How to Install ModSecurity on Apache

ModSecurity is a web application firewall (WAF) driven by a collection of rules whose goal is to protect web applications from a wide range of attacks with a minimum of false alerts. The rule-set vendors most commonly used are the OWASP ModSecurity Core Rule Set (CRS) and Comodo ModSecurity.

You can install the ModSecurity package that matches the OS you are using; for example, to install it on Rocky Linux 8:

dnf -y install mod_security_crs

However, installing from a package does not always give you the latest rule-set version as published at https://github.com/coreruleset/coreruleset/releases, so a manual installation is needed.

OWASP ModSecurity Core Rule Set (CRS)

Install ModSecurity for Apache

dnf -y install mod_security libmodsecurity

Download the latest OWASP CRS archive.

wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.5.tar.gz

Extract the archive into the /etc/httpd/modsecurity.d/ directory

tar -xaf v3.3.5.tar.gz -C /etc/httpd/modsecurity.d/

Rename crs-setup.conf.example to crs-setup.conf. Leave it in the top-level coreruleset-3.3.5 directory (not in rules/), because the configuration below includes it from there and it has to be loaded before the rules that depend on it.

cd /etc/httpd/modsecurity.d/coreruleset-3.3.5
mv crs-setup.conf.example crs-setup.conf

Edit mod_security.conf and add the following lines. The plugin directory lives inside the extracted release, so all paths point at coreruleset-3.3.5.

/etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c>
Include modsecurity.d/coreruleset-3.3.5/crs-setup.conf
IncludeOptional modsecurity.d/coreruleset-3.3.5/plugins/*-config.conf
IncludeOptional modsecurity.d/coreruleset-3.3.5/plugins/*-before.conf
Include modsecurity.d/coreruleset-3.3.5/rules/*.conf
IncludeOptional modsecurity.d/coreruleset-3.3.5/plugins/*-after.conf
</IfModule>

Restart the Apache service

systemctl restart httpd

Test the ModSecurity rules with

curl 'http://www.example.com/?foo=/etc/passwd&bar=/bin/sh'

If the output is HTTP 403, the OWASP CRS is working correctly.

$ curl -I 'http://www.example.com/?foo=/etc/passwd&bar=/bin/sh'
HTTP/1.1 403 Forbidden
Date: Thu, 12 Oct 2023 08:28:43 GMT
Server: Apache
Last-Modified: Wed, 27 Jul 2022 18:04:30 GMT
Accept-Ranges: bytes
Content-Length: 7620
Content-Type: text/html; charset=UTF-8

There are also OWASP CRS plugins that you can explore at https://github.com/coreruleset/plugin-registry
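The CRS steps above collected into one script, as an added example (this is not code from the original post or from the CRS project). It assumes Rocky Linux 8 with Apache under /etc/httpd, writes the Include lines to a separate file /etc/httpd/conf.d/zz-crs.conf (an assumed name) instead of editing mod_security.conf, validates the configuration with httpd -t before restarting so a bad Include cannot leave the server down, and then checks both that the traversal probe is blocked and that a benign request still gets 200, which catches a rule set that blocks everything. Do not load the packaged mod_security_crs rules alongside a manual CRS extract: ModSecurity refuses to start when two loaded files define the same rule id.

```shell
#!/bin/sh
# Added example (not from the original post): install and verify OWASP CRS.
# Assumptions: Rocky Linux 8, Apache under /etc/httpd, Include lines kept in
# the separate file /etc/httpd/conf.d/zz-crs.conf, CRS_VERSION and SITE_URL
# overridable from the environment.
set -eu

CRS_VERSION="${CRS_VERSION:-3.3.5}"
MODSEC_DIR="${MODSEC_DIR:-/etc/httpd/modsecurity.d}"
SITE_URL="${SITE_URL:-http://www.example.com}"

# Render the Include lines for a given CRS version. crs-setup.conf stays in
# the release's top directory so it is loaded before the rules it configures.
crs_include_block() {
    ver="$1"
    cat <<EOF
<IfModule mod_security2.c>
Include modsecurity.d/coreruleset-${ver}/crs-setup.conf
IncludeOptional modsecurity.d/coreruleset-${ver}/plugins/*-config.conf
IncludeOptional modsecurity.d/coreruleset-${ver}/plugins/*-before.conf
Include modsecurity.d/coreruleset-${ver}/rules/*.conf
IncludeOptional modsecurity.d/coreruleset-${ver}/plugins/*-after.conf
</IfModule>
EOF
}

# Download and unpack the release, activate the setup file, validate, restart.
install_crs() {
    ver="$1"
    tarball="v${ver}.tar.gz"
    wget -q "https://github.com/coreruleset/coreruleset/archive/refs/tags/${tarball}"
    mkdir -p "$MODSEC_DIR"
    tar -xaf "$tarball" -C "$MODSEC_DIR"
    mv "$MODSEC_DIR/coreruleset-${ver}/crs-setup.conf.example" \
       "$MODSEC_DIR/coreruleset-${ver}/crs-setup.conf"
    # Assumed file name; keeps the vendor-supplied mod_security.conf untouched.
    crs_include_block "$ver" > /etc/httpd/conf.d/zz-crs.conf
    # Syntax-check the whole configuration before the restart.
    httpd -t
    systemctl restart httpd
}

# Return the HTTP status code for a URL (HEAD request, body discarded).
http_status() {
    curl -s -o /dev/null -I -w '%{http_code}' "$1"
}

# Compare an observed status against what a healthy deployment returns.
check_status() {
    observed="$1"; expected="$2"; label="$3"
    if [ "$observed" = "$expected" ]; then
        echo "ok   $label -> $observed"
        return 0
    fi
    echo "FAIL $label -> $observed (expected $expected)" >&2
    return 1
}

# A benign request must still pass (200) while the probe is blocked (403).
verify_waf() {
    rc=0
    check_status "$(http_status "$SITE_URL/")" 200 "benign request" || rc=1
    check_status "$(http_status "$SITE_URL/?foo=/etc/passwd&bar=/bin/sh")" 403 "traversal probe" || rc=1
    return $rc
}

case "${1:-}" in
    install) install_crs "$CRS_VERSION" ;;
    verify)  verify_waf ;;
esac
```

Run `sh install_crs.sh install` as root, then `SITE_URL=http://your-host sh install_crs.sh verify`; the verify step is worth keeping around as a post-change smoke test every time a rule set is updated.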

Comodo Web Application Firewall

Install ModSecurity for Apache

dnf -y install mod_security libmodsecurity

Next, create a Comodo account to get the free CWAF: https://accounts.comodo.com/cwaf/management/signup

After registering and completing the CWAF order, you can download the WAF rules from https://waf.comodo.com/user/cwaf_revisions

Create the folder cwaf_rules-1.240 and extract the WAF rules into it.

mkdir -p /etc/httpd/modsecurity.d/cwaf_rules-1.240
tar -xaf cwaf_rules-1.240.tgz -C /etc/httpd/modsecurity.d/cwaf_rules-1.240

Edit mod_security.conf and add the path to the cwaf_rules-1.240 folder

/etc/httpd/conf.d/mod_security.conf
<IfModule mod_security2.c>
Include modsecurity.d/cwaf_rules-1.240/*.conf
</IfModule>

Restart the Apache service

systemctl restart httpd

Test the ModSecurity rules with

curl 'http://www.example.com/?foo=/etc/passwd&bar=/bin/sh'

Monitor the ModSecurity audit log

# tail -f /var/log/httpd/modsec_audit.log
--7c0af67e-F--
HTTP/1.1 403 Forbidden
Last-Modified: Wed, 27 Jul 2022 18:04:30 GMT
Accept-Ranges: bytes
Content-Length: 7620
Content-Type: text/html; charset=UTF-8

--7c0af67e-H--
Message: Access denied with code 403 (phase 2). Match of "contains cpanel" against "REQUEST_URI" required. [file "/etc/httpd/modsecurity.d/cwaf_rules-1.240/02_Global_Generic.conf"] [line "55"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||web1.srv1.de|F|2"] [data "Matched Data: /etc/ found within REQUEST_URI: /?foo=/etc/passwd&bar=/bin/sh"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.12.48] ModSecurity: Access denied with code 403 (phase 2). Match of "contains cpanel" against "REQUEST_URI" required. [file "/etc/httpd/modsecurity.d/cwaf_rules-1.240/02_Global_Generic.conf"] [line "55"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||web1.srv1.de|F|2"] [data "Matched Data: /etc/ found within REQUEST_URI: /?foo=/etc/passwd&bar=/bin/sh"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "web1.srv1.de"] [uri "/"] [unique_id "ZSrphn6L4rZ4OdFdAN5WuQAAAIU"]
Action: Intercepted (phase 2)
Stopwatch: 1697311110981298 2959 (- - -)
Stopwatch2: 1697311110981298 2959; combined=776, p1=518, p2=162, p3=0, p4=0, p5=95, sr=140, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

Imunify360 Apache Rule Set

You can choose either the minimal or the full ModSecurity rule set from Imunify360.

Metadata for imunify360-minimal:

curl -s https://files.imunify360.com/static/modsec/v2/meta_imunify360-minimal-apache.yaml

Metadata for imunify360-full:

curl -s https://files.imunify360.com/static/modsec/v2/meta_imunify360-full-apache.yaml

The rule set is also available for other web servers such as LiteSpeed and nginx.

Next, download the ModSecurity rules archive.

wget https://files.imunify360.com/static/modsec/v2/imunify360-modsec3-full-apache.zip

Extract the archive into /etc/httpd/modsecurity.d

unzip -q imunify360-modsec3-full-apache.zip -d /etc/httpd/modsecurity.d/

Edit mod_security.conf and add the rule directory.

<IfModule mod_security2.c>
Include modsecurity.d/imunify360-full-apache/*.conf
</IfModule>

Restart the Apache service

systemctl restart httpd

Test the ModSecurity rules with

curl 'http://www.example.com/?foo=/etc/passwd&bar=/bin/sh'

Monitor modsec_audit.log

# tail -f /var/log/httpd/modsec_audit.log
--5b7d3254-F--
HTTP/1.1 403 Forbidden
Last-Modified: Wed, 27 Jul 2022 18:04:30 GMT
Accept-Ranges: bytes
Content-Length: 7620
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

--5b7d3254-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:(?<!\\w)(?:\\.(?:ht(?:group|passwd)|www_{0,1}acl)|boot\\.ini|global\\.asa|httpd\\.conf)\\b|^/etc/)" at ARGS:foo. [file "/etc/httpd/modsecurity.d/imunify360-full-apache/009_i360_1_infectors.conf"] [line "90"] [id "77140882"] [msg "IM360 WAF: Infectors: OS File Access Attempt||MVN:ARGS:foo||MV:/etc/passwd||T:APACHE||SC:"] [severity "CRITICAL"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.12.57] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(?<!\\\\\\\\w)(?:\\\\\\\\.(?:ht(?:group|passwd)|www_{0,1}acl)|boot\\\\\\\\.ini|global\\\\\\\\.asa|httpd\\\\\\\\.conf)\\\\\\\\b|^/etc/)" at ARGS:foo. [file "/etc/httpd/modsecurity.d/imunify360-full-apache/009_i360_1_infectors.conf"] [line "90"] [id "77140882"] [msg "IM360 WAF: Infectors: OS File Access Attempt||MVN:ARGS:foo||MV:/etc/passwd||T:APACHE||SC:"] [severity "CRITICAL"] [hostname "web1.srv1.de"] [uri "/"] [unique_id "ZTH2G2zYkJsBuJW5bTioIQAAAQA"]
Action: Intercepted (phase 2)
Stopwatch: 1697773083532561 30678 (- - -)
Stopwatch2: 1697773083532561 30678; combined=5928, p1=1648, p2=4257, p3=0, p4=0, p5=22, sr=224, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.9.6 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"

--5b7d3254-Z--
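A small triage helper for the audit log excerpts in the Comodo and Imunify360 sections above, added here as an example (it is not code from the post, from Comodo or from Imunify360). It parses the ModSecurity 2.x serial audit log format, where each transaction is a run of parts delimited by --<boundary>-<letter>-- lines and part H holds the rule that intercepted the request, prints one line per block with rule id, client address, severity and message, and counts intercepts per rule id, which is the view you need when deciding whether a rule is catching attacks or generating false positives. The embedded sample is assembled from the two log excerpts on this page, with the Imunify360 regular expression abridged.

```shell
#!/bin/sh
# Added example: summarize intercepted requests from a ModSecurity 2.x serial
# audit log (the format of /var/log/httpd/modsec_audit.log shown above).
# Not part of the original post; the sample log below is constructed from
# the page's excerpts, with the Imunify360 pattern abridged.

# Print one line per intercepted transaction:
#   <rule id> TAB <client ip> TAB <severity> TAB <msg>
# Reads the audit log on stdin. Only the Apache-Error line of part H is used,
# because it carries the rule fields and the client address together.
audit_summary() {
    awk '
        # Pull the value of a quoted field such as [id "211190"].
        function field(line, name,    re, s) {
            re = "\\[" name " \"[^\"]*\"\\]"
            if (match(line, re) == 0) return ""
            s = substr(line, RSTART, RLENGTH)
            sub("^\\[" name " \"", "", s)
            sub("\"\\]$", "", s)
            return s
        }
        # Part boundary, e.g. --7c0af67e-H--: remember the part letter.
        /^--[0-9a-f]+-[A-Z]--$/ {
            part = substr($0, length($0) - 2, 1)
            next
        }
        part == "H" && /^Apache-Error: / {
            client = ""
            # [client 192.168.12.48] is unquoted, so it needs its own regex.
            if (match($0, /\[client [^]]*\]/)) { client = substr($0, RSTART + 8, RLENGTH - 9) }
            printf "%s\t%s\t%s\t%s\n", field($0, "id"), client,
                   field($0, "severity"), field($0, "msg")
        }
    '
}

# Count intercepts per rule id, most frequent first: a rule that fires for
# many different clients and benign URIs is a tuning candidate.
count_by_rule() {
    audit_summary | cut -f1 | sort | uniq -c | sort -rn
}

# Constructed sample: two transactions taken from the excerpts above.
sample_log() {
    cat <<'EOF'
--7c0af67e-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8

--7c0af67e-H--
Message: Access denied with code 403 (phase 2). Match of "contains cpanel" against "REQUEST_URI" required. [file "/etc/httpd/modsecurity.d/cwaf_rules-1.240/02_Global_Generic.conf"] [line "55"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||web1.srv1.de|F|2"] [severity "CRITICAL"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.12.48] ModSecurity: Access denied with code 403 (phase 2). Match of "contains cpanel" against "REQUEST_URI" required. [file "/etc/httpd/modsecurity.d/cwaf_rules-1.240/02_Global_Generic.conf"] [line "55"] [id "211190"] [rev "9"] [msg "COMODO WAF: Remote File Access Attempt||web1.srv1.de|F|2"] [data "Matched Data: /etc/ found within REQUEST_URI: /?foo=/etc/passwd&bar=/bin/sh"] [severity "CRITICAL"] [tag "CWAF"] [hostname "web1.srv1.de"] [uri "/"] [unique_id "ZSrphn6L4rZ4OdFdAN5WuQAAAIU"]
Action: Intercepted (phase 2)

--7c0af67e-Z--

--5b7d3254-H--
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client 192.168.12.57] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^/etc/" at ARGS:foo. [file "/etc/httpd/modsecurity.d/imunify360-full-apache/009_i360_1_infectors.conf"] [line "90"] [id "77140882"] [msg "IM360 WAF: Infectors: OS File Access Attempt||MVN:ARGS:foo||MV:/etc/passwd||T:APACHE||SC:"] [severity "CRITICAL"] [hostname "web1.srv1.de"] [uri "/"] [unique_id "ZTH2G2zYkJsBuJW5bTioIQAAAQA"]
Action: Intercepted (phase 2)

--5b7d3254-Z--
EOF
}

# On a live server: audit_summary < /var/log/httpd/modsec_audit.log
# or:               count_by_rule < /var/log/httpd/modsec_audit.log
```

Against the sample the summary yields two lines (rule 211190 from 192.168.12.48 and rule 77140882 from 192.168.12.57), both CRITICAL. When a rule id dominates the count across many distinct clients and ordinary URIs, review that rule for a targeted exclusion rather than disabling the whole set.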
