ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it gives web application defenders visibility into HTTP(S) traffic and provides a powerful rules language and API for implementing advanced protections. It is a useful tool for protecting websites and web applications from web attacks such as SQL injection, cross-site scripting, brute-force attacks and DDoS attacks on the web server. It provides a set of powerful OWASP (Open Web Application Security Project) rules to protect against these vulnerabilities. This guide shows how to install ModSecurity on a CentOS server along with the OWASP core rule set.
To install ModSecurity, log in to the server as “root” and make sure all packages are up to date. Simply run the following command:
yum update -y
The above command checks the versions of the installed packages and downloads and installs the latest updates, along with any packages that are required but not yet installed.
ModSecurity needs a few dependencies to be installed before installing the mod_security package. Execute the following command in the server as “root” to install the dependencies.
yum install gcc make httpd-devel libxml2 pcre-devel libxml2-devel curl-devel git
Now, we will download the source code from ModSecurity’s official website to the server.
cd /opt/
wget https://www.modsecurity.org/tarball/2.9.1/modsecurity-2.9.1.tar.gz
Extract the downloaded archive and change the current working directory to the newly extracted directory:
tar xzfv modsecurity-2.9.1.tar.gz
cd modsecurity-2.9.1
Now, let's configure, compile and install mod_security from the source code:
./configure
make
make install
Copy the default mod_security configuration and the unicode.mapping file to the necessary Apache directory:
cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf
cp unicode.mapping /etc/httpd/conf.d/
The mod_security package is now installed on the server. Now, let us configure the Apache web server.
Edit the Apache configuration file using your favorite editor (nano /etc/httpd/conf/httpd.conf) and add the following:
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Now save the changes and restart Apache.
/etc/init.d/httpd restart
Now, we will download and configure the OWASP core rule set:
cd /etc/httpd
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
mv owasp-modsecurity-crs modsecurity-crs
cd modsecurity-crs
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf
Edit the Apache configuration file and add the following lines at the end of the file.
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
Now save the changes and restart Apache.
/etc/init.d/httpd restart
The OWASP core rule set is now configured and ModSecurity will start protecting your web server. There are also commercial rule sets available, which you can use to strengthen the ModSecurity WAF.
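A quick check of the result, as an added example that is not part of the original guide: the script below confirms that the LoadModule and Include lines from the steps above are active and reports the SecRuleEngine mode, because modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly, which logs rule matches without blocking them. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit the two files the guide edits.

# Print the last active value of directive $1 in file $2 (comment lines never match).
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$2"
}

# Print findings for httpd.conf ($1) and modsecurity.conf ($2); return the problem count.
audit_modsec() {
    problems=0
    for mod in security2_module unique_id_module; do
        awk -v m="$mod" 'tolower($1) == "loadmodule" && $2 == m { ok = 1 } END { exit !ok }' "$1" ||
            { echo "MISSING LoadModule $mod"; problems=$((problems + 1)); }
    done
    for inc in 'modsecurity-crs/modsecurity_crs_10_config.conf' 'modsecurity-crs/base_rules/*.conf'; do
        awk -v i="$inc" 'tolower($1) == "include" && $2 == i { ok = 1 } END { exit !ok }' "$1" ||
            { echo "MISSING Include $inc"; problems=$((problems + 1)); }
    done
    mode=$(directive_value SecRuleEngine "$2")
    case $mode in
        On) echo "OK SecRuleEngine On: matching requests are blocked" ;;
        DetectionOnly) echo "WARN SecRuleEngine DetectionOnly: rules log but do not block"
                       problems=$((problems + 1)) ;;
        *) echo "WARN SecRuleEngine is '${mode:-unset}'"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample files mirroring the guide's edits; $2 is the SecRuleEngine value.
make_sample() {
    mkdir -p "$1"
    cat > "$1/httpd.conf" <<'EOF'
LoadModule security2_module modules/mod_security2.so
LoadModule unique_id_module modules/mod_unique_id.so
Include modsecurity-crs/modsecurity_crs_10_config.conf
Include modsecurity-crs/base_rules/*.conf
EOF
    printf '# constructed sample\nSecRuleEngine %s\n' "$2" > "$1/modsecurity.conf"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" DetectionOnly
audit_modsec "$demo_dir/httpd.conf" "$demo_dir/modsecurity.conf" || echo "problems found: $?"
rm -rf "$demo_dir"
# On a real host: audit_modsec /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/modsecurity.conf
```

If the audit reports DetectionOnly, review the audit log for false positives before changing the directive to On in /etc/httpd/conf.d/modsecurity.conf and restarting Apache.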