# Install LibModsecurity with Apache on Ubuntu 20.04

Published 2021-02-25 (last modified 2024-03-19) at https://kifarunix.com/install-libmodsecurity-with-apache-on-ubuntu-20-04/

Welcome to our guide on how to install LibModsecurity with Apache on Ubuntu 20.04. Libmodsecurity (ModSecurity v3) is an open source, cross-platform web application firewall (WAF) developed by Trustwave's SpiderLabs. It is a complete rewrite of ModSecurity v2 and provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, cross-site scripting (XSS), local file inclusion, remote file inclusion, etc. It also allows for HTTP traffic monitoring, logging and real-time analysis.

## Install Modsecurity3 with Apache on Ubuntu 20.04

### Run System Update

Resynchronize your system packages to their latest versions.

```bash
apt update
apt upgrade
```

### Install LAMP Stack

Before you can install and configure LibModsecurity with Apache on Ubuntu 20.04, you need to have a LAMP stack installed and running on your server. Follow the guide below to set up a LAMP stack on Ubuntu 20.04.

Install LAMP Stack on Ubuntu 20.04

### Install Required Build Tools and Dependencies

To install Libmodsecurity (ModSecurity v3) on Ubuntu 20.04, we are going to build it from source. Hence, you need to install some required build tools and dependencies for a successful build.

```bash
apt install g++ flex bison curl apache2-dev doxygen libyajl-dev ssdeep liblua5.2-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev git
```

Once your system is set up, you can proceed to install ModSecurity v3 on Ubuntu 20.04.

### Compile and Install LibModsecurity on Ubuntu 20.04

To install the latest stable version of LibModsecurity, you need to compile it from source.

### Download LibModsecurity Source Code

Therefore, navigate to the ModSecurity releases page and download the ModSecurity source code. You can simply use wget to pull it.

```bash
wget https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.4/modsecurity-v3.0.4.tar.gz
```

Extract the ModSecurity source code.

```bash
tar xzf modsecurity-v3.0.4.tar.gz
```

### Compile and Install LibModsecurity

Navigate to the LibModsecurity source directory, then configure, compile and install it.

```bash
cd modsecurity-v3.0.4
./build.sh
```

You can safely ignore the `fatal: not a git repository (or any of the parent directories): .git` error messages printed by the build script.

Configure LibModsecurity to adapt it to your system and check whether any required dependency is missing.

```bash
./configure
```

Be sure to fix any dependency issue, if there is any, before you proceed to compile and install LibModsecurity.

If the configure script above completes with no error, proceed to compile and install LibModSecurity on Ubuntu 20.04.

```bash
make
make install
```

LibModSecurity, aka ModSecurity v3, has now been installed on Ubuntu 20.04.

## Install ModSecurity-Apache Connector

The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. Now that libmodsecurity is installed, follow the steps below to install the ModSecurity Apache connector.

Clone the git repository for the ModSecurity Apache connector.

```bash
cd ~
git clone https://github.com/SpiderLabs/ModSecurity-apache
```

Navigate to the ModSecurity-apache directory and run the following commands to compile and install it.

```bash
cd ModSecurity-apache
./autogen.sh
./configure --with-libmodsecurity=/usr/local/modsecurity/
make
make install
```

## Configure Apache with LibModsecurity

#### Load the Apache ModSecurity Connector Module

Configure Apache to load the ModSecurity Apache connector module by adding the line below to the main Apache configuration file.

```bash
echo "LoadModule security3_module /usr/lib/apache2/modules/mod_security3.so" | sudo tee -a /etc/apache2/apache2.conf
```

#### Configure ModSecurity

Create a ModSecurity configuration directory under `/etc/apache2`.

```bash
sudo mkdir /etc/apache2/modsecurity.d
```

Copy the sample ModSecurity configuration file from the source code directory to the ModSecurity configuration directory created above, renaming it as follows.

```bash
sudo cp ~/modsecurity-v3.0.4/modsecurity.conf-recommended /etc/apache2/modsecurity.d/modsecurity.conf
```

Also copy the `unicode.mapping` file from the ModSecurity source directory to the Apache ModSecurity configuration directory.

```bash
sudo cp ~/modsecurity-v3.0.4/unicode.mapping /etc/apache2/modsecurity.d/
```

Turn on ModSecurity by changing the value of `SecRuleEngine` from `DetectionOnly` (the default in the recommended configuration, which only logs matches) to `On`, so that matching requests are actually blocked.

```bash
sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/apache2/modsecurity.d/modsecurity.conf
```

Next, you need to configure the ModSecurity rules. Therefore, create a file where you can define the rules to include, say, `/etc/apache2/modsecurity.d/modsec_rules.conf`.

```bash
cat > /etc/apache2/modsecurity.d/modsec_rules.conf << 'EOL'
Include "/etc/apache2/modsecurity.d/modsecurity.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf"
Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf"
EOL
```

Since we have included the OWASP rules as part of the ModSecurity 3 rules, proceed to install them.

#### Install OWASP ModSecurity Core Rule Set (CRS) on Ubuntu

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. It aims at protecting web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

Clone the CRS from its GitHub repository to `/etc/apache2/modsecurity.d/` as shown below;

```bash
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/apache2/modsecurity.d/owasp-crs
```

Next, rename `crs-setup.conf.example` to `crs-setup.conf`.

```bash
sudo cp /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf{.example,}
```

### Activate ModSecurity

After all that, activate ModSecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache's default site configuration file. Back up the current file first.

```bash
cp /etc/apache2/sites-available/000-default.conf{,.old}
```

See our sample default site virtual host configuration with no comments;

```bash
cat > /etc/apache2/sites-available/000-default.conf << 'EOL'
<VirtualHost *:80>
    modsecurity on
    modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOL
```

The lines;

```apache
    modsecurity on
    modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
```

turn on ModSecurity and specify the location of the ModSecurity rules file.

Check Apache for configuration errors and restart it.

```bash
apachectl -t
systemctl restart apache2
```

If there is no error, you should get the output `Syntax OK`.

### Testing Modsecurity

Next, test the effectiveness of ModSecurity, for example against command injection. Run the command below;

```bash
curl localhost?doc=/bin/ls
```

The request is rejected with a 403 Forbidden page:

```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at localhost Port 80</address>
</body></html>
```

Check the ModSecurity logs;

```bash
tail /var/log/modsec_audit.log
```

```
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "127.0.1.1"] [uri "/"] [unique_id "161428003146.366446"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
```

```
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.1.1"] [uri "/"] [unique_id "161428003146.366446"] [ref ""]
```

The first entry is the CRS rule (id 932160) that matched the shell command in the `doc` parameter; the second is the CRS blocking-evaluation rule (id 949110) denying the request because the inbound anomaly score reached the threshold of 5.

You can also access the site from a browser and test the command injection attack with the URL below, while tailing the Apache error log; ModSecurity records the same match there. As a result, this confirms that ModSecurity is functioning as expected.
Browser test URL (replace `domain.name` with your server's name):

```
http://domain.name/?exec=/bin/bash
```

Apache error log while the request is made:

```bash
tail -f /var/log/apache2/error.log
```

```
[Thu Feb 25 19:29:06.385428 2021] [:error] [pid 38210] [client 192.168.57.1:45916] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "127.0.1.1"] [uri "/"] [unique_id "161428134623.117562"] [ref "o1,8v11,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
```
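As an added example (not part of the original guide), the script below parses ModSecurity v3 entries of the form shown in the testing section and groups them by `unique_id`, so each request lists the CRS rule ids that matched and whether the blocking-evaluation rule (949110) denied it and with what anomaly score. The three sample lines are copied from the page's own output; the parser and its field names are this example's own.

```python
import re
from collections import defaultdict

# Three entries copied from the guide's test run (one from error.log, two from
# modsec_audit.log); the parser itself is an added example, not part of the guide.
SAMPLE_LOG = """
[Thu Feb 25 19:29:06.385428 2021] [:error] [pid 38210] [client 192.168.57.1:45916] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "127.0.1.1"] [uri "/"] [unique_id "161428134623.117562"] [ref "o1,8v11,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `/bin/ls' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/ls found within ARGS:doc: /bin/ls"] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "127.0.1.1"] [uri "/"] [unique_id "161428003146.366446"] [ref "o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.2.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "127.0.1.1"] [uri "/"] [unique_id "161428003146.366446"] [ref ""]
"""

HEAD_RE = re.compile(r"ModSecurity: (Warning|Access denied with code (\d+))")
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # the [key "value"] pairs
SCORE_RE = re.compile(r"Total Score: (\d+)")


def parse_entry(line):
    """Return the bracketed fields of one ModSecurity v3 log line as a dict, or None."""
    head = HEAD_RE.search(line)
    if head is None:
        return None  # not a ModSecurity entry (e.g. a plain Apache error line)
    fields = defaultdict(list)
    for key, value in FIELD_RE.findall(line[head.end():]):
        fields[key].append(value)
    entry = {key: vals[0] for key, vals in fields.items() if key != "tag"}
    entry["tags"] = fields["tag"]  # [tag "..."] repeats, so keep every value
    entry["blocked"] = head.group(1) != "Warning"
    entry["status"] = int(head.group(2)) if head.group(2) else None
    return entry


def summarize(log_text):
    """Group entries by unique_id: the rules that matched per request and the verdict."""
    requests = defaultdict(lambda: {"rules": [], "blocked": False, "status": None, "score": None})
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        req = requests[entry.get("unique_id", "?")]
        req["rules"].append((entry.get("id"), entry.get("msg")))
        if entry["blocked"]:  # the CRS blocking-evaluation rule carries the total score
            req["blocked"], req["status"] = True, entry["status"]
            m = SCORE_RE.search(entry.get("msg", ""))
            req["score"] = int(m.group(1)) if m else None
    return dict(requests)


if __name__ == "__main__":
    for uid, req in summarize(SAMPLE_LOG).items():
        print(uid, "blocked" if req["blocked"] else "warning only", [rid for rid, _ in req["rules"]])
```

Pointed at a real `/var/log/modsec_audit.log` or Apache `error.log`, the same two functions give a quick per-request view of which rules fired and which requests were actually denied, which is useful when tuning a rule set that is still generating false positives.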
### Reference:

ModSecurity-apache

ModSecurity

### Related Guides

Restrict Access to WordPress Login Page to Specific IPs with libModSecurity

Create Kibana Visualization Dashboards for ModSecurity Logs

Process and Visualize ModSecurity Logs on ELK Stack

Configure LibModsecurity with Nginx on CentOS 8