ModSecurity is an Apache module that functions as a web application firewall (WAF). It inspects web traffic against rule sets that you can customize to strengthen your server's security, and it helps you detect and respond to security breaches by monitoring that traffic in real time.
In this guide, we'll walk you through the steps to install and configure ModSecurity with the Apache web server on your VPS.
Installing ModSecurity
Before installing ModSecurity, make sure Apache is installed on your VPS. You can refer to a separate guide for that.
To install ModSecurity, run the following command via SSH on your VPS:
sudo apt install libapache2-mod-security2 -y
Once the installation is complete, enable the Apache headers module:
sudo a2enmod headers
Next, restart Apache to apply the changes:
sudo systemctl restart apache2
At this point, ModSecurity is installed on your VPS.
Configuring ModSecurity
ModSecurity functions as a firewall, so it requires rules and an active configuration file to operate. Create that file by copying the shipped modsecurity.conf-recommended file to modsecurity.conf (the same name without the -recommended suffix):
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Use a text editor (such as vim or nano) to open the configuration file:
sudo vim /etc/modsecurity/modsecurity.conf
Within the file, find the line containing SecRuleEngine and change its value to On:
SecRuleEngine On
Once this change is made, restart Apache:
sudo systemctl restart apache2
Setting Up Rules
To effectively protect your web server from attacks, you need to implement a rule set. In this guide, we’ll use the OWASP Core Rule Set (CRS), a comprehensive collection of threat detection rules designed for web application firewalls like ModSecurity.
Start by removing the default rule set that comes with ModSecurity:
sudo rm -rf /usr/share/modsecurity-crs
Then, make sure git is installed:
sudo apt install git
Next, clone the OWASP CRS GitHub repository into the appropriate directory:
sudo git clone https://github.com/coreruleset/coreruleset /usr/share/modsecurity-crs
After cloning, rename the CRS setup file:
sudo mv /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
Rename the default request exclusion rule file:
sudo mv /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example /usr/share/modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf
With these steps, the OWASP CRS is now set up.
Enabling ModSecurity in Apache
To enable ModSecurity in Apache, open the /etc/apache2/mods-available/security2.conf file using a text editor:
sudo vim /etc/apache2/mods-available/security2.conf
Add the following lines to include the OWASP CRS files:
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
Include /usr/share/modsecurity-crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
</IfModule>
Next, open the /etc/apache2/sites-enabled/000-default.conf file and ensure that the SecRuleEngine directive is set to On within the VirtualHost block.
Note: If your site uses SSL, also add the SecRuleEngine directive to the SSL configuration file for that website.
Finally, restart Apache again:
sudo systemctl restart apache2
Testing ModSecurity
To test whether ModSecurity is working correctly, you can simulate a local file inclusion attack using the following curl command:
curl "http://<SERVER-IP/DOMAIN>/index.php?exec=/bin/bash"
Replace <SERVER-IP/DOMAIN> with your VPS’s IP address or the domain hosted on your server.
If ModSecurity is properly configured, you should see an error message in the output that says:
You don't have permission to access this resource.
This confirms that ModSecurity is actively blocking potential attacks.
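The script below is an added example, not part of the original guide. It repeats the two checks that matter after this setup: that the last active SecRuleEngine value in the configuration file is On (DetectionOnly logs matches without blocking them), and that the test request above is answered with HTTP 403. The function names and the --check flag are this example's own.

```shell
#!/bin/sh
# Added example: post-install checks for the ModSecurity setup in this guide.
# Function names and the --check flag are this example's own.

# Print the last active (uncommented) SecRuleEngine value in a config file.
engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Succeed only when the file leaves the engine in blocking mode (On).
is_blocking() {
    [ "$(engine_mode "$1" | tr '[:upper:]' '[:lower:]')" = "on" ]
}

# Interpret the HTTP status returned for the guide's test request.
verdict_for_status() {
    case "$1" in
        403)    echo "blocked" ;;
        000|"") echo "unreachable" ;;   # curl reports 000 when no response arrived
        *)      echo "not-blocked" ;;
    esac
}

# Send the guide's test request to host $1 and print the verdict.
probe() {
    status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$1/index.php?exec=/bin/bash") || true
    verdict_for_status "$status"
}

# Run the live checks only when asked: sh check.sh --check [host]
if [ "${1:-}" = "--check" ]; then
    conf=/etc/modsecurity/modsecurity.conf
    echo "SecRuleEngine in $conf: $(engine_mode "$conf")"
    is_blocking "$conf" || echo "WARNING: engine is not in blocking mode"
    apachectl -M 2>/dev/null | grep -q security2_module \
        || echo "WARNING: security2_module is not loaded"
    echo "Test request verdict: $(probe "${2:-localhost}")"
fi
```

A 403 can also come from ordinary Apache access rules, so confirm the block in the Apache error log, where ModSecurity entries name the rule that matched.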