How to Install ModSecurity with OWASP on Apache Server
Installing Mod_Security and OWASP on Apache CentOS server – This tutorial will show you (with pictures) how to install a web application firewall engine that provides very little protection on its own. This web app, mod_security is basically used to protect and monitor real time HTTP traffic and web applications from brute fore attacks and it also acts as intrusion detection and prevention system for web applications. In order to become useful, ModSecurity must be configured with rules which we can then use OWASP (Open Web Application Security Project) which is a Core Rules Set (CRS) for mod_security base configuration. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity.
Prerequisites:
You can install mod_security in any server-compliant Linux distros like Ubuntu, Fedora, Debian and CentOS but this tutorial is done in a CentOS machine. You can simply adopt the command according to the Distro you are using. However, RHEL 6.2/6.1/6/5.8, CentOS 6.2/6.1/6/5.8 and Fedora 17,16,15,14,13,12 users can simply follow the exact steps.
Basically mod_security can be installed in most web servers like Nginx, Apache and even Microsoft IIS. But this tutorial will cover only on a server running Apache. So I assume you have already installed and configured your LAMP stack.
How to Install Mod_Security (using source code)
Step 1 – Login to your server and follow my previous guide about Basic setup for CentOS before you build a live web server. You may and may not follow that tutorial but if you followed, it will give you some basic security tweak to your server.
Before you proceed to the next steps, it is better to explain that all commands in this tutorial are written without the “sudo” prefix. However if you disabled root login and you logged in using another username with root privilege, you can add the “sudo” prefix all by your self. Alternatively you can simply type su, hit Enter and type in your password twice to switch login as root. You may also need to type this command to go to the root directory:
cd ~
Step 2 – Next, you have to install some dependency packages for mod_security. Here’s the command you can try to issue:
yum install gcc make yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel
p.s: if you see two lines of command like above means you have to hit Enter after each line for issuing the command.
Hit Y if asked to confirm.
Step 3 – Now download latest version of mod_security. To do that, you can always check it at ModSecurity official website (http://www.modsecurity.org/download/). In my case it is now version 2.7.4. Then issue this command:
cd /usr/src wget https://www.modsecurity.org/tarball/2.7.4/modsecurity-apache_2.7.4.tar.gz
screenshot:
Step 4 – Once downloaded, extract it using this command:
tar xzf modsecurity-apache_2.7.4.tar.gz
Of course you have to replace modsecurity-apache_2.7.4.tar.gz part with the latest version of ModSecurity you’ve downloaded.
Step 5 – Let’s install it. First, go to the newly extracted folder and configure it:
cd modsecurity-apache_2.7.4 ./configure
pic:
Next, install mod_security with simple make install command:
make install
The output will be a bit too long. Just wait till it done:
Step 6 – Once done, copy recommended configuration file:
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
Step 7 – Now load the module in your Apache configuration. You can use either Nano or vi editor to do that:
nano /etc/httpd/conf/httpd.conf
Step 8 – Once the editor appears, locate line LoadModule in your httpd.conf and add this below line at the bottom. If you are using Nano like me, hit Control+W to search.
LoadModule security2_module modules/mod_security2.so
pic:
In Nano, hit Control+O to save then Control+X to exit.
Do not restart Apache yet as we will also install OWSAP CRS to be integrated with Apache’s ModSecurity.
Alternate Method to Install Mod_Security
There is also another way you can follow to always install the latest version of ModSecurity module on your Apache server. Use these steps to replace step 3, 4 and 5 above:
Step 3 – Download Mod_Security from Github project page:
cd /usr/src git clone https://github.com/SpiderLabs/ModSecurity.git
Step 4 – Now issue these:
cd ModSecurity ./configure make install
form here you can simply follow steps 6 above.
How to Install OWASP CRS
Step 1 – Still in your favorite SSH client, now move to /etc/httpd directory:
cd /etc/httpd/
Step 2 – Next, lets grab OWASP CRS from SpiderLabs Github project page:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
pic:
Step 3 – A simple task, rename it to modsecurity-crs then go to that folder:
mv owasp-modsecurity-crs modsecurity-crs
cd modsecurity-crs
Step 4 – Now create configuration file from included example:
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
pic:
Step 5 – Finally, edit Apache configuration again:
nano /etc/httpd/conf/httpd.conf
then scroll down (go to the very bottom of the config page) and place this in the very bottom (after your virtual host file):
<IfModule security2_module>
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
</IfModule>
Now save it and exit Nano editor. Pic:
Restart Apache
So now you’ve installed Mod_Security and OWASP-CRS, it’s time to restart Apache service so the module can be loaded along with its rules:
service httpd restart
p.s: This tutorial is done in CentOS 6.4 x86_64 server hosted by DigitalOcean.
That’s it. Enjoy some basic necessary protection on your Apache server as the Mod_Security + OWASP CRS give you these advantages:
- HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy.
- Real-time Blacklist Lookups – utilizes 3rd Party IP Reputation
- Web-based Malware Detection – identifies malicious web content by check against the Google Safe Browsing API.
- Identification of Application Defects – alerts on application misconfigurations.
- HTTP Denial of Service Protections – defense against HTTP Flooding and Slow HTTP DoS Attacks.
- Common Web Attacks Protection – detecting common web application security attack.
- Automation Detection – Detecting bots, crawlers, scanners and other surface malicious activity.
- Tracking Sensitive Data – Tracks Credit Card usage and blocks leakages.
- Trojan Protection – Detecting access to Trojans horses.
- Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
- Error Detection and Hiding – Disguising error messages sent by the server.
Very good except you need to add this at step 6;
cp unicode.mapping /etc/httpd/conf.d
really helpful tutorials
🙂 bagus…
usul saja, selama paket aplikasi linux masih ada paket bawaan, semisal .rpm buat centos, kita gunakan itu.
biar kedepannya tidak menjadikan momok bagi pengguna newbie linux.
saya juga install mod_security + OWASP rule + mod_evasive melalui .rpm dari epel repo.
salam kenal bu .. 🙂
great idea! thanks 🙂
walah, orang surabaya to ? 😀 ..
kepengen nulis di server mom tapi ada kendala dibahasa, berarti pakai bahasa indonesia boleh dong ? nanti servermom yg translate.
Hello, this article helped me greatly in installing mod_security. Thank you for that! 🙂
I was wondering however what necessary steps are required if one wants to upgrade mod_security to the latest version? Repeat all the steps above with new version by first removing the old version OR replace some files to new version?
Thank you.
thinks you Sawiyati for your tutoriel.
it’s work very well, i hop if you can help me to install also a reverse proxy. The idea it’s to use apache as a reverse proxy with mod-security as WAF. All requests will be analysed by mod-security and forword to on of 3 web solutions that i use.
Sorry but I never heard such thing (Apache as reverse proxy). If you want, Nginx will be suitable for that (I believe) 🙂
modsecurity-crs/modsecurity_crs_10_config.conf was probably renamed to modsecurity-crs/modsecurity_crs_10_setup.conf
Thanks for this tutorial, full complete, good post.
Regards