{"id":8491,"date":"2021-03-29T22:27:37","date_gmt":"2021-03-29T19:27:37","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8491"},"modified":"2024-03-19T18:19:25","modified_gmt":"2024-03-19T15:19:25","slug":"install-libmodsecurity-with-apache-on-debian","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-libmodsecurity-with-apache-on-debian\/","title":{"rendered":"Install LibModsecurity with Apache on Debian 10"},"content":{"rendered":"\n

Welcome to our guide on how to install LibModsecurity with Apache on Debian 10. Libmodsecurity (Modsecurity v3)<\/a>, is an open source, cross platform web application firewall (WAF) developed by Trustwave’s SpiderLabs. It is a complete rewrite of ModSecurity v2 and it provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include e.tc. It also allows for HTTP traffic monitoring, logging and real-time analysis.<\/p>\n\n\n\n

Installing Modsecurity3 with Apache on Debian 10<\/h2>\n\n\n\n

Prerequisites<\/h2>\n\n\n\n

Run System Update<\/h3>\n\n\n\n

Resynchronize your system packages to their latest versions.<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n
apt upgrade<\/code><\/pre>\n\n\n\n
Install LAMP Stack<\/h3>\n\n\n\n
Well, if you are running a web application, that needs LAMP stack, go ahead and setup LAMP stack.<\/p>\n\n\n\n
However, in this demo setup, we will just install Apache, which is enough to demonstrate how ModSecurity 3 works.<\/p>\n\n\n\n
apt install apache2<\/code><\/pre>\n\n\n\n
Install Required Build Tools and Dependencies<\/h3>\n\n\n\n
To install Libmodsecurity or Modsecurity v3 on Debian 10, we are going to build it from source. Hence, you need to install some required build tools and dependencies for a successful build.<\/p>\n\n\n\n
apt install g++ flex bison curl apache2-dev doxygen libyajl-dev ssdeep liblua5.2-dev libgeoip-dev libtool dh-autoreconf libcurl4-gnutls-dev libxml2 libpcre++-dev libxml2-dev git<\/code><\/pre>\n\n\n\n
Compile and Install LibModsecurity on Debian 10<\/h3>\n\n\n\n
Once your system is setup, you can proceed to install Modsecurity v3 on Debian 10.<\/p>\n\n\n\n
Download LibModsecurity Source Code<\/h3>\n\n\n\n
To install the latest stable version of LibModsecurity<\/strong>, you need to compile it from the source.<\/p>\n\n\n\n
Therefore, navigate to ModSecurity releases page<\/a> and download ModSecurity source code. You can simply use wget to pull it.<\/p>\n\n\n\n
wget https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v3.0.4\/modsecurity-v3.0.4.tar.gz<\/code><\/pre>\n\n\n\n
Extract the ModSecurity source code.<\/p>\n\n\n\n
tar xzf modsecurity-v3.0.4.tar.gz<\/code><\/pre>\n\n\n\n
Compile and Install LibModsecurity<\/h3>\n\n\n\n
Navigate to the LibModsecurity source directory, configure, compile and install it<\/p>\n\n\n\n
cd modsecurity-v3.0.4<\/code><\/pre>\n\n\n\n
Configure LibModsecurity to adapt it to your system and check if any required dependency is missing.<\/p>\n\n\n\n
.\/build.sh<\/code><\/pre>\n\n\n\n
You can safely ignore the fatal: not a git repository (or any of the parent directories): .git<\/strong><\/code> error messages.<\/p>\n\n\n\n
.\/configure<\/code><\/pre>\n\n\n\n
Be sure to fix any dependency issue, if any, before you can proceed to compile and install libModsecurity.<\/p>\n\n\n\n
If the configure script above completes with no error, proceed to compile and install LibModSecurity on Debian 10.<\/p>\n\n\n\n
make<\/code><\/pre>\n\n\n\n
make install<\/code><\/pre>\n\n\n\n
LibModSecurity aka ModSecurity v3 has now been installed on Debian 10<\/p>\n\n\n\n
Install ModSecurity-Apache Connector<\/h2>\n\n\n\n
The ModSecurity-apache connector provides a communication channel between Apache and libModsecurity. Now that libmodsecurity is installed, follow through the following steps to install Modsecurity Apache connector.<\/p>\n\n\n\n
Clone the git repository for the ModSecurity Apache connector.<\/p>\n\n\n\n
