ModSecurity (also known as ModSec) is an open-source web application firewall (WAF). It is deployed in front of websites and applications to protect them against many common attacks, including cross-site scripting (XSS) and code injection.
A commonly cited estimate is that around 70% of attacks are carried out at the web application layer, so deploying a WAF is a worthwhile measure for an organization's overall system security.
It adds an extra security layer in front of the web server: it inspects traffic, detects attacks and stops them before they reach the web application itself.
ModSecurity started out as a module for the Apache web server and over time grew into a full-fledged web application firewall with support for several platforms, including Apache, Nginx and IIS.
It works at the application layer (layer 7 of the OSI model).
It examines each incoming request, compares it against the patterns described by the rules in the loaded rule set, and acts on the request according to the outcome. If no rule triggers a disruptive action, the HTTP request is passed on to the web application to serve the content; otherwise the pre-defined action (for example logging the request and denying it with a 403) is applied.
ModSecurity itself provides a flexible rule engine for simple and complex operations; the actual protection comes from the rule set loaded into it, which is maintained separately (on Debian/Ubuntu a copy is pulled in as a recommended package dependency).
The most widely used rule set is the OWASP ModSecurity Core Rule Set (CRS), which is updated regularly and blocks a wide range of generic attacks, including the vulnerability classes in the OWASP Top Ten.
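To make the "match a pattern, then apply a pre-defined action" flow concrete, here is a small local rule file as an added example. It is not part of the original article or of the CRS; the file path /etc/modsecurity/local-rules.conf (picked up by the Debian package's IncludeOptional of /etc/modsecurity/*.conf), the /admin/editor path and the rule IDs are assumptions, with the IDs chosen in the 1-99,999 range that ModSecurity reserves for local rules.

```apache
# Added example (not from the article or the CRS): /etc/modsecurity/local-rules.conf
# Path, rule IDs and the /admin/editor location are assumptions.

# Phase 1 runs against the request headers, before the body is read. Reject
# requests that address the server by a bare IP address; scanners do this,
# browsers following a link do not. Disruptive action: deny with a 400.
SecRule REQUEST_HEADERS:Host "@rx ^(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?$" \
    "id:10001,\
    phase:1,\
    t:none,\
    deny,status:400,log,\
    msg:'Request addressed to a raw IP address, not a hostname'"

# Phase 2 runs once the request body is available, so ARGS covers both
# query-string and POST parameters. The t: transformations normalise the
# value (decode, collapse whitespace) before the regex is applied, so
# "1%20OR%201%3D1" and "1 or  1 = 1" are caught by the same rule.
SecRule ARGS "@rx (?i)\bor\b\s+\d+\s*=\s*\d+" \
    "id:10002,\
    phase:2,\
    t:none,t:urlDecodeUni,t:compressWhitespace,\
    deny,status:403,log,\
    msg:'SQL tautology in parameter %{MATCHED_VAR_NAME}',\
    logdata:'%{MATCHED_VAR}',\
    tag:'local/sqli'"

# Exceptions are part of the rule set too. A path whose users legitimately
# post markup can be switched to detection-only for that location alone:
# matches are still logged there, but nothing is blocked.
<Location "/admin/editor">
    SecRuleEngine DetectionOnly
</Location>
```

With SecRuleEngine On, a request such as `curl -i -G --data-urlencode 'id=1 or 1=1' http://localhost/` gets a 403 from rule 10002 and leaves an entry in the audit log named by SecAuditLog in modsecurity.conf; with DetectionOnly the same request reaches the application and is only logged. Run `sudo apachectl configtest` after editing rules: a duplicate id or an unknown action is a syntax error that stops Apache from starting.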
The ModSecurity module for Apache is available in the default Debian/Ubuntu repositories.
To install it, run the following commands in the terminal:
sudo apt install libapache2-mod-security2
sudo systemctl restart apache2
Verify that the module is loaded:
apachectl -M | grep security
security2_module (shared)
The Debian package normally enables the module on installation. If it is not listed, enable it and restart Apache:
sudo a2enmod security2
sudo systemctl restart apache2
By default ModSecurity runs in detection-only mode (SecRuleEngine DetectionOnly): suspicious requests are logged but never blocked. To detect and block traffic according to our requirements, the configuration has to be changed.
Let us have a closer look at the steps involved.
The package ships a recommended configuration at /etc/modsecurity/modsecurity.conf-recommended.
Apache only includes files named *.conf in that directory, so copy it and rename the copy to modsecurity.conf:
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo nano /etc/modsecurity/modsecurity.conf
Find the line SecRuleEngine DetectionOnly and change it to:
SecRuleEngine On
sudo systemctl restart apache2
This turns ModSecurity on with the basic default rules. Debian/Ubuntu also ship a packaged copy of the OWASP Core Rule Set in the /usr/share/modsecurity-crs directory.
It is recommended to download the latest CRS from the GitHub repository, since the packaged copy lags behind the developers' frequent updates. Two caveats: the repository below has since moved to https://github.com/coreruleset/coreruleset (the old URL redirects there), and if the modsecurity-crs package is installed, replacing its directory by hand means a later package upgrade can overwrite your clone; either remove the package first or clone to a separate directory and point Apache at that location.
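The same switch-over as an added example script (not code from the original article): it copies the recommended file, flips SecRuleEngine from DetectionOnly to On, and refuses to continue if the resulting file does not say On, so a typo cannot silently leave the engine in detection-only mode. Run with --apply as root to do it for real; with no arguments it performs a dry run on a constructed sample file. The apply_to_system step adds an apachectl configtest before the restart, which is not one of the article's steps. Paths are the Debian/Ubuntu defaults used above.

```shell
#!/bin/sh
# Added example (not from the original article): automate the
# modsecurity.conf-recommended -> modsecurity.conf step and verify the
# engine mode before Apache is restarted.
set -eu

# rule_engine_mode FILE: print the active SecRuleEngine value (On, Off or
# DetectionOnly). Commented-out directives are ignored; the last match wins,
# matching how Apache resolves a directive repeated in one file.
rule_engine_mode() {
    sed -n -E 's/^[[:space:]]*SecRuleEngine[[:space:]]+([A-Za-z]+).*/\1/p' "$1" | tail -n 1
}

# install_modsec_conf SRC DST: write DST from SRC with SecRuleEngine switched
# from DetectionOnly to On, keep a backup of any previous DST, leave every
# other directive as shipped, and fail if the engine did not end up On.
install_modsec_conf() {
    src="$1"
    dst="$2"
    if [ -e "$dst" ]; then
        cp -p "$dst" "$dst.bak"
    fi
    sed -E 's/^([[:space:]]*SecRuleEngine[[:space:]]+)DetectionOnly/\1On/' "$src" > "$dst"
    [ "$(rule_engine_mode "$dst")" = "On" ] || {
        echo "SecRuleEngine is not On in $dst; not restarting Apache" >&2
        return 1
    }
}

# apply_to_system: the real procedure on the Debian/Ubuntu paths. Run as root.
apply_to_system() {
    install_modsec_conf /etc/modsecurity/modsecurity.conf-recommended \
                        /etc/modsecurity/modsecurity.conf
    apachectl configtest      # catch a broken directive before the restart
    systemctl restart apache2
}

if [ "${1:-}" = "--apply" ]; then
    apply_to_system
else
    # Dry run on a constructed sample that mimics the relevant lines of the
    # shipped file (sample content, not a copy of the real file).
    tmp=$(mktemp -d)
    cat > "$tmp/modsecurity.conf-recommended" <<'EOF'
# -- Rule engine initialization --
# Start in detection only mode to minimise post-installation disruption.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF
    install_modsec_conf "$tmp/modsecurity.conf-recommended" "$tmp/modsecurity.conf"
    echo "engine mode in sample: $(rule_engine_mode "$tmp/modsecurity.conf")"
    rm -r "$tmp"
fi
```

The check after the sed is the point of the script: editing the file by hand in nano works, but nothing tells you if you typed SecRuleEngine Om, whereas here the restart only happens once the file provably says On.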
sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
sudo nano /etc/apache2/mods-enabled/security2.conf