{"id":5185,"date":"2020-03-10T22:22:05","date_gmt":"2020-03-10T19:22:05","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5185"},"modified":"2021-08-19T21:09:59","modified_gmt":"2021-08-19T18:09:59","slug":"configure-libmodsecurity-with-apache-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-libmodsecurity-with-apache-on-centos-8\/","title":{"rendered":"Configure LibModsecurity with Apache on CentOS 8"},"content":{"rendered":"\n

In this guide, we are going to learn how to configure LibModsecurity with Apache on CentOS 8. LibMosecurity<\/a> also known as ModSecurity version 3, is an open source, cross platform web application firewall (WAF) engine which provides protection against a wide range of web application attacks.<\/p>\n\n\n\n

Configure LibModsecurity with Apache on CentOS 8<\/h2>\n\n\n\n

Run System Update<\/h3>\n\n\n\n

Begin by updating your system packages.<\/p>\n\n\n\n

dnf update<\/code><\/pre>\n\n\n\n
Install Required Build Tools and Dependencies<\/h3>\n\n\n\n
LibModsecurity are going to be compiled from the source and thus a number of build tools and dependencies are required. Run the command below to install them.<\/p>\n\n\n\n
dnf config-manager --set-enabled powertools<\/code><\/pre>\n\n\n\n
Install additional repositories.<\/p>\n\n\n\n
dnf install https:\/\/dl.fedoraproject.org\/pub\/epel\/epel-release-latest-8.noarch.rpm<\/code><\/pre>\n\n\n\n
dnf install https:\/\/rpms.remirepo.net\/enterprise\/remi-release-8.rpm<\/code><\/pre>\n\n\n\n
dnf config-manager --set-enabled remi<\/code><\/pre>\n\n\n\n
Install the required dependencies.<\/p>\n\n\n\n
dnf install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config git wget openssl openssl-devel vim GeoIP-devel doxygen yajl-devel libmaxminddb libmaxminddb-devel GeoIP-devel lmdb lmdb-devel ssdeep-devel lua-devel<\/code><\/pre>\n\n\n\n
Download LibModsecurity Source Code<\/h3>\n\n\n\n
Create a temporary directory to store the source tarballs.<\/p>\n\n\n\n
mkdir ~\/modsec<\/code><\/pre>\n\n\n\n
You can choose to use \/opt<\/code> instead.<\/p>\n\n\n\n
Navigate to ModSecurity releases page<\/a> and download ModSecurity source code. You can simply use wget to pull it.<\/p>\n\n\n\n
cd ~\/modsec<\/code><\/pre>\n\n\n\n
wget -P ~\/modsec https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v3.0.4\/modsecurity-v3.0.4.tar.gz<\/code><\/pre>\n\n\n\n
Extract the ModSecurity source code.<\/p>\n\n\n\n
cd ~\/modsec<\/code><\/pre>\n\n\n\n
tar xzf modsecurity-v3.0.4.tar.gz<\/code><\/pre>\n\n\n\n
Compile and Install LibModsecurity<\/h3>\n\n\n\n
Navigate to the LibModsecurity source directory, configure, compile and install it<\/p>\n\n\n\n
cd modsecurity-v3.0.4<\/code><\/pre>\n\n\n\n
Configure LibModsecurity to adapt it to your system and check if any required dependency is missing.<\/p>\n\n\n\n
.\/build.sh<\/code><\/pre>\n\n\n\n
You can safely ignore the fatal: No names found, cannot describe anything<\/strong> messages.<\/p>\n\n\n\n
.\/configure<\/code><\/pre>\n\n\n\n
Fix any dependency issue just in case there is any before you can proceed to compile and install LibModsecurity with Apache on CentOS<\/p>\n\n\n\n
Compile and install LibModSecurity.<\/p>\n\n\n\n
make<\/code><\/pre>\n\n\n\n
make install<\/code><\/pre>\n\n\n\n
Install ModSecurity-Apache Connector on CentOS 8<\/h3>\n\n\n\n
Once the installation of LibModsecurity is done, proceed to install the ModSecurity-apache connector which provides a communication channel between Apache and libModsecurity. <\/p>\n\n\n\n
Clone the git repository for the ModSecurity Apache connector.<\/p>\n\n\n\n
