How to Install ModSecurity Apache on Ubuntu 20.04

Install ModSecurity Apache on Ubuntu 20.04

In this article, we will have explained the necessary steps to install and configure ModSecurity Apache on Ubuntu 20.04 LTS. Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges. All the commands in this tutorial should be run as a non-root user.

ModSecurity is the most well-known open-source web application firewall (WAF), providing comprehensive protection for your web applications (like WordPress, Owncloud, Ghost, etc) against a wide range of Layer 7 (HTTP) attacks, such as SQL injection, cross-site scripting, and local file inclusion. ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.

Install ModSecurity Apache on Ubuntu 20.04

Step 1. First, before you start installing any package on your Ubuntu server, we always recommend making sure that all system packages are updated.

sudo apt update
sudo apt upgrade

Step 2. Install ModSecurity on the Ubuntu system.

Run the command to install it on Ubuntu:

sudo apt install libapache2-mod-security2

Restart Apache for the change to take effect:

sudo systemctl restart apache2

Verify that the version of ModSecurity:

apt-cache show libapache2-modsecurity

Step 3. Configure ModSecurity.

Now move and change the name of the default ModSecurity file:

sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Next, download the OWASP ModSecurity CRS from Github:

cd ~
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git

After that, move and rename crs-setup.conf.example to crs-setup.conf. Then move rules/ directory as well:

cd ~/owasp-modsecurity-crs
sudo mv crs-setup.conf.example /etc/modsecurity/crs-setup.conf
sudo mv rules/ /etc/modsecurity/

Next, open this configuration file:

sudo nano etc/apache2/mods-available/security2.conf

Add another Include directive pointing to the ruleset:

<IfModule security2_module>
        # Default Debian dir for modsecurity's persistent data
        SecDataDir /var/cache/modsecurity

        # Include all the *.conf files in /etc/modsecurity.
        # Keeping your local configuration in that directory
        # will allow for an easy upgrade of THIS file and
        # make your life easier
        IncludeOptional /etc/modsecurity/*.confInclude /etc/modsecurity/rules/*.conf
</IfModule>

Restart Apache for changes to take effect:

sudo systemctl restart apache2

Step 4. Test ModSecurity.

Open the default Apache configuration and add two additional directives, using the default configuration as an example:

sudo nano /etc/apache2/sites-available/000-default.conf

Add the SecRuleEngine and SecRule directives as shown below:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SecRuleEngine On
    SecRule ARGS:modsecparam "@contains test" "id:4567,deny,status:403,msg:'ModSecurity test rule'"
</VirtualHost>

Restart Apache to take changes into effect:

sudo systemctl restart apache2

Next, curl the index page to intentionally trigger the alarms using the following:

curl localhost/index.html?modsecparam=test

The response code should be 403. There should be a message in the logs that shows the defined ModSecurity rule worked. You should expect to get a 403 response code and see the response from the logs:

sudo tail -f /var/log/apache2/error.log

That’s all you need to do to install ModSecurity on Ubuntu 20.04 LTS Focal Fossa. I hope you find this quick tip helpful. For further reading on ModSecurity Apache, please refer to their official knowledge base. If you have questions or suggestions, feel free to leave a comment below.