ModSecurity is a powerful Apache module that acts as a Web Application Firewall (WAF). It enhances your server’s security by working with customizable rule sets, helping to monitor web traffic in real time and respond to potential threats.
In this guide, you’ll learn how to install and configure ModSecurity with Apache on your VPS.
1. Installing ModSecurity
Before getting started, ensure that Apache is installed on your VPS. Once Apache is set up, you can install ModSecurity by running the following command via SSH:
sudo apt install libapache2-mod-security2 -y
After installing ModSecurity, enable the Apache headers module with this command:
sudo a2enmod headers
Restart Apache to apply the changes:
sudo systemctl restart apache2
At this point, ModSecurity is successfully installed on your VPS.
2. Configuring ModSecurity
ModSecurity requires rules to function as a firewall. Begin by copying the recommended configuration file to modsecurity.conf:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Next, open the configuration file using a text editor (e.g., vim or nano):
sudo nano /etc/modsecurity/modsecurity.conf
Find the line that defines SecRuleEngine and change its value to On to enable the firewall:
SecRuleEngine On
Restart Apache again to apply the changes:
sudo systemctl restart apache2
3. Setting Rules with OWASP Core Rule Set
ModSecurity needs a set of rules to actively protect your server from attacks. The OWASP ModSecurity Core Rule Set (CRS) provides a robust collection of threat detection rules designed to protect web applications from a variety of security risks with minimal false positives.
Start by removing the pre-installed rule set that comes with ModSecurity:
sudo rm -rf /usr/share/modsecurity-crs
Then, install Git if it’s not already installed:
sudo apt install git
Clone the OWASP CRS repository from GitHub:
sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs
Next, rename the setup and rule exclusion files:
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
sudo mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
At this point, the OWASP CRS is set up and ready to be used.
4. Enabling ModSecurity in Apache
To enable ModSecurity with the OWASP CRS in Apache, open the security2 configuration file:
sudo nano /etc/apache2/mods-available/security2.conf
Add the following lines within the <IfModule security2_module> block to include the OWASP CRS files:
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
Include /usr/share/modsecurity-crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
</IfModule>
If your website uses SSL, add the SecRuleEngine directive set to On in your website's configuration file as well. You can also add it to the default virtual host configuration:
<VirtualHost *:80>
...
SecRuleEngine On
...
</VirtualHost>
Restart Apache to apply all the configurations:
sudo systemctl restart apache2
5. Testing ModSecurity
To test whether ModSecurity is working correctly, you can simulate a local file inclusion (LFI) attack against your own server:
curl "http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash"
Replace <SERVER-IP/DOMAIN> with your VPS IP address or domain name. If ModSecurity is properly configured, you should see the following message in response:
You don't have permission to access this resource.
This indicates that ModSecurity is actively blocking malicious requests and protecting your server.
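When the test request is not blocked, the file edits from steps 2 to 4 are the first thing to check. The shell script below is an added example, not part of the original guide: its function names are hypothetical, and it inspects only the paths and directives shown above. It also flags DetectionOnly, the SecRuleEngine value that logs matches without blocking them.

```shell
#!/bin/sh
# Added example: static check of the files edited in steps 2-4 of this guide.
# Function names are illustrative; paths are arguments so they can be overridden.

# Print the value of the last active (uncommented) SecRuleEngine directive.
secrule_engine_mode() {
    awk '{ sub(/\r$/, "") }
         $1 == "SecRuleEngine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Succeed if file $1 has an active Include/IncludeOptional line for path $2.
has_include() {
    awk -v want="$2" '{ sub(/\r$/, "") }
         $1 ~ /^Include(Optional)?$/ && $2 == want { found = 1 }
         END { exit !found }' "$1"
}

# check_modsec_setup MODSEC_CONF SECURITY2_CONF CRS_DIR
# Prints one line per finding and returns the number of problems.
check_modsec_setup() {
    conf="$1"; sec2="$2"; crs="$3"; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    if [ ! -f "$conf" ]; then
        fail "$conf missing (recommended file not copied, step 2)"
    else
        mode=$(secrule_engine_mode "$conf")
        case "$mode" in
            On) echo "OK: SecRuleEngine On" ;;
            DetectionOnly) fail "SecRuleEngine DetectionOnly: rules log but never block" ;;
            *) fail "SecRuleEngine is '$mode', expected On" ;;
        esac
    fi
    for f in crs-setup.conf rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf; do
        [ -f "$crs/$f" ] || fail "$crs/$f missing (.example not renamed, step 3)"
    done
    for inc in "$crs/crs-setup.conf" "$crs/rules/*.conf"; do
        has_include "$sec2" "$inc" 2>/dev/null || fail "no 'Include $inc' in $sec2 (step 4)"
    done
    return "$problems"
}

# Run against real paths only when all three are given on the command line.
if [ "$#" -eq 3 ]; then
    check_modsec_setup "$@"
fi
```

Run it with the three paths from this guide as arguments: /etc/modsecurity/modsecurity.conf, /etc/apache2/mods-available/security2.conf and /usr/share/modsecurity-crs. The exit status is the number of failed checks.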