{"id":18227,"date":"2023-08-07T21:04:32","date_gmt":"2023-08-07T18:04:32","guid":{"rendered":"https:\/\/kifarunix.com\/?p=18227"},"modified":"2024-03-10T10:44:09","modified_gmt":"2024-03-10T07:44:09","slug":"install-modsecurity-with-apache-on-debian-12","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-modsecurity-with-apache-on-debian-12\/","title":{"rendered":"Install ModSecurity with Apache on Debian 12"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install ModSecurity with Apache on Debian 12. <a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">Modsecurity<\/a> is an open-source, cross-platform web application firewall (WAF) developed by Trustwave&#8217;s SpiderLabs. It provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include, etc. It also allows for HTTP traffic monitoring, logging and real-time analysis.<\/p>\n\n\n\n<p>There are two versions of ModSecurity. 
Modsecurity 2.x and libmodsecurity (Modsecurity 3.x) which is a complete rewrite of Modsecurity 2.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-mod-security-with-apache-on-debian-12\">Installing ModSecurity with Apache on Debian 12<\/h2>\n\n\n\n<p>To begin with, re-synchronize your system packages to their latest versions.<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\">apt update<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-apache-web-server-on-debian-12\">Install Apache Web Server on Debian 12<\/h3>\n\n\n\n<p>ModSecurity runs on top of a web server. In this guide, we are using Apache. If it is not already installed, you can install Apache as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install apache2<\/code><\/pre>\n\n\n\n<p>If you are running a PHP based app, then ensure the PHP module for the Apache 2 webserver is installed.<\/p>\n\n\n\n<p>You can now choose to install Modsecurity 2 or install Modsecurity 3.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#install-modsecurity-2-x-on-debian-12\">Install Modsecurity 2.x on Debian 12<\/a><\/li>\n\n\n\n<li><a href=\"#install-modsecurity-3-x-on-debian-12\">Install Modsecurity 3.x on Debian 12<\/a><\/li>\n<\/ul>\n\n\n\n<p>Both of them work fine. However, I would choose Modsecurity 2.x due to some issues whereby, with Modsecurity 3.x, when you enable blocking of detected attacks, the logs are only written to the modsec_audit.log file and not to the Apache error.log. The choice of which one to install is yours, however.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-modsecurity-2-x-on-debian-12\">Install Modsecurity 2.x on Debian 12<\/h3>\n\n\n\n<p>If you want to install ModSecurity 2 (2.9.5 to be specific), you can run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install libapache2-mod-security2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-modsecurity-3-x-on-debian-12\">Install Modsecurity 3.x on Debian 12<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-required-build-tools-and-dependencies\">Install Required Build Tools and Dependencies<\/h4>\n\n\n\n<p>To install Libmodsecurity or Modsecurity 3 (3.0.6 to be specific) on Debian 12, we are going to build it from source. 
Hence, you need to install some required build tools and dependencies for a successful build.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\napt install g++ \\\n\tflex \\\n\tbison \\\n\tcurl \\\n\tapache2-dev \\\n\tdoxygen \\\n\tlibyajl-dev \\\n\tssdeep \\\n\tliblua5.2-dev \\\n\tlibgeoip-dev \\\n\tlibtool \\\n\tdh-autoreconf \\\n\tlibcurl4-gnutls-dev \\\n\tlibxml2 \\\n\tlibpcre3-dev \\\n\tlibxml2-dev \\\n\tgit -y\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"compile-and-install-mod-security-on-debian-12\">Compile and Install ModSecurity on Debian 12<\/h4>\n\n\n\n<p>Once your system is set up, you can proceed to install Modsecurity v3 on Debian 12.<\/p>\n\n\n\n<p>To install the latest stable version of <strong>ModSecurity<\/strong>, you need to compile it from the source.<\/p>\n\n\n\n<p>Therefore, navigate to the&nbsp;<a class=\"rank-math-link\" href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/\" target=\"_blank\" rel=\"noreferrer noopener\">ModSecurity releases page<\/a>&nbsp;and download the ModSecurity 3 source code. 