cd ~\ngit clone https:\/\/github.com\/SpiderLabs\/ModSecurity-apache<\/code><\/pre>\n\n\n\n
Navigate to ModSecurity-apache directory and run the following commands to compile and install it.<\/p>\n\n\n\n
cd ModSecurity-apache<\/code><\/pre>\n\n\n\n
.\/autogen.sh<\/code><\/pre>\n\n\n\n
.\/configure --with-libmodsecurity=\/usr\/local\/modsecurity\/<\/code><\/pre>\n\n\n\n
make<\/code><\/pre>\n\n\n\n
make install<\/code><\/pre>\n\n\n\n
Configure Apache with LibModsecurity on CentOS 8<\/h2>\n\n\n\n
Next, configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.<\/p>\n\n\n\n
echo \"LoadModule security3_module <\/code>\/usr\/lib64\/httpd\/modules\/mod_security3.so\" | sudo tee -a \/etc\/httpd\/conf\/httpd.conf<\/code><\/pre>\n\n\n\n
Create ModSecurity configuration directory under \/etc\/httpd\/conf.d<\/code><\/p>\n\n\n\n
mkdir \/etc\/httpd\/conf.d\/modsecurity.d<\/code><\/pre>\n\n\n\n
Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.<\/p>\n\n\n\n
cp ~\/modsec\/modsecurity-v3.0.4\/modsecurity.conf-recommended \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Also copy the unicode.mapping<\/code> file from ModSecurity source directory to Apache Modsecurity configuration directory.<\/p>\n\n\n\n
sudo cp ~\/modsec\/modsecurity-v3.0.4\/unicode.mapping \/etc\/httpd\/conf.d\/modsecurity.d\/<\/code><\/pre>\n\n\n\n
Activate ModSecurity by changing the value of SecRuleEngine<\/code> to On<\/code>.<\/p>\n\n\n\n
sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Change the default log directory for Modsecurity<\/p>\n\n\n\n
sed -i 's#\/var\/log\/modsec_audit.log#\/var\/log\/httpd\/modsec_audit.log#' \/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Configure ModSecurity rules by creating a file where you can define the rules to include.<\/p>\n\n\n\n
vim \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf<\/code><\/pre>\n\n\n\n
Include \"\/etc\/httpd\/conf.d\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/*.conf\"<\/code><\/pre>\n\n\n\n
Since we have included the OWASP Rules, proceed to install them.<\/p>\n\n\n\n
Install OWASP ModSecurity Core Rule Set (CRS)<\/h4>\n\n\n\n
The OWASP ModSecurity Core Rule Set (CRS)<\/strong> is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.<\/p>\n\n\n\n
Clone the CRS from GitHub repository<\/a> to \/etc\/apache2\/modsecurity.d\/<\/code> as shown below;<\/p>\n\n\n\n
git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs<\/code><\/pre>\n\n\n\n
Next, rename crs-setup.conf.example<\/code> to crs-setup.conf<\/code>.<\/p>\n\n\n\n
cp \/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/crs-setup.conf{.example,}<\/code><\/pre>\n\n\n\n
Activate ModSecurity 3 on CentOS 8<\/h3>\n\n\n\n
After all that, activate the modsecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache\u2019s default site configuration file.<\/p>\n\n\n\n
Note that you have to enable ModSecurity per directory context.<\/p>\n\n\n\n
vim \/etc\/httpd\/conf\/httpd.conf<\/code><\/pre>\n\n\n\n
See our below the changes made on the default web root directory on the default Apache configuration;<\/p>\n\n\n\n
...\n<Directory \"\/var\/www\/html\">\n    modsecurity on\n    modsecurity_rules_file \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf\n    Options Indexes FollowSymLinks\n    AllowOverride None\n    Require all granted\n<\/Directory>\n...<\/code><\/pre>\n\n\n\n
The lines;<\/p>\n\n\n\n
 modsecurity on\n modsecurity_rules_file \/etc\/httpd\/conf.d\/modsecurity.d\/rules.conf<\/code><\/pre>\n\n\n\n
