Install ModSecurity:

    sudo apt-get install libxml2 libxml2-dev libxml2-utils libaprutil1 libaprutil1-dev libapache-mod-security

If your Ubuntu is 64-bit, work around a library path bug (the module looks for libxml2.so.2 under /usr/lib instead of the multiarch directory, so provide a symlink there):

    sudo ln -s /usr/lib/x86_64-linux-gnu/libxml2.so.2 /usr/lib/libxml2.so.2

Configure ModSecurity (the package ships a recommended configuration that has to be renamed before Apache loads it):

    sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
    sudo vi /etc/modsecurity/modsecurity.conf

Enable the rule engine (the recommended configuration ships with SecRuleEngine DetectionOnly, which only logs and blocks nothing):

    SecRuleEngine On

Increase the request body size limit to 10 MB (optional, only if your site accepts uploads). Note that SecRequestBodyInMemoryLimit is the part of each body held in RAM rather than spooled to disk, so setting it to the full 10 MB buffers every upload in memory:

    SecRequestBodyLimit 10000000
    SecRequestBodyInMemoryLimit 10000000

Check the ModSecurity version:

    dpkg -s libapache-mod-security | grep Version

The installed ModSecurity version is:

    Version: 2.6.3-1ubuntu0.2
Install OWASP ModSecurity Core Rule Set:

- Download the rule set (version 2.2.5, because the latest version requires ModSecurity 2.7.0+ and the installed one is 2.6.3):

    wget https://github.com/SpiderLabs/owasp-modsecurity-crs/tarball/v2.2.5 -O /tmp/owasp.tar.gz

- Extract the package:

    cd /tmp; tar -zxvf owasp.tar.gz; rm owasp.tar.gz

- Move the directory to /etc/modsecurity and set the permissions. The extracted directory name carries the commit hash (5c28b52 here). Use u=rwX,go=rX rather than a flat 644: a recursive 644 strips the execute bit from the directories, and a non-root user could then no longer cd into them in the next step:

    sudo mv SpiderLabs-owasp-modsecurity-crs-5c28b52/ /etc/modsecurity/owasp-crs
    sudo chmod -R u=rwX,go=rX /etc/modsecurity/owasp-crs

- Link the rules into the /etc/modsecurity/owasp-crs/activated_rules directory (the setup file is shipped as an .example and has to be renamed first). The links are relative, so the tree stays relocatable; the loops use globs instead of parsing ls output. Activating all of optional_rules is what pulls in the mod_headers dependency shown below, so only link the optional files you actually want:

    sudo mv /etc/modsecurity/owasp-crs/modsecurity_crs_10_setup.conf.example /etc/modsecurity/owasp-crs/modsecurity_crs_10_setup.conf
    cd /etc/modsecurity/owasp-crs/activated_rules/
    sudo ln -s ../modsecurity_crs_10_setup.conf .
    for f in ../base_rules/*; do sudo ln -s "$f" .; done
    for f in ../optional_rules/*; do sudo ln -s "$f" .; done

- Modify /etc/apache2/mods-available/mod-security.conf to include the activated rules:

    sudo vi /etc/apache2/mods-available/mod-security.conf

  and add the line:

    Include "/etc/modsecurity/owasp-crs/activated_rules/*.conf"

- Enable the headers module. The optional rule file modsecurity_crs_49_header_tagging.conf uses the RequestHeader directive, which only mod_headers provides, so without it the Apache configuration test fails with:

    Syntax error on line 29 of /etc/apache2/conf.d/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf:
    Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration
    Action 'configtest' failed.
    The Apache error log may have more information.
    ...fail!

  Fix it with:

    sudo a2enmod headers

- Enable the ModSecurity module and restart Apache:

    sudo a2enmod mod-security; sudo /etc/init.d/apache2 restart
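The steps above are typed by hand and Apache is restarted straight after the module is enabled. The script below is an added example, not code from the tutorial or from the OWASP CRS project: it verifies the three modsecurity.conf settings edited above (engine on, body limits present and consistent), activates rule files with globs, detects the RequestHeader dependency that produced the configtest error, and runs the configuration test before anything is restarted. The function names, the two positional arguments and the assumption that apache2ctl is on the PATH are this example's own; the paths in the usage line are the tutorial's.

```shell
#!/bin/sh
# Added pre-flight script (not part of the original tutorial). It checks the
# settings the tutorial edits by hand and activates the CRS rules before
# Apache is restarted. Function names and the two arguments are this
# example's own; the paths in the usage line are the tutorial's defaults.

# Print the value of a ModSecurity directive (last uncommented match wins).
# $1 = config file, $2 = directive name.
modsec_directive() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# Fail unless the engine blocks (modsecurity.conf-recommended ships with
# DetectionOnly) and the body limits are consistent: an in-memory limit above
# SecRequestBodyLimit is pointless, because larger bodies are rejected anyway.
check_modsec_conf() {
    engine=$(modsec_directive "$1" SecRuleEngine)
    limit=$(modsec_directive "$1" SecRequestBodyLimit)
    mem=$(modsec_directive "$1" SecRequestBodyInMemoryLimit)
    [ "$engine" = "On" ] || { echo "SecRuleEngine is '$engine', not On" >&2; return 1; }
    [ -n "$limit" ] && [ -n "$mem" ] || { echo "request body limits not set" >&2; return 1; }
    [ "$mem" -le "$limit" ] || { echo "InMemoryLimit $mem exceeds BodyLimit $limit" >&2; return 1; }
}

# Symlink every *.conf from the named CRS subdirectories (base_rules,
# optional_rules, ...) into activated_rules/, plus the 10_setup file if it has
# already been created from its .example. Globs replace the tutorial's $(ls ...).
# $1 = CRS root, remaining arguments = subdirectories to activate.
activate_rules() {
    crs="$1"; shift
    mkdir -p "$crs/activated_rules"
    if [ -f "$crs/modsecurity_crs_10_setup.conf" ]; then
        ln -sf ../modsecurity_crs_10_setup.conf "$crs/activated_rules/modsecurity_crs_10_setup.conf"
    fi
    for sub in "$@"; do
        for f in "$crs/$sub"/*.conf; do
            [ -e "$f" ] || continue
            ln -sf "../$sub/$(basename "$f")" "$crs/activated_rules/$(basename "$f")"
        done
    done
}

# Count the rule files the Include line will load.
count_activated() {
    n=0
    for f in "$1"/activated_rules/*.conf; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# True when an activated rule uses RequestHeader, which only mod_headers
# provides: without 'a2enmod headers' the config test fails exactly as the
# tutorial shows.
needs_mod_headers() {
    grep -q '^[[:space:]]*RequestHeader' "$1"/activated_rules/*.conf 2>/dev/null
}

# Never restart blindly: validate the configuration first. Returns 2 when
# apache2ctl is not installed on this host.
apache_configtest() {
    command -v apache2ctl >/dev/null 2>&1 || { echo "apache2ctl not found" >&2; return 2; }
    apache2ctl configtest
}

# Usage: sudo sh crs_preflight.sh /etc/modsecurity/modsecurity.conf /etc/modsecurity/owasp-crs
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    check_modsec_conf "$1" || exit 1
    activate_rules "$2" base_rules
    if needs_mod_headers "$2"; then
        echo "activated rules use RequestHeader: run 'sudo a2enmod headers' first" >&2
    fi
    echo "$(count_activated "$2") rule files activated"
    apache_configtest
fi
```

Run it as root after the CRS tree is in place; it activates base_rules only, so call activate_rules with optional_rules yourself if you want those too, then check needs_mod_headers before restarting. The RequestHeader detection is a plain grep over the activated files, which is enough for the CRS 2.2.x layout but not a full Apache directive parser.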