Enabling ModSecurity protection in Apache2 on Ubuntu

This post documents how to add ModSecurity protection to Ubuntu's Apache. It has been tested on Ubuntu 11.04 but might work on earlier or later releases with a few modifications.

Installation of base packages

ModSecurity is an open source Web Application Firewall (WAF). It adds request filtering and other security features to the Apache HTTP Server.

Fortunately, ModSecurity is already part of the Ubuntu package repositories, so installing the necessary packages and enabling the module is straightforward:

apt-get install libapache2-mod-security mod-security-common
a2enmod mod-security
/etc/init.d/apache2 force-reload

Activation of the core rule set

The mod-security-common package contains the core rule set (CRS), which is not configured automatically. To activate the CRS, /etc/apache2/conf.d/mod-security.conf has to be created with the following content:

<IfModule security2_module>
    Include /usr/share/doc/mod-security-common/examples/rules/*conf
    Include /usr/share/doc/mod-security-common/examples/rules/base_rules/*conf
</IfModule>

Now the web server has to be restarted with the following command:

service apache2 restart

Testing the setup

To verify that the setup is working, a test file called test.php with the following content can be used (it is intentionally vulnerable to local file inclusion, which is exactly what the CRS should block):

<?php
// Intentionally vulnerable test file: includes whatever path the client supplies.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

It should be placed in the document root of your web server, so that it can be accessed at http://yourserver.tld/test.php. To run the actual test, request the following address:

http://yourserver.tld/test.php?secret_file=/etc/passwd

If the content of /etc/passwd is displayed, ModSecurity is not working. A working installation will instead return a "403 Forbidden" error, and the block is recorded in Apache's error log.
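As an added example (not part of the original post), the following Python script parses the "Access denied" lines that ModSecurity 2.x writes to Apache's error log when a request such as the test above is blocked, and summarizes them by rule and by client. The sample log lines, rule ids, file paths and client addresses are constructed for illustration and are not taken from a real server.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache 2.2 / ModSecurity 2.x error-log format.
# Rule ids, paths, hosts and client addresses are illustrative only.
SAMPLE_LOG = """\
[Tue Jun 07 10:01:02 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/etc/" at ARGS:secret_file. [file "/usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "123"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [hostname "yourserver.tld"] [uri "/test.php"] [unique_id "abc123"]
[Tue Jun 07 10:01:03 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "/etc/" at ARGS:secret_file. [file "/usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "123"] [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/"] [severity "CRITICAL"] [hostname "yourserver.tld"] [uri "/test.php"] [unique_id "abc124"]
[Tue Jun 07 10:05:00 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union select" at ARGS:id. [file "/usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "66"] [id "950001"] [msg "SQL Injection Attack"] [severity "CRITICAL"] [hostname "yourserver.tld"] [uri "/index.php"] [unique_id "abc125"]
[Tue Jun 07 10:06:00 2011] [notice] Apache/2.2.17 (Ubuntu) configured -- resuming normal operations
"""

# Prefix of a ModSecurity block entry: timestamp, level, client, denial code.
DENIED_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] '
    r'ModSecurity: Access denied with code (?P<code>\d+)'
)
# Trailing bracketed key/value fields such as [id "950005"] [msg "..."] [uri "..."].
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')


def parse_denied(line):
    """Return a dict describing a blocked request, or None for any other log line."""
    m = DENIED_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return {
        "timestamp": m.group("ts"),
        "client": m.group("client"),
        "code": int(m.group("code")),
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "uri": fields.get("uri"),
        "file": fields.get("file"),
    }


def summarize(log_text):
    """Parse every line and count blocks per (rule id, message) and per client."""
    events = [e for e in (parse_denied(l) for l in log_text.splitlines()) if e]
    by_rule = Counter((e["rule_id"], e["msg"]) for e in events)
    by_client = Counter(e["client"] for e in events)
    return {"events": events, "by_rule": by_rule, "by_client": by_client}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (rule_id, msg), n in summary["by_rule"].most_common():
        print(f"rule {rule_id} ({msg}): {n} blocked request(s)")
    for client, n in summary["by_client"].most_common():
        print(f"client {client}: {n} blocked request(s)")
```

On a live server, feed it the contents of /var/log/apache2/error.log instead of SAMPLE_LOG to see which CRS rules fired for the test request.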

  1. Thanks, these instructions worked perfectly. I am running Debian, apache2/modsecurity and had been having problems getting crs to start.

    Many Thanks, BikerMike

  2. Thanks for this! Have it running now. Any chance you can simulate another attack? Like SQL injection and see those in log files or so?

  3. Thanks for the write-up.

    Small update / correction: the apt-get command refers to an unavailable package repository. It should be:

    apt-get install libapache2-mod-security2 mod-security2-common
