{"id":4296,"date":"2019-01-29T23:51:01","date_gmt":"2019-01-29T20:51:01","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4296"},"modified":"2020-03-11T12:15:21","modified_gmt":"2020-03-11T09:15:21","slug":"install-libmodsecurity-with-apache-on-fedora-30-29-centos-7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-libmodsecurity-with-apache-on-fedora-30-29-centos-7\/","title":{"rendered":"Install LibModsecurity with Apache on Fedora 30\/29\/CentOS 7"},"content":{"rendered":"\n

In this guide, we are going to learn how to install LibModsecurity with Apache on Fedora 30\/29\/CentOS 7. ModSecurity<\/a> is an open source web application firewall (WAF) that provides a robust event-based programming language for protecting web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include, etc.<\/p>\n\n\n\n

Install LibModsecurity with Apache on Fedora 30\/29\/CentOS 7<\/h2>\n\n\n\n

Update your system. The YUM package manager is used in this guide since it is available on both CentOS and Fedora.<\/p>\n\n\n\n

yum update<\/code><\/pre>\n\n\n\n

If you are building a web application, ensure that you have a LAMP stack. You can see how to install LAMP stack by following the links below;<\/p>\n\n\n\n

Install LAMP Stack on Fedora 30<\/a><\/p>\n\n\n\n

Install LAMP (Linux, Apache, MySQL, PHP) Stack on Fedora 28\/29<\/a><\/p>\n\n\n\n

Install Required Build Tools and Dependencies<\/h3>\n\n\n\n

Since we are going to install LibModsecurity from the source, a number of build tools and dependencies are required. Run the command below to install them.<\/p>\n\n\n\n

yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config<\/code><\/pre>\n\n\n\n

Download LibModsecurity Source Code<\/h3>\n\n\n\n

To install LibModSecurity with Apache on Fedora 30\/29\/CentOS 7, you need to download the source code for compilation.<\/p>\n\n\n\n

Therefore, create a temporary directory to store the LibModSecurity source tarball.<\/p>\n\n\n\n

mkdir ~\/modsec<\/code><\/pre>\n\n\n\n

You can choose to use \/opt<\/code> instead.<\/p>\n\n\n\n

Navigate to ModSecurity releases page<\/a> and download ModSecurity source code. You can simply use wget to pull it.<\/p>\n\n\n\n

cd ~\/modsec<\/code><\/pre>\n\n\n\n
wget -P ~\/modsec https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v3.0.4\/modsecurity-v3.0.4.tar.gz<\/code><\/pre>\n\n\n\n

Extract the ModSecurity source code.<\/p>\n\n\n\n

cd ~\/modsec<\/code><\/pre>\n\n\n\n
tar xzf modsecurity-v3.0.4.tar.gz<\/code><\/pre>\n\n\n\n

Compile and Install LibModsecurity on Fedora 30\/29\/CentOS 7<\/h3>\n\n\n\n

Navigate to the LibModsecurity source directory, then configure, compile and install it.<\/p>\n\n\n\n

cd modsecurity-v3.0.4<\/code><\/pre>\n\n\n\n

Configure LibModsecurity to adapt it to your system and check if any required dependency is missing.<\/p>\n\n\n\n

.\/build.sh<\/code><\/pre>\n\n\n\n

You can safely ignore the fatal: No names found, cannot describe anything<\/strong> messages.<\/p>\n\n\n\n

.\/configure<\/code><\/pre>\n\n\n\n

Fix any dependency issues reported before you proceed to compile and install LibModsecurity with Apache on CentOS.<\/p>\n\n\n\n

Compile and install LibModSecurity.<\/p>\n\n\n\n

make<\/code><\/pre>\n\n\n\n
make install<\/code><\/pre>\n\n\n\n

Install ModSecurity-Apache Connector<\/h3>\n\n\n\n

The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. Now that libmodsecurity is installed, follow the steps below to install the ModSecurity Apache connector.<\/p>\n\n\n\n

Clone the git repository for the ModSecurity Apache connector.<\/p>\n\n\n\n

cd ~\ngit clone https:\/\/github.com\/SpiderLabs\/ModSecurity-apache<\/code><\/pre>\n\n\n\n

Navigate to ModSecurity-apache directory and run the following commands to compile and install it.<\/p>\n\n\n\n

cd ModSecurity-apache\n.\/autogen.sh\n.\/configure --with-libmodsecurity=\/usr\/local\/modsecurity\/\nmake\nsudo make install<\/code><\/pre>\n\n\n\n

Configure Apache with LibModsecurity<\/h2>\n\n\n\n

To begin with, configure Apache to load the ModSecurity Apache connector module by adding the line below to the main Apache configuration file.<\/p>\n\n\n\n

echo \"LoadModule security3_module \/usr\/lib64\/httpd\/modules\/mod_security3.so\" | sudo tee -a \/etc\/httpd\/conf\/httpd.conf<\/code><\/pre>\n\n\n\n

Next, create ModSecurity configuration directory under \/etc\/httpd\/conf.d<\/code><\/p>\n\n\n\n

sudo mkdir \/etc\/httpd\/conf.d\/modsecurity.d<\/code><\/pre>\n\n\n\n

Copy the sample ModSecurity configuration file from the source code directory extracted earlier to the ModSecurity configuration directory created above, renaming it as follows.<\/p>\n\n\n\n

sudo cp ~\/modsec\/modsecurity-v3.0.4\/modsecurity.conf-recommended \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n

Also copy the unicode.mapping<\/code> file from the ModSecurity source directory to the Apache ModSecurity configuration directory.<\/p>\n\n\n\n

sudo cp ~\/modsec\/modsecurity-v3.0.4\/unicode.mapping \/etc\/httpd\/conf.d\/modsecurity.d\/<\/code><\/pre>\n\n\n\n

Turn on ModSecurity by changing the value of SecRuleEngine<\/code> to On<\/code>.<\/p>\n\n\n\n

sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n

Change the default log directory for ModSecurity.<\/p>\n\n\n\n

sed -i 's#\/var\/log\/modsec_audit.log#\/var\/log\/httpd\/modsec_audit.log#' \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n

Next, you need to configure ModSecurity rules. Therefore, create a file where you can define the rules to include.<\/p>\n\n\n\n

sudo vim \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf<\/code><\/pre>\n\n\n\n
Include \"\/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/*.conf\"<\/code><\/pre>\n\n\n\n

Since we have included the OWASP Rules, proceed to install them.<\/p>\n\n\n\n

Install OWASP ModSecurity Core Rule Set (CRS)<\/h4>\n\n\n\n

The OWASP ModSecurity Core Rule Set (CRS)<\/strong> is a set of generic attack detection rules for use with ModSecurity. It aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.<\/p>\n\n\n\n

Clone the CRS from\u00a0GitHub repository<\/a>\u00a0to\u00a0\/etc\/httpd\/conf.d\/modsecurity.d\/<\/code>\u00a0as shown below;<\/p>\n\n\n\n

git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs<\/code><\/pre>\n\n\n\n

Next, copy crs-setup.conf.example<\/code> to crs-setup.conf<\/code>.<\/p>\n\n\n\n

sudo cp \/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/crs-setup.conf{.example,}<\/code><\/pre>\n\n\n\n

Activate ModSecurity<\/h3>\n\n\n\n

After all that, activate ModSecurity in the default site configuration file or in any virtual host configuration file. In this guide, we are using Apache\u2019s default site configuration file.<\/p>\n\n\n\n

Note that you have to enable ModSecurity per directory context.<\/p>\n\n\n\n

vim \/etc\/httpd\/conf\/httpd.conf<\/code><\/pre>\n\n\n\n

See below the changes made to the default web root directory in the default Apache configuration:<\/p>\n\n\n\n

...\n<Directory \"\/var\/www\/html\">\n    modsecurity on\n    modsecurity_rules_file \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf\n    Options Indexes FollowSymLinks\n    AllowOverride None\n    Require all granted\n<\/Directory>\n...<\/code><\/pre>\n\n\n\n

The lines;<\/p>\n\n\n\n

 modsecurity on\n modsecurity_rules_file \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf<\/code><\/pre>\n\n\n\n

turn on ModSecurity and specify the location of the ModSecurity rules.<\/p>\n\n\n\n

Check Apache for configuration errors and restart it.<\/p>\n\n\n\n

httpd -t\nSyntax OK<\/code><\/pre>\n\n\n\n
systemctl restart httpd<\/code><\/pre>\n\n\n\n

Testing Modsecurity<\/h3>\n\n\n\n

Next, test the effectiveness of ModSecurity with the OWASP rules, for example, using a command injection test. Run the command below:<\/p>\n\n\n\n

curl 'localhost\/index.html?exec=\/bin\/bash'<\/code><\/pre>\n\n\n\n
<!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n<html><head>\n<title>403 Forbidden<\/title>\n<\/head><body>\n<h1>Forbidden<\/h1>\n<p>You don't have permission to access \/index.html\non this server.<\/p>\n<\/body><\/html><\/code><\/pre>\n\n\n\n

If you see 403 Forbidden<\/code><\/strong>, then it means you have nailed it.<\/p>\n\n\n\n

You can also check the ModSecurity logs:<\/p>\n\n\n\n

tail \/var\/log\/httpd\/modsec_audit.log<\/code><\/pre>\n\n\n\n
ModSecurity: Warning. Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `\/bin\/bash' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"488\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/bash found within ARGS:exec: \/bin\/bash\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"cent7.example.com\"] [uri \"\/index.html\"] [unique_id \"156978926276.295922\"] [ref \"o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\nModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"79\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [data \"\"] [severity \"2\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"cent7.example.com\"] [uri \"\/index.html\"] [unique_id \"156978926276.295922\"] [ref \"\"]\nModSecurity: Warning. Matched \"Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/RESPONSE-980-CORRELATION.conf\"] [line \"76\"] [id \"980130\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0\"] [data \"\"] [severity \"0\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [tag \"event-correlation\"] [hostname \"cent7.example.com\"] [uri \"\/index.html\"] [unique_id \"156978926276.295922\"] [ref \"\"]<\/code><\/pre>\n\n\n\n
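
In the log above, the 403 is attributed to rule 949110, which only checks the anomaly score; the rule that actually matched (932160) is a separate entry sharing the same unique_id. The script below is an added example, not part of the original guide: it groups entries by unique_id to show which detection rules led to each block. The function names and the abridged sample lines are constructed for illustration, and it assumes entries formatted as shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): map each blocked request
# back to the CRS rule that actually matched, using the shared unique_id.

# Constructed sample: the three entries shown above, abridged to the fields used here.
sample_log() {
cat <<'EOF'
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [id "932160"] [msg "Remote Command Execution: Unix Shell Code Found"] [severity "2"] [uri "/index.html"] [unique_id "156978926276.295922"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [uri "/index.html"] [unique_id "156978926276.295922"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `5' ) [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=0,HTTP=0,SESS=0): individual paranoia level scores: 5, 0, 0, 0"] [severity "0"] [uri "/index.html"] [unique_id "156978926276.295922"]
EOF
}

# Print "unique_id|action|rule_id|uri|msg" for every ModSecurity entry on stdin.
modsec_summary() {
  awk '
    # Value of a [name "value"] field, or "-" when the field is absent.
    function field(line, name,    tag, s, rest, e) {
      tag = "[" name " \""
      s = index(line, tag)
      if (s == 0) return "-"
      rest = substr(line, s + length(tag))
      e = index(rest, "\"]")
      return (e == 0) ? "-" : substr(rest, 1, e - 1)
    }
    /ModSecurity: (Warning|Access denied)/ {
      action = ($0 ~ /ModSecurity: Access denied/) ? "DENY" : "WARN"
      printf "%s|%s|%s|%s|%s\n", field($0, "unique_id"), action,
             field($0, "id"), field($0, "uri"), field($0, "msg")
    }
  '
}

# For each denied transaction print "unique_id rule_ids": the rules that raised
# the anomaly score. 980130 is skipped because it only reports the total.
modsec_blocking_rules() {
  modsec_summary | awk -F"|" '
    $2 == "DENY" { denied[$1] = 1 }
    $2 == "WARN" && $3 != "980130" { ids[$1] = ids[$1] (ids[$1] != "" ? "," : "") $3 }
    END { for (t in denied) print t, (ids[t] != "" ? ids[t] : "-") }
  ' | sort
}

sample_log | modsec_blocking_rules   # prints: 156978926276.295922 932160
```

To run it against the live log, feed the file on stdin: `modsec_blocking_rules < /var/log/httpd/modsec_audit.log`.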

Well, there you go and that is it on our guide on how to install LibModsecurity with Apache on Fedora 30\/29\/CentOS 7. Feel free to set up more rules as you wish and protect your web application.<\/p>\n\n\n\n

Reference:<\/p>\n\n\n\n

ModSecurity Wiki<\/a><\/p>\n\n\n\n

ModSecurity-apache connector<\/a><\/p>\n\n\n\n

Related Guides<\/h3>\n\n\n\n

Configure LibModsecurity with Nginx on CentOS 8<\/a><\/p>\n\n\n\n

Install LibModsecurity with Apache on Ubuntu 18.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In this guide, we are going to learn how to install LibModsecurity with Apache on Fedora 30\/29\/CentOS 7. Modsecurity, is an open source web application<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,34,305],"tags":[202,88,289,924,1140,1139,1141],"class_list":["post-4296","post","type-post","status-publish","format-standard","hentry","category-howtos","category-security","category-waf","tag-apache","tag-centos-7","tag-fedora-29","tag-fedora-30","tag-libmodsecurity","tag-modsecurity","tag-modsecurity-3","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4296"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4296"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4296\/revisions"}],"predecessor-version":[{"id":5193,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4296\/revisions\/5193"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}