Install ModSecurity with Apache on AlmaLinux 8

In this guide, we want to teach you How To Install ModSecurity with Apache on AlmaLinux 8.

Web application firewalls are deployed to establish an external security layer that increases the protection level and detects and prevents attacks before they reach web-based software programs.

ModSecurity is an open-source web-based firewall application (or WAF) supported by different web servers: Apache, Nginx, and IIS.

The module is configured to protect web applications from various attacks. ModSecurity supports flexible rule engines to perform both simple and complex operations.

what you read in this post?

Steps To Install ModSecurity with Apache on AlmaLinux 8

Steps To Install ModSecurity with Apache on AlmaLinux 8

To install ModSecurity with Apache, you must log in to your server as a non-root user with sudo privileges. To do this, you can follow our guide the Initial Server Setup with AlmaLinux 8.

Now follow the steps below to complete this guide.

Install Required packages and Dependencies for ModSecurity

LibModsecurity is going to be compiled from the source and thus a number of build tools and dependencies are required.

First, you need to update your local package index with the command below:

sudo dnf update -y

Then, enable the PowerTools on AlmaLinux 8 with the command below:

sudo dnf config-manager --set-enabled powertools

Now run the following commands to install the Epel and Remi repositories:

sudo dnf install epel-release -y

sudo dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm -y

sudo dnf config-manager --set-enabled remi

Next, use the following command to install the required packages and dependencies:

sudo dnf install gcc-c++ flex bison yajl curl-devel curl zlib-devel pcre-devel autoconf automake git curl make libxml2-devel pkgconfig libtool httpd-devel redhat-rpm-config git wget openssl openssl-devel vim GeoIP-devel doxygen yajl-devel libmaxminddb libmaxminddb-devel GeoIP-devel lmdb lmdb-devel ssdeep-devel lua-devel perl-File-Path -y

Download Modsecurity From Source on AlmaLinux 8

First, you need to create a temporary directory to store the source tarballs with the following command:

mkdir ~/modsec

Note: You can choose to use the /opt instead.

Then, visit the ModSecurity Release page and download the ModSecurity source code. You can simply use the wget command to download it.

Switch to your ModSecurity directory:

cd ~/modsec

Then, use the command below to download the ModSecurity source code:

wget -P ~/modsec https://github.com/SpiderLabs/ModSecurity/releases/download/v3.0.7/modsecurity-v3.0.7.tar.gz

Extract your downloaded file:

sudo tar xzf modsecurity-v3.0.7.tar.gz

Compile and Install Modsecurity on AlmaLinux 8

Navigate to the LibModsecurity source directory:

cd modsecurity-v3.0.7

Then, configure LibModsecurity to adapt it to your system and check if any required dependency is missing:

sudo ./build.sh

Note: You can safely ignore the fatal: * messages.

sudo ./configure --with-maxmind=no

Fix any dependency issue just in case there is any before you can proceed to compile and install LibModsecurity with Apache on AlmaLinux.

At this point, you can compile and install ModSecurity:

sudo make

sudo make install

Install ModSecurity-Apache Connector on AlmaLinux 8

At this point, you can install the ModSecurity-apache connector which provides a communication channel between Apache and libModsecurity.

First, clone the git repository for the ModSecurity Apache connector:

# cd ~
# sudo git clone https://github.com/SpiderLabs/ModSecurity-apache

Then, switch to the ModSecurity-apache directory and run the following commands to compile and install it.

cd ModSecurity-apache

sudo ./autogen.sh

sudo ./configure --with-libmodsecurity=/usr/local/modsecurity/

sudo make

sudo make install

Configure Apache with ModSecurity

Now you need to configure Apache to load the ModSecurity Apache connector module by adding the line below to the main Apache configuration file.

echo "LoadModule security3_module /usr/lib64/httpd/modules/mod_security3.so" | sudo tee -a /etc/httpd/conf/httpd.conf

Then, create a ModSecurity configuration directory under the /etc/httpd/conf.d file:

mkdir /etc/httpd/conf.d/modsecurity.d

Copy the sample ModSecurity configuration file from the source code directory to the ModSec configuration directory created above renaming it as follows.

sudo cp ~/modsec/modsecurity-v3.0.7/modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Also, copy the unicode.mapping file from the ModSecurity source directory to the Apache Modsecurity configuration directory:

sudo cp ~/modsec/modsecurity-v3.0.7/unicode.mapping /etc/httpd/conf.d/modsecurity.d/

Activate ModSecurity by changing the value of SecRuleEngine to On.

sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

Next, change the default log directory for Modsecurity:

sudo sed -i 's#/var/log/modsec_audit.log#/var/log/httpd/modsec_audit.log#' /etc/httpd/conf.d/modsecurity.d/modsecurity.conf

At this point, you need to configure ModSecurity rules by creating a file where you can define the rules to include:

cat > /etc/httpd/conf.d/modsecurity.d/rules.conf << 'EOL' 
Include "/etc/httpd/conf.d/modsecurity.d/modsecurity.conf" 
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf" 
Include "/etc/httpd/conf.d/modsecurity.d/owasp-crs/rules/*.conf" 
EOL

Since we have included the OWASP Rules, proceed to install them.

Install OWASP ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity. It aims at protecting web applications from a wide range of attacks, including the OWASP Top Ten, minimum of false alerts.

Clone the CRS from GitHub repository to the /etc/apache2/modsecurity.d/ as shown below:

sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/httpd/conf.d/modsecurity.d/owasp-crs

Then, rename the crs-setup.conf.example to crs-setup.conf:

sudo cp /etc/httpd/conf.d/modsecurity.d/owasp-crs/crs-setup.conf{.example,}

Activate ModSecurity on AlmaLinux 8

After all, you need to activate ModSecurity on the default site configuration file or on any virtual host configuration file. In this guide, we are using Apache’s default site configuration file.

Note that you have to enable ModSecurity per-directory context.

sudo vi /etc/httpd/conf/httpd.conf

Add the following lines under the >Directory “/var/www/html”<:

 modsecurity on
 modsecurity_rules_file /etc/httpd/conf.d/modsecurity.d/rules.conf

When you are done, save and close the file.

Check Apache for configuration errors and restart it:

httpd -t

Output
Syntax OK

sudo systemctl restart httpd

Test ModSecurity on AlmaLinux

Now that you are done with everything, you can test the effectiveness of Modsecurity with OWASP rules, for example, using the command injection. Run the command below:

curl localhost/index.html?exec=/bin/bash

Output
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
</body></html>

If you see, 403 Forbidden then it means you have nailed it.

You can as well check Modsecurity logs:

tail /var/log/httpd/modsec_audit.log

Output
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.
...
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with 
...

You will also find such logs on Apache error log files: