Installing Mod_Security and OWASP on Apache CentOS server – This tutorial will show you (with pictures) how to install a web application firewall engine that provides very little protection on its own. This web app, mod_security is basically used to protect and monitor real time HTTP traffic and web applications from brute fore attacks and it also acts as intrusion detection and prevention system for web applications. In order to become useful, ModSecurity must be configured with rules which we can then use OWASP (Open Web Application Security Project) which is a Core Rules Set (CRS) for mod_security base configuration. The Core Rules are heavily commented to allow it to be used as a step-by-step deployment guide for ModSecurity.
You can install mod_security in any server-compliant Linux distros like Ubuntu, Fedora, Debian and CentOS but this tutorial is done in a CentOS machine. You can simply adopt the command according to the Distro you are using. However, RHEL 6.2/6.1/6/5.8, CentOS 6.2/6.1/6/5.8 and Fedora 17,16,15,14,13,12 users can simply follow the exact steps.
Basically mod_security can be installed in most web servers like Nginx, Apache and even Microsoft IIS. But this tutorial will cover only on a server running Apache. So I assume you have already installed and configured your LAMP stack.
How to Install Mod_Security (using source code)
Step 1 – Login to your server and follow my previous guide about Basic setup for CentOS before you build a live web server. You may and may not follow that tutorial but if you followed, it will give you some basic security tweak to your server.
Before you proceed to the next steps, it is better to explain that all commands in this tutorial are written without the “sudo” prefix. However if you disabled root login and you logged in using another username with root privilege, you can add the “sudo” prefix all by your self. Alternatively you can simply type su, hit Enter and type in your password twice to switch login as root. You may also need to type this command to go to the root directory:
Step 2 – Next, you have to install some dependency packages for mod_security. Here’s the command you can try to issue:
yum install gcc make
yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel
p.s: if you see two lines of command like above means you have to hit Enter after each line for issuing the command.
Hit Y if asked to confirm.
Step 3 – Now download latest version of mod_security. To do that, you can always check it at ModSecurity official website (http://www.modsecurity.org/download/). In my case it is now version 2.7.4. Then issue this command:
Step 4 – Once downloaded, extract it using this command:
tar xzf modsecurity-apache_2.7.4.tar.gz
Of course you have to replace modsecurity-apache_2.7.4.tar.gz part with the latest version of ModSecurity you’ve downloaded.
Step 5 – Let’s install it. First, go to the newly extracted folder and configure it:
Next, install mod_security with simple make install command:
The output will be a bit too long. Just wait till it done:
Step 6 – Once done, copy recommended configuration file:
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
Step 7 – Now load the module in your Apache configuration. You can use either Nano or vi editor to do that:
Step 8 – Once the editor appears, locate line LoadModule in your httpd.conf and add this below line at the bottom. If you are using Nano like me, hit Control+W to search.
LoadModule security2_module modules/mod_security2.so
In Nano, hit Control+O to save then Control+X to exit.
Do not restart Apache yet as we will also install OWSAP CRS to be integrated with Apache’s ModSecurity.
Alternate Method to Install Mod_Security
There is also another way you can follow to always install the latest version of ModSecurity module on your Apache server. Use these steps to replace step 3, 4 and 5 above:
Step 3 – Download Mod_Security from Github project page:
git clone https://github.com/SpiderLabs/ModSecurity.git
Step 4 – Now issue these:
form here you can simply follow steps 6 above.
How to Install OWASP CRS
Step 1 – Still in your favorite SSH client, now move to /etc/httpd directory:
Step 2 – Next, lets grab OWASP CRS from SpiderLabs Github project page:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
Step 3 – A simple task, rename it to modsecurity-crs then go to that folder:
mv owasp-modsecurity-crs modsecurity-crs
Step 4 – Now create configuration file from included example:
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Step 5 – Finally, edit Apache configuration again:
then scroll down (go to the very bottom of the config page) and place this in the very bottom (after your virtual host file):
Now save it and exit Nano editor. Pic:
So now you’ve installed Mod_Security and OWASP-CRS, it’s time to restart Apache service so the module can be loaded along with its rules:
service httpd restart
p.s: This tutorial is done in CentOS 6.4 x86_64 server hosted by DigitalOcean.
That’s it. Enjoy some basic necessary protection on your Apache server as the Mod_Security + OWASP CRS give you these advantages:
- HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy.
- Real-time Blacklist Lookups – utilizes 3rd Party IP Reputation
- Web-based Malware Detection – identifies malicious web content by check against the Google Safe Browsing API.
- Identification of Application Defects – alerts on application misconfigurations.
- HTTP Denial of Service Protections – defense against HTTP Flooding and Slow HTTP DoS Attacks.
- Common Web Attacks Protection – detecting common web application security attack.
- Automation Detection – Detecting bots, crawlers, scanners and other surface malicious activity.
- Tracking Sensitive Data – Tracks Credit Card usage and blocks leakages.
- Trojan Protection – Detecting access to Trojans horses.
- Integration with AV Scanning for File Uploads – detects malicious files uploaded through the web application.
- Error Detection and Hiding – Disguising error messages sent by the server.