OWASP ModSecurity Core Rule Set

ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. I like to think about it as an enabler: there are no hard rules telling you what to do; instead, it is up to you to choose your own path through the available features. That’s why the title of this section asks what ModSecurity can do, not what it does.

  • Real-time application security monitoring and access control
  • Full HTTP traffic logging
  • Continuous passive security assessment
  • Web application hardening

ModSecurity is an Apache module, so you can add it to any compatible version of Apache. The embedded option is a great choice for those who already have their architecture laid out and don’t want to change it. Embedded deployment is also the only option if you need to protect hundreds of web servers. In such situations, it is impractical to build a separate proxy-based security layer. Embedded deployment does not introduce new points of failure, and it scales seamlessly as the underlying web infrastructure scales. The main challenge with embedded deployment is that server resources are shared between the web server and ModSecurity.

Installation

Install the apache2 module

$ sudo apt-get install libapache2-mod-security2

You can verify the installation with this command:

$ sudo apachectl -M | grep security
  security2_module (shared)

Next, let's make the recommended rules active:

$ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

ModSecurity is now in detection-only mode. In /etc/modsecurity/modsecurity.conf, the engine is set to detection mode (SecRuleEngine DetectionOnly). To turn it on, replace that line with SecRuleEngine On.


Restart the apache2 web server for the change to take effect:

$ sudo systemctl restart apache2
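
The edit described above can be scripted and checked rather than done by hand. The following is an added example, not part of the original post: the function names `engine_mode`, `enable_blocking` and `demo` are hypothetical helpers, and the sample file is constructed so that nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the original post): flip ModSecurity from
# DetectionOnly to blocking mode and confirm the change.

# Print the SecRuleEngine value that is active in one config file.
# Commented-out lines are skipped; if the directive appears more than
# once, the last occurrence is reported.
engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Replace an active "SecRuleEngine DetectionOnly" with "SecRuleEngine On".
# A copy of the original is kept as FILE.bak. Returns non-zero if the
# file does not end up in blocking mode.
enable_blocking() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    sed 's/^\([[:space:]]*SecRuleEngine[[:space:]][[:space:]]*\)DetectionOnly[[:space:]]*$/\1On/' \
        "$conf.bak" > "$conf" || return 1
    [ "$(engine_mode "$conf")" = "On" ]
}

# Demonstration on a constructed sample file.
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed excerpt in the style of modsecurity.conf
#SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
    echo "before: $(engine_mode "$sample")"
    enable_blocking "$sample" && echo "after:  $(engine_mode "$sample")"
    rm -f "$sample" "$sample.bak"
}

demo
```

On the server itself, call `enable_blocking /etc/modsecurity/modsecurity.conf` as root and run `sudo apachectl configtest` before restarting Apache.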

By default, mod_security comes with a core rule set (security rules) located in the /usr/share/modsecurity-crs directory. However, it is recommended to download the mod_security CRS from its GitHub repository.

First, remove the default CRS with the following command:

$ sudo rm -rf /usr/share/modsecurity-crs

Next, download the latest version of mod_security CRS with the following command:

$ sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

Next, rename the example setup file with the following command:

$ cd /usr/share/modsecurity-crs  
$ sudo mv crs-setup.conf.example crs-setup.conf

Next, enable the rules by editing the /etc/apache2/mods-enabled/security2.conf file. Change the file as shown below:

<IfModule security2_module>
SecDataDir /var/cache/modsecurity
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>

Save and close the file to finish the installation, then restart the Apache service.

$ sudo systemctl restart apache2

This is how we install ModSecurity on Apache2 + Ubuntu!