You can simply use wget to pull it.<\/p>\n\n\n\n<p>Replace the value of VER with the current release version;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>VER=3.0.10<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">wget https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v${VER}\/modsecurity-v${VER}.tar.gz<\/pre>\n\n\n\n<p>Extract the ModSecurity source code.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tar xzf modsecurity-v${VER}.tar.gz<\/pre>\n\n\n\n<p>Navigate to the ModSecurity source directory, configure, compile and install it<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd modsecurity-v${VER}<\/pre>\n\n\n\n<p>Configure ModSecurity to adapt it to your system and check if any required dependency is missing.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/build.sh<\/pre>\n\n\n\n<p>You can safely ignore the&nbsp;<code><strong>fatal: not a git repository (or any of the parent directories): .git<\/strong><\/code> error and the obsolete warning messages.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/configure<\/pre>\n\n\n\n<p>Be sure to fix any dependency issue, if any, before you can proceed to compile and install ModSecurity with Apache.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n ...\n \nModSecurity -  for Linux\n \n Mandatory dependencies\n   + libInjection                                  ....\n   + SecLang tests                                 ....\n \n Optional dependencies\n   + GeoIP\/MaxMind                                 ....found \n      * (GeoIP) v1.6.12\n         -lGeoIP , -I\/usr\/include\/ \n   + LibCURL                                       ....found v7.88.1 \n      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL\n   + YAJL                                          ....found v2.1.0\n      -lyajl , -DWITH_YAJL -I\/usr\/include\/yajl \n   + LMDB                                          ....not found\n   + LibXML2                                       ....found v2.9.14\n      -lxml2 , 
-I\/usr\/include\/libxml2  -DWITH_LIBXML2\n   + SSDEEP                                        ....not found\n   + LUA                                           ....found v502\n      -llua5.2 -L\/usr\/lib\/x86_64-linux-gnu\/, -DWITH_LUA -DWITH_LUA_5_2 -I\/usr\/include\/lua5.2\n   + PCRE2                                          ....disabled\n \n Other Options\n   + Test Utilities                                ....enabled\n   + SecDebugLog                                   ....enabled\n   + afl fuzzer                                    ....disabled\n   + library examples                              ....enabled\n   + Building parser                               ....disabled\n   + Treating pm operations as critical section    ....disabled\n<\/code><\/pre>\n\n\n\n<p>If the configure script above completes with no error, proceed to compile and install LibModSecurity on Debian 12.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">make<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">make install<\/pre>\n\n\n\n<p>LibModSecurity aka ModSecurity v3 has now been installed on Debian 12<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-mod-security-apache-connector\">Install ModSecurity-Apache Connector<\/h4>\n\n\n\n<p>The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. 
