Installing ModSecurity with OWASP

ModSecurity is web application firewall to secure the http server . OWASP is the modsecurity rule set that protect trojan, web defacement etc.

Following is steps to install on Linux System (or example here is running on DirectAdmin)

# Install Prerequisite
# Run this if you are in directadmin, make sure libxml2 and limxslt is installed
cd /usr/local/directadmin/custombuild
./build update
./build versions
./build libxml2
./build libxslt
./build php n

# Install Related Library
yum -y install expat-devel

# For 64bit system
ln -s /usr/lib64/libxml2.so.2 /usr/lib/libxml2.so.2

# Prepare apache environment
perl -pi -e ’s/ServerTokens Major/ServerTokens Full/’ /etc/httpd/conf/extra/httpd-default.conf
perl -pi -e ’s/ServerSignature Off/ServerSignature On/’ /etc/httpd/conf/extra/httpd-default.conf
perl -pi -e ’s/ServerSignature EMail/ServerSignature On/’ /etc/httpd/conf/extra/httpd-default.conf

#Download ModSecurity for Apache
cd /root/
https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz

#Unzip and Untar
tar -zxvf modsecurity-apache_2.7.7.tar.gz

#Compile ModSecurity

cd /root/modsecurity-apache_*.*.*
./configure
make
make test
make install

#Create Config Directory
mkdir /etc/modsecurity

#At source folder of modsecurity

cp modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
cp unicode.mapping /etc/modsecurity/

#Change ModSecurity Value

# vi /etc/modsecurity/modsecurity.conf
# SecRuleEngine On
# SecRequestBodyLimit 16384000
# SecRequestBodyInMemoryLimit 16384000

perl -pi -e ‘s/SecRuleEngine DetectionOnly/SecRuleEngine On/’ /etc/modsecurity/modsecurity.conf
perl -pi -e ‘s/SecRequestBodyLimit 13107200/SecRequestBodyLimit 16384000/’ /etc/modsecurity/modsecurity.conf
perl -pi -e ‘s/SecRequestBodyInMemoryLimit 131072/SecRequestBodyInMemoryLimit 16384000/’ /etc/modsecurity/modsecurity.conf

# create files /etc/httpd/conf/extra/httpd-modsecurity.conf

vi /etc/httpd/conf/extra/httpd-modsecurity.conf

#insert following
LoadModule security2_module /usr/lib/apache/mod_security2.so

Include /etc/modsecurity/modsecurity.conf
Include “/etc/modsecurity/activated_rules/*.conf”

# at /etc/httpd/conf/httpd.conf

vi /etc/httpd/conf/httpd.conf

Include conf/extra/httpd-modsecurity.conf

# Download ModSecurity Rules
cd /root/
wget -O SpiderLabs-owasp-modsecurity-crs.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/master –no-check-certificate

# or replace master with ver num , like v2.2.5 if want older version

tar -zxvf SpiderLabs-owasp-modsecurity-crs.tar.gz

cp -R SpiderLabs-owasp-modsecurity-crs-*/* /etc/modsecurity/

mv /etc/modsecurity/modsecurity_crs_10_setup.conf.example /etc/modsecurity/modsecurity_crs_10_setup.conf

cd /etc/modsecurity/base_rules
for f in * ; do ln -s /etc/modsecurity/base_rules/$f /etc/modsecurity/activated_rules/$f ; done
cd /etc/modsecurity/optional_rules
for f in * ; do ln -s /etc/modsecurity/optional_rules/$f /etc/modsecurity/activated_rules/$f ; done

# Include thi if not done at above
# vi /etc/apache2/mods-available/mod-security.conf
# Include “/etc/modsecurity/activated_rules/*.conf”

service httpd restart

#make sure is running by see the log and no error
tail -f /var/log/modsec_audit.log

#Done