Notes on installing ModSecurity and applying it to Apache (Ubuntu 24.04 LTS)

Hello, this is Kawa from the EOL System Solutions Department.

A while ago, in June, I participated in Micro Hardening (run by the Hardening Project), a team competition in security hardening.

The training was held on Awaji Island and was tough, but the weather was good and we were able to do it in a natural environment surrounded by the sea and mountains, so we had a really fulfilling time.

(The sunset was beautiful)

Each exercise set lasts 45 minutes (6 sets in total). While protecting an e-commerce site from attacks, the SLA for any downtime is also calculated, and teams compete on final sales plus score.

There are always attacks of some kind, but my team was particularly troubled by SQL injection.

▼ For more information, please refer to our colleague Ichiki's article ▼

[Micro Hardening v2] Gentle security incident experience

When I was thinking about how to prevent it, I decided to try using ModSecurity, and it ended up being successful and I was able to get a high score.

This time, I will leave a memorandum on how to install ModSecurity and introduce the accompanying CRS rules.

First of all, what is ModSecurity?

(If you already know, please skip ahead!)
ModSecurity is an OSS WAF (Web Application Firewall) engine owned by OWASP that protects websites built on various CMSs from attacks.

It is used in combination with a ruleset (like a definition file) called CRS rules, and is compatible with major CMSs such as WordPress and Drupal, as well as middleware such as Apache, Nginx, and IIS. After installation, you can use it with a few settings, so it can be easily introduced in a standalone environment.

However, since tuning for false positives is a little difficult, I think it will take time to introduce and operate it in a production environment.

In addition, in environments where cloud WAFs such as AWS WAF and WAFCharm are placed in front, there is little merit in implementing them as their scope of protection overlaps.

Environment

Ubuntu 24.04 LTS
Apache/2.4.58

Installation and initial configuration

sudo apt update
sudo apt install libapache2-mod-security2
sudo a2enmod security2   # enable the module

Below are the basic settings after installation.
A sample configuration will be created, so change the file name and make some edits.

cd /etc/modsecurity/
sudo mv modsecurity.conf-recommended modsecurity.conf
sudo nano /etc/modsecurity/modsecurity.conf

SecRuleEngine DetectionOnly    # The default is detection only, so enable it
↓
SecRuleEngine On

SecAuditLogParts ABIJDEFHZ     # D is "intermediate response headers", but it seems to be a reserved part that is not implemented
↓
SecAuditLogParts ABCEFHJKZ     # Remove I and change D to C (request body)

sudo systemctl restart apache2

The temporary settings are now complete.
Next, download the CRS rules.

Download ruleset (v4.3.0)

*It seems that v4.4.0 was released while this article was being written, but basically this procedure is the same regardless of the version. Please refer to the following for the latest version.
https://github.com/coreruleset/coreruleset/releases

Download the file from GitHub, unzip it, and then move it to the Apache directory.

cd /tmp/
sudo wget -P /tmp/ https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.3.0.tar.gz   # -P sets the download directory (lowercase -p would fetch page requisites instead)
tar xvf v4.3.0.tar.gz
sudo mkdir /etc/apache2/modsecurity-crs/
sudo mv coreruleset-4.3.0/ /etc/apache2/modsecurity-crs/
cd /etc/apache2/modsecurity-crs/coreruleset-4.3.0/
sudo mv crs-setup.conf.example crs-setup.conf

Include to recognize the core ruleset.

/etc/apache2/mods-enabled/security2.conf
…
# Include OWASP ModSecurity CRS rules if installed
#IncludeOptional /usr/share/modsecurity-crs/*.load
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-4.3.0/crs-setup.conf
IncludeOptional /etc/apache2/modsecurity-crs/coreruleset-4.3.0/rules/*.conf
…

sudo apache2ctl -t
# I think the syntax check will probably report an error like the following:
AH00526: Syntax error on line 818 of /etc/apache2/modsecurity-crs/coreruleset-4.3.0/crs-setup.conf:
ModSecurity: Found another rule with the same id /etc/apache2/modsecurity-crs/coreruleset-4.3.0/rules
# → The error comes from the REQUEST-922-MULTIPART-ATTACK.conf rule, so either delete the three corresponding places or rename 922 to avoid it.

The second half of the error seems to occur depending on the version of ModSecurity.
As reported in this closed issue,
https://github.com/coreruleset/coreruleset/issues/3129
, the problem apparently does not occur if you upgrade the ModSecurity version, but since that appears to require an unofficial repository, it is not covered in this article.

Before starting production...

As mentioned above, IPS and endpoint security products, including WAF, can generate false positives.

I think the first step is to run it in IDS mode (detection only) and collect logs before putting it into production. In the case of ModSecurity, check the error.log to find out what kind of content was detected, and consider mitigations such as exclusion rules and threshold settings.
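To make the detection-only phase above concrete, here is an added example (not from the original article) that summarises ModSecurity entries from Apache's error.log by CRS rule id, lists the URIs that triggered the noisiest rule, and prints a per-URI runtime exclusion for a rule judged to be a false positive. The three log lines are constructed samples in ModSecurity 2.x format; the exclusion rule id 1001 and the CRS path from the article are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: triage ModSecurity detections
# recorded in Apache's error.log while SecRuleEngine is still DetectionOnly,
# then emit a per-URI exclusion for a rule that turns out to be a false positive.
# The three log lines below are constructed samples in ModSecurity 2.x format;
# on a real server you would pipe /var/log/apache2/error.log in instead.

sample_log() {
  cat <<'EOF'
[Mon Jun 10 10:00:01.000000 2024] [security2:error] [pid 1234:tid 1] [client 203.0.113.10:51000] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/apache2/modsecurity-crs/coreruleset-4.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/item.php"]
[Mon Jun 10 10:00:02.000000 2024] [security2:error] [pid 1234:tid 1] [client 203.0.113.10:51000] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/apache2/modsecurity-crs/coreruleset-4.3.0/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/item.php"]
[Mon Jun 10 10:00:03.000000 2024] [security2:error] [pid 1234:tid 1] [client 198.51.100.7:40222] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/apache2/modsecurity-crs/coreruleset-4.3.0/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "30"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/search.php"]
EOF
}

# Count hits per CRS rule id, most frequent first: "<count> <id> <msg>".
summarize_detections() {
  grep -o '\[id "[0-9]*"\] \[msg "[^"]*"\]' |
    sed 's/\[id "\([0-9]*\)"\] \[msg "\([^"]*\)"\]/\1 \2/' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Which URIs triggered a given rule id (to judge whether it is a false positive).
uris_for_rule() {
  grep "\[id \"$1\"\]" | grep -o '\[uri "[^"]*"\]' | sed 's/\[uri "\(.*\)"\]/\1/' | sort -u
}

# Print a runtime exclusion that disables one CRS rule only for one URI prefix.
# $1 = id of the exclusion rule itself (assumption: an unused id such as 1001),
# $2 = URI prefix, $3 = CRS rule id to remove. CRS convention is to keep such
# runtime exclusions in a file that is loaded before the CRS rules.
exclusion_rule() {
  printf 'SecRule REQUEST_URI "@beginsWith %s" "id:%s,phase:1,pass,nolog,ctl:ruleRemoveById=%s"\n' "$2" "$1" "$3"
}

top_rule_id() { sample_log | summarize_detections | head -n1 | awk '{print $2}'; }

sample_log | summarize_detections
sample_log | uris_for_rule "$(top_rule_id)"
exclusion_rule 1001 /item.php "$(top_rule_id)"
```

Only add an exclusion after confirming the matched request is legitimate application traffic; otherwise the tally tells you which rules are doing their job.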

Summary

WAFs, including cloud-based WAFs, are convenient, but tuning is required before implementing them into production as they may affect the actual environment.

Although it is a little difficult to operate, if you can get past this point you can strengthen security even when running as a standalone system, and if you add an endpoint product on top you get multi-layered defense and further robustness.

Complete

About the author

Kawa Ken

A curious Poke○n who belongs to the System Solution Department.