Web Development - Installing mod_security with OWASP

April 29, 2013

You want to secure your web application, but you don't know where to start. A number of open-source resources and modules exist, but that variety is more intimidating than it is liberating. If you're going to take the time to implement application security, you don't want to put your eggs in the wrong basket, so you wind up suffering from analysis paralysis as you compare all of the options. You want a powerful, flexible security solution that isn't overly complex, so to save you the headache of making the decision, I'll make it for you: Start with mod_security and OWASP.

ModSecurity (mod_security) is an open-source Apache module that acts as a web application firewall. It is used to help protect your server (and websites) from several methods of attack, the most common being brute force. You can think of mod_security as an invisible layer that separates users and the content on your server, quietly monitoring HTTP traffic and other interactions. It's easy to understand and simple to implement.

The challenge is that without some advanced configuration, mod_security isn't very functional, and that advanced configuration can get complex pretty quickly. You need to determine and set additional rules so that mod_security knows how to respond when approached with a potential threat. That's where the Open Web Application Security Project (OWASP) comes in. You can think of OWASP's Core Rule Set (CRS) as an enhanced ruleset that the mod_security module will follow to prevent attacks on your server.

The process of getting started with mod_security and OWASP might seem like a lot of work, but it's actually quite simple. Let's look at the installation and configuration process in a CentOS environment. First, we want to install the dependencies that mod_security needs:

## Install the GCC compiler and mod_security dependencies ##
$ sudo yum install gcc make
$ sudo yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Now that we have the dependencies in place, let's install mod_security. Unfortunately, there is no yum package for mod_security because it is not a maintained package, so you'll have to install it directly from the source:

## Get mod_security from its source ##
$ cd /usr/src
$ git clone https://github.com/SpiderLabs/ModSecurity.git

Now that we have mod_security on our server, we'll install it:

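## Install mod_security ##
## A git checkout ships no configure script; autogen.sh generates it and needs the autotools ##
$ sudo yum install autoconf automake libtool
$ cd ModSecurity
$ ./autogen.sh
$ ./configure
$ make install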

And we'll copy over the default mod_security configuration file into the necessary Apache directory:

## Copy configuration file ##
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

We've got mod_security installed now, so we need to tell Apache about it ... It's no use having mod_security installed if our server doesn't know it's supposed to be using it:

## Apache configuration for mod_security ##
$ vi /etc/httpd/conf/httpd.conf

We'll need to edit our Apache config file so that it loads our dependencies (BEFORE the mod_security module) and then the mod_security module itself:

## Load dependencies ##
LoadFile /usr/lib/libxml2.so
LoadFile /usr/lib/liblua5.1.so
## Load mod_security ##
LoadModule security2_module modules/mod_security2.so

We'll save our configuration changes and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart

As I mentioned at the top of this post, our installation of mod_security is good, but we want to enhance our ruleset with the help of OWASP. If you've made it this far, you won't have a problem following a similar process to install the OWASP ruleset:

## OWASP ##
$ cd /etc/httpd/
$ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
$ mv owasp-modsecurity-crs modsecurity-crs

Just like with mod_security, we'll set up our configuration file:

## OWASP configuration file ##
$ cd modsecurity-crs
$ cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

Now we have mod_security and the OWASP core ruleset ready to go! The last step we need to take is to update the Apache config file to set up our basic ruleset:

## Apache configuration ##
$ vi /etc/httpd/conf/httpd.conf

We'll add an IfModule and point it to our new OWASP rule set at the end of the file:

<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>

And to complete the installation, we save the config file and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart
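
A pre-restart check for the setup above, as an added example that is not part of the original post: it reports the SecRuleEngine mode (modsecurity.conf-recommended ships with DetectionOnly, which logs matches without blocking) and lists Include targets that match no file under the ServerRoot, the mismatch the crs10/crs_10 file-name typo noted in the comments would cause. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run before restarting Apache.

# Print the value of the last uncommented SecRuleEngine line in config file $1.
sec_rule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Print each Include target in config file $1 that matches no existing file.
# Relative targets are resolved against the ServerRoot passed as $2.
missing_includes() {
    awk 'tolower($1) == "include" { print $2 }' "$1" |
    while read -r target; do
        case "$target" in
            /*) pattern=$target ;;
            *)  pattern=$2/$target ;;
        esac
        found=0
        # $pattern stays unquoted so wildcards such as base_rules/*.conf expand.
        for f in $pattern; do
            if [ -e "$f" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$target"
    done
}

# Build a constructed sample tree laid out like the post's /etc/httpd, with the
# crs10 / crs_10 file-name mismatch reported in the comments.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/conf" "$root/conf.d" "$root/modsecurity-crs/base_rules"
    printf '# SecRuleEngine On\nSecRuleEngine DetectionOnly\n' > "$root/conf.d/modsecurity.conf"
    : > "$root/modsecurity-crs/modsecurity_crs10_config.conf"
    : > "$root/modsecurity-crs/base_rules/constructed_rule.conf"
    cat > "$root/conf/httpd.conf" <<'EOF'
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>
EOF
    printf '%s\n' "$root"
}

sample=$(make_sample_root)
echo "engine mode:     $(sec_rule_engine_mode "$sample/conf.d/modsecurity.conf")"
echo "missing include: $(missing_includes "$sample/conf/httpd.conf" "$sample")"
rm -rf "$sample"
```

On a real server the same functions take /etc/httpd/conf/httpd.conf and /etc/httpd, assuming ServerRoot is /etc/httpd as the post's relative Include paths imply; Apache's own syntax check, httpd -t, also fails on an Include that names a missing file.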

And we've got mod_security installed with the OWASP core ruleset! With this default installation, we're leveraging the rules the OWASP open source community has come up with, and we have the flexibility to tweak and enhance those rules as our needs dictate. If you have any questions about this installation or you have any other technical blog topics you'd like to hear from us about, please let us know!

-Cassandra

Comments

 

April 29th, 2013 at 5:35pm

Hi Kyle,

Please excuse our errors. The blog was written during ModSecurity's transition from Sourceforge to GitHub. We've made the necessary changes to the repos and it should work for you now. Please let us know if you have any problems!

-Rachel

May 1st, 2013 at 1:04am

This can be installed via yum on the epel repos. Both mod_security and mod_security_crs are available.

If you have the epel yum repos installed this should be as easy as "yum install mod_security mod_security_crs." Of course, as this is meant to be security precautions it's always better to use the original providers (from the github repo now), and you're still better off learning how to configure it, but installation via yum is possible.

Thanks
-Mara-

May 3rd, 2013 at 9:50am

I tend to keep mod_security and mod_security_crs Fedora/EPEL packages up-to-date especially when it comes to security updates.

If it's not the case, you can always request it via Bugzilla.

-- Athmane, Fedora/EPEL mod_security packages maintainer

May 3rd, 2013 at 10:55am

Thank you! I have been searching for this for weeks now, this is exactly what I need.

May 13th, 2013 at 12:58am

This is an awesome article. Thanks!

May 14th, 2013 at 1:55pm

Hi!

Great article. We tried to give it a go but when we get to this step:

## Install mod_security ##
$ cd ModSecurity
$ ./configure
$ make install

After we try "make install" we just get an error:
make: *** No rule to make target `install'. Stop.

How do we fix that error in order to continue with the article's steps?

We are on CentOS 6

June 3rd, 2013 at 7:12am

There's an error here:
$ cp modsecurity_crs_10_setup.conf.example modsecurity_crs10_config.conf
That should be:
$ cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

Your config states:
Include modsecurity-crs/modsecurity_crs_10_config.conf

June 3rd, 2013 at 7:17am

Also, a missing step is before the ./configure of ModSecurity, you need to run ./autogen.sh (and install the required tools/libs)

June 3rd, 2013 at 10:18am

Thanks for pointing out the problem with the typo when coding the second crs_10 part of that command. We've updated the content inline to have it shown properly.

When it comes to the ./configure command, Cassandra's example installs the required tools/libs via a yum command earlier in the post. She explained that she'd be using a CentOS environment in her example, so if you're using a different OS, the process may look subtly different.

July 31st, 2013 at 4:02am

Install deny host:

sudo yum -y install denyhosts

It's really crucial to have...

August 7th, 2013 at 6:15am

Security is a key concern for all companies, and ModSecurity is surely one very good open-source Apache module that acts as a web application firewall and helps to protect any website.
