Introduction
ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. you can consider it as an enabler, there are no hard rules telling you what to do, instead, it is up to you to choose your own path through the available features. The freedom to choose what to do is an essential part of ModSecurity’s identity and goes very well with its open source nature. With full access to the source code, your freedom to choose extends to the ability to customize and extend the tool itself to make it fit your needs.
We are assuming that you have root permission, otherwise, you may start commands with “sudo”.
NOTE: For installing and using ModSecurity you need an Apache web server configured. If you don’t, check out our LAMP stack tutorials.
How to install LAMP (Apache, MySQL, PHP) stack on Debian 8
How to install LAMP (Apache, MySQL, PHP) Stack on Ubuntu 16
How to install LAMP (Apache, MySQL, PHP) stack on CentOS 7
Install ModSecurity
On Debian and Ubuntu
apt-get install libapache2-modsecurity
On CentOs
yum install mod_security
Verify if the ModSecurity module was loaded with your Apache:
apachectl -M | grep --color sec
You should see a module named “security2_module (shared)” which indicates that the module was loaded.
The installation includes a recommended configuration file which has to be renamed with the command below:
mv /etc/modsecurity/modsecurity.conf{-recommended,}
Restart Apache:
systemctl restart apache2
systemctl restart httpd
Configuring ModSecurity
If you want to add rules or edit some existing rules you should open the “modsecurity.conf” and make changes. Here we are going to point to some common rules and configurations:
nano /etc/modsecurity/modsecurity.conf
Find the following line:
SecRuleEngine DetectionOnly
And change it like below:
SecRuleEngine On
Another directive to modify is “SecResponseBodyAccess” This configures whether response bodies are buffered. This is only necessary if data leakage detection and protection is required. Therefore, leaving it On will use up servers resources and also increase the log file size.
Find the following line:
SecResponseBodyAccess On
And turn it off like below:
SecResponseBodyAccess Off
We also can limit the maximum data that can be posted to your web application:
SecRequestBodyLimit
SecRequestBodyNoFilesLimit
The “SecRequestBodyLimit” specifies the maximum post data size. If anything larger is sent by a client the server will respond with a “413 Request Entity Too Large” error. If your web application doesn’t have any file uploads this value can be greatly reduced.
The default value of the configuration file is:
SecRequestBodyLimit 13107200
Which is 12.5 MB
Rule-Set Recommendation
You can also use free ModSecurity rules that provided by Cybersecurity companies like:
Also, you can find more information about ModSecurity on its official website!
Thank you for this article.
I finally took the step for the installation of this module. I took the opportunity to translate a part in French.
https://wiki.visionduweb.fr/index.php?title=Installer_Apache2_sur_Debian#Installer_mod-security_sur_Debian