
ModSecurity 2.9.0 on Ubuntu 14.04

It’s a bit tricky to install ModSecurity on Ubuntu 14.04 LTS. The official Ubuntu repository only offers the old ModSecurity 2.7.7, not the latest version. Most tutorials online are also outdated.

After some tests I’ve developed the following steps to compile and install ModSecurity 2.9.0 on Ubuntu 14.04, with OWASP Core Rule Set (CRS). Other rule sets will also do.

Note: Apache is used in this tutorial. Nginx users should make changes accordingly. 32-bit OS needs a minor twist, and so does the old Apache 2.2 (see comments).
Step 1
# update and install build-tools and dependencies
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install gcc make libxml2 libxml2-dev liblua5.1 apache2-prefork-dev

# enable mod_unique_id
sudo a2enmod unique_id
sudo service apache2 restart

# compile and install in the /tmp/ folder
cd /tmp/
wget https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz
tar xvzf modsecurity-2.9.0.tar.gz
cd modsecurity-2.9.0/
sudo ./configure
sudo make
sudo make install

Step 2
# create .conf file in /etc/apache2/mods-available/
sudo nano /etc/apache2/mods-available/security2.conf

# add the following lines into the file
<IfModule security2_module>
    # Default Debian dir for modsecurity's persistent data
    SecDataDir /var/cache/modsecurity

    # Include all the *.conf files in /etc/modsecurity.
    # Keeping your local configuration in that directory
    # will allow for an easy upgrade of THIS file and
    # make your life easier
    IncludeOptional /etc/modsecurity/*.conf
</IfModule>

# save and quit nano
Step 3
# create .load file in /etc/apache2/mods-available/
sudo nano /etc/apache2/mods-available/security2.load

# add the following lines into the file
# Depends: unique_id
LoadFile libxml2.so.2
LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

# save and quit nano

Step 4
# copy the recommended configuration files
sudo mkdir /etc/modsecurity/
sudo cp modsecurity.conf-recommended unicode.mapping /etc/modsecurity/
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

# load module
sudo a2enmod security2
sudo service apache2 restart

# if syntax errors are found, check the files we just created, /etc/apache2/mods-available/security2.conf and /etc/apache2/mods-available/security2.load, to make sure the content is correct.

# check module is loaded
sudo apachectl -M | grep security

# there should be no syntax error; expected output:
security2_module (shared)

Step 5
# install the Open Web Application Security Project (OWASP) Core Rule Set (CRS):
wget https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/master.tar.gz
tar xvzf master.tar.gz
sudo cp -r owasp-modsecurity-crs-master/* /etc/modsecurity/
sudo cp /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

# create symbolic links
sudo ls /etc/modsecurity/base_rules | xargs -I {} sudo ln -s /etc/modsecurity/base_rules/{} /etc/modsecurity/activated_rules/{}
sudo ls /etc/modsecurity/optional_rules | xargs -I {} sudo ln -s /etc/modsecurity/optional_rules/{} /etc/modsecurity/activated_rules/{}

# [optional] install selected slr-rules (SpiderLabs Research Rules) designed for known vulnerabilities in specific applications
# to install this optional rule set, check the second source listed at the end of this document for method
# note: installing all slr-rules will likely cause the “same-id” error

# add the rules to Apache2
sudo nano /etc/apache2/mods-available/security2.conf

# add the following line before </IfModule>:
Include "/etc/modsecurity/activated_rules/*.conf"

# reload Apache2
sudo service apache2 restart

# if Apache fails with the error: Invalid command ‘RequestHeader’, perhaps misspelled or defined by a module
# on Ubuntu, enable the headers module:
sudo a2enmod headers

# then restart Apache
sudo service apache2 restart

Step 6
# run a test attack against the web server, and check whether it is logged in the Apache error log and, if enabled, the ModSecurity audit log:
/var/log/modsec_audit.log

# turn on modsecurity
sudo nano /etc/modsecurity/modsecurity.conf

# change SecRuleEngine DetectionOnly to SecRuleEngine On
# save and quit nano
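
A pre-restart check for the layout built in Steps 4 to 6, added here as an example and not part of the original post: it reports the effective SecRuleEngine mode, rule ids defined more than once in activated_rules (the “same-id” error noted in Step 5), and symlinks whose target is missing. The function names and the script name preflight.sh are illustrative assumptions.

```shell
#!/bin/sh
# Pre-restart checks for the ModSecurity layout from Steps 4-6 (added example).

# Print the effective SecRuleEngine value: the last uncommented directive wins.
engine_mode() {
    awk 'tolower($1) == "secruleengine" { m = $2 }
         END { print (m == "" ? "unset" : m) }' "$1"
}

# Print every rule id defined more than once in DIR/*.conf (the "same-id" error).
duplicate_rule_ids() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue        # skips dangling links and an empty glob
        grep -v '^[[:space:]]*#' "$f" || true
    done | { grep -oE "(^|[^[:alnum:]_.])id:'?[0-9]+" || true; } |
        tr -dc '0-9\n' | sort | uniq -d
}

# Print symlinks in DIR whose target does not exist.
dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print
}

# Run all checks against a ModSecurity config directory; non-zero on problems.
preflight() {
    dir=$1 rc=0
    echo "SecRuleEngine: $(engine_mode "$dir/modsecurity.conf")"
    dups=$(duplicate_rule_ids "$dir/activated_rules")
    broken=$(dangling_links "$dir/activated_rules")
    if [ -n "$dups" ]; then echo "duplicate rule ids:"; echo "$dups"; rc=1; fi
    if [ -n "$broken" ]; then echo "dangling symlinks:"; echo "$broken"; rc=1; fi
    return $rc
}

# Usage: sh preflight.sh /etc/modsecurity
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

A DetectionOnly result is expected until the SecRuleEngine change in Step 6 has been made; only duplicate ids and dangling links produce a non-zero exit.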
# https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
# https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/INSTALL
# https://www.modsecurity.org/
# https://gist.github.com/fduran/1947100
# http://packages.ubuntu.com/trusty/libapache2-mod-security2