Turns on Modsecurity and specifies the location of the Modsecurity rules respectively.<\/p>\n\n\n\n
Check Apache for configuration errors and restart it.<\/p>\n\n\n\n
httpd -t<\/code><\/pre>\n\n\n\n
Syntax OK<\/code><\/pre>\n\n\n\n
systemctl restart httpd<\/code><\/pre>\n\n\n\n
Testing Modsecurity<\/h3>\n\n\n\n
Next, test the effectiveness of Modsecurity with OWASP rules, for example, using the command injection. Run the command below;<\/p>\n\n\n\n
curl localhost\/index.html?exec=\/bin\/bash<\/code><\/pre>\n\n\n\n
<!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n<html><head>\n<title>403 Forbidden<\/title>\n<\/head><body>\n<h1>Forbidden<\/h1>\n<p>You don't have permission to access \/index.html\non this server.<\/p>\n<\/body><\/html><\/code><\/pre>\n\n\n\n
If you see, 403 Forbidden<\/code><\/strong> then it means you have nailed it.<\/p>\n\n\n\n
You can as well check Modsecurity logs;<\/p>\n\n\n\n
tail \/var\/log\/httpd\/modsec_audit.log<\/code><\/pre>\n\n\n\n
...\nModSecurity: Warning. Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `\/bin\/bash' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found<\/strong>\"] [data \"Matched Data: bin\/bash found within ARGS:exec: \/bin\/bash<\/strong>\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"centos8.kifarunix-demo.com\"] [uri \"\/index.html\"] [unique_id \"158386776469.002836\"] [ref \"o1,8v21,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\nModSecurity: Access denied with code 403 (phase 2).<\/strong> Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file \"\/etc\/httpd\/conf.d\/modsecurity.d\/owasp-crs\/rules\/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"79\"] [id \"949110\"]<\/strong> [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [data \"\"] [severity \"2\"] [ver \"\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"centos8.kifarunix-demo.com\"] [uri \"\/index.html\"] [unique_id \"158386776469.002836\"] [ref \"\"]<\/code><\/pre>\n\n\n\n
Well, there you go. ModSecurity 3 or LibModSeceurity is now installed, activated and protecting your site against web attacks.<\/p>\n\n\n\n
Feel free to set up more rules as you wish and protect your web application.<\/p>\n\n\n\n
That marks the end of our our guide on how to install and configure LibModsecurity with Apache on CentOS 8. <\/p>\n\n\n\n
Related Tutorials<\/h3>\n\n\n\n
Configure LibModsecurity with Nginx on CentOS 8<\/a><\/p>\n\n\n\n
Install LibModsecurity with Apache on Ubuntu 18.04<\/a><\/p>\n\n\n\n
Install LibModsecurity with Apache on Fedora 30\/29\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, we are going to learn how to configure LibModsecurity with Apache on CentOS 8. LibMosecurity also known as ModSecurity version 3, is<\/p>\n","protected":false},"author":1,"featured_media":10113,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,1207],"tags":[202,1337,1140,1336,1141,1335,1334,307],"class_list":["post-5185","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-modsecurity","tag-apache","tag-centos-8-modsecurity","tag-libmodsecurity","tag-libmodsecurity-on-centos-8","tag-modsecurity-3","tag-modsecurity-3-on-centos-8","tag-modsecurity-apache-connector","tag-waf","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5185"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5185"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5185\/revisions"}],"predecessor-version":[{"id":10110,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5185\/revisions\/10110"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10113"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}