{"id":8781,"date":"2021-05-06T21:40:17","date_gmt":"2021-05-06T18:40:17","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8781"},"modified":"2024-03-18T22:34:11","modified_gmt":"2024-03-18T19:34:11","slug":"install-modsecurity-3-with-apache-in-a-docker-container","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-modsecurity-3-with-apache-in-a-docker-container\/","title":{"rendered":"Install ModSecurity 3 with Apache in a Docker Container"},"content":{"rendered":"\n<p>Welcome to our guide on how to install ModSecurity 3 with Apache in a Docker container.&nbsp;<a href=\"https:\/\/github.com\/SpiderLabs\/ModSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">Libmodsecurity (Modsecurity v3)<\/a> is an open-source, cross-platform web application firewall (WAF) developed by Trustwave\u2019s SpiderLabs. It is a complete rewrite of ModSecurity v2 and it provides a robust event-based programming language which protects web applications against a wide range of attacks such as SQL injection, Cross-site Scripting (XSS), Local File Include, Remote File Include, etc. 
It also allows for HTTP traffic monitoring, logging and real-time analysis.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#installing-mod-security-3-with-apache-in-a-docker-container\">Installing ModSecurity 3 with Apache in a Docker Container<\/a><ul><li><a href=\"#install-docker\">Install Docker<\/a><\/li><li><a href=\"#create-dockerfile\">Create Dockerfile<\/a><\/li><li><a href=\"#running-mod-security-3-with-apache-in-a-docker-container\">Running ModSecurity 3 with Apache in a Docker Container<\/a><ul><li><a href=\"#build-mod-security-3-with-apache-in-docker-image\">Build ModSecurity 3 with Apache in Docker Image<\/a><\/li><li><a href=\"#running-mod-security-3-with-apache-docker-container\">Running ModSecurity 3 with Apache Docker Container<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-mod-security-3-with-apache-in-a-docker-container\">Installing ModSecurity 3 with Apache in a Docker Container<\/h2>\n\n\n\n<p>In order to install ModSecurity 3 in a Docker container, we will create our own Docker image based on our previous tutorials on how to install ModSecurity 3, links given below;<\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-libmodsecurity-with-apache-on-debian\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install LibModsecurity with Apache on Debian 10<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-libmodsecurity-with-apache-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Install LibModsecurity with Apache on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-libmodsecurity-with-apache-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Configure 
LibModsecurity with Apache on CentOS 8<\/a><\/p>\n\n\n\n<p><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-libmodsecurity-with-nginx-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Configure LibModsecurity with Nginx on CentOS 8<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-docker\">Install Docker<\/h3>\n\n\n\n<p>On your base OS, you need to have Docker installed. In this guide, we are using an Ubuntu 20.04 server to host the Docker containers. As such, run the commands below to install Docker on Ubuntu 20.04.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install apt-transport-https ca-certificates curl gnupg-agent software-properties-common<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl -fsSL https:\/\/download.docker.com\/linux\/ubuntu\/gpg | sudo apt-key add -<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"deb [arch=amd64] https:\/\/download.docker.com\/linux\/ubuntu $(lsb_release -sc) stable\" &gt; \/etc\/apt\/sources.list.d\/docker-ce.list<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<p>Install Docker CE and other tools including&nbsp;<code>containerd.io<\/code>, an open and reliable container runtime.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install docker-ce docker-ce-cli containerd.io<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-dockerfile\">Create Dockerfile<\/h3>\n\n\n\n<p>Since we will be building our ModSecurity container based on the ModSecurity installation commands, you need to create a Dockerfile. 