Now that libmodsecurity is installed, follow through the following steps to install Modsecurity Apache connector.<\/p>\n\n\n\n<p>Clone the git repository for the ModSecurity Apache connector.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/SpiderLabs\/ModSecurity-apache<\/code><\/pre>\n\n\n\n<p>Navigate to ModSecurity-apache directory and run the following commands to compile and install it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd ModSecurity-apache<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/autogen.sh<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">.\/configure --with-libmodsecurity=\/usr\/local\/modsecurity\/<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>make<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">make install<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-apache-with-mod-security\">Configure Apache with ModSecurity<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-modsecurity-2-x\">Configure Modsecurity 2.x<\/h4>\n\n\n\n<p>Rename sample configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/modsecurity\/modsecurity.conf{-recommended,}<\/code><\/pre>\n\n\n\n<p>Download OWASP ModSecurity Core Rule Set (CRS) into \/etc\/modsecurity\/crs\/ directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>cp -r owasp-modsecurity-crs\/rules \/etc\/modsecurity\/crs\/<\/code><\/pre>\n\n\n\n<p>Configure Apache to load Modsecurity rules;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/apache2\/mods-available\/security2.conf{,.old}<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/apache2\/mods-available\/security2.conf &lt;&lt; 'EOL'\n&lt;IfModule security2_module>\n        SecDataDir \/var\/cache\/modsecurity\n        Include 
\/etc\/modsecurity\/modsecurity.conf\n        Include \/etc\/modsecurity\/crs\/crs-setup.conf\n        Include \/etc\/modsecurity\/crs\/rules\/*.conf\n&lt;\/IfModule>\nEOL\n<\/code><\/pre>\n\n\n\n<p>Enable Modsecurity OWASP rules blocking;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/modsecurity\/crs\/crs-setup.conf<\/code><\/pre>\n\n\n\n<p>Comment the lines below by adding # at the beginning of a line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SecDefaultAction \"phase:1,log,auditlog,pass\"\nSecDefaultAction \"phase:2,log,auditlog,pass\"<\/code><\/pre>\n\n\n\n<p>Such that they look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#SecDefaultAction \"phase:1,log,auditlog,pass\"\n#SecDefaultAction \"phase:2,log,auditlog,pass\"<\/code><\/pre>\n\n\n\n<p>And then uncomment the lines below by removing the # at the beginning of the line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"\n# SecDefaultAction \"phase:2,log,auditlog,deny,status:403\"<\/code><\/pre>\n\n\n\n<p>Such that they look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"\nSecDefaultAction \"phase:2,log,auditlog,deny,status:403\"<\/code><\/pre>\n\n\n\n<p>Save the changes and exit the file.<\/p>\n\n\n\n<p>Turn on Modsecurity Engine;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/modsecurity\/modsecurity.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-modsecurity-3-x\">Configure Modsecurity 3.x<\/h4>\n\n\n\n<p>Configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"LoadModule security3_module \/usr\/lib\/apache2\/modules\/mod_security3.so\" \\\n| sudo tee -a \/etc\/apache2\/apache2.conf<\/pre>\n\n\n\n<p>Create ModSecurity configuration directory under 
<code>\/etc\/apache2<\/code><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo mkdir \/etc\/apache2\/modsecurity.d<\/pre>\n\n\n\n<p>Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp ~\/modsecurity-v${VER}\/modsecurity.conf-recommended \\\n\/etc\/apache2\/modsecurity.d\/modsecurity.conf<\/pre>\n\n\n\n<p>Also copy the <code>unicode.mapping<\/code> file from ModSecurity source directory to Apache Modsecurity configuration directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo cp ~\/modsecurity-v${VER}\/unicode.mapping \/etc\/apache2\/modsecurity.d\/<\/pre>\n\n\n\n<p>Turn on ModSecurity by changing the value of <code>SecRuleEngine<\/code> to <code>On<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/apache2\/modsecurity.d\/modsecurity.conf<\/pre>\n\n\n\n<p>Next, you need to configure ModSecurity rules.<\/p>\n\n\n\n<p>Therefore, create a file where you can define the rules to include, say, <code>\/etc\/apache2\/modsecurity.d\/modsec_rules.conf<\/code>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &gt; \/etc\/apache2\/modsecurity.d\/modsec_rules.conf &lt;&lt; 'EOL'\nInclude \"\/etc\/apache2\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/*.conf\"\nEOL\n<\/code><\/pre>\n\n\n\n<p>Since we have included the OWASP Rules as part of ModSecurity 3 rules, proceed to install them.<\/p>\n\n\n\n<p>The <strong>OWASP ModSecurity Core Rule Set (CRS)<\/strong> is a set of generic attack detection rules for use with ModSecurity. 
