A Guide to Install and Configure Mod_Security on Ubuntu 16.04 Server


ModSecurity (often shortened to modsec or mod_security) is an open-source Web Application Firewall (WAF) that plugs directly into Apache’s module system. Because it runs inside Apache, it sees every request in its earliest processing phases and can inspect and block malicious requests before they reach the web applications Apache serves, adding a layer of defence against the common attacks a server faces. This article walks through installing mod_security together with the OWASP Core Rule Set (CRS) on an Ubuntu 16.04 LTS server running Apache 2.4.

Prerequisites

Make sure your environment has the following:

• Ubuntu 16.04 LTS Server.
• Baseline Apache 2.4 pre-installed.
• Pre-configured Network & Internet Connection.
• Root user shell access (console or SSH).

You should also be comfortable with these basic system administration tasks:

• Navigating the Linux command line.
• Editing files in your editor of choice (vim, nano, emacs, etc.).

Pre-Flight Checks

Many Apache-based OS images ship mod_security as a standard module, so it may already be installed on the target system. Before continuing, confirm that you are running Apache 2.4 and check whether mod_security is already loaded, using the two commands below.

Note: All commands in this guide are prefixed with sudo, which runs a single command with root privileges. If you are new to sudo, you may be asked for your password before one or more of the commands in this guide will run.

Check Apache’s Version

sudo apache2ctl -v

Example Output:

Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

Check if the Security Module is Active

apache2ctl -M | grep security

– If this prints nothing, mod_security is not installed: proceed to the Installation Section.

– If it prints security2_module (shared), mod_security is already installed: skip ahead to the Configuration Section.

Installation Section

On Debian-based systems such as Ubuntu, installation is quick and painless with the apt package manager: pass the package name libapache2-modsecurity to apt and confirm. On Ubuntu 16.04 this is a small transitional package that pulls in libapache2-mod-security2 (the module itself) and modsecurity-crs (the Core Rule Set), as the output below shows.

Use apt to install the libapache2-modsecurity package

sudo apt install libapache2-modsecurity

Example Output:

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libapache2-mod-security2 libyajl2 modsecurity-crs
Suggested packages:
lua geoip-database-contrib ruby
The following NEW packages will be installed:
libapache2-mod-security2 libapache2-modsecurity libyajl2 modsecurity-crs
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 545 kB of archives.
After this operation, 3,960 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 libyajl2 amd64 2.1.0-2 [19.6 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 libapache2-mod-security2 amd64 2.9.0-1 [314 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 libapache2-modsecurity all 2.9.0-1 [2,006 B]
Get:4 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 modsecurity-crs all 2.2.9-1 [210 kB]
Fetched 545 kB in 0s (1,659 kB/s)
Selecting previously unselected package libyajl2:amd64.
(Reading database ... 92965 files and directories currently installed.)
Preparing to unpack .../libyajl2_2.1.0-2_amd64.deb ...
Unpacking libyajl2:amd64 (2.1.0-2) ...
Selecting previously unselected package libapache2-mod-security2.
Preparing to unpack .../libapache2-mod-security2_2.9.0-1_amd64.deb ...
Unpacking libapache2-mod-security2 (2.9.0-1) ...
Selecting previously unselected package libapache2-modsecurity.
Preparing to unpack .../libapache2-modsecurity_2.9.0-1_all.deb ...
Unpacking libapache2-modsecurity (2.9.0-1) ...
Selecting previously unselected package modsecurity-crs.
Preparing to unpack .../modsecurity-crs_2.2.9-1_all.deb ...
Unpacking modsecurity-crs (2.2.9-1) ...
Setting up libyajl2:amd64 (2.1.0-2) ...
Setting up libapache2-mod-security2 (2.9.0-1) ...
apache2_invoke: Enable module security2
Setting up libapache2-modsecurity (2.9.0-1) ...
Setting up modsecurity-crs (2.2.9-1) ...
Processing triggers for libc-bin (2.23-0ubuntu11) ...

After installation, you need to confirm if the security module is being loaded by Apache:

Check if the Security Module is Active

apache2ctl -M | grep security

Example Output:

security2_module (shared)

Configuration Section

Now that the base module is installed, it needs to be configured and enabled. This takes a few steps:

Step 1) Copy the recommended configuration into place as the live configuration. Ubuntu’s module config (/etc/apache2/mods-enabled/security2.conf) includes every *.conf file in /etc/modsecurity, so the copied file is picked up on the next restart:

sudo cp /etc/modsecurity/modsecurity.conf{-recommended,}

Step 2) The recommended config ships with “SecRuleEngine DetectionOnly”, which logs what the rules match but blocks nothing. Change it to “SecRuleEngine On” so that matching requests are actually blocked. On a site that is already in production it is safer to leave DetectionOnly in place for a while, review the audit log (/var/log/apache2/modsec_audit.log in the Ubuntu default config) for false positives, and only then switch to On:

sudo sed -i -e 's/^SecRuleEngine DetectionOnly$/SecRuleEngine On/' /etc/modsecurity/modsecurity.conf

Step 3) Check Apache’s config syntax & restart Apache if all is fine

sudo apache2ctl -t && sudo apache2ctl restart

Example output:

Syntax OK

Apache is now running with mod_security active, but no rules are loaded yet, so nothing is actually being inspected. The next section enables the rules.
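An added example, not part of the original guide, of doing the switch in Step 2 more carefully. Instead of a blind sed, the functions below read the effective value of a directive from a config file (the last uncommented occurrence wins, as in Apache), accept only the three values SecRuleEngine actually takes, edit in place idempotently, and print the other recommended-config settings worth checking before the engine goes to On. The function names and the config excerpt they run against are constructed for this example; the excerpt mirrors a few lines of modsecurity.conf-recommended but is not the real file:

```shell
#!/bin/bash
# Added example, not part of the original guide. A safer way to flip the
# rule engine than a blind sed: read the effective value of a directive
# (last uncommented occurrence wins, as Apache does), accept only the three
# values SecRuleEngine takes, edit in place idempotently, and refuse to touch
# a file that has no SecRuleEngine line at all. The config excerpt below is
# constructed for the demo; it mirrors a few lines of
# /etc/modsecurity/modsecurity.conf-recommended but is not the real file.
set -u

# Effective value of DIRECTIVE in FILE (empty if unset).   usage: modsec_get FILE DIRECTIVE
modsec_get() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Set SecRuleEngine to MODE (On | Off | DetectionOnly).   usage: modsec_set_engine FILE MODE
modsec_set_engine() {
    local file="$1" mode="$2" cur
    case "$mode" in
        On|Off|DetectionOnly) ;;
        *) echo "modsec_set_engine: invalid mode '$mode'" >&2; return 2 ;;
    esac
    cur=$(modsec_get "$file" SecRuleEngine)
    if [ -z "$cur" ]; then
        echo "modsec_set_engine: no SecRuleEngine directive in $file" >&2
        return 1
    fi
    [ "$cur" = "$mode" ] && return 0        # already set: nothing to do
    sed -i.bak "s/^[[:space:]]*SecRuleEngine[[:space:]].*/SecRuleEngine $mode/" "$file"
    [ "$(modsec_get "$file" SecRuleEngine)" = "$mode" ]   # verify the edit took
}

# The handful of settings worth checking before the engine goes to On.
modsec_review() {                               # usage: modsec_review FILE
    local d
    for d in SecRuleEngine SecRequestBodyAccess SecRequestBodyLimit \
             SecAuditEngine SecAuditLogRelevantStatus SecAuditLog; do
        printf '%-26s %s\n' "$d" "$(modsec_get "$1" "$d")"
    done
}

# --- demo on a constructed excerpt (not the real recommended file) ---
CONF=$(mktemp)
trap 'rm -f "$CONF" "$CONF.bak"' EXIT
cat > "$CONF" <<'EOF'
# constructed excerpt in the style of modsecurity.conf-recommended
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLog /var/log/apache2/modsec_audit.log
EOF

echo "before:"; modsec_review "$CONF"
modsec_set_engine "$CONF" On
echo "after:";  modsec_review "$CONF"
# On a real server, follow with: sudo apache2ctl -t && sudo apache2ctl restart
```

Point the functions at /etc/modsecurity/modsecurity.conf instead of the temp file to use them on a real host; the .bak copy sed leaves behind gives you a one-command rollback if the restart fails.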

Enable Core Rule Set & Base Rules

The security module is only as good as the rules it enforces. The libapache2-modsecurity package brings in a companion package, modsecurity-crs, which contains the OWASP ModSecurity Core Rule Set (CRS, version 2.2.9 on Ubuntu 16.04): a baseline set of rules that covers much of the most common malicious traffic on the Internet today. The threats the CRS protects against include, but are not limited to:

• SQL Injections (SQLi)
• Remote Code Execution (RCE)
• Cross Site Scripting (XSS)
• And many other common malicious behavior

The CRS is installed alongside the security module. Follow the steps below to enable the CRS and its base rules.

Step 1) Using your preferred editor, append the lines below to the end of /etc/modsecurity/modsecurity.conf. Order matters: the first line loads the CRS setup file from the top-level directory, which defines the default action and the variables the rules rely on, and the second loads whichever rule files are linked into activated_rules.

# ModSecurity Core Rule Set (CRS)
IncludeOptional /usr/share/modsecurity-crs/*.conf
IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

Step 2) In the activated_rules directory, create a symlink for all *.conf files in the base_rules directory

CSRD=/usr/share/modsecurity-crs; for e in $CSRD/base_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done

Step 3) Confirm symlinks are in the activated_rules directory (this is optional)

sudo ls /usr/share/modsecurity-crs/activated_rules/*.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_23_request_limits.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_30_http_policy.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_35_bad_robots.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_40_generic_attacks.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_xss_attacks.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_42_tight_security.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_45_trojans.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_47_common_exceptions.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_49_inbound_blocking.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_50_outbound.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_59_outbound_blocking.conf
/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_60_correlation.conf

Step 4) Verify Apache’s config syntax & restart Apache if all is fine:

sudo apache2ctl -t && sudo apache2ctl restart

Example output:

Syntax OK

The server is now configured and actively using the base_rules from the CRS. The CRS package ships further rule sets beyond base_rules; these are covered in the next section.

Rule of Thumb:
You should verify syntax and restart Apache, anytime changes are made to one or more mod_security rules.
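An added example, not part of the original guide, covering the check a practitioner wants right after that restart: does the CRS actually fire, and which rule ids are doing the blocking? The functions below probe the WAF with curl (only meaningful against a live server, so that part is defined but not run), summarise rule hits and denied clients from Apache’s error log, and print a SecRuleRemoveById exception for a rule that turns out to be a false positive. The function names and the sample log lines are constructed for this example; the rule ids and messages are the CRS 2.2.9 ones, but the hosts, clients, URIs and unique_ids are made up:

```shell
#!/bin/bash
# Added example, not part of the original guide. Once the CRS is live, check
# that it actually fires, then find out which rule ids are behind the
# denials so that a noisy rule can be excluded by id (SecRuleRemoveById)
# instead of deleting a whole rule file. Every log line below is a
# constructed sample in the shape mod_security 2.9 writes to Apache's
# error log; the client addresses, hostnames, URIs and unique_ids are made up.
set -u

# One benign request and one SQLi-looking probe against a site behind the
# WAF, printing the HTTP status of each. With "SecRuleEngine On" the probe
# should return 403; in DetectionOnly both return 200 but the probe still
# lands in the error log. Not run below because it needs a live server.
probe_waf() {                                   # usage: probe_waf http://host
    printf 'benign: '; curl -s -o /dev/null -w '%{http_code}\n' "$1/index.php?id=1"
    printf 'probe:  '; curl -s -o /dev/null -w '%{http_code}\n' \
        --get --data-urlencode "id=1' OR '1'='1" "$1/index.php"
}

# Hits per rule id: prints "<id> <hits>", busiest first.
modsec_hits_by_id() {                           # usage: modsec_hits_by_id LOG
    grep -o '\[id "[0-9]*"\]' "$1" | tr -dc '0-9\n' \
        | sort | uniq -c | sort -k1,1nr -k2,2n | awk '{ print $2, $1 }'
}

# The CRS message attached to a rule id (first occurrence in the log).
modsec_msg_for_id() {                           # usage: modsec_msg_for_id LOG ID
    grep "\[id \"$2\"\]" "$1" | sed -n 's/.*\[msg "\([^"]*\)"\].*/\1/p' | head -n 1
}

# Denied requests per client address (the :port Apache 2.4 appends is stripped).
modsec_denied_by_client() {                     # usage: modsec_denied_by_client LOG
    grep 'ModSecurity: Access denied' "$1" \
        | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' | sed 's/:[0-9]*$//' \
        | sort | uniq -c | sort -k1,1nr -k2,2 | awk '{ print $2, $1 }'
}

# Print a local exception for the given rule ids. SecRuleRemoveById only
# works when Apache reads it after the rule it removes, so append the output
# below the CRS IncludeOptional lines in /etc/modsecurity/modsecurity.conf.
modsec_exclusion() {                            # usage: modsec_exclusion ID [ID...]
    local id
    for id in "$@"; do
        case "$id" in ''|*[!0-9]*) echo "modsec_exclusion: bad rule id '$id'" >&2; return 1 ;; esac
    done
    printf 'SecRuleRemoveById %s\n' "$*"
}

# --- demo on constructed sample log lines ---
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Wed Jun 13 10:02:11.401922 2018] [:error] [pid 2214] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:id. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "WyDsYwoAAQEAAAimEXkAAAAA"]
[Wed Jun 13 10:03:45.118804 2018] [:error] [pid 2215] [client 198.51.100.7:40022] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [msg "Request Missing an Accept Header"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/api/status"] [unique_id "WyDs0QoAAQEAAAinEXoAAAAB"]
[Wed Jun 13 10:05:02.773310 2018] [:error] [pid 2214] [client 203.0.113.5:51240] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" at ARGS:user. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "64"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/login.php"] [unique_id "WyDtHgoAAQEAAAimEXsAAAAC"]
[Wed Jun 13 10:06:19.002417 2018] [:error] [pid 2216] [client 198.51.100.7:40031] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(...){4,}" at ARGS:q. [file "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "172"] [id "981173"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [severity "WARNING"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "WyDtawoAAQEAAAioEXwAAAAD"]
EOF

echo "== hits per rule id =="
modsec_hits_by_id "$SAMPLE_LOG" | while read -r id hits; do
    printf '%s %s  %s\n' "$id" "$hits" "$(modsec_msg_for_id "$SAMPLE_LOG" "$id")"
done
echo "== denials per client =="
modsec_denied_by_client "$SAMPLE_LOG"
echo "== exception for the search-form false positive (981173) =="
modsec_exclusion 981173
```

On a real host, source the functions and run modsec_hits_by_id /var/log/apache2/error.log after a day in DetectionOnly; a rule that keeps firing on legitimate traffic (a search form tripping 981173 is the classic case) gets an exclusion by id, which keeps the rest of that rule file active. That is the tuning step to prefer over deleting a symlink in activated_rules.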

Enable Additional Rules [Optional]

The Core Rule Set includes many additional rules beyond base_rules, split into three categories: experimental_rules, optional_rules and slr_rules, each kept in a directory of the same name. They are enabled the same way as the base_rules: create a symlink in the activated_rules directory pointing at the desired rule file. The commands below enable a whole category at once, should you need it.

Caution:
Think carefully before enabling rules beyond the base_rules set. The experimental_rules in particular are prone to false positives and can block legitimate traffic, and the slr_rules target known flaws in specific web applications, so only the ones matching software you actually run are of any use. The commands are given to ease the process, not as an endorsement of enabling every rule wholesale.

experimental_rules

CSRD=/usr/share/modsecurity-crs; for e in $CSRD/experimental_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done

optional_rules

CSRD=/usr/share/modsecurity-crs; for e in $CSRD/optional_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done

slr_rules

CSRD=/usr/share/modsecurity-crs; for e in $CSRD/slr_rules/*.conf; do sudo ln -s $e $CSRD/activated_rules/; done

Disable Rules

To disable a rule file, delete its symlink in the activated_rules directory and restart Apache to make the change active. Bear in mind that this disables every rule in that file; if only one rule in a file is producing false positives, keep the file and exclude that single rule by id with a SecRuleRemoveById directive placed after the CRS include lines.

Example: Remove the application_defects rule file (one of the optional_rules) and restart Apache.

sudo rm -f /usr/share/modsecurity-crs/activated_rules/modsecurity_crs_55_application_defects.conf
sudo apache2ctl restart

That’s it! You have now learned to install and configure mod_security on Ubuntu 16.04 server.