Dockerfile is <em>a text document that contains all the commands a user could call on the command line to assemble an image<\/em>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim Dockerfile<\/code><\/pre>\n\n\n\n<p>Paste the content below into the Dockerfile.<\/p>\n\n\n\n<p>We will be using an Ubuntu image to create our Modsecurity container, hence, install commands from the guide, <a rel=\"noreferrer noopener\" class=\"rank-math-link\" href=\"https:\/\/kifarunix.com\/install-libmodsecurity-with-apache-on-ubuntu-20-04\/\" target=\"_blank\">Install LibModsecurity with Apache on Ubuntu 20.04<\/a>, are used.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n# Running Modsecurity in a Docker container;\nFROM ubuntu:latest\nARG DEBIAN_FRONTEND=noninteractive\n# Run system update\/upgrade\nRUN apt update -y &amp;&amp; apt upgrade -y\n\n# Install Required Build Tools and Dependencies\nRUN apt install -y g++ flex bison curl apache2-dev \\\n\tdoxygen libyajl-dev ssdeep liblua5.2-dev \\\n\tlibgeoip-dev libtool dh-autoreconf \\\n\tlibcurl4-gnutls-dev libxml2 libpcre++-dev \\\n\tlibxml2-dev git wget tar apache2\n\n# Download LibModsecurity Source Code\nRUN wget https:\/\/github.com\/SpiderLabs\/ModSecurity\/releases\/download\/v3.0.4\/modsecurity-v3.0.4.tar.gz\n\n# Extract the ModSecurity source code.\nRUN tar xzf modsecurity-v3.0.4.tar.gz &amp;&amp; rm -rf modsecurity-v3.0.4.tar.gz\n\n# Compile and Install LibModsecurity\nRUN cd modsecurity-v3.0.4 &amp;&amp; \\\n\t.\/build.sh &amp;&amp; .\/configure &amp;&amp; \\\n\tmake &amp;&amp; make install\n\n# Install ModSecurity-Apache Connector\nRUN cd ~ &amp;&amp; git clone https:\/\/github.com\/SpiderLabs\/ModSecurity-apache\n\nRUN cd ~\/ModSecurity-apache &amp;&amp; \\\n\t.\/autogen.sh &amp;&amp; \\\n\t.\/configure --with-libmodsecurity=\/usr\/local\/modsecurity\/ &amp;&amp; \\\n\tmake &amp;&amp; \\\n\tmake install\n\n# Load the Apache ModSecurity Connector Module\nRUN echo \"LoadModule security3_module 
\/usr\/lib\/apache2\/modules\/mod_security3.so\" &gt;&gt; \/etc\/apache2\/apache2.conf\n\n# Configure ModSecurity\nRUN mkdir \/etc\/apache2\/modsecurity.d &amp;&amp; \\\n\tcp modsecurity-v3.0.4\/modsecurity.conf-recommended \/etc\/apache2\/modsecurity.d\/modsecurity.conf &amp;&amp; \\\n\tcp modsecurity-v3.0.4\/unicode.mapping \/etc\/apache2\/modsecurity.d\/ &amp;&amp; \\\n\tsed -i 's\/SecRuleEngine DetectionOnly\/SecRuleEngine On\/' \/etc\/apache2\/modsecurity.d\/modsecurity.conf\nADD modsec_rules.conf \/etc\/apache2\/modsecurity.d\/\n\n# Install OWASP ModSecurity Core Rule Set (CRS) on Ubuntu\nRUN git clone https:\/\/github.com\/SpiderLabs\/owasp-modsecurity-crs.git \/etc\/apache2\/modsecurity.d\/owasp-crs &amp;&amp; \\\n\tcp \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf.example \/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf\n# Activate ModSecurity\nRUN mv \/etc\/apache2\/sites-available\/000-default.conf \/etc\/apache2\/sites-available\/000-default.conf.old\nADD 000-default.conf \/etc\/apache2\/sites-available\/\n\nEXPOSE 80\nCMD apachectl -D FOREGROUND\n<\/code><\/pre>\n\n\n\n<p>Define the base image for the Docker container. This can be done using the <strong><code>FROM<\/code><\/strong> instruction command. 