It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.<\/p>\n\n\n\n<p>Clone the CRS from the <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs\/\" target=\"_blank\">GitHub repository<\/a> to <code>\/etc\/apache2\/modsecurity.d\/<\/code> as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/etc\/apache2\/modsecurity.d\/owasp-crs<\/pre>\n\n\n\n<p>Next, rename <code>crs-setup.conf.example<\/code> to <code>crs-setup.conf<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo cp \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf{.example,}<\/code><\/pre>\n\n\n\n<p>Similarly, enable Modsecurity OWASP rules blocking by editing the \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf file above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n<strong>#SecDefaultAction \"phase:1,log,auditlog,pass\"\n#SecDefaultAction \"phase:2,log,auditlog,pass\"<\/strong>\n\n...\n#\n<strong>SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"\nSecDefaultAction \"phase:2,log,auditlog,deny,status:403\"<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p><strong>NOTE<\/strong> that this change causes ModSecurity 3 to log to the modsec_audit.log file ONLY and not to the Apache error.log.<\/p>\n\n\n\n<p>For ModSecurity 2, the attack logs are written to the Apache error log. 
This makes it easy to process these logs with other external security monitoring tools.<\/p>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"activate-mod-security-apache-protection-on-ubuntu\">Activate ModSecurity Apache Protection on Ubuntu<\/h3>\n\n\n\n<p>After all that, activate Modsecurity in the default site configuration file or in any virtual host configuration file. In this guide, we are using Apache&#8217;s default site configuration file.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"activate-modsecurity-2-x-on-ubuntu\">Activate Modsecurity 2.x on Ubuntu<\/h4>\n\n\n\n<p>If you are running Modsecurity 2.x, all you need to do at this point is to restart the Apache web server.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apachectl -t<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart apache2<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"activate-modsecurity-3-x-on-ubuntu\">Activate Modsecurity 3.x on Ubuntu<\/h4>\n\n\n\n<p>If you are running Modsecurity 3.x, activate it as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp \/etc\/apache2\/sites-available\/000-default.conf{,.old}<\/code><\/pre>\n\n\n\n<p>See our sample default site virtual host configuration with no comments;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cat &gt; \/etc\/apache2\/sites-available\/000-default.conf &lt;&lt; 'EOL'\n&lt;VirtualHost *:80&gt;\n\tmodsecurity on\n\tmodsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf \n\tServerAdmin webmaster@localhost\n\tDocumentRoot \/var\/www\/html\n\tErrorLog ${APACHE_LOG_DIR}\/error.log\n\tCustomLog ${APACHE_LOG_DIR}\/access.log combined\n&lt;\/VirtualHost&gt;\nEOL\n<\/code><\/pre>\n\n\n\n<p>The lines;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\tmodsecurity on\n\tmodsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf <\/code><\/pre>\n\n\n\n<p>turn on Modsecurity and specify the location of the Modsecurity 
rules.<\/p>\n\n\n\n<p>Check Apache for configuration errors and restart it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apachectl -t<\/code><\/pre>\n\n\n\n<p>If there is no error, you should get the output, <strong>Syntax OK<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart apache2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-modsecurity\">Testing Modsecurity<\/h3>\n\n\n\n<p>Next, test the effectiveness of Modsecurity, for example against command injection. Run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl localhost?doc=\/bin\/ls<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>&lt;!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\"&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;403 Forbidden&lt;\/title&gt;\n&lt;\/head&gt;&lt;body&gt;\n&lt;h1&gt;Forbidden&lt;\/h1&gt;\n&lt;p&gt;You don't have permission to access this resource.&lt;\/p&gt;\n&lt;hr&gt;\n&lt;address&gt;Apache\/2.4.52 (Ubuntu) Server at localhost Port 80&lt;\/address&gt;\n&lt;\/body&gt;&lt;\/html&gt;\n<\/code><\/pre>\n\n\n\n<p>Check Modsecurity logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail \/var\/log\/modsec_audit.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n---yawo6Wfg---H--\nModSecurity: Access denied with code 403 (phase 2). 
Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) [file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"127.0.1.1\"] [uri \"\/\"] [unique_id \"169143105929.925538\"] [ref \"o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\n\n---yawo6Wfg---I--\n\n---yawo6Wfg---J--\n\n---yawo6Wfg---Z--\n<\/code><\/pre>\n\n\n\n<p>Similarly, install Nikto on Ubuntu and use it to scan the server to test the modsecurity rules;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-use-nikto-web-scanner-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Use Nikto Web Scanner on Ubuntu<\/a><\/p>\n\n\n\n<p>Access the site from browser and test command injection attack, <code><strong>http:\/\/domain.name\/?exec=\/bin\/bash<\/strong><\/code>.<\/p>\n\n\n\n<div><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection.png\" class=\"td-modal-image\"><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1019\" height=\"247\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection.png\" alt=\"Install ModSecurity with Apache on Debian 12\" class=\"wp-image-8042\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection.png?v=1614281958 
1019w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-768x186.png?v=1614281958 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-150x36.png?v=1614281958 150w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-300x73.png?v=1614281958 300w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/02\/modsecurity-command-injection-696x169.png?v=1614281958 696w\" sizes=\"(max-width: 1019px) 100vw, 1019px\" \/><\/figure><\/div><\/a><\/div>\n\n\n\n<p>Tailing the Apache error logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/apache2\/error.log<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Sat Apr 30 23:43:10.888508 2022] &#91;:error] &#91;pid 4504:tid 140113703069248] &#91;client 127.0.0.1:57030] &#91;client 127.0.0.1] ModSecurity: Access denied with code 403 (phase 2). Matched phrase \"bin\/ls\" at ARGS:doc. &#91;file \"\/etc\/modsecurity\/crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] &#91;line \"518\"] &#91;id \"932160\"] &#91;msg \"Remote Command Execution: Unix Shell Code Found\"] &#91;data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] &#91;severity \"CRITICAL\"] &#91;ver \"OWASP_CRS\/3.2.0\"] &#91;tag \"application-multi\"] &#91;tag \"language-shell\"] &#91;tag \"platform-unix\"] &#91;tag \"attack-rce\"] &#91;tag \"paranoia-level\/1\"] &#91;tag \"OWASP_CRS\"] &#91;tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] &#91;tag \"WASCTC\/WASC-31\"] &#91;tag \"OWASP_TOP_10\/A1\"] &#91;tag \"PCI\/6.5.2\"] &#91;hostname \"localhost\"] &#91;uri \"\/\"] &#91;unique_id \"Ym2fXltd6Nody7X50nHgVQAAAAc\"]<\/code><\/pre>\n\n\n\n<p>As a result, this confirms that the Modsecurity is functioning as expected.<\/p>\n\n\n\n<p>That is just about it on our guide on how to install ModSecurity with Apache on Debian 12.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reference\">Reference:<\/h3>\n\n\n\n<p><a 
rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity-apache\" target=\"_blank\">ModSecurity-apache<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noopener\">ModSecurity<\/a><\/p>\n\n\n\n<p>Other Tutorials<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-modsecurity-3-with-apache-in-a-docker-container\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ModSecurity 3 with Apache in a Docker Container<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/intercept-malicious-file-upload-with-modsecurity-and-clamav\/\" target=\"_blank\" rel=\"noreferrer noopener\">Intercept Malicious File Upload with ModSecurity and ClamAV<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install ModSecurity with Apache on Debian 12. Modsecurity is an open source, cross platform web application firewall<\/p>\n","protected":false},"author":10,"featured_media":8493,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,254,121,1207,253],"tags":[7151,7149,7148,7150,7153,7152],"class_list":["post-18227","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-apache","category-howtos","category-modsecurity","category-web-servers","tag-debian-12-apache-security","tag-debian-12-modsecurity","tag-install-modsecurity-debian-12","tag-install-modsecurity-with-apache","tag-libmodsecurity-debian-12","tag-modsecurity-3-apache","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18227"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\
/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=18227"}],"version-history":[{"count":4,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18227\/revisions"}],"predecessor-version":[{"id":20840,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/18227\/revisions\/20840"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8493"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=18227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=18227"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=18227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}