cd ~\ngit clone https:\/\/github.com\/SpiderLabs\/ModSecurity-apache<\/code><\/pre>\n\n\n\n
Navigate to ModSecurity-apache directory and run the following commands to compile and install it.<\/p>\n\n\n\n
cd ModSecurity-apache<\/code><\/pre>\n\n\n\n
.\/autogen.sh<\/code><\/pre>\n\n\n\n
.\/configure --with-libmodsecurity=\/usr\/local\/modsecurity\/<\/code><\/pre>\n\n\n\n
make\nmake install<\/code><\/pre>\n\n\n\n
Configure Apache with LibModsecurity<\/h2>\n\n\n\n
Load the Apache ModSecurity Connector Module<\/h4>\n\n\n\n
Configure Apache to load Modsecurity Apache connector module by adding the line below to the main Apache configuration file.<\/p>\n\n\n\n
echo \"LoadModule security3_module \/usr\/lib\/apache2\/modules\/mod_security3.so\" | sudo tee -a \/etc\/apache2\/apache2.conf<\/code><\/pre>\n\n\n\n
Configure ModSecurity<\/h4>\n\n\n\n
Create ModSecurity configuration directory under \/etc\/apache2<\/code><\/p>\n\n\n\n
sudo mkdir \/etc\/apache2\/modsecurity.d<\/code><\/pre>\n\n\n\n
Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.<\/p>\n\n\n\n
sudo cp ~\/modsecurity-v3.0.4\/modsecurity.conf-recommended \/etc\/apache2\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Also copy the unicode.mapping<\/code> file from ModSecurity source directory to Apache Modsecurity configuration directory.<\/p>\n\n\n\n
sudo cp ~\/modsecurity-v3.0.4\/unicode.mapping \/etc\/apache2\/modsecurity.d\/<\/code><\/pre>\n\n\n\n
Turn on ModSecurity by changing the value of SecRuleEngine<\/code> to On<\/code>.<\/p>\n\n\n\n
sed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/apache2\/modsecurity.d\/modsecurity.conf<\/code><\/pre>\n\n\n\n
Next, you need to configure ModSecurity rules. Therefore, create a file where you can define the rules to include, say, \/etc\/apache2\/modsecurity.d\/modsec_rules.conf<\/code>.<\/p>\n\n\n\n
cat > \/etc\/apache2\/modsecurity.d\/modsec_rules.conf << 'EOL'\nInclude \"\/etc\/apache2\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/*.conf\"\nEOL\n<\/code><\/pre>\n\n\n\n
Since we have included the OWASP Rules as part of ModSecurity 3 rules, proceed to install them.<\/p>\n\n\n\n
Install OWASP ModSecurity Core Rule Set (CRS) on Debian<\/h4>\n\n\n\n
The OWASP ModSecurity Core Rule Set (CRS)<\/strong> is a set of generic attack detection rules for use with ModSecurity. It aims at protecting the web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.<\/p>\n\n\n\n
Clone the CRS from GitHub repository<\/a> to \/etc\/apache2\/modsecurity.d\/<\/code> as shown below;<\/p>\n\n\n\n
git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/etc\/apache2\/modsecurity.d\/owasp-crs<\/code><\/pre>\n\n\n\n
Next, rename crs-setup.conf.example<\/code> to crs-setup.conf<\/code>.<\/p>\n\n\n\n
sudo cp \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf{.example,}<\/code><\/pre>\n\n\n\n
Activate ModSecurity<\/h3>\n\n\n\n
After all that, activate the modsecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache’s default site configuration file.<\/p>\n\n\n\n
cp \/etc\/apache2\/sites-available\/000-default.conf{,.old}<\/code><\/pre>\n\n\n\n
See our sample default site virtual host configuration with no comments;<\/p>\n\n\n\n
cat > \/etc\/apache2\/sites-available\/000-default.conf << 'EOL'\n<VirtualHost *:80>\n\tmodsecurity on\n\tmodsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf \n\tServerAdmin webmaster@localhost\n\tDocumentRoot \/var\/www\/html\n\tErrorLog ${APACHE_LOG_DIR}\/error.log\n\tCustomLog ${APACHE_LOG_DIR}\/access.log combined\n<\/VirtualHost>\nEOL\n<\/code><\/pre>\n\n\n\n
The lines;<\/p>\n\n\n\n
\tmodsecurity on\n\tmodsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf <\/code><\/pre>\n\n\n\n
Turns on Modsecurity and specifies the location of the Modsecurity rules.<\/p>\n\n\n\n
Check Apache for configuration errors and restart it.<\/p>\n\n\n\n
apachectl -t<\/code><\/pre>\n\n\n\n