The image will be pulled from the&nbsp;<a aria-label=\" (opens in a new tab)\" href=\"https:\/\/docs.docker.com\/docker-hub\/repos\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\"><em>Public Repositories<\/em><\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-mod-security-3-with-apache-in-a-docker-container\">Running ModSecurity 3 with Apache in a Docker Container<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"build-mod-security-3-with-apache-in-docker-image\">Build ModSecurity 3 with Apache in Docker Image<\/h4>\n\n\n\n<p>Once you have set up your Dockerfile, you can build an image from it.<\/p>\n\n\n\n<p>Ensure the Docker service is running;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status docker<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf docker.service - Docker Application Container Engine\n     Loaded: loaded (\/lib\/systemd\/system\/docker.service; enabled; vendor preset: enabled)\n     Active: active (running) since Thu 2021-05-06 05:19:12 UTC; 1s ago\nTriggeredBy: \u25cf docker.socket\n       Docs: https:\/\/docs.docker.com\n   Main PID: 8542 (dockerd)\n      Tasks: 8\n     Memory: 40.5M\n     CGroup: \/system.slice\/docker.service\n             \u2514\u25008542 \/usr\/bin\/dockerd -H fd:\/\/ --containerd=\/run\/containerd\/containerd.sock\n\nMay 06 05:19:08 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:08.455064769Z\" level=warning msg=\"Your kernel does not support CPU realtime scheduler\"\nMay 06 05:19:08 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:08.455517885Z\" level=warning msg=\"Your kernel does not support cgroup blkio weight\"\nMay 06 05:19:08 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:08.455936526Z\" level=warning msg=\"Your kernel does not support cgroup blkio weight_device\"\nMay 06 05:19:08 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:08.456858801Z\" level=info msg=\"Loading containers: start.\"\nMay 06 05:19:09 
kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:09.970095995Z\" level=info msg=\"Default bridge (docker0) is assigned with an IP address 172.17.0.0\/16. D&gt;\nMay 06 05:19:10 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:10.589619449Z\" level=info msg=\"Loading containers: done.\"\nMay 06 05:19:11 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:11.360156761Z\" level=info msg=\"Docker daemon\" commit=8728dd2 graphdriver(s)=overlay2 version=20.10.6\nMay 06 05:19:11 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:11.362448498Z\" level=info msg=\"Daemon has completed initialization\"\nMay 06 05:19:12 kifarunix.com systemd[1]: Started Docker Application Container Engine.\nMay 06 05:19:12 kifarunix.com dockerd[8542]: time=\"2021-05-06T05:19:12.141070774Z\" level=info msg=\"API listen on \/run\/docker.sock\"\n<\/code><\/pre>\n\n\n\n<p>If not, start the Docker service using;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl start docker<\/code><\/pre>\n\n\n\n<p>Before you can build the image, there are files that need to be copied from the host as per our Dockerfile. 
These are the ModSecurity rules file and the Apache site configuration file.<\/p>\n\n\n\n<p>Thus, create these files;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &gt; modsec_rules.conf &lt;&lt; 'EOL'\nInclude \"\/etc\/apache2\/modsecurity.d\/modsecurity.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/crs-setup.conf\"\nInclude \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/*.conf\"\nEOL\n<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat &gt; 000-default.conf &lt;&lt; 'EOL'\n&lt;VirtualHost *:80&gt;\n\tmodsecurity on\n\tmodsecurity_rules_file \/etc\/apache2\/modsecurity.d\/modsec_rules.conf \n\tServerAdmin webmaster@localhost\n\tDocumentRoot \/var\/www\/html\n\tErrorLog ${APACHE_LOG_DIR}\/error.log\n\tCustomLog ${APACHE_LOG_DIR}\/access.log combined\n&lt;\/VirtualHost&gt;\nEOL\n<\/code><\/pre>\n\n\n\n<p>You can now proceed to build the Docker image.<\/p>\n\n\n\n<p>To build a Docker image using a Dockerfile, simply use the <strong><code>docker build &lt;path to Dockerfile&gt;<\/code><\/strong> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker build .<\/code><\/pre>\n\n\n\n<p>I used the <strong><code>dot (.)<\/code><\/strong> to signify the current location of my Dockerfile.<\/p>\n\n\n\n<p>If it is not in the current working directory, then use the <code><strong>-f<\/strong><\/code> option to specify the path:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker build -f \/path\/to\/a\/Dockerfile .<\/code><\/pre>\n\n\n\n<p>Sample output of the build command;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\nStep 14\/18 : RUN mv \/etc\/apache2\/sites-available\/000-default.conf \/etc\/apache2\/sites-available\/000-default.conf.old\n ---&gt; Running in ac6525e24f7d\nRemoving intermediate container ac6525e24f7d\n ---&gt; ec6d4457b765\nStep 15\/18 : ADD 000-default.conf \/etc\/apache2\/sites-available\/\n ---&gt; 7c4201ccfd92\nStep 16\/18 : VOLUME \/var\/log\/apache2\n ---&gt; Running in 9919d9cf570d\nRemoving intermediate 
