept Malicious File Upload with ModSecurity and ClamAV<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our guide on how to install ModSecurity with Apache on Ubuntu 22.04. 
Modsecurity is an open source, cross platform web application firewall (WAF)<\/p>\n","protected":false},"author":3,"featured_media":8043,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,1207,72,34,305],"tags":[202,4978,1139,4981,4980,4412,4979,307],"class_list":["post-12439","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-modsecurity","category-monitoring","category-security","category-waf","tag-apache","tag-install-modsecurity-on-ubuntu-22-04","tag-modsecurity","tag-modsecurity-3-and-modsecurity-2","tag-opensource-waf","tag-ubuntu-22-04","tag-ubuntu-22-04-modsecurity","tag-waf","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12439"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=12439"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12439\/revisions"}],"predecessor-version":[{"id":20451,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/12439\/revisions\/20451"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8043"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=12439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=12439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=12439"}],"curies":[{"name":"wp","href":"https:\/
\/api.w.org\/{rel}","templated":true}]}}