Install ModSecurity with Apache on Ubuntu 16.04 LTS

In this guide we will see how to install ModSecurity Web Application Firewall (WAF) to secure your apache web server. You need an Apache Web Server installed on your Ubuntu 16.04 LTS before you proceed with installation of ModSecurity WAF.

Installing Apache

To install Apache on your Ubuntu, issue following commands

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install apache2

Installing ModSecurity (WAF)

After installing Apache Web Server, next we install ModSecurity by following command

$ apt-get install libapache2-modsecurity

To check whether ModSecurity is successfully installed or not, issue following command

$ apachectl -M | grep security

If everything went well, you will see something like this

security2_module (shared)

Configuring ModSecurity

ModSecurity includes a recommended configuration file, modsecurity.conf-recommended located in /etc/modsecurity directory.

In order to make this file work with ModSecurity we have to rename it by using following command

$ sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Next we edit the modsecurity.conf file

$ sudo nano -w /etc/modsecurity/modsecurity.conf

search for SecRuleEngine and change value of SecRuleEngine detectiononly as …

SecRuleEngine on

Save the file and restart the apache

$ systemctl restart apache2

If you wanna use Malware.Expert – ModSecurity rules, we have Default ModSecurity Configuration which you can use.

ModSecurity Core Set Rules (CSR)

ModSecurity comes with many Core Set Rules (CSR) that set can be found in directory /usr/share/modsecurity-crs

In order to make Apache use these Core Set Rules, We add following two lines bottom to file/etc/modsecurity/modsecurity.conf

    # ModSecurity Core Set Rules (CSR)        
    IncludeOptional /usr/share/modsecurity-crs/*.conf
    IncludeOptional /usr/share/modsecurity-crs/activated_rules/*.conf

Malware.Expert Rules to ModSecurity

In order to use Malware Expert Rules with ModSecurity, open terminal and replace configuration file:

$ sudo nano -w /etc/modsecurity/modsecurity.conf

with this: Default Ubuntu/Debian ModSecurity Configuration

Also paste following line in bottom of file:

SecRemoteRules SerialKey https://rules.malware.expert/download.php?rules=generic

Replace SerialKey in above line with the one provided by My Account -> Subscriptions