container 9919d9cf570d\n ---&gt; aa45b6406512\nStep 17\/18 : EXPOSE 80\n ---&gt; Running in 368fc959c99d\nRemoving intermediate container 368fc959c99d\n ---&gt; 210d4c2df36e\nStep 18\/18 : CMD apachectl -D FOREGROUND\n ---&gt; Running in dfea7e1352ee\nRemoving intermediate container dfea7e1352ee\n ---&gt; 229edcf62162\nSuccessfully built 229edcf62162\n<\/code><\/pre>\n\n\n\n<p>You have successfully built the ModSecurity 3 with Apache Docker image.<\/p>\n\n\n\n<p>Listing the currently available images;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker image ls<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>REPOSITORY   TAG       IMAGE ID       CREATED       SIZE\n&lt;none&gt;       &lt;none&gt;    229edcf62162   2 hours ago   2.48GB\n...<\/code><\/pre>\n\n\n\n<p>Our ModSecurity 3 Docker image ID is <code>229edcf62162<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"running-mod-security-3-with-apache-docker-container\">Running ModSecurity 3 with Apache Docker Container<\/h4>\n\n\n\n<p>You can now create a ModSecurity Docker container based on the image created above using the <strong><code><a href=\"https:\/\/docs.docker.com\/engine\/reference\/commandline\/run\/\" target=\"_blank\" aria-label=\" (opens in a new tab)\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">docker run<\/a><\/code><\/strong> command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker run [OPTIONS] IMAGE [COMMAND] [ARG...]<\/code><\/pre>\n\n\n\n<p>For example, we can launch our Apache Server with ModSecurity container by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker run --name modsec3-apache -dp 80:80 229edcf62162<\/code><\/pre>\n\n\n\n<p>The above command starts an Apache with ModSecurity container called <strong>modsec3-apache<\/strong> in the background (-d) based on the image created. 
It also publishes container port 80 on port 80 of the host server.<\/p>\n\n\n\n<p>Listing the containers;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker container ls<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>CONTAINER ID   IMAGE          COMMAND                  CREATED              STATUS              PORTS                               NAMES\nae4017bdaf23   229edcf62162   \"\/bin\/sh -c 'apachec\u2026\"   About a minute ago   Up About a minute   0.0.0.0:80-&gt;80\/tcp, :::80-&gt;80\/tcp   modsec3-apache<\/code><\/pre>\n\n\n\n<p>You can also list running containers using the <strong><code>docker ps<\/code><\/strong> command.<\/p>\n\n\n\n<p>And that is it. Your Apache with ModSecurity running as a Docker container is set up.<\/p>\n\n\n\n<p>You can test whether ModSecurity is now protecting Apache running in a Docker container as follows.<\/p>\n\n\n\n<p>Open port 80\/tcp on the host firewall;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow 80\/tcp<\/code><\/pre>\n\n\n\n<p>Now, on the host, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ss -altnp | grep :80<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>LISTEN    0         4096               0.0.0.0:80               0.0.0.0:*        users:((\"docker-proxy\",pid=29372,fd=4))                                        \nLISTEN    0         4096                  &#91;::]:80                  &#91;::]:*        users:((\"docker-proxy\",pid=29377,fd=4)) <\/code><\/pre>\n\n\n\n<p>So, on the host, we can access our Apache\/ModSecurity Docker container using any address;<\/p>\n\n\n\n<p>hence, to test the effectiveness of ModSecurity in the container;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl 'localhost?doc=\/bin\/ls'<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n<strong>&lt;!DOCTYPE HTML PUBLIC \"-\/\/IETF\/\/DTD HTML 2.0\/\/EN\">\n&lt;html>&lt;head>\n&lt;title>403 
Forbidden&lt;\/title>\n&lt;\/head>&lt;body>\n&lt;h1>Forbidden&lt;\/h1>\n&lt;p>You don't have permission to access this resource.&lt;\/p>\n&lt;hr>\n&lt;address>Apache\/2.4.41 (Ubuntu) Server at localhost Port 80&lt;\/address>\n&lt;\/body>&lt;\/html><\/strong>\n<\/code><\/pre>\n\n\n\n<p>You can log in to the container and check the logs;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker exec -it modsec3-apache \/bin\/bash<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail \/var\/log\/apache2\/error.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n[Thu May 06 17:12:15.526844 2021] [:notice] [pid 16:tid 139891014069312] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.\nAH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message\n[Thu May 06 17:12:15.592630 2021] [mpm_event:notice] [pid 16:tid 139891014069312] AH00489: Apache\/2.4.41 (Ubuntu) configured -- resuming normal operations\n[Thu May 06 17:12:15.592655 2021] [core:notice] [pid 16:tid 139891014069312] AH00094: Command line: '\/usr\/sbin\/apache2 -D FOREGROUND'\n[Thu May 06 17:32:37.690656 2021] [:error] [pid 17:tid 139890944558848] [client 172.17.0.1:60688] ModSecurity: Warning. 
Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) [file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"172.17.0.2\"] [uri \"\/\"] [unique_id \"162032235753.217056\"] [ref \"o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\n[Thu May 06 17:35:30.014353 2021] [:error] [pid 17:tid 139890927757056] [client 172.17.0.1:60692] ModSecurity: Warning. Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) [file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"172.17.0.2\"] [uri \"\/\"] [unique_id \"16203225307.958576\"] [ref \"o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\n...\n<\/code><\/pre>\n\n\n\n<p>You can also check how to view the logs using the <code><a aria-label=\" (opens in a new 
tab)\" href=\"https:\/\/docs.docker.com\/engine\/reference\/commandline\/logs\/\" rel=\"noreferrer noopener nofollow\" target=\"_blank\" class=\"rank-math-link\">docker logs<\/a><\/code> command.<\/p>\n\n\n\n<p>You can as well set the container to store the logs on the host using the <strong><code>docker run<\/code><\/strong> <strong><code>--volume\/-v<\/code><\/strong> option.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>docker run --name modsec3-apache -v \/var\/log\/apache2:\/var\/log\/apache2 -dp 80:80 229edcf62162<\/code><\/pre>\n\n\n\n<p>The logs should now be written to the <code><strong>\/var\/log\/apache2<\/strong><\/code> on the host.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>tail -f \/var\/log\/apache2\/error.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n[Thu May 06 17:55:35.007467 2021] [:notice] [pid 16:tid 139799054105664] ModSecurity: ModSecurity-Apache v0.1.1-beta configured.\nAH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message\n[Thu May 06 17:55:35.066755 2021] [mpm_event:notice] [pid 16:tid 139799054105664] AH00489: Apache\/2.4.41 (Ubuntu) configured -- resuming normal operations\n[Thu May 06 17:55:35.066783 2021] [core:notice] [pid 16:tid 139799054105664] AH00094: Command line: '\/usr\/sbin\/apache2 -D FOREGROUND'\n[Thu May 06 17:55:56.640042 2021] [:error] [pid 18:tid 139798870210304] [client 172.17.0.1:60700] ModSecurity: Warning. 
Matched \"Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:doc' (Value: `\/bin\/ls' ) [file \"\/etc\/apache2\/modsecurity.d\/owasp-crs\/rules\/REQUEST-932-APPLICATION-ATTACK-RCE.conf\"] [line \"496\"] [id \"932160\"] [rev \"\"] [msg \"Remote Command Execution: Unix Shell Code Found\"] [data \"Matched Data: bin\/ls found within ARGS:doc: \/bin\/ls\"] [severity \"2\"] [ver \"OWASP_CRS\/3.2.0\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-shell\"] [tag \"platform-unix\"] [tag \"attack-rce\"] [tag \"paranoia-level\/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS\/WEB_ATTACK\/COMMAND_INJECTION\"] [tag \"WASCTC\/WASC-31\"] [tag \"OWASP_TOP_10\/A1\"] [tag \"PCI\/6.5.2\"] [hostname \"172.17.0.2\"] [uri \"\/\"] [unique_id \"162032375634.996239\"] [ref \"o1,6v10,7t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase\"]\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our guide on how to install ModSecurity 3 with Apache in a Docker container.&nbsp;Libmodsecurity (Modsecurity v3), is an open source, cross platform 
web<\/p>\n","protected":false},"author":1,"featured_media":8792,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,1207],"tags":[3496,3497,3494,1141,3495,3498],"class_list":["post-8781","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-modsecurity","tag-apache-with-modsecurity-docker-container","tag-install-modsecurity-3-in-a-docker-container","tag-install-modsecurity-3-with-apache-in-a-docker-container","tag-modsecurity-3","tag-modsecurity-docker-container","tag-run-modsecurity-3-in-a-docker-container","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8781"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8781"}],"version-history":[{"count":13,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8781\/revisions"}],"predecessor-version":[{"id":21824,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8781\/revisions\/21824"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8792"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}