Ubuntu 12.04 Precise LTS: Install ModSecurity for Apache 2 web server








  1. Install ModSecurity:
    sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache-mod-security
    If your Ubuntu is 64-bit, you need to fix a bug:
    sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2
  2. Configure ModSecurity:
    sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf; sudo vi /etc/modsecurity/modsecurity.conf
        
    Enable the rule engine:
    SecRuleEngine On
    Increase the request body size limit to 10Mb (optional, only if your site accepts uploads):
    SecRequestBodyLimit 10000000
    SecRequestBodyInMemoryLimit 10000000
  3. Check the ModSecurity version:
    dpkg -s libapache-mod-security | grep Version
    The installed ModSecurity version is:
    Version: 2.6.3-1ubuntu0.2
  4. Install OWASP ModSecurity Core Rule Set:
    1. Download the rule set (version 2.2.5, because the latest version requires ModSecurity 2.7.0+):
      wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/v2.2.5 -O /tmp/owasp.tar.gz
    2. Extract the package:
      cd /tmp; tar -zxvf owasp.tar.gz; rm owasp.tar.gz
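    3. Move the directory to /etc/modsecurity, and set the permissions:
      sudo mv SpiderLabs-owasp-modsecurity-crs-5c28b52/ /etc/modsecurity/owasp-crs
      sudo chmod -R u=rwX,go=rX /etc/modsecurity/owasp-crs
      (Capital X keeps the search bit on directories; a recursive 644 would strip it, and the cd in the next step would then fail for a non-root user.)
    4. Link the rules into the /etc/modsecurity/owasp-crs/activated_rules directory: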
      sudo mv /etc/modsecurity/owasp-crs/modsecurity_crs_10_setup.conf.example /etc/modsecurity/owasp-crs/modsecurity_crs_10_setup.conf
      cd /etc/modsecurity/owasp-crs/activated_rules/
      sudo ln -s ../modsecurity_crs_10_setup.conf
      for f in ../base_rules/*; do sudo ln -s "$f" .; done
      for f in ../optional_rules/*; do sudo ln -s "$f" .; done
    5. Modify /etc/apache2/mods-available/mod-security.conf to include the rules:
      sudo vi /etc/apache2/mods-available/mod-security.conf
      Add the following line:
      Include "/etc/modsecurity/owasp-crs/activated_rules/*.conf"
    6. Enable headers module:
      sudo a2enmod headers
      This fixes the following error when restarting apache2:
      Syntax error on line 29 of /etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf:
      Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration
      Action 'configtest' failed.
      The Apache error log may have more information.
         ...fail!
  5. Enable ModSecurity module and restart apache2:
    sudo a2enmod mod-security; sudo /etc/init.d/apache2 restart
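
A post-install check for the layout built in steps 2 and 4, as an added example that is not part of the original post. The function names and the optional path arguments are illustrative; the default paths are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: sanity checks for the layout this tutorial creates.
# Function names and the optional path arguments are illustrative.

# Effective SecRuleEngine value: the last uncommented directive wins.
rule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Number of symlinks in activated_rules whose target does not exist.
count_dangling_links() {
    n=0
    for link in "$1"/*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Number of directories in the rule tree without the owner search (x) bit;
# a recursive chmod to a file mode such as 644 produces these.
count_untraversable_dirs() {
    find "$1" -type d ! -perm -100 2>/dev/null | wc -l | tr -d ' '
}

# Print a one-line report; exit status 0 only if every check passes.
check_install() {
    conf=${1:-/etc/modsecurity/modsecurity.conf}
    crs=${2:-/etc/modsecurity/owasp-crs}
    mode=$(rule_engine_mode "$conf")
    dangling=$(count_dangling_links "$crs/activated_rules")
    blocked=$(count_untraversable_dirs "$crs")
    echo "SecRuleEngine=$mode dangling_links=$dangling untraversable_dirs=$blocked"
    [ "$mode" != "unset" ] && [ "$dangling" -eq 0 ] && [ "$blocked" -eq 0 ]
}

# Run against the tutorial's paths when invoked as: sh check.sh check
if [ "${1:-}" = "check" ]; then check_install; fi
```

A reported mode of DetectionOnly means the rules are evaluated and logged but requests are not blocked; On means matching requests are denied.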



9 comments:

  1. I've got libapache-mod-security version 2.6.3-1ubuntu0.2 but am still getting:

    Syntax error on line 29 of /etc/modsecurity/activated_rules/modsecurity_crs_21_protocol_anomalies.conf

    According to comments from the author in http://www.tecmint.com/protect-apache-using-mod_security-and-mod_evasive-on-rhel-centos-fedora/

    The directory activated_rules contains some rules that come with modsecurity 2.2.5 version and are not compatible with the modsecurity version 2.6.6. In version 2.6.6 no such activated_rules directory exists. See my article; did I mention the directory above?

  2. Thank you very much. This is a great tutorial. You listed just the things that I needed to get this up and running. I think there is one issue with the first command in 4C. In order to move the contents of the folder instead of the folder itself, the command needs a trailing asterisk as here:

    sudo mv SpiderLabs-owasp-modsecurity-crs-5c28b52/* /etc/modsecurity/owasp-crs

  3. Great tutorial, many thanks for taking the time to put it together. After installing and configuring exactly as recommended, Apache won't serve up any pages without kicking out a "403 Forbidden" error for every single request. I realize the ruleset is likely restrictive, but that's a bit much! :)

    Any quick suggestions to get Apache serving files properly again?

    Replies
    1. Hello Kevin,

      For bypassing your error "404" you must modify /etc/modsecurity/modsecurity.conf --> SecRuleEngine on to DetectionOnly

      Good luck

      HM

  4. Hi,

    I followed your tutorial step by step but get the following error:

    Syntax error on line 53 of /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf:
    Error parsing actions: Unknown action: ver
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!

    Any ideas on how to fix it?

    Thanks in advance!

  5. Following the above tutorial will fix the error, dude!
