ModSecurity is a free, open-source web application firewall (WAF) that can run as a module on the Apache web server. It can help you detect and block various types of attacks, including:
- Cross-Site Scripting (XSS)
- Backdoors
- Trojans
- ASP/PHP Injection
- SQL & Command Injection, etc.
In this guide, we will help you install the mod_security module on a web server running Ubuntu or Debian. For my part, I have tested the ModSecurity module on Ubuntu 11.10. If you haven't installed an Apache web server on Ubuntu, you can follow the instructions given here. On Debian, log in as root in the terminal (su), then run the commands given below without the "sudo" command.
Note: ModSecurity works only with Apache 2 or higher.
ModSecurity Installation
1. To install ModSecurity on Ubuntu, open the terminal (Ctrl+Alt+T) and run this command:
sudo apt-get install libapache2-modsecurity
2. Now create a directory for ModSecurity in the Apache2 folder:
sudo mkdir /etc/apache2/modsecurity
3. Now create the configuration file for ModSecurity, which will be loaded by Apache, using this command:
sudo gedit /etc/apache2/conf.d/modsecurity.conf
Inside this new file, insert these two lines:
## /etc/apache2/conf.d/modsecurity.conf
Include modsecurity/*.conf
Save your file and close it.
4. Now go to the previously created folder and copy the ModSecurity rules into it using these two commands:
cd /etc/apache2/modsecurity
sudo cp -R /usr/share/modsecurity-crs/base_rules/* .
5. There is a line that needs to be corrected in the modsecurity_crs_20_protocol_violations.conf file. Via the terminal, edit this file with this command:
sudo gedit /etc/apache2/modsecurity/modsecurity_crs_20_protocol_violations.conf
- Replace this line:
SecRule REQBODY_ERROR "!@eq 0" \
with this one:
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
Save the file and close it.
6. Now restart the Apache web server with this command:
sudo /etc/init.d/apache2 restart
7. To verify that the ModSecurity module is loaded in Apache, use this command:
grep modsecurity /var/log/apache2/error.log
- The output should look like this:
ModSecurity for Apache/2.6.0 (URL) configured.
That's it!
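Steps 5 and 7 can be scripted so that they are repeatable after a rules update. The following is an added example, not part of the original guide or of the ModSecurity project; the function names and the `--apply` switch are hypothetical, and the file paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: helpers for steps 5 and 7. Function names and the --apply
# switch are hypothetical; paths are the ones used in this guide.

OLD_RULE='^[[:space:]]*SecRule[[:space:]]+REQBODY_ERROR[[:space:]]'

# Step 5: rename REQBODY_ERROR to REQBODY_PROCESSOR_ERROR on SecRule lines only.
# Keeps a .bak copy, leaves commented-out rules alone, and is safe to re-run.
# Prints how many active rules still use the old name (0 means done).
fix_reqbody_var() {
    rules_file=$1
    [ -f "$rules_file" ] || { echo "missing: $rules_file" >&2; return 2; }
    if grep -Eq "$OLD_RULE" "$rules_file"; then
        cp -p "$rules_file" "$rules_file.bak"
        # Redirecting into the original keeps its owner and permissions.
        sed -E 's/^([[:space:]]*SecRule[[:space:]]+)REQBODY_ERROR([[:space:]])/\1REQBODY_PROCESSOR_ERROR\2/' \
            "$rules_file.bak" > "$rules_file"
    fi
    grep -Ec "$OLD_RULE" "$rules_file" || true
}

# Step 7: print the version from the newest
# "ModSecurity for Apache/<version> ... configured." line in the error log.
# Returns 1 if the module never announced itself, 2 if the log is unreadable.
modsec_version_from_log() {
    log_file=$1
    [ -r "$log_file" ] || { echo "unreadable: $log_file" >&2; return 2; }
    ver=$(sed -n -E 's#.*ModSecurity for Apache/([^ ]+) .*configured\..*#\1#p' \
        "$log_file" | tail -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Run against the real files only when asked to (needs root for step 5).
if [ "${1:-}" = "--apply" ]; then
    left=$(fix_reqbody_var /etc/apache2/modsecurity/modsecurity_crs_20_protocol_violations.conf) || exit 2
    [ "$left" = "0" ] || { echo "old variable still present" >&2; exit 1; }
    if ver=$(modsec_version_from_log /var/log/apache2/error.log); then
        echo "ModSecurity $ver is loaded"
    else
        echo "ModSecurity not found in error.log; restart Apache and re-check" >&2
        exit 1
    fi
fi
```

Run it with `--apply` after step 6, so that the error log already contains the startup line from the restart.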