- Published on
Core Rule Set: Install Apache with ModSecurity and the Core Rule Set on Debian 12
- Authors
- Name
- Alex Lee
- @alexjoelee
**FYI: **This post is part of a series where we're covering how to use and implement the Core Rule Set. Check our all of our special articles and tutorials for Cybersecurity Month 2023.
Core Rule Set 3 poster by Hugo Costa, unmodified, original located here: https://coreruleset.org/poster/ Welcome to this comprehensive tutorial where you will be guided through the process of installing Apache, ModSecurity, and the Core Rule Set on your Debian server.By beginning this setup, you are showing a proactive attitude in protecting your digital world from a variety of online dangers. Apache serves as a reliable and widely-used web server solution, while ModSecurity acts as a vigilant watchdog, identifying and mitigating potential threats in real-time. Coupling these with the Core Rule Set further sharpens this security apparatus, providing a set of predefined rules to identify common threats. Though the journey may seem technical, the peace of mind and the layer of security you gain are invaluable. Every step you take is a stride towards creating a safer, more resilient server environment. Rest assured, the effort you invest in this tutorial will pay dividends in enhancing your server's security, performance, and reliability.
Outline:
- Update your system
- Install Apache and ModSecurity Module
- Configure ModSecurity
- Install OWASP Core Rule Set (CRS)
- Verify That ModSecurity is working
Apache is a widely used web server, but adding an extra layer of security can be essential. That's where ModSecurity comes in. It's a firewall for your Apache server. With customizable rules, ModSecurity not only strengthens your server but also keeps a real-time watch on your web traffic, ready to thwart potential threats. The best part? ModSecurity easily works with Apache, Nginx, and IIS, and supports ever major Linux and Windows version or distribution.
This tutorial will guide you through installing ModSecurity on Apache and setting it up with essential rules from the Open Web Application Security Project's Core Rule Set (OWASP CRS). These steps will shield your server from various online risks, including SQL injections, denial of service attacks, bad requests, cross-site scripting attacks, and more.
Prerequisites
Before getting started with the installation and configuration of ModSecurity on your Apache web server, ensure that you have the following:
- A Debian Linux server set up and accessible via SSH.
- Superuser (root) access or a user with sudo privileges.
- Basic knowledge of working with the Linux command line.
Step1: Update Your System
Start by updating your Debian Linux system to ensure you have the latest software packages and security fixes. Run the following commands to update the system:
sudo apt update sudo apt upgrade
Step 2: Install Apache and ModSecurity Module
First, we need to install the Apache web server on our Debian system. To do this, run the following command:
sudo apt install apache2
Next, let's install the ModSecurity module for Apache. Execute the following command to install it:
sudo apt install libapache2-mod-security2
Once the ModSecurity module is installed, it needs to be enabled. To enable it, run this command:
sudo a2enmod security2
Step 3: Configure ModSecurity
ModSecurity comes with a default set of rules, but it's often necessary to tailor them to your specific requirements. The primary configuration file for ModSecurity can be found at /etc/modsecurity/modsecurity.conf. To make adjustments, open this file in your text editor and enable or disable specific rules, adjusting their severity as needed.
**1. Enable/Disable Rules: **You can adjust the rules by editing this configuration file. For instance, if you want to activate a rule that blocks SQL injection attempts, locate the following line:
SecRuleEngine DetectionOnly
Comment this line by adding a "#" symbol at the beginning and add the line below to enable the rule:
#SecRuleEngine DetectionOnly
Make similar changes to activate or deactivate other rules as needed.
2. Modify Rule Severity: You can also modify the severity of specific rules. This allows you to control how strictly ModSecurity enforces those rules. You'll find rule severity settings within the configuration file, and you can adjust them to your desired levels.
3. Custom Rules: If you have custom security requirements, you can create your own ModSecurity rules. These rules can be added to separate configuration files and included in the main configuration. This is useful for addressing specific threats or tailoring protection for your applications.
After making changes to the ModSecurity configuration file, you need to restart the Apache web server to apply these modifications. Use the following command:
sudo systemctl restart apache2
Step 4: Install the OWASP Core Rule Set (CRS)
After setting up and configuring ModSecurity, the next step is defining a set of rules to spot and block harmful actors. If you're new with ModeSecurity, it's advisable to start with existing rule sets to get going swiftly. There are several free rule sets available for ModSecurity, with the OWASP Core Rule Set (CRS) being the widely used standard.
The CRS is not only free and community-maintained but also offers a solid default configuration for ModSecurity. It comes with rules that can help thwart common attacks like SQL injection (SQLi), cross-site scripting (XSS), and more. Additionally, it can be integrated with Project Honeypot and includes rules to detect bots and scanners. Thanks to extensive testing, it has very few false positives.
If you install ModSecurity from the default Debian/Linux repository, the modsecurity-crs package is automatically included as a dependency. However, this package might not have the latest version of the OWASP core rule set. For enhanced security, it's recommended to obtain the latest version of the core rule set from GitHub.
Download the latest version of OWASP CRS from GitHub. At the time of writing, the latest version is 3.3.5.
wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.5.zip
Next, extract the CRS file
tarxvfv3.3.5.tar.gz
Create a new directory to store CRS files.
sudo mkdir /etc/apache2/modsecurity-crs/
Move the extracted CRS directory to the new location:
sudo mv coreruleset-3.3.5/ /etc/apache2/modsecurity-crs/
Go to that directory.
cd /etc/apache2/modsecurity-crs/coreruleset-3.3.5/
Rename the crs-setup.conf.example file.
sudomvcrs-setup.conf.examplecrs-setup.conf
Edit the /etc/apache2/mods-enabled/security2.conf file.
sudo nano /etc/apache2/mods-enabled/security2.conf
Find the following line, which loads the default CRS files.
IncludeOptional /usr/share/modsecurity-crs/*.load
Change it to the following, so the latest OWASP CRS will be used.
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.5/crs-setup.conf IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-3.3.5/rules/*.conf
Save and close the file. Then test Apache configuration
sudo apache2ctl -t
If the syntax is OK, then restart Apache.
sudo systemctl restart apache2
Step 5: Verify that ModSecurity is Working
Finally, it's time to ensure that ModSecurity can effectively detect and block suspicious HTTP traffic. To achieve this, we need to edit the default virtual host configuration file by using the following command:
sudo nano /etc/apache2/sites-available/000-default.conf
Next, let's introduce a blocking rule that restricts access to a specific URL when accessed via a web browser. Add the following lines just before the closing 'Virtualhost' tag:
SecRuleEngineOn SecRuleARGS:testparam "@contains test" "id:254,deny,status:403,msg:'Test Successful'"
After making these changes, save the file and apply them by restarting the Apache web server:
sudo systemctl restart apache2
To test the system, attempt to access the specified URL with "?testparam=test" appended at the end:
http://server-ip/?testparam=test
If everything is set up correctly, you will receive a '403 Forbidden error,' indicating that access to the resource has been denied.
You can also ensure the client was blocked by checking the error logs using the following command:
cat /var/log/apache2/error.log | grep "Test Successful"
This verification assures that our ModSecurity setup effectively detects and prevents unwanted traffic.
Conclusion
To wrap up, you've now become adept at installing and configuring Apache, ModSecurity, and the Core Rule Set on the Debian Linux system. With these robust security measures in place, your server is well-protected against a host of potential online threats and vulnerabilities. However, to truly maximize the power of the Core Rule Set, we encourage you to refer to its comprehensive documentation. There, you'll find valuable insights and guidance to fine-tune your implementation, further enhancing your security rules.