How to Install ModSecurity on Ubuntu 20.4.1

To Install Modsecurity on Ubuntu 20.4.1

Introduction:

Mod security is a free Apache module that is used to secure our web server from various attacks including SQL injection, cross site scripting, session hijacking, brute force, and other exploits. It also permits us to monitor traffic on a real-time basis. Check OS version by using the below command

root@linuxhelp:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.1 LTS
Release:	20.04
Codename:	focal

You can install mod security using the following command:

root@linuxhelp:~# apt-get install libapache2-mod-security2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  apache2-bin libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0 liblua5.2-0 modsecurity-crs
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom lua geoip-database-contrib ruby python
The following NEW packages will be installed:
  apache2-bin libapache2-mod-security2 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.1-0

check if the mod_security module is running, use the following command You should see a module named security2_module (shared) which indicates that the module was loaded.

root@linuxhelp:~# apachectl -M | grep --color security
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

enable the mod_security rules, you need to rename and edit the mod security recommended configuration file and set the SecRuleEngine option to On For this run the following command:

root@linuxhelp:~# mv /etc/modsecurity/modsecurity.conf-recommended/  /etc/modsecurity/modsecurity.conf/
root@linuxhelp:~# vim /etc/modsecurity/modsecurity.conf

Add/edit the following line in the above opened file:

SecRuleEngine On

Now restart Apache for the changes to take effect.

root@linuxhelp:~# systemctl restart apache2

There are lot of security rules that come with Modesecurity (called the Core Rule Set) that are located in the “/usr/share/modsecurity-crs” directory. Now you need to enable these rules to get it working with Apache.

root@linuxhelp:~# vim /etc/apache2/mods-enabled/security2.conf

Add/edit the following line:

IncludeOptional  “/usr/share/modsecurity-crs/*.con”
IncludeOptional  “/usr/share/modsecurity-crs/base_rules/*.conf

Save the file and restart the Apache service.

root@linuxhelp:~# systemctl restart apache2

With this method Installation of modsecurity on Ubuntu 20.4.1 comes to an end.

Tag : ModSecurity Ubuntu
FAQ
Q
What's new in ModSecurity and why should I upgrade if I am already using ModSecurity 1.x?
A
In order to use the OWASP ModSecurity Core Rules, you must use the 2.x version of ModSecurity as it takes advantage of specific features not available in previous versions.
Q
What attacks do the Core Rules protect against?
A
In order to provide generic web applications protection, the Core Rules use the following techniques:
HTTP protection - detecting violations of the HTTP protocol and a locally defined usage policy. Common Web Attacks Protection - detecting common web application security attacks. Automation detection - Detecting bots, crawlers, scanners, and other surface malicious activity.
Q
What is a Virtual Patch and why should I care?
A
Fixing identified vulnerabilities in web applications always requires time. Organizations often do not have access to a commercial application's source code and are at the vendor's mercy while waiting for a patch. Even if they have access to the code, implementing a patch in development takes time.
Q
What is the difference between ModSecurity and CRS?
A
ModSecurity is a firewall engine that can inspect traffic on your web server. It can log and block requests. However, an engine does nothing without a certain policy. The CRS delivers a policy where requests to your web applications are inspected for various attacks, and malicious traffic is blocked.
Q
What is meant by ModSecurity?
A
ModSecurity is an open-source Web Application Firewall (WAF). It can be installed as a module inside the Apache, Nginx, or IIS web servers.