MilesWeb / Web Hosting FAQ

A Guide to Install and Configure Mod_Security on Ubuntu 16.04 Server


ModSecurity (often shortened to Mod_security or modsec) is a powerful WAF (Web Application Firewall) that integrates directly into Apache’s module system. Because of this direct integration, the security module can intercept traffic at the earliest stage of a request. Detecting a malicious request that early matters because it can then be blocked before it is passed to the web applications hosted by Apache. This adds an extra layer of security against the common threats a server faces. In this article you will see how to install mod_security along with the CRS (Core Rule Set) on an Ubuntu 16.04 LTS Server running Apache 2.4.

Prerequisites

Ensure your system environment includes the following:

• Ubuntu 16.04 LTS Server.
• Baseline Apache 2.4 pre-installed.
• Pre-configured Network & Internet Connection.
• Root user shell access (console or SSH).

You should also be familiar with these basic system administration tasks:

• Basic navigation of the Linux command line shell.
• Editing files in your preferred editor (vim, nano, emacs, etc.).

Pre-Flight Checks

Many Apache-based OS images include mod_security as a standard module, so it may already be installed on the target system. Before continuing, confirm that you are running Apache 2.4 and that mod_security is not already installed. You can do this by running the two commands below:

Note: All commands in this documentation use the sudo prefix, which grants root-level permissions on a command-by-command basis. If you are new to sudo, you may be asked for your password to allow execution of one or more of the commands in this outline.

Check Apache’s Version

Example Output:

Check if the Security Module is Active

– If the command produces no output, mod_security is not installed; proceed to the Installation Section.

– If the output includes security2_module, mod_security is already installed; proceed to the Configuration Section.

Installation Section

Installation is quick and painless with the apt package manager on any Debian-based system (such as Ubuntu). Give the correct package name, libapache2-modsecurity, to the apt command and confirm the installation.

Use Apt to Install the libapache2-modsecurity Plugin

Example Output:

After installation, you need to confirm if the security module is being loaded by Apache:

Check if the Security Module is Active

Example Output:

Configuration Section

Now that the base module is installed, you need to configure and enable it. This takes a few steps:

Step 1) Use the below command to copy the recommended config over as the live config

Step 2) With the below command, modify the live config and change “SecRuleEngine DetectionOnly” to “SecRuleEngine On”

Step 3) Check Apache’s config syntax & restart Apache if all is fine

Example output:

Apache is now running with mod_security in place, but no rules are active yet. In the next section, you will learn how to configure these rules.

Enable Core Rule Set & Base Rules

The security module is only as good as the rules that govern it. To get started, the libapache2-modsecurity package comes with a companion package (modsecurity-crs). This package provides the Core Rule Set, or CRS, a basic set of rules that covers some of the most common malicious activity on the Internet today. The CRS protects against many dangerous types of traffic, including but not limited to:

• SQL Injections (SQLi)
• Remote Code Execution (RCE)
• Cross Site Scripting (XSS)
• Many other common malicious behaviors

The CRS is installed together with the security module. Follow the steps below to enable the CRS and its Base Rules.

Step 1) Using your preferred editor, add the lines below to modsecurity.conf

Step 2) In the activated_rules directory, create a symlink for all *.conf files in the base_rules directory

Step 3) Confirm symlinks are in the activated_rules directory (this is optional)

Step 4) Verify Apache’s config syntax & restart Apache if all is fine:

Example output:

The server is now configured and actively using the base_rules from the CRS. The CRS package provides additional rules, which are discussed in more detail in the next section.

Rule of Thumb:
Verify the syntax and restart Apache any time you change one or more mod_security rules.

Enable Additional Rules [Optional]

The Core Rule Set includes many additional rules. These are divided into three categories: experimental_rules, optional_rules, and slr_rules. Each category’s rules live in a directory of the same name. To activate these rules, follow the same process used to enable the base_rules.

In the activated_rules directory, create a symlink to the desired rule file. You can use the commands below to quickly enable each category if required.

Caution:
Use judgement when enabling additional rules beyond the base_rules set. The experimental_rules in particular may produce false positives that block legitimate traffic. The commands below are provided to ease the process and are not an endorsement of enabling every rule indiscriminately.

experimental_rules

optional_rules

slr_rules

Disable Rules

To disable a rule, delete the symlink in the activated_rules directory that corresponds to the rule in question. After deleting it, restart Apache to make the change active.

Example: Delete the application_defects rule, then restart Apache.
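As an added example (not the guide’s own commands), the shell script below rehearses the Configuration Section steps, the CRS base-rule activation and the rule-disabling step described above against constructed files under a temporary root, so it runs without Apache installed. The /etc/modsecurity and /usr/share/modsecurity-crs paths and the two rule file names are assumptions that mirror the Ubuntu package layout.

```shell
# Added example (not the guide's own commands): rehearses the steps above on
# constructed files under a temp root so it runs without Apache. Paths are
# assumed to mirror the Ubuntu layout of libapache2-modsecurity/modsecurity-crs.
set -eu
ROOT="${ROOT:-$(mktemp -d)}"
MODSEC_DIR="$ROOT/etc/modsecurity"
CRS_DIR="$ROOT/usr/share/modsecurity-crs"

# Constructed stand-ins for modsecurity.conf-recommended and two base rules.
setup_fixture() {
    mkdir -p "$MODSEC_DIR" "$CRS_DIR/base_rules" "$CRS_DIR/activated_rules"
    printf 'SecRuleEngine DetectionOnly\nSecRequestBodyAccess On\n' \
        > "$MODSEC_DIR/modsecurity.conf-recommended"
    for rule in modsecurity_crs_41_sql_injection_attacks modsecurity_crs_41_xss_attacks; do
        printf '# constructed placeholder rule\n' > "$CRS_DIR/base_rules/$rule.conf"
    done
}

# Configuration steps 1 and 2: copy the recommended config live, then switch
# SecRuleEngine from DetectionOnly (log only) to On (block).
enable_engine() {
    cp "$MODSEC_DIR/modsecurity.conf-recommended" "$MODSEC_DIR/modsecurity.conf"
    sed 's/^SecRuleEngine DetectionOnly$/SecRuleEngine On/' \
        "$MODSEC_DIR/modsecurity.conf" > "$MODSEC_DIR/modsecurity.conf.tmp"
    mv "$MODSEC_DIR/modsecurity.conf.tmp" "$MODSEC_DIR/modsecurity.conf"
}

# Prints the live SecRuleEngine value so the change can be verified.
engine_mode() {
    awk '$1 == "SecRuleEngine" { print $2 }' "$MODSEC_DIR/modsecurity.conf"
}

# CRS step 2: symlink every *.conf in base_rules into activated_rules.
activate_base_rules() {
    for f in "$CRS_DIR"/base_rules/*.conf; do
        ln -sf "$f" "$CRS_DIR/activated_rules/$(basename "$f")"
    done
}

# Disable Rules section: remove the symlink for one rule file by name.
disable_rule() { rm -f "$CRS_DIR/activated_rules/$1"; }
# Counts active rule symlinks (what 'ls -l activated_rules' shows in the guide).
active_rule_count() {
    find "$CRS_DIR/activated_rules" -type l -name '*.conf' | wc -l | tr -d ' '
}

setup_fixture
enable_engine
activate_base_rules
echo "SecRuleEngine=$(engine_mode) active_rules=$(active_rule_count)"
```

On a real server the same sequence is followed by the syntax check and Apache restart the guide describes, which this rehearsal deliberately leaves out.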

That’s it! You have now learned to install and configure mod_security on Ubuntu 16.04 server.

Pallavi Godse
Pallavi is a Digital Marketing Executive at MilesWeb and has an experience of over 4 years in content development. She is interested in writing engaging content on business, technology, web hosting and other topics related to information technology.