ModSecurity is an open-source web application firewall (WAF) engine. It inspects HTTP requests (and optionally responses) against a rule set and can detect and block attacks such as SQL injection and cross-site scripting (XSS) before they reach your application. It runs as a module in Apache (ModSecurity 2.x) and, through the libmodsecurity connector, in Nginx; LiteSpeed supports the same rule language. On its own the engine contains no rules: the protection comes from a rule set, normally the OWASP Core Rule Set (CRS).
In this tutorial we walk through installing ModSecurity on your VPS, wiring in the OWASP CRS, testing that it actually blocks, and tuning it so legitimate traffic keeps flowing.
Prerequisites
- A VPS running Ubuntu 20.04 or later (the package names used here are Debian/Ubuntu's; other distributions have slight variations).
- Root access or sudo privileges on the VPS.
- Apache or Nginx installed (we will cover both in the following steps).
- Basic understanding of server administration and command-line usage.
Step 1: Install ModSecurity on Apache or Nginx
ModSecurity can be installed for both Apache and Nginx web servers. We will guide you through the process for both.
1.1 Install ModSecurity for Apache
- Update your system: begin by making sure the package index and installed packages are current.
- Install Apache and ModSecurity: install the apache2 and libapache2-mod-security2 packages from the default Ubuntu repositories. The Apache module is ModSecurity 2.x.
- Enable ModSecurity: the module is registered with Apache under the name security2. It is not necessarily enabled after installation; enable it with a2enmod and confirm that security2_module appears in the output of apachectl -M.
- Restart Apache: run apachectl configtest first, so a configuration error cannot take the site down, then restart Apache to load the module.
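The Apache procedure above as one script, an added example that is not part of the original page. It assumes Ubuntu's package names (apache2, libapache2-mod-security2) and is meant to be run with sudo; the verification step is a separate function that only parses apachectl -M output, so it can be checked without a live server.

```shell
#!/bin/sh
# Added example (not from the original page): install, enable and verify
# ModSecurity 2.x for Apache on Ubuntu 20.04.  Run as: sudo sh modsec-apache.sh install
set -eu

# Install Apache and the ModSecurity 2 module from Ubuntu's repositories.
install_modsecurity_apache() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y apache2 libapache2-mod-security2
    # Debian packages the module as "security2"; a2enmod links it into mods-enabled.
    a2enmod security2
    # Validate before restarting so a typo cannot leave the site down.
    apachectl configtest
    systemctl restart apache2
}

# Return 0 if the text in $1 (the output of `apachectl -M`) lists the
# ModSecurity module, 1 otherwise.  Pure function: usable without a server.
security2_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*security2_module'
}

# Report whether the running server has the module loaded.
verify_modsecurity_apache() {
    if security2_loaded "$(apachectl -M 2>/dev/null)"; then
        echo "security2_module is loaded"
    else
        echo "security2_module is NOT loaded: run 'a2enmod security2' and restart apache2" >&2
        return 1
    fi
}

case "${1:-}" in
    install) install_modsecurity_apache; verify_modsecurity_apache ;;
    verify)  verify_modsecurity_apache ;;
    *)       : ;;   # no argument: only define the functions
esac
```

Run it with `verify` at any later time to confirm the module is still loaded after package upgrades; apachectl -M is the authoritative source, not the presence of a file in mods-enabled.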
1.2 Install ModSecurity for Nginx
Nginx uses libmodsecurity (ModSecurity v3) through the ModSecurity-nginx connector. Ubuntu 20.04 ships neither, so both are built from source and loaded into the packaged Nginx as a dynamic module.
- Install Nginx and the build dependencies: you need a compiler toolchain, git, and the development headers libmodsecurity links against (PCRE, libxml2, libcurl, yajl, lmdb, zlib, OpenSSL).
- Download and compile ModSecurity: clone the v3 branch of the ModSecurity repository on GitHub, build and install libmodsecurity, then build the ModSecurity-nginx connector as a dynamic module against the source of exactly the Nginx version you are running (check nginx -v). A module built against any other version will not load.
- Configure Nginx to load the module: add a load_module directive for ngx_http_modsecurity_module.so to nginx.conf. It belongs in the main context, at the top of the file before the events and http blocks. load_module is not valid inside the http block, and Nginx refuses to start if it is placed there.
- Restart Nginx: run nginx -t to validate the configuration, then restart Nginx to load the module.
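The Nginx build as one script, an added example that is not part of the original page. Assumed: the repositories under the owasp-modsecurity GitHub organisation, a build directory of /usr/local/src, and Ubuntu's module directory /usr/lib/nginx/modules. The two helpers that need no network (parsing nginx -v and inserting load_module idempotently) are separate functions.

```shell
#!/bin/sh
# Added example (not from the original page): build libmodsecurity (v3) and the
# ModSecurity-nginx connector as a dynamic module for Ubuntu 20.04's packaged
# nginx, then wire it into nginx.conf.  Run as: sudo sh modsec-nginx.sh build
# Assumed paths: build dir /usr/local/src, module dir /usr/lib/nginx/modules.
set -eu

SRC=${SRC:-/usr/local/src}
MODULE=/usr/lib/nginx/modules/ngx_http_modsecurity_module.so

# "nginx version: nginx/1.18.0 (Ubuntu)" -> "1.18.0".  The connector must be
# compiled against the exact running version or nginx refuses to load it.
nginx_version_from() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

install_build_deps() {
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install -y nginx build-essential git wget \
        libtool automake autoconf pkg-config libpcre3-dev libpcre2-dev libxml2-dev \
        libcurl4-openssl-dev libyajl-dev liblmdb-dev libgeoip-dev zlib1g-dev libssl-dev
}

build_libmodsecurity() {
    cd "$SRC"
    [ -d ModSecurity ] || git clone --depth 1 -b v3/master --single-branch \
        https://github.com/owasp-modsecurity/ModSecurity.git
    cd ModSecurity
    git submodule init && git submodule update
    ./build.sh && ./configure && make -j"$(nproc)" && make install
    ldconfig                      # libmodsecurity.so lands in /usr/local/lib
}

build_connector() {
    ver=$(nginx_version_from "$(nginx -v 2>&1)")
    cd "$SRC"
    [ -d ModSecurity-nginx ] || git clone --depth 1 https://github.com/owasp-modsecurity/ModSecurity-nginx.git
    [ -f "nginx-$ver.tar.gz" ] || wget -q "https://nginx.org/download/nginx-$ver.tar.gz"
    tar xzf "nginx-$ver.tar.gz" && cd "nginx-$ver"
    # --with-compat lets a module built here load into the distro binary, provided
    # that binary was itself built --with-compat (check `nginx -V`).
    ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
    make modules
    install -m 644 objs/ngx_http_modsecurity_module.so "$MODULE"
}

# Prepend `load_module` to nginx.conf ($1) unless a line for this module already
# exists.  load_module is only valid in the main context, so it must sit before
# the events/http blocks, never inside http.
ensure_load_module() {
    conf=$1; so=$2
    if grep -q 'load_module .*ngx_http_modsecurity_module\.so' "$conf"; then
        return 0
    fi
    tmp=$(mktemp)
    { printf 'load_module %s;\n' "$so"; cat "$conf"; } > "$tmp"
    cat "$tmp" > "$conf"          # write through, keeping the file's owner and mode
    rm -f "$tmp"
}

case "${1:-}" in
    build)
        install_build_deps; build_libmodsecurity; build_connector
        ensure_load_module /etc/nginx/nginx.conf "$MODULE"
        nginx -t && systemctl restart nginx
        ;;
    *) : ;;
esac
```

After an Nginx package upgrade the version changes and the module stops loading ("module was built with a different version"); rerun `build` to rebuild the connector against the new version.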
Step 2: Configure ModSecurity Rules
ModSecurity relies on rules to detect and block malicious requests; the engine itself ships with none. The de-facto standard rule set is the OWASP Core Rule Set (CRS), which is the right starting point for almost every deployment.
2.1 Apache Configuration
- Edit the ModSecurity configuration file: the main configuration file is /etc/modsecurity/modsecurity.conf. The package installs only a template, modsecurity.conf-recommended; copy it to modsecurity.conf before editing (Apache includes every /etc/modsecurity/*.conf).
- Activate ModSecurity: set SecRuleEngine. The template ships with DetectionOnly, which logs matches but never blocks; change it to On for blocking (Step 4 explains why you may want to stay in DetectionOnly at first).
- Set SecRequestBodyAccess: make sure it is On. Otherwise POST bodies (form fields, JSON, file uploads) are never inspected and injection through them goes unseen.
- Enable the OWASP CRS: install the modsecurity-crs package if it is not already present. On Ubuntu the package wires itself in: /etc/apache2/mods-enabled/security2.conf includes /usr/share/modsecurity-crs/*.load, which loads /etc/modsecurity/crs/crs-setup.conf and the rule files. Check that file before adding your own Include lines; loading the rules twice makes Apache refuse to start with a duplicate rule id error.
- Restart Apache: after configuring ModSecurity, run apachectl configtest and then restart Apache to apply the settings.
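The Apache configuration steps as a script, an added example that is not part of the original page. It assumes Ubuntu's layout (/etc/modsecurity, the modsecurity-crs package and its owasp-crs.load file) and defaults to DetectionOnly; the directive editor is a separate function that rewrites a directive in place rather than appending a second copy, because ModSecurity takes the last occurrence and a stale line above it is easy to miss.

```shell
#!/bin/sh
# Added example (not from the original page): turn on the ModSecurity engine and
# request-body inspection in /etc/modsecurity/modsecurity.conf and wire in the
# OWASP CRS from Ubuntu's modsecurity-crs package.
# Run as:  sudo MODSEC_MODE=DetectionOnly sh modsec-apache-conf.sh apply
set -eu

MODSEC_DIR=${MODSEC_DIR:-/etc/modsecurity}
MODSEC_MODE=${MODSEC_MODE:-DetectionOnly}   # switch to "On" once false positives are tuned out

# Set directive $2 to value $3 in file $1.  An existing line is rewritten in
# place (the last occurrence of a directive wins, so leaving the old one is a
# trap); a missing directive is appended.  Commented-out lines are left alone.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -q "^[[:space:]]*$key[[:space:]]" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp"
    else
        { cat "$file"; printf '%s %s\n' "$key" "$value"; } > "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the value of directive $2 in file $1 (first match), for verification.
get_directive() {
    sed -n "s|^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)|\1|p" "$1" | head -n 1
}

apply_apache() {
    conf="$MODSEC_DIR/modsecurity.conf"
    # The package ships only the recommended template; copy it once.
    [ -f "$conf" ] || cp "$MODSEC_DIR/modsecurity.conf-recommended" "$conf"
    set_directive "$conf" SecRuleEngine "$MODSEC_MODE"
    set_directive "$conf" SecRequestBodyAccess On
    set_directive "$conf" SecAuditEngine RelevantOnly   # log only transactions that hit a rule
    set_directive "$conf" SecAuditLog /var/log/apache2/modsec_audit.log

    apt-get install -y modsecurity-crs
    # Ubuntu's package already wires CRS in: mods-enabled/security2.conf includes
    # /usr/share/modsecurity-crs/*.load, which loads crs-setup.conf and the rules.
    # Only add Include lines yourself if that loader is absent; including the
    # rules twice makes Apache refuse to start with a duplicate rule-id error.
    if [ ! -f /usr/share/modsecurity-crs/owasp-crs.load ]; then
        cat > "$MODSEC_DIR/zz-crs.conf" <<'EOF'
Include /etc/modsecurity/crs/crs-setup.conf
Include /usr/share/modsecurity-crs/rules/*.conf
EOF
    fi

    apachectl configtest
    systemctl restart apache2
    echo "SecRuleEngine is now: $(get_directive "$conf" SecRuleEngine)"
}

case "${1:-}" in
    apply) apply_apache ;;
    *) : ;;
esac
```

The file name zz-crs.conf is deliberate: /etc/modsecurity/*.conf is included in alphabetical order and the CRS must load after modsecurity.conf, which sets the engine options the rules depend on.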
2.2 Nginx Configuration
- Enable ModSecurity in Nginx: open nginx.conf and, inside the http block (or in a single server or location block if you want to scope it), add modsecurity on; and modsecurity_rules_file pointing at a rules file, for example /etc/nginx/modsec/main.conf. These two directives come from the ModSecurity-nginx connector.
- Configure OWASP CRS: there is no distribution package for the Nginx build, so create /etc/nginx/modsec yourself. Copy modsecurity.conf-recommended from the ModSecurity source tree into it as modsecurity.conf, together with unicode.mapping, which that file references, and set SecRuleEngine and SecRequestBodyAccess in it exactly as for Apache. Download the CRS from https://github.com/coreruleset/coreruleset and copy crs-setup.conf.example to crs-setup.conf. Then write main.conf so that it includes, in this order, modsecurity.conf, crs/crs-setup.conf and crs/rules/*.conf. The order matters: crs-setup.conf defines the anomaly thresholds the rules use.
- Restart Nginx: run nginx -t, then reload or restart Nginx to apply the configuration.
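The Nginx configuration steps as a script, an added example that is not part of the original page. Assumed: /etc/nginx/modsec as the rules directory, the ModSecurity source tree from the build step at /usr/local/src/ModSecurity, and the CRS cloned from GitHub. The two file-writing helpers take paths as arguments so they can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original page): lay out /etc/nginx/modsec for
# libmodsecurity + OWASP CRS and switch the engine on inside the http block.
# Assumed: the ModSecurity source tree from the build step is at /usr/local/src/ModSecurity.
# Run as: sudo sh modsec-nginx-conf.sh apply
set -eu

MODSEC_DIR=${MODSEC_DIR:-/etc/nginx/modsec}
MODSEC_SRC=${MODSEC_SRC:-/usr/local/src/ModSecurity}
NGINX_CONF=${NGINX_CONF:-/etc/nginx/nginx.conf}
MODSEC_MODE=${MODSEC_MODE:-DetectionOnly}

# Write main.conf for directory $1: engine config first, then CRS setup, then
# rules.  Order matters: crs-setup.conf defines the thresholds the rules read.
write_main_conf() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/main.conf" <<EOF
Include $dir/modsecurity.conf
Include $dir/crs/crs-setup.conf
Include $dir/crs/rules/*.conf
EOF
}

# Insert the two connector directives right after the `http {` line of $1,
# pointing at rules file $2, unless they are already present.
enable_in_http_block() {
    conf=$1; rules=$2
    if grep -q 'modsecurity_rules_file' "$conf"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v rules="$rules" '
        { print }
        /^[[:space:]]*http[[:space:]]*[{]/ && !done {
            print "    modsecurity on;"
            print "    modsecurity_rules_file " rules ";"
            done = 1
        }' "$conf" > "$tmp"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

apply_nginx() {
    write_main_conf "$MODSEC_DIR"
    # Engine config and the unicode mapping it references come from the source tree.
    cp "$MODSEC_SRC/modsecurity.conf-recommended" "$MODSEC_DIR/modsecurity.conf"
    cp "$MODSEC_SRC/unicode.mapping" "$MODSEC_DIR/unicode.mapping"
    sed "s|^SecRuleEngine .*|SecRuleEngine $MODSEC_MODE|" "$MODSEC_DIR/modsecurity.conf" \
        > "$MODSEC_DIR/modsecurity.conf.tmp"
    mv "$MODSEC_DIR/modsecurity.conf.tmp" "$MODSEC_DIR/modsecurity.conf"
    # OWASP CRS: clone it and activate the example setup file.
    if [ ! -d "$MODSEC_DIR/crs" ]; then
        git clone --depth 1 https://github.com/coreruleset/coreruleset.git "$MODSEC_DIR/crs"
        cp "$MODSEC_DIR/crs/crs-setup.conf.example" "$MODSEC_DIR/crs/crs-setup.conf"
    fi
    enable_in_http_block "$NGINX_CONF" "$MODSEC_DIR/main.conf"
    nginx -t && systemctl reload nginx
}

case "${1:-}" in
    apply) apply_nginx ;;
    *) : ;;
esac
```

Putting the directives in the http block applies them to every virtual host; to protect a single site instead, call enable_in_http_block on nothing and add the same two lines inside that site's server block.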
Step 3: Testing ModSecurity
After installation and configuration, confirm that ModSecurity is really inspecting traffic by sending a few requests that a CRS rule is guaranteed to match, then checking both the response code and the log.
3.1 Test ModSecurity on Apache
To check that ModSecurity is filtering requests, use a basic SQL injection probe.
- No test page is needed: ModSecurity evaluates the request before Apache hands it to PHP or any other handler, so a URL that would otherwise return 404 works just as well.
- Send the SQL injection: request http://yourserver/?id=1' OR '1'='1 with the payload URL-encoded (1%27%20OR%20%271%27%3D%271), because browsers and command-line tools do not encode quotes and spaces consistently. The CRS libinjection rule matches the quoted tautology. With SecRuleEngine On the response is 403 Forbidden; with DetectionOnly the request goes through, but the match is still written to the audit log. A plain 1 OR 1=1 without quotes may not be caught at the default paranoia level, so do not read a 200 for it as a broken setup.
3.2 Test ModSecurity on Nginx
- Send the same probe as in the Apache test; nothing about the request differs.
- Check the Nginx error log (/var/log/nginx/error.log by default) for blocked requests: for every block, libmodsecurity writes a line containing "ModSecurity: Access denied with code 403" there, in addition to the audit log entry. In DetectionOnly mode look for "Warning" lines with the rule id instead.
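A probe script covering both 3.1 and 3.2, an added example that is not part of the original page. It assumes curl is installed and takes the base URL of your server; the expected result depends on SecRuleEngine (403 when On, pass-through when DetectionOnly). The urlencode helper assumes ASCII input and exists so the payload reaches the server byte-for-byte as intended.

```shell
#!/bin/sh
# Added example (not from the original page): send known-bad requests and check
# the response code.  Works against Apache or Nginx alike, since ModSecurity
# inspects the request before any backend sees it; no test page is needed.
# Usage: sh modsec-probe.sh http://yourserver [On|DetectionOnly]
set -eu

# Percent-encode a string for a query string.  Browsers and curl do not encode
# quotes or angle brackets consistently, and a server may reject a raw space
# with 400 before ModSecurity runs, so encode explicitly.  Assumes ASCII input.
urlencode() {
    s=$1; out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}           # first character
        s=${s#?}                  # the rest
        case $c in
            [a-zA-Z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Expected outcome for a request that matches a rule: 403 when the engine is
# On; "pass" (any non-403 status, match only logged) when it is DetectionOnly.
expected_for() {
    case $1 in On) echo 403 ;; *) echo pass ;; esac
}

# Fetch $1 and return the HTTP status code only.
status_of() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# $1 = label, $2 = URL, $3 = expected ("403" or "pass").  Returns 1 on mismatch.
check() {
    code=$(status_of "$2")
    if [ "$3" = 403 ] && [ "$code" = 403 ]; then
        echo "PASS $1: blocked ($code)"
    elif [ "$3" = pass ] && [ "$code" != 403 ]; then
        echo "PASS $1: passed through ($code); look for the match in the audit log"
    else
        echo "FAIL $1: got $code, expected $3"; return 1
    fi
}

run_probes() {
    base=$1; mode=${2:-On}
    want=$(expected_for "$mode")
    check "baseline (must never be blocked)" "$base/?id=1" pass
    check "sqli via libinjection (942100)" "$base/?id=$(urlencode "1' OR '1'='1")" "$want"
    check "xss via libinjection (941100)"  "$base/?q=$(urlencode '<script>alert(1)</script>')" "$want"
    check "path traversal (930100)"        "$base/?file=$(urlencode '../../etc/passwd')" "$want"
}

case "${1:-}" in
    http://*|https://*) run_probes "$1" "${2:-On}" ;;
    *) : ;;
esac
```

The baseline request matters as much as the attacks: a WAF that returns 403 for everything "passes" the attack probes and has simply taken the site offline.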
Step 4: Monitor and Fine-Tune ModSecurity
ModSecurity will start logging blocked requests in the Apache or Nginx logs. You can use these logs to fine-tune your ruleset and ensure that legitimate traffic is not blocked.
4.1 View ModSecurity Logs
- Apache: the audit log is written wherever SecAuditLog points; Ubuntu's modsecurity.conf-recommended sets /var/log/apache2/modsec_audit.log. With SecAuditEngine RelevantOnly, every transaction that matched a rule is written as a block of lettered sections, with the matched rule ids and messages in section H. Run tail -f on it while sending the test requests from Step 3.
- Nginx: the path is again whatever SecAuditLog says in your modsecurity.conf. The upstream template uses /var/log/modsec_audit.log, and many setups change it to /var/log/nginx/modsec_audit.log. Make sure the directory is writable by the user the Nginx workers run as, or nothing is logged at all.
4.2 Fine-tune rules
Expect false positives: the CRS is generic, and legitimate traffic (apostrophes in search terms, markup in a CMS editor, JSON request bodies) will trip rules. Start in SecRuleEngine DetectionOnly, run real traffic through it, and review the audit log for rules that fire on legitimate requests. Fix those with targeted exclusions, a rule using ctl:ruleRemoveTargetById that stops one rule from inspecting one argument on one path, placed in the REQUEST-900-EXCLUSION-RULES-BEFORE-CRS file, rather than disabling the rule globally with SecRuleRemoveById, which blinds the WAF everywhere. Only once the log is quiet on real traffic switch to SecRuleEngine On, and repeat the review after every CRS update, since rules change between releases.
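The review step above as a script, an added example that is not part of the original page: it summarises which rule ids fire in an audit log, shows which request paths triggered a given rule, and emits a path-scoped exclusion in the form the text describes. The sample log embedded in it is constructed for the example and trimmed to the sections the parser needs; the rule ids in it (942100, 941100, 949110) are real CRS ids, the transaction ids and requests are made up.

```shell
#!/bin/sh
# Added example (not from the original page): find the noisiest CRS rules in a
# ModSecurity audit log and generate a scoped exclusion for one of them.
# Usage: sh modsec-tune.sh summary < /var/log/apache2/modsec_audit.log
#        sh modsec-tune.sh paths 942100 < /var/log/apache2/modsec_audit.log
#        sh modsec-tune.sh demo        (runs against the constructed sample below)
set -eu

# Constructed sample log (not real traffic): two requests to /search hit 942100,
# one to /comment hits 941100, and all three were denied by blocking rule 949110.
sample_log() {
cat <<'EOF'
--a1b2c3d4-B--
GET /search?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1
--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&sos' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&sos found within ARGS:q: 1' OR '1'='1"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--a1b2c3d4-Z--
--e5f6a7b8-B--
GET /search?q=it%27s%20OR%20isn%27t HTTP/1.1
--e5f6a7b8-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&s' [file "/usr/share/modsecurity-crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&s found within ARGS:q: it's OR isn't"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--e5f6a7b8-Z--
--c9d0e1f2-B--
POST /comment HTTP/1.1
--c9d0e1f2-H--
Message: Warning. detected XSS using libinjection. [file "/usr/share/modsecurity-crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "37"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:body: <script>alert(1)</script>"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "91"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--c9d0e1f2-Z--
EOF
}

# Read an audit log on stdin; print "count<TAB>id<TAB>msg", busiest rule first.
# Works for ModSecurity 2 ("Message: ...") and libmodsecurity v3
# ("ModSecurity: ...") lines alike, since both carry [id "..."] and [msg "..."].
rule_hits() {
    awk '
        match($0, /\[id "[0-9]+"\]/) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            msg = ""
            if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
            n[id]++; m[id] = msg
        }
        END { for (id in n) printf "%d\t%s\t%s\n", n[id], id, m[id] }
    ' | sort -rn
}

# Number of times rule $1 fired in the log on stdin (0 if never).
hits_for() {
    rule_hits | awk -F '\t' -v id="$1" '$2 == id { print $1; found = 1 } END { if (!found) print 0 }'
}

# Request paths that triggered rule $1: pairs each section-B request line with
# the section-H messages that follow it.  Tells you how narrow an exclusion can be.
paths_for() {
    awk -v id="[id \"$1\"]" '
        /^(GET|POST|PUT|PATCH|DELETE|HEAD) / { split($2, u, "?"); path = u[1] }
        index($0, id) { print path }
    ' | sort | uniq -c | sort -rn
}

# Emit a CRS exclusion that stops rule $3 inspecting argument $4 only on paths
# starting with $2, using local rule id $1 (ids 1-99999 are reserved for local
# rules).  Goes in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf; unlike
# SecRuleRemoveById it leaves the rule active everywhere else.
exclusion_rule() {
    printf 'SecRule REQUEST_URI "@beginsWith %s" \\\n    "id:%s,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"\n' "$2" "$1" "$3" "$4"
}

case "${1:-}" in
    summary) rule_hits ;;
    paths)   paths_for "$2" ;;
    demo)    sample_log | rule_hits; sample_log | paths_for 942100; exclusion_rule 1001 /search 942100 ARGS:q ;;
    *)       : ;;
esac
```

In the sample the second /search hit is an apostrophe in an ordinary search phrase, the classic false positive; the generated exclusion removes ARGS:q from rule 942100 on /search only, so the same rule still fires on /login or /admin. The blocking rule 949110 always tops the summary and is never the one to exclude: it only reports that the anomaly score was exceeded.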
Conclusion
By following this guide, you have successfully installed and configured ModSecurity as a Web Application Firewall on your VPS. ModSecurity adds an extra layer of security, helping protect your web applications from common threats and vulnerabilities.
Regularly monitor your logs, update rules, and fine-tune your configuration for optimal protection. ModSecurity, combined with other server hardening practices, can significantly reduce the risk of malicious attacks on your VPS-hosted websites.