If there is no error, you should get the output, Syntax OK<\/strong>.<\/p>\n\n\n\n
systemctl restart apache2<\/code><\/pre>\n\n\n\n
Testing Modsecurity<\/h3>\n\n\n\n
Next, test the effectiveness of Modsecurity, for example, command injection. Run the command below;<\/p>\n\n\n\n
curl localhost?doc=\/bin\/ls<\/code><\/pre>\n\n\n\n
<!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n<html><head>\n<title>403 Forbidden<\/title>\n<\/head><body>\n<h1>Forbidden<\/h1>\n<p>You don't have permission to access this resource.<\/p>\n<hr>\n<address>Apache\/2.4.41 (Debian) Server at localhost Port 80<\/address>\n<\/body><\/html>\n<\/code><\/pre>\n\n\n\n
Check Modsecurity logs;<\/p>\n\n\n\n
tail \/var\/log\/modsec_audit.log<\/code><\/pre>\n\n\n\n
ModSecurity: Warning. Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) [file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"127.0.1.1\"] [uri \"\/\"] [unique_id \"161428003146.366446\"] [ref \"o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]<\/code><\/pre>\n\n\n\n
ModSecurity: Access denied with code 403 (phase 2). Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"80\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 5)\"] [data \"\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"127.0.1.1\"] [uri \"\/\"] [unique_id \"161428003146.366446\"] [ref \"\"]<\/code><\/pre>\n\n\n\n
Access the site from browser and test command injection attack, http:\/\/domain.name\/?exec=\/bin\/bash<\/strong><\/code>.<\/p>\n\n\n\n
\"Install<\/figure><\/div><\/a><\/div>\n\n\n\n
Tailing the Apache error logs;<\/p>\n\n\n\n
tail -f \/var\/log\/apache2\/error.log<\/code><\/pre>\n\n\n\n
[Thu Feb 25 19:29:06.385428 2021] [:error] [pid 38210] [client 192.168.57.1:45916] ModSecurity: Warning. Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `\/bin\/bash' ) [file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/bash found within ARGS:exec: \/bin\/bash\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"127.0.1.1\"] [uri \"\/\"] [unique_id \"161428134623.117562\"] [ref \"o1,8v11,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]<\/code><\/pre>\n\n\n\n
As a result, this confirms that the Modsecurity is functioning as expected.<\/p>\n\n\n\n
Reference:<\/h3>\n\n\n\n
ModSecurity-apache<\/a><\/p>\n\n\n\n
ModSecurity<\/a><\/p>\n\n\n\n
Related Guides<\/h3>\n\n\n\n
Restrict Access to WordPress Login Page to Specific IPs with libModSecurity<\/a><\/p>\n\n\n\n
Create Kibana Visualization Dashboards for ModSecurity Logs<\/a><\/p>\n\n\n\n
Process and Visualize ModSecurity Logs on ELK Stack<\/a><\/p>\n\n\n\n
Configure LibModsecurity with Nginx on CentOS 8<\/a><\/p>\n\n\n\n
Install LibModsecurity with Apache on Fedora 30\/29\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Welcome to our guide on how to install LibModsecurity with Apache on Debian 10. Libmodsecurity (Modsecurity v3), is an open source, cross platform web application<\/p>\n","protected":false},"author":1,"featured_media":8493,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121],"tags":[3358,3359,3356,1140,3357],"class_list":["post-8491","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-debian-10-modsecurity","tag-install-modsecurity-3","tag-install-modsecurity-3-debian","tag-libmodsecurity","tag-modsecurity-3-debian","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8491"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8491"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8491\/revisions"}],"predecessor-version":[{"id":21871,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8491\/revisions\/21871"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8493"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8491"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8491"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8491"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}