In today’s world, web applications are constantly under attack, so a reliable web application firewall (WAF) is an important layer of protection for them. ModSecurity is an open-source WAF that helps protect web applications against common attacks such as SQL injection, cross-site scripting (XSS) and local file inclusion (LFI). This guide walks you through installing and configuring ModSecurity on Rocky Linux.
Table of Contents
- Introduction
- Prerequisites
- Installing Apache
- Installing ModSecurity
- Configuring ModSecurity
- Testing ModSecurity
- Conclusion
How to Install and Configure ModSecurity on Rocky Linux
Introduction
Before diving into the installation and configuration process, let’s first understand what ModSecurity is and why you need it. ModSecurity is a popular open-source WAF designed to protect web applications from various security threats. It operates by analyzing incoming HTTP requests and applying a set of rules to detect and block malicious traffic.
In this tutorial, we will be installing ModSecurity on a Rocky Linux server with Apache as the web server. We will also configure ModSecurity with the OWASP ModSecurity Core Rule Set (CRS), which is a widely used set of rules for ModSecurity.
Prerequisites
Before starting the installation process, make sure you have the following:
- A Rocky Linux server with root access or a user with sudo privileges
- A working installation of the Apache web server. If you don’t have Apache installed, you can follow our guide on how to install Apache on Rocky Linux.
- A basic understanding of Linux commands and text editors
Installing Apache on Rocky Linux
If you haven’t already installed Apache on your Rocky Linux server, you can do so by running the following commands:
sudo dnf install httpd -y
sudo systemctl enable httpd
sudo systemctl start httpd
This will install Apache, enable it to start on boot, and start the service. Verify that Apache is running by visiting http://your_server_ip in your browser. You should see the default Apache welcome page.
Installing ModSecurity on Rocky Linux
Now that you have Apache installed and running, you can proceed with installing ModSecurity. To do this, run the following command:
sudo dnf install mod_security -y
This will install ModSecurity along with its dependencies. Once the installation is complete, enable ModSecurity by adding the following line to your Apache configuration file (/etc/httpd/conf/httpd.conf):
Include conf.modules.d/00-mod_security.conf
Now, restart Apache for the changes to take effect:
sudo systemctl restart httpd
Configuring ModSecurity on Rocky Linux
After installing ModSecurity, you need to configure it. First, create a backup of the default configuration file:
sudo cp /etc/httpd/conf.d/mod_security.conf /etc/httpd/conf.d/mod_security.conf.bak
Next, open the /etc/httpd/conf.d/mod_security.conf file with your preferred text editor and uncomment the following line:
SecRuleEngine On
This will enable the ModSecurity engine.
Now, you need to configure ModSecurity to use the OWASP CRS. To do this, first download the latest CRS from the official GitHub repository. You can do this by running the following command:
sudo git clone https://github.com/coreruleset/coreruleset.git /etc/nginx/modsecurity/crs
Once the CRS is downloaded, create the CRS setup file by copying the example that ships with it:
sudo cp /etc/nginx/modsecurity/crs/crs-setup.conf.example /etc/nginx/modsecurity/crs/crs-setup.conf
Now, include the crs-setup.conf file and the rules from the CRS in your ModSecurity configuration file (/etc/nginx/modsecurity/modsecurity.conf). Add the following lines at the end of the file:
Include /etc/nginx/modsecurity/crs/crs-setup.conf
Include /etc/nginx/modsecurity/crs/rules/*.conf
Configure Nginx to use ModSecurity in Linux
Before you can start using ModSecurity with Nginx, you need to configure Nginx to use ModSecurity. To do this, open the Nginx configuration file (usually /etc/nginx/nginx.conf) and add the following lines within the http block:
modsecurity on;
modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
Next, add the following lines within the server block:
location / {
modsecurity_rules_file /etc/nginx/modsecurity/crs/crs-setup.conf;
modsecurity_rules_file /etc/nginx/modsecurity/crs/rules/*.conf;
}
This will enable ModSecurity for all requests made to your server. If you want to enable ModSecurity for a specific location only, you can add the modsecurity_rules_file directive within that location block instead.
Save the file and restart Nginx:
sudo systemctl restart nginx
Testing ModSecurity
To ensure that ModSecurity is working correctly, you can test it by triggering a rule from the CRS. To do this, you can use curl to send a request to your server with a specific user agent that is blocked by the CRS.
curl -I -A "Nikto" http://your_server_ip/
If ModSecurity is working correctly, you should see a 403 Forbidden response, indicating that the request was blocked by ModSecurity.
Monitor and Adjust ModSecurity Rules
After you have installed and configured ModSecurity, it’s essential to monitor what it logs and make any necessary adjustments to the rules. To do this, you can use tools like Kibana or Logstash to analyze the logs generated by ModSecurity.
By regularly monitoring the logs, you can identify any false positives or negatives and adjust the rules accordingly. This will help ensure that your server remains secure while minimizing the impact on legitimate traffic.
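As an added illustration of this monitoring step (example code written for this tutorial, not part of ModSecurity or the CRS), the following Python script parses a few constructed ModSecurity 2.x serial-format audit-log entries, tallies which CRS rule ids fired, and drafts a path-scoped rule exclusion for an endpoint you have reviewed and judged to be a false positive. The sample log, the /api/upload path, the client addresses, the libinjection fingerprint and the local rule id 10001 are all assumptions; real entries carry more fields than shown here.

```python
"""Summarise ModSecurity 2.x serial audit-log entries and draft a CRS exclusion.

Example code added to this tutorial (not ModSecurity or CRS code).  The log,
the /api/upload path and the exclusion id 10001 are constructed placeholders.
"""
import re
from collections import Counter

# Constructed, abbreviated sample.  Entry 1: scanner User-Agent hit by CRS rule
# 913100.  Entries 2 and 3: an in-house upload endpoint whose JSON body keeps
# matching CRS rule 942100 (a likely false positive).  Entry 3 was recorded with
# SecRuleEngine DetectionOnly, so it carries no "Action: Intercepted" line.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[10/Jun/2023:12:00:01 +0000] ZIVkAbCdEfGh0001 192.0.2.10 54321 203.0.113.5 80
--1a2b3c4d-B--
GET / HTTP/1.1
Host: www.example.com
User-Agent: Nikto

--1a2b3c4d-H--
Message: Warning. Matched "Operator `PmFromFile' against variable `REQUEST_HEADERS:User-Agent'" [id "913100"] [msg "Found User-Agent associated with security scanner"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--1a2b3c4d-Z--

--2b3c4d5e-A--
[10/Jun/2023:12:05:42 +0000] ZIVkAbCdEfGh0002 198.51.100.7 40022 203.0.113.5 80
--2b3c4d5e-B--
POST /api/upload HTTP/1.1
Host: www.example.com

--2b3c4d5e-H--
Message: Warning. detected SQLi using libinjection with fingerprint 'xxxx' [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--2b3c4d5e-Z--

--3c4d5e6f-A--
[10/Jun/2023:12:09:13 +0000] ZIVkAbCdEfGh0003 198.51.100.7 40031 203.0.113.5 80
--3c4d5e6f-B--
POST /api/upload HTTP/1.1
Host: www.example.com

--3c4d5e6f-H--
Message: Warning. detected SQLi using libinjection with fingerprint 'xxxx' [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Warning. Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--3c4d5e6f-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")          # --<txid>-<part>--
A_LINE = re.compile(r"^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)")  # uid src_ip src_port dst_ip dst_port
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')
# CRS anomaly-score evaluation (949xxx) and reporting (980xxx) rules fire on every
# block; they are never the cause of a false positive and must not be excluded.
SCORING_PREFIXES = ("949", "980")


def _rules(h_lines):
    """Extract (rule id, message) pairs from the H (audit trailer) section."""
    out = []
    for line in h_lines:
        rid, msg = RULE_ID.search(line), RULE_MSG.search(line)
        if line.startswith("Message:") and rid:
            out.append((rid.group(1), msg.group(1) if msg else ""))
    return out


def parse_audit_log(text):
    """Split serial audit-log text into one dict per transaction, in file order."""
    sections, order, current = {}, [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            uid, part = m.groups()
            if uid not in sections:
                sections[uid] = {}
                order.append(uid)
            current = sections[uid].setdefault(part, [])
        elif current is not None:
            current.append(line)
    entries = []
    for uid in order:
        parts = sections[uid]
        a = A_LINE.match(parts.get("A", [""])[0])
        request = parts.get("B", [""])[0].split()   # "METHOD URI HTTP/x.y"
        h = parts.get("H", [])
        entries.append({
            "txid": uid,
            "client": a.group(2) if a else "?",
            "method": request[0] if len(request) > 1 else "?",
            "uri": request[1] if len(request) > 1 else "?",
            "rules": _rules(h),
            "blocked": any(l.startswith("Action: Intercepted") for l in h),
        })
    return entries


def rule_tally(entries):
    """Count how often each rule id fired across all transactions."""
    return Counter(rid for e in entries for rid, _ in e["rules"])


def draft_exclusion(entries, uri_prefix, local_rule_id):
    """Draft a runtime exclusion for the detection rules that hit a reviewed path.

    ctl:ruleRemoveById exclusions must be loaded before the CRS rules (the CRS
    ships REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf for exactly this), and the
    hits should be reviewed by hand before the draft is deployed."""
    ids = sorted({rid for e in entries if e["uri"].startswith(uri_prefix)
                  for rid, _ in e["rules"] if not rid.startswith(SCORING_PREFIXES)})
    if not ids:
        return ""
    ctls = ",".join(f"ctl:ruleRemoveById={rid}" for rid in ids)
    return (f'SecRule REQUEST_URI "@beginsWith {uri_prefix}" \\\n'
            f'    "id:{local_rule_id},phase:1,pass,nolog,{ctls}"')


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in entries:
        state = "BLOCKED" if e["blocked"] else "logged "
        print(f"{e['txid']} {state} {e['client']:>13} {e['method']} {e['uri']} -> {[r for r, _ in e['rules']]}")
    print("\nhits per rule:", dict(rule_tally(entries)))
    print("\ndraft exclusion for /api/upload:\n" + draft_exclusion(entries, "/api/upload", 10001))
```

Point parse_audit_log at the real audit log (the SecAuditLog path from mod_security.conf) instead of the constructed sample to get the same per-rule counts for your own traffic; a rule that fires on one known-good path from many different clients is the usual false-positive signature, while the scanner hit on / is working as intended and gets no exclusion.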
Conclusion
In this tutorial, you have learned how to install and configure ModSecurity on Rocky Linux. By using ModSecurity with the OWASP CRS, you can significantly improve the security of your web applications and protect them against a wide range of attacks.
Remember to monitor the behaviour of ModSecurity and adjust the rules as needed to ensure the best possible security for your server. For additional security measures, consider setting up tools like Fail2Ban.