How to Install and Configure ModSecurity for Web Application Firewall on VPS

ModSecurity is an open-source web application firewall (WAF) designed to protect web applications from various online threats such as SQL injection, cross-site scripting (XSS), and other attacks. It can be used with web servers like Apache, Nginx, and LiteSpeed to add a layer of security to your VPS-hosted websites.

In this tutorial, we’ll guide you through the steps to install and configure ModSecurity on your VPS for enhanced protection.


Prerequisites

  • A VPS running Ubuntu 20.04 or later (other Linux distributions can be used but might have slight variations).
  • Root access or sudo privileges on the VPS.
  • Apache or Nginx installed (we will cover both in the following steps).
  • Basic understanding of server administration and command-line usage.

Step 1: Install ModSecurity on Apache or Nginx

ModSecurity can be installed for both Apache and Nginx web servers. We will guide you through the process for both.

1.1 Install ModSecurity for Apache

  1. Update your system: Begin by ensuring your system is up to date.

     
    sudo apt update
    sudo apt upgrade -y
  2. Install Apache and ModSecurity: Install Apache and ModSecurity packages from the default Ubuntu repositories.

     
    sudo apt install apache2 libapache2-mod-security2 -y
  3. Enable ModSecurity: By default, ModSecurity might not be enabled after installation. Enable it with the following command:

     
    sudo a2enmod security2
  4. Restart Apache: Restart Apache to apply the changes.

     
    sudo systemctl restart apache2

1.2 Install ModSecurity for Nginx

ModSecurity can also be installed on Nginx, though it requires additional steps as it doesn't come pre-packaged with Nginx.

  1. Install Nginx and ModSecurity dependencies: You will need the Nginx ModSecurity module and some dependencies for compilation.

     
    sudo apt install libnginx-mod-http-modsecurity libxml2 libxml2-dev libcurl4-openssl-dev libpcre3 libpcre3-dev -y
  2. Download and compile ModSecurity module: Download the ModSecurity source code from GitHub and compile it:

     
    cd /usr/local/src
    sudo git clone --recursive https://github.com/SpiderLabs/ModSecurity
    cd ModSecurity
    sudo git checkout v3/master
    sudo git submodule update --init --recursive
    sudo ./build.sh
    sudo ./configure
    sudo make
    sudo make install
  3. Configure Nginx to use ModSecurity: After compiling and installing ModSecurity, you need to configure Nginx to load the module. Edit your Nginx configuration file to load the ModSecurity module:

     
    sudo nano /etc/nginx/nginx.conf

    Add the following line at the top of nginx.conf, in the main context (load_module is not allowed inside the http block):

     
    load_module /usr/local/nginx/modules/ngx_http_modsecurity_module.so;
  4. Restart Nginx: Restart Nginx to load the ModSecurity module.

     
    sudo systemctl restart nginx

Step 2: Configure ModSecurity Rules

ModSecurity relies on rules to detect and block malicious requests. The default rule set is OWASP CRS (Core Rule Set), which is a good starting point.

2.1 Apache Configuration

  1. Edit ModSecurity configuration file: The main configuration file for ModSecurity is located at /etc/modsecurity/modsecurity.conf. Open it for editing:

     
    sudo nano /etc/modsecurity/modsecurity.conf
  2. Activate ModSecurity: Make sure ModSecurity is enabled by changing the following line:

     
    SecRuleEngine On
  3. Set the SecRequestBodyAccess: Ensure that ModSecurity inspects request bodies for malicious content:

     
    SecRequestBodyAccess On
  4. Enable the OWASP CRS: To use the OWASP Core Rule Set, include the rules in your ModSecurity configuration file. Add the following lines:

     
    IncludeOptional /usr/share/modsecurity-crs/base_rules/*.conf

    If the CRS package is not installed, you can install it:

     
    sudo apt install modsecurity-crs -y
  5. Restart Apache: After configuring ModSecurity, restart Apache to apply the settings:

     
    sudo systemctl restart apache2

2.2 Nginx Configuration

  1. Enable ModSecurity in Nginx: To enable ModSecurity, open the nginx.conf file:

     
    sudo nano /etc/nginx/nginx.conf

    In the http block, include ModSecurity configuration:

     
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec_rules.conf;
  2. Configure OWASP CRS: Download and configure the OWASP CRS for Nginx by creating a custom ModSecurity rule configuration file:

     
    sudo nano /etc/nginx/modsec_rules.conf

    Add the following configuration to load the default OWASP rules:

     
    Include /usr/share/modsecurity-crs/base_rules/*.conf
  3. Restart Nginx: After making the changes, restart Nginx to apply the configuration:

     
    sudo systemctl restart nginx

Step 3: Testing ModSecurity

After installation and configuration, you can test whether ModSecurity is working properly by performing an attack simulation.

3.1 Test ModSecurity on Apache

To check if ModSecurity is filtering requests, you can use a basic SQL injection test.

  1. Create a test page: Create a test PHP file (test.php in your web root) that builds, but does not execute, an SQL query from user input, so you can see whether an injection payload reaches the script:

     
    <?php
    // test.php: deliberately concatenates the unvalidated id parameter into a
    // query string and echoes it. It only prints the query and never runs it;
    // it exists solely to exercise the WAF. Remove it after testing.
    if (isset($_GET['id'])) {
        $id  = $_GET['id'];
        $sql = "SELECT * FROM users WHERE id = '$id'";
        echo $sql;
    }
    ?>
  2. Test the SQL injection: Open your browser and visit http://yourserver/test.php?id=1 OR 1=1. ModSecurity should block this request and log it.

3.2 Test ModSecurity on Nginx

  1. Create a test page for SQL injection as done in the Apache test.

  2. Check Nginx error logs for any blocked requests:

     
    sudo tail -f /var/log/nginx/error.log

    You should see entries indicating that requests have been blocked by ModSecurity.


Step 4: Monitor and Fine-Tune ModSecurity

ModSecurity will start logging blocked requests in the Apache or Nginx logs. You can use these logs to fine-tune your ruleset and ensure that legitimate traffic is not blocked.

4.1 View ModSecurity Logs

  1. Apache: The ModSecurity logs are typically stored in /var/log/apache2/modsec_audit.log. Use the following command to view them:

     
    sudo tail -f /var/log/apache2/modsec_audit.log
  2. Nginx: For Nginx, the ModSecurity logs are usually located in /var/log/nginx/modsec_audit.log.

4.2 Fine-tune rules

You may need to fine-tune rules by adjusting the ModSecurity configuration file or disabling certain rules that might block legitimate traffic. It’s recommended to start with a testing mode (SecRuleEngine DetectionOnly) and move to full protection once you’re confident that no false positives are being triggered.
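The audit log viewed in 4.1 is the raw material for the tuning described in 4.2. As an added example (not part of this tutorial), the shell script below summarises which rules fire most, lists the requests behind a given rule id so you can judge false positives, and prints a scoped exclusion for one URI prefix; it assumes the serial audit-log layout and the Apache log path used above, with a constructed sample standing in for the real file.

```shell
# Added example, not from the tutorial: summarise a ModSecurity serial audit log
# and emit a scoped exclusion. Assumes the Apache audit log path used above; for
# Nginx point it at /var/log/nginx/modsec_audit.log instead.
# Constructed sample standing in for /var/log/apache2/modsec_audit.log.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
--f00dbabe-A--
[02/May/2024:10:15:22 +0000] Zi2s5K3n9qEAAAcHq3sAAAAA 203.0.113.5 54321 198.51.100.10 80
--f00dbabe-B--
GET /test.php?id=1%20OR%201=1 HTTP/1.1
--f00dbabe-H--
Message: Warning. detected SQLi using libinjection with fingerprint '1&1' [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--f00dbabe-Z--

--0badcafe-A--
[02/May/2024:10:16:04 +0000] Zi2s6K3n9qEAAAcHq3sAAAAB 198.51.100.77 40022 198.51.100.10 80
--0badcafe-B--
POST /blog/comment HTTP/1.1
--0badcafe-H--
Message: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
--0badcafe-Z--
EOF

# rule_hits FILE: "count id msg" per rule id from the H-section Message lines, most frequent first.
rule_hits() {
  grep '^Message:' "$1" \
    | sed -n 's/.*\[id "\([0-9]*\)"\].*\[msg "\([^"]*\)"\].*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# requests_for_rule FILE ID: request line (B section) of every entry in which rule ID fired.
requests_for_rule() {
  awk -v want="$2" '
    /^-+[A-Za-z0-9]+-+A-+$/ { req = ""; hit = 0; next }
    /^-+[A-Za-z0-9]+-+B-+$/ { getline req; next }
    /^Message:/ && index($0, "[id \"" want "\"]") { hit = 1 }
    /^-+[A-Za-z0-9]+-+Z-+$/ { if (hit) print req }
  ' "$1"
}

# exclusion_rule LOCAL_ID RULE_ID URI_PREFIX: disable RULE_ID only under URI_PREFIX, not site-wide.
exclusion_rule() {
  printf 'SecRule REQUEST_URI "@beginsWith %s" "id:%s,phase:1,pass,nolog,ctl:ruleRemoveById=%s"\n' "$3" "$1" "$2"
}

rule_hits "$SAMPLE_FILE"
requests_for_rule "$SAMPLE_FILE" 949110
exclusion_rule 10001 941100 /blog/comment
```

Put the printed exclusion in a file that ModSecurity loads before the CRS rules, and keep the engine in DetectionOnly until the hit counts for legitimate paths drop to zero.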


Conclusion

By following this guide, you have successfully installed and configured ModSecurity as a Web Application Firewall on your VPS. ModSecurity adds an extra layer of security, helping protect your web applications from common threats and vulnerabilities.

Regularly monitor your logs, update rules, and fine-tune your configuration for optimal protection. ModSecurity, combined with other server hardening practices, can significantly reduce the risk of malicious attacks on your VPS-hosted websites.
